Multiple VPN Tunnels Through ADSL Router to SBS 2003 RRAS

Discussion in 'Windows Small Business Server' started by stevellg, Jan 10, 2006.

  1. stevellg

    stevellg Guest

    I suspect this is an issue that has hit others before. We have SBS 2003
    Standard running at our head office. Our remote users have been
    successfully connecting to the local network using "Connect to SBS" and all
    is working fine. We have now consolidated 5 of our remote workers in one
    remote office location. The users' machines are all SBS domain members and
    can independently connect to the SBS network at head office without any
    problems whatsoever.

    Our problems arise when more than one remote user attempts to connect to the
    network at Head Office from our new remote office. Having a relatively
    inexpensive modem/router (Netgear DG834G) means that we have a router that
    only supports the pass-through of a single VPN tunnel.

    Question 1 - How have others overcome this limitation of inexpensive routers
    and the support of only a single VPN Tunnel?

    Question 2 - Does there exist a relatively inexpensive ADSL modem/router
    that supports the pass-through (outbound) of more than a single VPN Tunnel?

    Question 3 - Can we configure the DG834g router to act as an endpoint
    (latest firmware enables VPN) and create a persistent VPN tunnel from the
    remote office to RRAS and our Head office SBS network? If so, how?

    Question 4 - We do have a license for SBS 2003 Premium but have not installed
    ISA 2004 - will our problems disappear and will we be able to connect from
    our remote location using our Netgear router's VPN tools?

    Question 5 - How have others connected remote locations to an SBS Network?
    What kind of hardware etc?

    Thanks in advance!

    Steve
     
    stevellg, Jan 10, 2006
    #1

  2. Jack T. Guest

    Been there, done that. Worked with Ciscos, Linksys, and SMC. Cisco is
    expensive and not a simple setup. Linksys is infuriating because it is
    missing pieces, and they sell you a non-standard VPN client. There are
    whole web sites dedicated to setting it up where you can get beta software
    from Linksys. Go SMC, SMCBR18VPN for that application. Ugliest router
    you've ever seen. Easy to set up, works reliably. Includes 8 port switch,
    firewall, etc. $80. They make a 4 port too, but I never used that one.
    Looks like the same router only smaller. As with any small VPN router, they
    won't pass a lot of VPN traffic fast, and the more the tunnels the slower it
    goes. By default it gives you transparent access to the internet and local
    assets while in VPN sessions without requiring a Masters Degree in VPN
    Mysteries to set it up. If you have trouble understanding the router, their
    tech support works if you know BS when you hear it, so that you can have
    the contact person get you an answer from someone who actually knows the
    router.

    Jack T.
     
    Jack T., Jan 10, 2006
    #2

  3. Rob C Guest

    Have you considered a single router-to-router VPN tunnel that extends the
    network out to the remote office?
    This works really well with the Linksys WRT54G Wireless G (which can be
    disabled) routers (sub $50 each). They release the firmware open source and
    many have improved upon the base code and include VPN server and client
    as well as VPN pass-through modes. I heartily recommend v23 firmware from
    www.dd-wrt.com.

    Caution: if you decide to go this route, be sure to buy Linksys version 4
    routers. New version 5 routers are out that do not support 3rd party firmware.
     
    Rob C, Jan 10, 2006
    #3
  4. Another thing to consider would be a true firewall appliance. This might be
    worth the extra cost given the extra security it provides in addition to
    resolving your VPN issues - those under-$100 boxes are not designed to
    provide perimeter defense to a LAN.

    Installing ISA would resolve the security issue, although obviously without
    improving a performance issue caused by a hardware device. When faced with
    the VPN limitation you're up against in an inexpensive router, I went with a
    Sonicwall TZ170, which works great. IMO you need that level of device if
    you're not going to install ISA.
     
    Dave Nickason [SBS MVP], Jan 10, 2006
    #4
  5. Steve Guest

    The WRT54GL model has been released that is still Linux based so you can use
    it similar to the version 4. $20 additional cost from Linksys for this
    capability, however!
     
    Steve, Jan 10, 2006
    #5
  6. Jack T. Guest

    those under-$100 boxes are not designed to provide perimeter defense to a
    I would agree that the Sonic wall is a fine device. The SMB is also a
    firewall similar to the other inexpensive routers such as the dlink,
    linksys, and belkin. Explain what you mean by "perimeter defense". I have
    not worked with the Sonic Wall, but I have the WatchGuard Enterprise
    firewalls. The WatchGuard allows a lot better monitoring, policies, etc.
    But it also means that there needs to be someone who understands it.

    Thanks,
    Jack T.
     
    Jack T., Jan 10, 2006
    #6
  7. Jack T. Guest

    those under-$100 boxes are not designed to provide perimeter defense to a
    Sonic wall is quite a popular device. The SMB is also a firewall similar to
    the other inexpensive routers such as the dlink, linksys, and belkin.
    Explain what you mean by "perimeter defense" and the risks.

    I have not worked with the Sonic Wall, but I have the Watch Guard Enterprise
    firewalls. Compared to the low cost routers, the Watch Guard allows a lot
    better monitoring, policies, etc. Subscriptions keep you up to date, and
    you can also do content filtering. But it also means that there needs to be
    someone to understand and monitor it. Most people will not look at security
    alerts much less respond to them even if they receive them unless they have
    an IT department. I see low cost routers mostly as being less flexible but
    they are set-and-forget.

    Looking forward to your thoughts,
    Jack T.
     
    Jack T., Jan 10, 2006
    #7
  8. Joe Guest

    Yes indeed.

    We have SBS 2003
    I think the only possible way is by site-to-site VPN. I have reason to
    believe that SBS itself does not support two VPN connections from the
    same remote IP address. Site-to-site allows remote machines to maintain
    individual IP addresses.
    Don't know. I've only worked with older models.
    I don't think ISA will help.
    I have set up a W2000 workstation to VPN to an SBS and then allow
    traffic between the networks, not just the W2K machine. It was necessary
    to provide a VOIP service on existing hardware. The drawback is that by
    enabling routing between the networks, the security of the SBS LAN is
    reduced. When a single machine connects by VPN to SBS, other machines
    on the remote LAN do not by default have access. As always, there is a
    triangle: security-convenience-cheapness. Pick a point somewhere inside.
     
    Joe, Jan 10, 2006
    #8
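Added example (not code from the thread or from any product named in it) illustrating the single-tunnel pass-through limit stevellg describes and Joe's point about multiple tunnels from one public address: a simulated NAT translation table. It assumes the SBS VPN is PPTP (TCP 1723 control channel plus GRE for the data, which has no port numbers); the addresses, ports and call IDs are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

TCP, GRE = 6, 47       # IP protocol numbers
PPTP_PORT = 1723       # PPTP control connection


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None    # TCP source port (control channel)
    call_id: Optional[int] = None  # PPTP call ID carried in the GRE header


@dataclass
class Nat:
    """Minimal outbound NAT: a flow is usable only if its key maps to one inside host."""
    pptp_alg: bool
    table: dict = field(default_factory=dict)

    def outbound(self, p: Packet) -> bool:
        if p.proto == TCP:
            key = (TCP, p.dst, p.sport)        # ports give each client its own slot
        elif p.proto == GRE and self.pptp_alg:
            key = (GRE, p.dst, p.call_id)      # PPTP-aware NAT demuxes on call ID
        elif p.proto == GRE:
            key = (GRE, p.dst)                 # no port field: one slot per VPN server
        else:
            return False
        owner = self.table.setdefault(key, p.src)  # first client wins the slot
        return owner == p.src


def tunnels_that_work(clients, server, pptp_alg):
    """Return the clients whose control AND data channels both get a NAT slot."""
    nat = Nat(pptp_alg)
    ok = []
    for i, c in enumerate(clients):
        ctrl = nat.outbound(Packet(TCP, c, server, sport=40000 + i))
        data = nat.outbound(Packet(GRE, c, server, call_id=100 + i))
        if ctrl and data:
            ok.append(c)
    return ok


CLIENTS = ["192.168.0.11", "192.168.0.12", "192.168.0.13"]  # constructed remote LAN
SERVER = "198.51.100.10"                                      # constructed SBS public IP
```

Without a PPTP-aware NAT only the first client's GRE flow gets a mapping, which is the one-tunnel behaviour of the inexpensive router; a site-to-site tunnel avoids the problem entirely because only the router itself talks to RRAS.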