Port forward

OK, so this is not strictly an XP question, although the workstations involved are XP Pro. It is really a gateway metric question.

I have a client with an office of about 30 computers in a Win2K SBS domain. More & more users want remote access (i.e. RDP from home to office). I have been simply assigning an alternate RDP port to the user's workstation in the office & setting up a forwarded port on the firewall/router (Netgear FVS318) for each. The LAN IP of this firewall has, to this point, been the gateway for all the workstations on the LAN.

However, I just got my 17th user who wants RDP; the firewall supports only 16 ports forwarded. I know I can probably get a more expensive router (any suggestions?) that will handle 32 ports forwarded.

Or, can I just install two FWs and set up some of the ports on each (the additional FW can have a public IP address in the same subnet as FW #1 and with the same gateway)? Here's the question (I am currently testing this):

I cannot get an incoming RDP connection to work without setting the gateway on the workstation (or at least one of its gateways) as the LAN IP of the FW that will forward RDP to that workstation.

Or (and this is the heart of the question) I can set up multiple gateways on the workstation. This works if I set the metric for FW #1 (the gateway) as 1 and FW #2 (the RDP firewall) as 2. Now, two questions:

1. Should I just set up all workstations (regardless of which FW handles the RDP connection for the workstation) generically with two gateways (FW1: metric 1 / FW2: metric 2), or is it better to set up each workstation with only one gateway?
2. Is this configuration likely to cause me any routing problems?


"Sooner Al [MVP]" wrote:

It looks to me like a VPN would be more appropriate. Multiple users connecting to the SBS domain via a VPN tunnel versus multiple ports open on the firewall.

You could either purchase a VPN end-point type router or use SBS (which I believe includes a VPN server) as the end-point. I suggest you post to the "microsoft.public.windows.server.sbs" news group for help with the latter option. As far as VPN end-point type routers, look for devices like these...

http://us.zyxel.com/products/model.php?indexcate=1073271397&indexcate1=1123007871&indexFlagvalue=1021873683
http://us.zyxel.com/products/model.php?indexcate=1082973192&indexcate1=1123007871&indexFlagvalue=1021873683

....or...

http://us.zyxel.com/products/model.php?indexcate=1126088144&indexcate1=1123007871&indexFlagvalue=1021873683
http://us.zyxel.com/products/model.php?indexcate=1126002763&indexcate1=1123007871&indexFlagvalue=1021873683

On a much smaller scale I do the same thing with Secure Shell (SSH) and connect multiple Remote Desktop sessions through the one tunnel.

http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

"Brian" <Br***@discussions.microsoft.com> wrote in message news:B2891473-6A3E-4299-A38A-4ABCB4BEEEBC@microsoft.com...
> OK, so this is not strictly an XP question, although the workstations
> involved are XP Pro. It is really a gateway metric question.
>
> I have a client with an office of about 30 computers in a Win2K SBS domain.
> More & more users want remote access (i.e. RDP from home to office). I have
> been simply assigning an alternate RDP port to the user's workstation in the
> office & setting up a forwarded port on the firewall/router (Netgear FVS318)
> for each. The LAN IP of this firewall has, to this point, been the gateway
> for all the workstations on the LAN.
> However, I just got my 17th user who wants RDP; the firewall supports only
> 16 ports forwarded. I know I can probably get a more expensive router (any
> suggestions?) that will handle 32 ports forwarded.
>
> Or, can I just install two FWs and set up some of the ports on each (the
> additional FW can have a public IP address in the same subnet as FW #1 and
> with the same gateway)? Here's the question (I am currently testing this):
>
> I cannot get an incoming RDP connection to work without setting the gateway
> on the workstation (or at least one of its gateways) as the LAN IP of the FW
> that will forward RDP to that workstation.
>
> Or (and this is the heart of the question) I can set up multiple gateways on
> the workstation. This works if I set the metric for FW #1 (the gateway) as 1
> and FW #2 (the RDP firewall) as 2. Now, two questions:
>
> 1. Should I just set up all workstations (regardless of which FW handles the
> RDP connection for the workstation) generically with two gateways (FW1:
> metric 1 / FW2: metric 2), or is it better to set up each workstation with only
> one gateway?
> 2. Is this configuration likely to cause me any routing problems?


"Brian" wrote:

I have thought long and hard about using the VPN, and I cannot disagree that this is probably the ideal option in some environments. There are a couple of considerations, though. You can tell me if you feel these outweigh the benefits of the VPN. I must admit, this may be just a matter of having outgrown an approach that worked for a smaller number of users.

1. My router does, in fact, support client-to-router VPN, but Netgear sells its VPN client separately at about $40 per user.

2. I already use the SBS VPN on a small scale (not for RDP), but with 30+ users and four other servers in the domain, I am trying to limit the amount of traffic the SBS server must handle (after all, it is already running AD, print/file services, Exchange (in conjunction with an in-house Blackberry Enterprise Server), Symantec Enterprise, Backup Exec, Shared Fax, DNS and a few of the other normal functions of an SBS PDC on behalf of those 30+ users). I originally had the SBS functioning as my FW (ISA) and gateway, but replaced those functions with the aforementioned firewall to take some load off the server.

3. RDP is native to XP. Any one user may want to connect from any of a number of remote systems. With Windows XP on the client, all they have to do now is to open the RDP session using the firewall's IP address and their LAN workstation's alternate RDP port. With either of the above options, the user must either carry around a VPN disk or the additional information needed to set up the SBS VPN before connecting to the workstation via RDP on its LAN IP address.

4. Correct me if I'm wrong, but on the security side, I hardly think it is likely that a hacker would guess the firewall's IP or DNS address as well as the customized port, AD user name, and AD password within the three attempts it takes to lock the user's account in AD.

If nothing else, this problem has inspired my curiosity about gateway metrics. I set up the same port forward on both firewalls. With #1 being the LAN's Internet gateway, the only way I have gotten the port forward to work via FW #2 is to set up dual gateways on the host station, with metric 1 for FW #1 and metric 2 for FW #2. It did not work with automatic metrics for both. Would this dual gateway approach have any unintended consequences?

"Sooner Al [MVP]" wrote:

> It looks to me like a VPN would be more appropriate. Multiple users
> connecting to the SBS domain via a VPN tunnel versus multiple ports open on
> the firewall.
>
> You could either purchase a VPN end-point type router or use SBS (which I
> believe includes a VPN server) as the end-point. I suggest you post to
> "microsoft.public.windows.server.sbs" news group for help with the latter
> option. As far as VPN end-point type routers look for devices like these...
>
> http://us.zyxel.com/products/model.php?indexcate=1073271397&indexcate1=1123007871&indexFlagvalue=1021873683
> http://us.zyxel.com/products/model.php?indexcate=1082973192&indexcate1=1123007871&indexFlagvalue=1021873683
>
> ....or...
>
> http://us.zyxel.com/products/model.php?indexcate=1126088144&indexcate1=1123007871&indexFlagvalue=1021873683
> http://us.zyxel.com/products/model.php?indexcate=1126002763&indexcate1=1123007871&indexFlagvalue=1021873683
>
> On a much smaller scale I do the same thing with Secure Shell (SSH) and
> connect multiple Remote Desktop sessions through the one tunnel.
>
> http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html
>
> --
>
> Al Jarvi (MS-MVP Windows Networking)
>
> Please post *ALL* questions and replies to the news group for the mutual
> benefit of all of us...
> The MS-MVP Program - http://mvp.support.microsoft.com
> This posting is provided "AS IS" with no warranties, and confers no
> rights...
>
> "Brian" <Br***@discussions.microsoft.com> wrote in message
> news:B2891473-6A3E-4299-A38A-4ABCB4BEEEBC@microsoft.com...
> > OK, so this is not strictly an XP question, although the workstations
> > involved are XP Pro. It is really a gateway metric question.
> >
> > I have a client with an office of about 30 computers in a Win2K SBS domain.
> > More & more users want remote access (i.e. RDP from home to office). I have
> > been simply assigning an alternate RDP port to the user's workstation in the
> > office & setting up a forwarded port on the firewall/router (Netgear FVS318)
> > for each. The LAN IP of this firewall has, to this point, been the gateway
> > for all the workstations on the LAN.
> > However, I just got my 17th user who wants RDP; the firewall supports only
> > 16 ports forwarded. I know I can probably get a more expensive router (any
> > suggestions?) that will handle 32 ports forwarded.
> >
> > Or, can I just install two FWs and set up some of the ports on each (the
> > additional FW can have a public IP address in the same subnet as FW #1 and
> > with the same gateway)? Here's the question (I am currently testing this):
> >
> > I cannot get an incoming RDP connection to work without setting the gateway
> > on the workstation (or at least one of its gateways) as the LAN IP of the FW
> > that will forward RDP to that workstation.
> >
> > Or (and this is the heart of the question) I can set up multiple gateways on
> > the workstation. This works if I set the metric for FW #1 (the gateway) as 1
> > and FW #2 (the RDP firewall) as 2. Now, two questions:
> >
> > 1. Should I just set up all workstations (regardless of which FW handles the
> > RDP connection for the workstation) generically with two gateways (FW1:
> > metric 1 / FW2: metric 2), or is it better to set up each workstation with only
> > one gateway?
> > 2. Is this configuration likely to cause me any routing problems?
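To make the gateway-metric question concrete, here is an added example that is not from any poster in the thread: a small Python model of how a host picks a route (longest matching prefix first, then lowest metric, which is the rule the Windows IPv4 routing table applies) over a constructed table with the thread's two default gateways. It shows that the reply packets of an RDP session that came in through FW #2 still leave via whichever default gateway carries the lower metric, and flags the "automatic metrics" case where both default routes tie. The LAN and firewall addresses are assumptions, not values from the posts.

```python
import ipaddress

# Constructed table modelled on the thread's setup: one LAN with two
# firewalls on it and two default routes with different metrics.
# The addresses are assumptions, not values from the posts.
LAN = "192.168.1.0/24"
FW1 = "192.168.1.1"   # Internet gateway, metric 1
FW2 = "192.168.1.2"   # second firewall that forwards RDP, metric 2
DEFAULT = "0.0.0.0/0"

ROUTES = [
    # (destination prefix, gateway or None for on-link, metric)
    (LAN, None, 20),
    (DEFAULT, FW1, 1),
    (DEFAULT, FW2, 2),
]


def select_route(dst, routes=ROUTES):
    """Return the gateway a host uses for dst (None = deliver on-link).
    Longest matching prefix wins; ties are broken by the lowest metric."""
    ip = ipaddress.ip_address(dst)
    best_key, best_gw = None, None
    for prefix, gw, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix, then lower metric
        if best_key is None or key > best_key:
            best_key, best_gw = key, gw
    return best_gw


def reply_path(client_ip, arrived_via, routes=ROUTES):
    """Compare the firewall a session came in through with the gateway the
    workstation will hand the reply packets to."""
    out_gw = select_route(client_ip, routes)
    return {"arrived_via": arrived_via, "reply_via": out_gw,
            "symmetric": out_gw == arrived_via}


def default_gateways_tied(routes=ROUTES):
    """True when two default routes share the best metric, so the host has
    no deterministic preference (the 'automatic metrics' case)."""
    metrics = sorted(m for p, _, m in routes if p == DEFAULT)
    return len(metrics) > 1 and metrics[0] == metrics[1]


if __name__ == "__main__":
    for fw in (FW1, FW2):
        print(reply_path("203.0.113.10", fw))  # constructed remote client
    print("tied default routes:", default_gateways_tied())
```

A session forwarded by FW #2 therefore gets its replies handed to FW #1, so whether it works depends on how the two firewalls handle that asymmetry, which is the thing to verify on each workstation before adopting the two-gateway layout generally.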