PC Review



Best way to setup remote access for my network

 
 
yo.natan
Guest
Posts: n/a
 
      27th Jan 2009
Hi

First let me describe the current network setup. I have an ADSL modem
connected to a D-Link DI604 router. A server running Windows 2003 Server R2
and two Windows XP Professional SP3 workstations are all directly connected
to the DI604 router. This is a workgroup network!

At the moment I access all three machines remotely using Remote Desktop
Connection. The router forwards port 3389 to the server, 3390 and 3391 for
each workstation, respectively.

I don't believe that this is the most secure setup for remote access and I
am looking for advice on how to improve.

My first idea is to change the setup, so that I would remotely access the
server using RDP and once on the server I would use RDP on the server to
access each workstation when necessary. This way I figure I need to open only
one port on the router and this will be more secure.

Now some questions:

- Which is more secure, to run RDP over SSL or RDP over VPN?

- If RDP over SSL is chosen, then I guess the only solution is to install an SSL
server on the server?

- If RDP over VPN is chosen above, is it better to get a new router to
replace the DI604 which has VPN capabilities or to install a software VPN
server on the server?

- If it is better with a VPN router which of the following is a good choice
(money not the deciding factor):

1. CISCO RVS4000 4-PORT GIGABIT SECURITY ROUTER

2. D-LINK DFL-200 FIREWALL

3. D-LINK DFL-210 FIREWALL

4. LINKSYS BEFVP41 4-PORT SWITCH VPN

If any hardware not mentioned is better please let me know!!

Ok that should be all my questions for now. By the way the remote computer
accessing the corporate network is not important as it can use either VPN or
SSL and will use software not hardware in case of VPN solution.

Thanks for any advice and help!
 
 
 
 
 
Phillip Windell
Guest
Posts: n/a
 
      27th Jan 2009
Replace your firewall device with one that can act as a VPN Server.

Your main players to check into are:

Cisco (not Linksys)
Sonicwall
WatchGuard

Anything worth buying in this class is going to be between $300 and $500
(last time I checked). I have no model numbers to suggest. Go to someplace
such as www.cdw.com . That site gives you the ability to do side-by-side
comparisons. The last company I helped with this "in person" chose to go
with the WatchGuard because it had fewer hidden charges for extra features
you had to "subscribe" to get. But they all want to "stick it to you" for
every extra feature you want, some just aren't as bad as others.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
yo.natan
Guest
Posts: n/a
 
      27th Jan 2009
Thanks for your reply Phillip! I'll have a look at the ones you mentioned!
Can someone please address my other questions! Thanks

 
Phillip Windell
Guest
Posts: n/a
 
      27th Jan 2009
"yo.natan" <(E-Mail Removed)> wrote in message
news:A3E38A59-5A8C-483A-B951-(E-Mail Removed)...
> Thanks for your reply Phillip! I'll have a look at the ones you mentioned!
> Can someone please address my other questions! Thanks


It's a pretty simple answer,...use the VPN,...run the RDP over that after
you put all the RDP ports back to the normal ports.

Your VPN is going to be PPTP or L2TP. The most secure choice is L2TP,...but
PPTP is the easiest to deal with.

IPSec is not even part of the conversation as far as I am concerned unless
the Device you buy will only work with IPSec.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
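
A check to run after moving RDP behind the VPN as advised above, added here as an example and not written by anyone in the thread: it confirms that the forwarded ports named in the original post (3389, 3390, 3391) no longer answer from the Internet side, and that RDP on the normal port answers once the VPN is up. The IP addresses and the `wan`/`vpn` mode names are placeholder assumptions.

```python
import socket
import sys

# Ports the original post says the router forwards for RDP.
FORWARDED_RDP_PORTS = (3389, 3390, 3391)
RDP_DEFAULT_PORT = 3389


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timed out) or unroutable from this vantage point.
        return False


def audit(targets, expect_open, timeout=3.0):
    """Probe (host, port) pairs and return those that violate the policy.

    expect_open=False: run from outside with no VPN, nothing should answer.
    expect_open=True:  run with the VPN connected, RDP should answer.
    Each finding is (host, port, observed_open).
    """
    findings = []
    for host, port in targets:
        observed = tcp_reachable(host, port, timeout)
        if observed != expect_open:
            findings.append((host, port, observed))
    return findings


def wan_targets(public_ip, ports=FORWARDED_RDP_PORTS):
    """Targets for the outside check: the router's public IP on each old port."""
    return [(public_ip, p) for p in ports]


def vpn_targets(lan_hosts, port=RDP_DEFAULT_PORT):
    """Targets for the VPN check: each LAN machine on the normal RDP port."""
    return [(h, port) for h in lan_hosts]


if __name__ == "__main__":
    # Placeholder addresses (assumptions); replace with your own.
    public_ip = "192.0.2.10"
    lan_hosts = ["192.168.0.10", "192.168.0.11", "192.168.0.12"]
    mode = sys.argv[1] if len(sys.argv) > 1 else "wan"
    if mode == "wan":   # run from outside the LAN, VPN disconnected
        bad = audit(wan_targets(public_ip), expect_open=False)
        for host, port, _ in bad:
            print(f"STILL EXPOSED: {host}:{port} accepts connections")
    else:               # run with the VPN connected
        bad = audit(vpn_targets(lan_hosts), expect_open=True)
        for host, port, _ in bad:
            print(f"NOT REACHABLE OVER VPN: {host}:{port}")
    sys.exit(1 if bad else 0)
```

The `wan` run only means something from a connection outside the LAN, since many consumer routers do not loop forwarded ports back to inside clients.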


 
 
yo.natan
Guest
Posts: n/a
 
      27th Jan 2009
Thanks again Phillip for your speedy reply! Much appreciated!

Ok, so VPN it is! Now I just need to decide on what hardware will replace
the D-Link DI604 which is currently in use!

I've done some searching and going on your hardware manufacturer
recommendations...I've found the following Cisco RVS4000 4-port Gigabit
Security Router (roughly $200). Please see the link to the product specs:

http://www.cisco.com/en/US/prod/coll...c78-496735.pdf

I don't know if it is a good device, but it doesn't seem to be overkill for
my situation. It has 4 ports which is what my current D-Link router has and
allows me to connect my server, two workstations and printer. Apart from
that I have no experience with Cisco products although they seem very widely
used for much larger networks. Regarding the VPN capabilities of the product,
it seems that it has a VPN server with IPsec, PPTP and L2TP.

Not sure if this is a good product and with the VPN capabilities I need?

P.S. An advantage with the product is that my network will go from 100 Mbps
to 1000 Mbps which I guess will increase the performance of the network even
though we only deal with documents and accounting software (some of which
runs from the server).

What do you think? Should I look for something else?

 
Phillip Windell
Guest
Posts: n/a
 
      27th Jan 2009
"yo.natan" <(E-Mail Removed)> wrote in message
news:35B6765B-EAEA-4360-A820-(E-Mail Removed)...
> I've done some searching and going on your hardware manufacturer
> recommendations...I've found the following Cisco RVS4000 4-port Gigabit
> Security Router (roughly $200). Please see the link to the product specs:
>
> http://www.cisco.com/en/US/prod/coll...c78-496735.pdf


It will probably do what you need. But one thing to watch out for with Cisco
(and maybe some others) is that the Remote Access VPN won't work with the
built in abilities of Windows, which requires you to install a special dialup
Client and you can't establish a VPN link without it. Some people don't
mind that, but I can't stand that,...I guess it is a personal choice.

I don't use Cisco products of this nature so I don't know all the little
details about them. The only VPN application I am involved in is a
commercial application and we use MS ISA Server as the Firewall & VPN
Server. It requires no special VPN Client to be able to function. But ISA
is way overkill and way too $$$$ for your situation.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
yo.natan
Guest
Posts: n/a
 
      27th Jan 2009
Not sure what you mean! Would I have to install software on the server and
workstations in order to connect to them remotely? I thought I connect to the
Cisco router using a vpn client on my remote machine and then just use RDC?

 
Phillip Windell
Guest
Posts: n/a
 
      27th Jan 2009
"yo.natan" <(E-Mail Removed)> wrote in message
news:1DB98507-E06B-4B6D-BB59-(E-Mail Removed)...
> Not sure what you mean! Would I have to install software on the server and
> workstations in order to connect to them remotely?


The Server has nothing to do with it. On the workstation,..yes,..you have
to install a piece of software called the Cisco VPN Client,...that is not
something I like,...and I don't know if all the Cisco products capable of
VPN force that on you or not.

> I thought I connect to the
> Cisco router using a vpn client on my remote machine and then just use
> RDC?


That is the way I prefer to do it too. I just am doubtful with Cisco
products that it will be like that. I'm just saying that is something you
have to keep in mind when you choose a product.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
yo.natan
Guest
Posts: n/a
 
      27th Jan 2009
Ok I think I'm starting to understand the whole VPN setup. I found the manual
for the Cisco product which I named earlier.

http://www.cisco.com/en/US/docs/rout...0_UG_B_web.pdf

I've had a look through, but I would like some clarification and you are
definitely more knowledgeable about VPNs than I am. Pages 49-54 cover
configuring IPsec. If I understand it correctly, you set up the Cisco router,
then each computer connected to the router on the local LAN needs to be
configured using secpol.msc with the IPsec rules set up as stated on these
pages. If I am correct then no software needs to be installed on the server
or the workstations and the IPsec rules make sure that once a VPN connection
has been established to the router, the IPsec rules come into play and route
traffic to the computers.

Is this correct? Can you perhaps clarify what I've said?

Thanks for your patience!

 
Phillip Windell
Guest
Posts: n/a
 
      27th Jan 2009
"yo.natan" <(E-Mail Removed)> wrote in message
news9ED7E73-EC7D-45B9-BCE7-(E-Mail Removed)...
> Ok I think I'm starting to understand the whole VPN setup. I found the
> manual
> for the Cisco product which I named earlier.
>
> http://www.cisco.com/en/US/docs/rout...0_UG_B_web.pdf


> definitely more knowledgeable about VPNs than I am. Pages 49-54 cover
> configuring IPsec. If I understand it correctly, you set up the Cisco
> router
> <shortened for space>
> Is this correct? Can you perhaps clarify what I've said?


No.

You want Appendix B: Quick VPN for Windows

You have to install "Quick VPN Client" on the machines that want to "dial
in" to the LAN from outside.

The Appendix C for IPSec makes no sense to me at all and I have no idea what
they are trying to accomplish with that.

Appendix D is the one for Site-to-Site VPN,...which is *not* what you are
doing but I wanted you to know what that one was for anyway.

There is no way I would buy that.

You want something that will accept incoming Remote Access VPN using either
PPTP or L2TP without having to install any software on the workstation that
is trying to do the connecting.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 