Port forward

Guest

OK, so this is not strictly an XP question, although the workstations
involved are XP Pro. It is really a gateway metric question.

I have a client with an office of about 30 computers in a Win2K SBS domain.
More & more users want remote access (i.e. RDP from home to office). I have
been simply assigning an alternate RDP port to the user's workstation in the
office & setting up a forwarded port on the firewall/router (Netgear FVS318)
for each. The LAN IP of this firewall has, to this point, been the gateway
for all the workstations on the LAN.

However, I just got my 17th user who wants RDP; the firewall supports only
16 ports forwarded. I know I can probably get a more expensive router (any
suggestions)? that will handle 32 ports forwarded.

Or, can I just install two FW's and set up some of the ports on each (the
additional FW can have a public IP address in the same subnet as FW #1 and
with the same gateway). Here's the question (I am currently testing this):

I cannot get an incoming RDP connection to work without setting the gateway
on the workstation (or at least one of its gateways) as the LAN IP of the FW
that will forward RDP to that workstation.

Or (and this is the heart of the question) I can set up multiple gateways on
the workstation. This works if I set the metric for FW #1 (the gateway) as 1
and FW #2 (the RDP firewall) as 2. Now, two questions:

1. Should I just set up all workstations (regardless of which FW handles the
RDP connection for the workstation) generically with two gateways (FW1:
metric1/FW2:metric2), or is it better to set up each workstation with only
one gateway?
2. Is this configuration likely to cause me any routing problems?
 
Sooner Al [MVP]

It looks to me like a VPN would be more appropriate. Multiple users
connecting to the SBS domain via a VPN tunnel versus multiple ports open on
the firewall.

You could either purchase a VPN end-point type router or use SBS (which I
believe includes a VPN server) as the end-point. I suggest you post to
"microsoft.public.windows.server.sbs" news group for help with the latter
option. As far as VPN end-point type routers look for devices like these...

http://us.zyxel.com/products/model....dexcate1=1123007871&indexFlagvalue=1021873683

....or...

http://us.zyxel.com/products/model....dexcate1=1123007871&indexFlagvalue=1021873683

On a much smaller scale I do the same thing with Secure Shell (SSH) and
connect multiple Remote Desktop sessions through the one tunnel.

http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual
benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
 
Guest

I have thought long and hard about using the VPN, and I cannot disagree that
this is probably the ideal option in some environments. There are a couple of
considerations, though. You can tell me if you feel these outweigh the
benefits of the VPN. I must admit, this may be just a matter of having
outgrown an approach that worked for a smaller number of users.

1. My router does, in fact, support client-to-router VPN, but Netgear sells
its VPN client separately at about $40 per user.

2. I already use the SBS VPN on a small scale (not for RDP), but with 30+
users and four other servers in the domain, I am trying to limit the amount
of traffic the SBS server must handle (after all, it is already running AD,
print/file services, Exchange (in conjunction with an in-house Blackberry
Enterprise Server) Symantec Enterprise, Backup Exec, Shared Fax, DNS and a
few of the other normal functions of an SBS PDC on behalf of those 30+
users). I originally had the SBS functioning as my FW (ISA) and gateway, but
replaced those functions with the aforementioned firewall to take some load
off the server.

3. RDP is native to XP. Any one user may want to connect from any of a
number of remote systems. With Windows XP on the client, all they have to do
now is to open the RDP session using the firewall's IP address and their LAN
workstation's alternate RDP port. With either of the above options, the
user must either carry around a VPN disk or the additional information needed
to set up the SBS VPN before connecting to the workstation via RDP on its LAN
IP address.

4. Correct me if I'm wrong, but on the security side, I hardly think it is
likely that a hacker would guess the firewall's IP or DNS address as well as
the customized port, AD user name, and AD password within the three attempts
it takes to lock the user's account in AD.

If nothing else, this problem has inspired my curiosity about gateway
metrics. I set up the same port forward on both firewalls. With #1 being the
LAN's Internet gateway, the only way I have gotten the port forward to work
via FW #2 is to set up dual gateways on the host station, with metric 1 for
FW #1 and metric 2 for FW #2. It did not work with automatic metrics for
both. Would this dual gateway approach have any unintended consequences?
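The routing question raised in both of the Guest's posts (two default gateways with metrics 1 and 2, and whether that has unintended consequences) comes down to how a host picks a next hop: longest prefix match first, then lowest metric, which is what Windows XP does. The following is an added example, not code from the thread or from any of the products named in it; the LAN addresses, the firewall addresses (FW #1 at 192.168.1.1, FW #2 at 192.168.1.2), the remote client address and the "automatic" metric value are all constructed for illustration. It models the workstation's route table and reports which gateway its reply packets would take, which is the routing problem to watch for: a connection forwarded in by FW #2 is answered through FW #1 unless FW #2 rewrites the source address to its own LAN address, and with equal metrics the choice between two default routes is implementation-dependent rather than a tie-break by design.

```python
"""Route-selection model for a workstation with two default gateways.

Added example for the thread above; all addresses are constructed
(RFC 1918 LAN, RFC 5737 documentation range for the remote client).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str               # destination network, e.g. "0.0.0.0/0"
    gateway: Optional[str]    # None means directly connected (on-link)
    metric: int


# Constructed table: the LAN is on-link, FW #1 is the preferred default
# gateway (metric 1) and FW #2 is the secondary default gateway (metric 2).
DUAL_GATEWAY_TABLE: List[Route] = [
    Route("192.168.1.0/24", None, 1),
    Route("0.0.0.0/0", "192.168.1.1", 1),   # FW #1, the LAN's Internet gateway
    Route("0.0.0.0/0", "192.168.1.2", 2),   # FW #2, the RDP-forwarding firewall
]

# Same two gateways with "automatic" metrics; XP derives the automatic metric
# from link speed, so on one NIC both defaults get the same value (20 is a
# constructed placeholder, not a value from the thread).
AUTO_METRIC_TABLE: List[Route] = [
    Route("192.168.1.0/24", None, 20),
    Route("0.0.0.0/0", "192.168.1.1", 20),
    Route("0.0.0.0/0", "192.168.1.2", 20),
]


def select_route(table: List[Route], dst: str) -> Route:
    """Longest prefix match, ties broken by lowest metric.

    On a full tie this model keeps the first matching entry; real stacks
    differ here, which is why equal-metric default routes are ambiguous.
    """
    d = ip_address(dst)
    candidates = [r for r in table if d in ip_network(r.prefix)]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    best = candidates[0]
    for r in candidates[1:]:
        if (ip_network(r.prefix).prefixlen, -r.metric) > (
            ip_network(best.prefix).prefixlen, -best.metric
        ):
            best = r
    return best


def reply_next_hop(table: List[Route], client_src: str) -> str:
    """Next hop for the workstation's replies to a connection whose packets
    arrive with source address client_src ("on-link" = delivered directly)."""
    r = select_route(table, client_src)
    return r.gateway if r.gateway is not None else "on-link"


def equal_cost_defaults(table: List[Route]) -> List[str]:
    """Default-route gateways that share the lowest metric; more than one
    entry means the host has no deterministic preference between them."""
    defaults = [r for r in table if r.prefix == "0.0.0.0/0" and r.gateway]
    lowest = min(r.metric for r in defaults)
    return [r.gateway for r in defaults if r.metric == lowest]


if __name__ == "__main__":
    remote_client = "203.0.113.50"   # constructed home-user public address
    # Case 1: FW #2 forwards the RDP port but leaves the client's source
    # address intact. The reply leaves via FW #1, which never saw the
    # inbound packet: an asymmetric path through two stateful devices.
    print("reply to untranslated client ->", reply_next_hop(DUAL_GATEWAY_TABLE, remote_client))
    # Case 2: FW #2 rewrites the source to its own LAN address, so the reply
    # is on-link and no default gateway is consulted at all.
    print("reply to FW #2's LAN address ->", reply_next_hop(DUAL_GATEWAY_TABLE, "192.168.1.2"))
    # Case 3: automatic metrics leave two equal-cost default routes.
    print("equal-cost defaults with automatic metrics ->", equal_cost_defaults(AUTO_METRIC_TABLE))
```

The practical reading for the thread's setup: the metric 1/metric 2 pair makes FW #1 the only gateway ever used for off-LAN replies, so FW #2's forwards can only work reliably if FW #2 hides the remote client behind its own LAN address; and if FW #1 is ever unreachable, every workstation silently fails over to FW #2 for all Internet traffic, which is the main unintended consequence of giving all 30 hosts the second default route.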
 
