VPN Question


Russ

In perusing all the literature I can find on setting up VPN for remote
users, it seems that the scenario called "VPN after firewall" fits my
situation best. But I see conflicting information as to exactly what
this setup is. One diagram shows the following:

DSL
|
Firewall
|
VPN server
|
Hub

Another diagram shows:

DSL
|
Firewall
|
Hub
|
VPN server and rest of LAN

Can someone explain pro and con for the above 2 configurations? It
seems that the first is more complicated because the VPN server has to
pass all normal (non VPN) internet traffic through to the hub. Other
than that, what?

Thanks, Russ
 
They will both work. It really depends on what you want to do.

If you want the firewall to be the default gateway to your LAN, you
would set it up so that the RRAS server was just another LAN client with one
NIC. All clients access the Internet through the firewall directly.

In the other scenario, the server is the default router for your LAN.
You would need to use this setup if you wanted to run ISA or proxy on the
server. The setup of the server is then similar to a server connecting a LAN
to a DMZ. The link from the server to the firewall/router must be in a
different subnet from the LAN machines.
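
An added example, not part of the original thread: a small Python check that an addressing plan is consistent with either layout described above, including the rule that the server-to-firewall link must sit in a different subnet from the LAN. The dictionary keys, layout names and all addresses are assumptions made up for illustration.

```python
import ipaddress as ip

def check_plan(plan):
    """Return a list of problems in an addressing plan; an empty list means consistent."""
    problems = []
    lan = ip.ip_network(plan["lan_subnet"])
    fw = ip.ip_address(plan["firewall_inside"])
    inner = ip.ip_address(plan["vpn_lan_nic"])
    gw = ip.ip_address(plan["client_gateway"])
    if inner not in lan:
        problems.append("VPN server LAN NIC is not in the LAN subnet")
    if plan["layout"] == "single_nic":
        # Firewall - Hub - (VPN server and rest of LAN): server is a one-NIC LAN client.
        if fw not in lan:
            problems.append("firewall inside address is not in the LAN subnet")
        if gw != fw:
            problems.append("clients should use the firewall as default gateway")
    elif plan["layout"] == "dual_homed":
        # Firewall - VPN server - Hub: server is the default router for the LAN.
        link = ip.ip_network(plan["link_subnet"])
        outer = ip.ip_address(plan["vpn_outer_nic"])
        if link.overlaps(lan):
            problems.append("server-to-firewall link overlaps the LAN subnet")
        if fw not in link or outer not in link:
            problems.append("firewall and server outer NIC must share the link subnet")
        if gw != inner:
            problems.append("clients should use the server's LAN NIC as default gateway")
    else:
        raise ValueError("unknown layout: %r" % plan["layout"])
    return problems

# Constructed sample plans (all addresses are made up for illustration).
SINGLE_NIC = {"layout": "single_nic", "lan_subnet": "192.168.1.0/24",
              "firewall_inside": "192.168.1.1", "vpn_lan_nic": "192.168.1.10",
              "client_gateway": "192.168.1.1"}
DUAL_HOMED = {"layout": "dual_homed", "lan_subnet": "192.168.1.0/24",
              "link_subnet": "10.0.0.0/30", "firewall_inside": "10.0.0.1",
              "vpn_outer_nic": "10.0.0.2", "vpn_lan_nic": "192.168.1.1",
              "client_gateway": "192.168.1.1"}
# Same layout, but the link to the firewall was left in the LAN's subnet.
SAME_SUBNET = dict(DUAL_HOMED, link_subnet="192.168.1.0/24",
                   firewall_inside="192.168.1.254", vpn_outer_nic="192.168.1.253")

if __name__ == "__main__":
    for name in ("SINGLE_NIC", "DUAL_HOMED", "SAME_SUBNET"):
        print(name, check_plan(globals()[name]) or "ok")
```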
 