VPN Connection Degrades Overall Client Internet Speed

  • Question

  • SBS2006 x64.

    My client machines when not connected by VPN to SBS have internet download speeds in excess of 25 MB/s down and 1.75 up. I have DSL and Cable modem connections in several remote offices.
    My client machines are Windows XP and Win 7.

    After connecting to SBS Server via VPN download speeds drop constantly to the 1.75 mb/s and uploads move to 1.65 constantly on multiple machines, multiple locations, DSL and Cable modem connections. The clients connect directly to SBS using Dial Up Networking.

    It would appear that the remote office network bandwidth on the client machine to the external internet is being routed through SBS. Client downloads, web surfing etc. from the internet are quite slow while connected to the server VPN.

    During speed testing I make sure that only 1 computer in the office is connected to SBS 2008 or using an internet connection to ensure reliable consistent testing speeds.

    Please advise.

    Thank you!


    Thanks!
    Thursday, February 10, 2011 8:18 PM

All replies

  • When the client PC connects to the SBS over VPN, it's using the default security configuration, which is to use the remote computer's default gateway.  So as you suspect, with an active VPN connection to the SBS, your remote client's Internet traffic is routed through the remote network's default gateway.

    You really want to leave this configured as is, because allowing a remote PC to have an independent Internet connection while also connected to the SBS is generally considered an unacceptable security risk.  (It's called "split tunneling," and you can probably find a lot of dire warnings in your search engine of choice).

    The best fix for this:  instead of connecting a VPN from the remote client PC to the SBS, connect the VPN between the hardware firewalls at the two locations.  Even if you have to replace existing devices with those supporting site to site VPN, I think you'll find it worth the investment - not only security and performance, but your reliability may be better as well.  If that's not an option, can you use RWW instead?


    Dave Nickason - SBS MVP
    Thursday, February 10, 2011 8:51 PM
  • Thank you Dave, unfortunately the client is a non-profit and is resistant to changing routers to site-to-site routers for 5 remote sites.
    They do have a Cisco 890 Series Wireless router that supports 20 VPN tunnels, which is I think what you are referring to.
    RWW is not an option as most users are on laptops, so they would not have an onsite computer to connect to. I am using some TS features with a virtual TS machine and desktop RDP files for the necessary applications.
    I have strict control of security on client machines with the SBS Server using NAI ePO to control virus software, so split tunnelling may be a temporary, say 6 month, fix?
    Would ISA Server be a solution, hopefully easy to configure on SBS?
    thank you!

    joe...

    Thanks!
    Thursday, February 10, 2011 9:41 PM
  • Hi Joe,

    Thanks for posting here.

    I agree with DAVE that the remote client is connecting to the internet through the SBS server instead of its own connection when the VPN connection is established, and this is the root cause of this slow internet connection issue. You may confirm this by checking the routing table and tracing internet traffic on the client side.

    If yes, I think there is no better way to avoid this situation so far, as long as you keep using the remote default gateway.

    Another possible way is the new DirectAccess feature with SBS 2011.

    With this feature we don't have to use VPN to access the internal network, and it could also avoid the issue you are encountering now.

    With this solution you should upgrade the SBS server to 2011 and the client OS to Windows 7, and purchase a new additional server for the DA service (Windows Server 2008 R2 or Forefront Unified Access Gateway):

    For more information please refer to the link below:

    DirectAccess

    http://technet.microsoft.com/en-us/network/dd420463.aspx

    Thanks.

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com
    Friday, February 11, 2011 6:37 AM
  • Here's an article that not only goes into the risks, but also shows you the setting you need to change if you want to allow split tunneling.  ISA doesn't add any security in a split tunneling situation - what you have is a client connection direct to the Internet, and a client connection to the SBS.  If a malicious party can connect to the client through that Internet connection, they're equally connected to the SBS with the same rights as the user.  So what would mitigate the risk somewhat would be good security on that client <-> Internet connection.  One might consider XP a little scary - at least make sure those are fully patched. 

    I used to just avoid browsing when connected to VPN, which I'm sure is something users can't always avoid.  I would definitely not attempt to download much while connected over VPN due to the performance hit - VPN uses some bandwidth all by itself.

    What is it that your remote users are doing over VPN?  If most of it is e-mail, they could use Outlook Anywhere as an alternative, and only connect the VPN when they need some other type of access like file shares.

    Here's that article:  http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html


    Dave Nickason - SBS MVP
    Friday, February 11, 2011 7:48 PM
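As an added illustration (not code from this thread or from Microsoft) of the check Tiger Li suggests and the setting Dave refers to: the script below reads each VPN entry's `IpPrioritizeRemote` flag from a constructed rasphone.pbk sample and picks the winning default route out of a constructed `route print` excerpt, so an administrator can see which connections are full-tunnel (all Internet traffic via the SBS) before deciding whether to touch that setting. The phonebook path and the "missing key means enabled" default are assumptions.

```python
import re
from typing import Dict, Optional, Tuple
# Constructed sample rasphone.pbk (assumed path %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk), keys trimmed.
SAMPLE_PBK = """[SBS Office VPN]
IpPrioritizeRemote=1
[Branch Test]
IpPrioritizeRemote=0
"""

# Constructed 'route print' excerpt with the VPN up: the PPP adapter's 0.0.0.0 route has the lower metric.
SAMPLE_ROUTE_PRINT = """Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     26
          0.0.0.0          0.0.0.0      10.0.0.200       10.0.0.200      1
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
"""

def parse_pbk(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like phonebook into {entry name: {key: value}}."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            entries[current][key.strip()] = value.strip()
    return entries

def uses_remote_gateway(entry: Dict[str, str]) -> bool:
    # IpPrioritizeRemote=1 is the 'Use default gateway on remote network' box;
    # assumption: a missing key means the default, which is enabled.
    return entry.get("IpPrioritizeRemote", "1") == "1"

def audit(pbk_text: str) -> Dict[str, str]:
    # full-tunnel: Internet traffic rides the VPN to the SBS (the slowdown here); split-tunnel: the riskier setting above.
    return {name: "full-tunnel" if uses_remote_gateway(e) else "split-tunnel"
            for name, e in parse_pbk(pbk_text).items()}

def default_route(route_print: str) -> Optional[Tuple[str, str, int]]:
    """(gateway, interface, metric) of the lowest-metric 0.0.0.0 route, i.e. the one Windows uses."""
    best = None
    for parts in (ln.split() for ln in route_print.splitlines()):
        if len(parts) == 5 and parts[0] == parts[1] == "0.0.0.0":
            cand = (parts[2], parts[3], int(parts[4]))
            if best is None or cand[2] < best[2]:
                best = cand
    return best
```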
  • What I tell folks is:

    The VPN is a tunnel under the river.  When you are in the tunnel you are safe, warm and dry.  Get out of the tunnel, or poke a hole in it, and all heck breaks loose.  <g>


    Larry Struckmeyer

    Please post the resolution to your issue so that everyone can benefit
    Friday, February 11, 2011 8:12 PM
  • Hi Joe,

    Please feel free to let us know if the information was helpful to you.

    Thanks,

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com


    Monday, February 14, 2011 12:49 AM