Remote Access (PAT) Connection
The VPN Gateway Remote Access option provides a single VPN-based IP address at the VPN Gateway that is shared among all users behind the VPN Gateway. The address is shared through Port Address Translation (PAT): users are given individual addresses from a private address range, and these are mapped to and from the VPN or Internet IP address during network communications. PAT has limitations when network traffic is initiated by hosts on the hub site toward users behind the VPN Gateway. The VPN Gateway can enable port forwarding to forward specific hub-site initiated traffic. Please refer to Port Forwarding guidance for more detail.
If a requirement exists for the hub site to initiate traffic using a specific protocol to more than one PC behind a VPN Gateway, the Remote Access connectivity option cannot be used. Separate protocols like Telnet or FTP (designated by the destination port) can be forwarded to different PCs behind the VPN Gateway, but each specific protocol and port pair can be forwarded to one and only one PC. You cannot, for example, send unsolicited FTP traffic to two different PCs on the LAN.
A server at the hub site can only initiate traffic to the single VPN Gateway VPN Address and cannot directly address any specific PC behind the VPN Gateway.
Any traffic originating from a PC with a local, PAT'd IP address will appear to the target server as originating from the VPN Gateway’s subnet, but the corresponding response traffic received by the VPN Gateway can be routed correctly onward to the translated subnet via Port Address Translation.
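The translation and port-forwarding rules described above can be modelled in a few lines. This is an added example, not the VPN Gateway's own code: the class and method names, the addresses and the starting port are constructed for illustration, and the model keys translations on protocol and port only, which is simpler than a real PAT table.

```python
class PatGateway:
    """Simplified PAT model: many private hosts share one VPN address."""

    def __init__(self, vpn_ip, first_port=40000):
        self.vpn_ip = vpn_ip
        self.next_port = first_port
        self.out = {}       # (proto, private_ip, private_port) -> gateway port
        self.back = {}      # (proto, gateway_port) -> (private_ip, private_port)
        self.forwards = {}  # (proto, dest_port) -> (private_ip, private_port)

    def add_forward(self, proto, port, private_ip, private_port=None):
        """Forward hub-initiated traffic; one target per protocol/port pair."""
        key = (proto, port)
        if key in self.forwards:
            raise ValueError(f"{proto}/{port} is already forwarded to "
                             f"{self.forwards[key][0]}")
        self.forwards[key] = (private_ip, private_port or port)

    def outbound(self, proto, private_ip, private_port):
        """Translate a PC-initiated flow; return the source the server sees."""
        key = (proto, private_ip, private_port)
        if key not in self.out:
            while (proto, self.next_port) in self.forwards:
                self.next_port += 1  # never reuse a forwarded port
            self.out[key] = self.next_port
            self.back[(proto, self.next_port)] = (private_ip, private_port)
            self.next_port += 1
        return (self.vpn_ip, self.out[key])

    def inbound(self, proto, dest_port):
        """Return the PC receiving traffic sent to the VPN address, or None."""
        key = (proto, dest_port)
        return self.back.get(key) or self.forwards.get(key)


if __name__ == "__main__":
    gw = PatGateway("203.0.113.10")                   # constructed address
    print(gw.outbound("tcp", "192.168.1.10", 51000))  # PC A reaches the hub
    print(gw.outbound("tcp", "192.168.1.11", 51000))  # PC B, same VPN address
    print(gw.inbound("tcp", 40001))                   # response returns to PC B
    print(gw.inbound("tcp", 21))                      # unsolicited ftp: None
    gw.add_forward("tcp", 21, "192.168.1.10")
    print(gw.inbound("tcp", 21))                      # now reaches PC A
    try:
        gw.add_forward("tcp", 21, "192.168.1.11")     # second PC, same pair
    except ValueError as err:
        print("rejected:", err)
```

Running the same duplicate check over a planned set of port-forwarding rules shows, before deployment, whether a requirement needs hub-initiated traffic on one protocol and port to reach more than one PC.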