Scenario:

Bordermanager 3.6 server at main office providing firewall services for our internal systems and acting as a VPN server for our remote offices. Remote offices each consist of a few systems dynamic-NAT'ed behind a DSL firewall/router (Netgear FR314 - listed on Craig Johnson's site as one that works with BM VPN). PCs are running Bordermanager VPN client software (3.6 and 3.7 mix) in client-to-site mode. Remote PCs are connecting to the VPN and then running Citrix client software to connect to my Metaframe server behind the Bordermanager server.

Problem:

When the firewall is in place, my Citrix sessions at the remote offices disconnect after one or two minutes of idle time - regardless of timeouts set on the Citrix server. After examining the logs of my firewall/router, I notice that UDP port 2010 traffic from my Bordermanager server is being discarded by the remote office Netgears (frequently). I suspect that this is somehow causing a situation that results in the disconnection of my Citrix sessions.

The Bordermanager client is able to remain in a "connected" state even with these packets being dropped (or is it possibly "auto-reconnecting"?); however, I believe that it is somehow resulting in my Citrix sessions disconnecting.

Everything works fine if I bypass the Netgear FR314 routers and provide the remote office PCs with public IP addresses. However, when I use the Netgear firewall/router and configure the remote offices with dynamic NAT, the router drops the Bordermanager UDP port 2010 keep-alives. I'm confused about the purpose of these packets. TID 2953912 indicates that these are used for VPN site-to-site (server to server) communication, but the packets are being sent from my Bordermanager server to varying high ports of the public addresses of my Netgear DSL firewall/routers at the remote locations.

Are these packets needed to maintain a Bordermanager VPN client-server connection? If so, how do I stop the Netgear from dropping them? When running in Dynamic NAT mode there does not appear to be a way to accomplish this on this router. Open all high ports? Yikes!

Any ideas?
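The symptom described in the post (server-originated UDP keep-alives landing on "varying high ports" of the NAT router's public address and being discarded while the client sits idle) is the general behaviour of a dynamic-NAT translation table, not something specific to the FR314. The following toy model is an added illustration, not code from the original post, from Novell or from Netgear; the NAT timeout, keep-alive intervals, ports and addresses in it are constructed, and the assumption that only client-originated traffic refreshes a mapping is a modelling choice exposed as a flag. It shows why an inbound datagram with no live mapping is dropped, why the public port changes each time the mapping is re-created, and why client-side traffic more frequent than the NAT idle timeout keeps the path open.

```python
"""Toy model of a dynamic-NAT router's UDP translation table.

Added illustration, not code from the original post or from Netgear/Novell.
It shows why UDP keep-alives that a server sends *toward* a NAT'ed client are
discarded once the client's outbound mapping has idled out, and why the
public port the server sees keeps changing when the mapping is re-created.
All numbers (timeouts, intervals, ports, addresses) are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Mapping:
    inside_ip: str
    inside_port: int
    last_seen: float  # seconds; refreshed by client-originated traffic


@dataclass
class NatRouter:
    udp_timeout: float                      # idle seconds before a UDP mapping is purged
    refresh_on_inbound: bool = False        # assumption: only outbound traffic refreshes
    table: Dict[int, Mapping] = field(default_factory=dict)  # public port -> mapping
    next_port: int = 40000                  # constructed starting public port
    dropped: List[Tuple[float, int]] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        stale = [p for p, m in self.table.items() if now - m.last_seen > self.udp_timeout]
        for pport in stale:
            del self.table[pport]

    def outbound(self, now: float, inside_ip: str, inside_port: int) -> int:
        """Client sends a datagram out: create or refresh its mapping, return the public port."""
        self._expire(now)
        for pport, m in self.table.items():
            if (m.inside_ip, m.inside_port) == (inside_ip, inside_port):
                m.last_seen = now
                return pport
        pport, self.next_port = self.next_port, self.next_port + 1
        self.table[pport] = Mapping(inside_ip, inside_port, now)
        return pport

    def inbound(self, now: float, public_port: int) -> Optional[Tuple[str, int]]:
        """Server sends to public_ip:public_port: forward if a live mapping exists, else drop."""
        self._expire(now)
        m = self.table.get(public_port)
        if m is None:
            self.dropped.append((now, public_port))
            return None
        if self.refresh_on_inbound:
            m.last_seen = now
        return (m.inside_ip, m.inside_port)


def simulate(udp_timeout: float, server_interval: float, client_interval: Optional[float],
             duration: float = 120.0, refresh_on_inbound: bool = False) -> Tuple[int, int]:
    """Return (forwarded, dropped) counts for server keep-alives sent every server_interval s.

    The client sends one datagram at t=0 and then one every client_interval s
    (None = client stays silent, like an idle session). The server always
    addresses the public port it learned from the client's most recent packet.
    """
    nat = NatRouter(udp_timeout, refresh_on_inbound)
    events: List[Tuple[float, int]] = []  # (time, kind): kind 0 = client out, 1 = server in
    t = 0.0
    while t <= duration:
        events.append((t, 0))
        if client_interval is None:
            break
        t += client_interval
    t = float(server_interval)
    while t <= duration:
        events.append((t, 1))
        t += server_interval
    events.sort()  # at equal times the client's outbound packet is handled first

    forwarded = 0
    target_port = None
    for when, kind in events:
        if kind == 0:
            target_port = nat.outbound(when, "192.168.1.10", 2010)  # constructed inside address
        elif nat.inbound(when, target_port) is not None:
            forwarded += 1
    return forwarded, len(nat.dropped)


if __name__ == "__main__":
    print("idle client, 30 s NAT timeout, keep-alive every 20 s:", simulate(30, 20, None))
    print("same, but NAT refreshes on inbound:", simulate(30, 20, None, refresh_on_inbound=True))
    print("client sends every 15 s:", simulate(30, 20, 15))
    print("client sends every 45 s:", simulate(30, 20, 45))
```

With the constructed 30 s idle timeout, an idle client sees only the first server keep-alive forwarded and every later one dropped, while a client that sends something more often than the timeout keeps every keep-alive flowing; a client sending less often than the timeout gets a fresh public port on each re-created mapping, which is the "varying high ports" pattern in the router log.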