InTheWayBoy Posted November 3, 2005

Okay, so I've finally got my domain all nice and pretty...so it's time to mess it up again. Currently I have a single domain controller running AD, DHCP, DNS, WINS, and RIS...and it's our file and print server. I would like to get another server, but since I just barely got this server I don't think that will happen anytime soon.

Now we have some users who need to access info from a remote location...and that's where I'm lost. I understand some of the ideas behind remote access, but I don't know what I need to use.

I would like to have it so they are part of the domain, applying GPOs and folder redirection. I know that last need may be a pain if the access is slow, but I'll deal with that when I have to. So I'm getting hung up...I would like to have a solution that would work at login, and I've always seen that "Login using DUN" option, but never knew how to apply it. Do I need a VPN? If so, is the one that comes with 2003 good enough? Also, what kinda client configuration will I be needing to do? I've never played with VPN, but as I understand it the user would need to log in to their computer locally, and then establish a VPN connection. But then none of my GPOs would be run at login, right?

Also, do I need to worry about the low-link speed detection when doing something like this?

I know this is kinda a vast question to ask, but I have no problem following links and reading papers, so any suggestions would be great.

Also, I have another site that is 100 miles away...both sites have a T1. I was wondering if the remote machines could be permanently configured to be a part of our network without the need to have a server there. I've seen some things (Branch Office) that look like what I need, but it looks like most solutions require a server at the other location.

Thanx in advance!
chilifrei64 Posted November 3, 2005

To answer your first question: yes, Windows RRAS is good enough to get VPN access. Really, RRAS setup is pretty simple.. when you configure it you go through a wizard and that will take care of the general stuff for getting you connected. I do recommend having 2 NICs when trying to set up your Windows server for remote access. I like to have one NIC for the LAN and the other NIC for RRAS requests as opposed to having that virtual adapter that gets created.

What you would do to get the computers to log on would be to set up a VPN connection under that username to connect to your VPN server. Then when you get ready to log in you check the box that says "log on using Dial-up Networking". (Keep in mind that a network connection is required.) This will allow the user to log in to his computer, authenticate to the domain and run any login script or new policies when they log in.

As far as your remote office goes.. my new recommendation (since you don't want a server at the other side) completely nullifies my first statement.

What you want here is a site-to-site VPN. This can be done with a firewall at each branch.. to make things easier.. make sure you use 2 of the same kind of firewalls, or have a great deal of knowledge about VPNs. This will allow both locations to act as if they were connected locally. Not having a server at the other side though means any file transfers will be really slow. You can configure the firewalls to accept client VPN connections also, depending on the firewall you purchase.. then you would just have to add routes in your ACLs for proper network access.

I don't have any links for ya other than this one here for site-to-site.. but like I said.. RRAS really is pretty easy to follow and set up.
http://www.cisco.com/univercd/cc/td/doc/pr...onfig/index.htm
InTheWayBoy Posted November 4, 2005 Author

Okay, so I get two of something like these:
http://www.cisco.com/en/US/products/hw/vpn...2030/index.html
And configure them to communicate between the two. That establishes the VPN, and it's always connected...so on the clients I wouldn't have to configure anything then, right? DHCP will travel over?

And what would be a good description of this kinda item? For instance, if I want to see what NetGear or D-Link offer, what feature should I look for? Cause it seems like a lot say they support VPN, but turns out it's only via software clients or something. And it sounds like if I do something like that, then I can't (easily) have other single unit VPN connections? Or is it just so hard to handle that it's not worth attempting...

I've seen RRAS, but have never used it. I'll read up on it and see what's what. And thanx.

Oh, and would this be a good price:
http://www.tigerdirect.com/applications/se...CMP=OTC-FROOGLE
Not that I would buy from them, I hear they are the worst. $1800 for two...at that price I might as well go with another server. I'll still look into it though, seems like it could be handy!
chilifrei64 Posted November 4, 2005

The 506e are nice, but unless you are talkin more than 400 PCs between the 2 sites or 25+ client VPN connections.. the 501e will do just fine.. those can be found between 450 and 600 dollars.

As far as DHCP goes.. it is not that it would travel over but.. hmm, how to explain this:
site 1 would be on 1 subnet, 10.1.x.x/16
site 2 would be on another subnet, 10.2.x.x/16
You would have a site-to-site VPN with the 2 Cisco PIXs.. each PIX is going to have a route to the other subnet, and when site 1 requests information from site 2, the site 1 PIX would just route the data through the VPN tunnel. There would have to be DHCP at both sites.. and if you want.. DHCP can be configured on the PIX.

As for the clients logging on remotely (not at either site), you would then have to configure the PIX for those types of connections. The article I posted shows how to do this too.

If a large amount of data is going to be flowing across this site-to-site VPN, I would probably say to use your Windows server to do the site-to-site and run some sorta file replication service between the 2 sites.

My recommendation would be to still use the 2 PIXs for site-to-site and run file replication services between the 2 sites using Windows DFS. I set this up between a 4 site VPN. Worked wonders.. it was beautiful. But not every company has money like this one did.
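The subnet-and-route arrangement chilifrei64 describes above, as an added example that is not from the thread: a small Python model of each site firewall's forwarding decision (stay on the LAN, encrypt through the tunnel, or go out plain), plus the address-overlap check you want before pairing two sites. The 10.1.0.0/16 and 10.2.0.0/16 subnets are the thread's; the SiteFirewall class, its method names and the sample addresses are assumptions constructed for illustration.

```python
"""Model of the site-to-site decision from the thread (added example).
Each site firewall holds a route to the peer site's subnet and sends only
that traffic through the IPsec tunnel; local traffic stays on the LAN and
everything else leaves unencrypted.  Constructed subnets: 10.1.0.0/16 and
10.2.0.0/16, as in the thread.  Class/method names are hypothetical."""
import ipaddress

LOCAL, TUNNEL, INTERNET, DROP = "lan", "vpn-tunnel", "internet", "drop"


class SiteFirewall:
    def __init__(self, name, local_net, peer_nets):
        self.name = name
        self.local = ipaddress.ip_network(local_net)
        self.peers = [ipaddress.ip_network(n) for n in peer_nets]
        # A tunnel between overlapping subnets cannot be routed unambiguously;
        # refuse the configuration instead of silently black-holing traffic.
        for p in self.peers:
            if self.local.overlaps(p):
                raise ValueError(f"{self.name}: {self.local} overlaps peer {p}")

    def classify(self, src, dst):
        """Return where a packet from src to dst is forwarded."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in self.local:
            # Source is not on our LAN: spoofed or misrouted, so drop it
            # rather than forward it into the tunnel or out to the internet.
            return DROP
        if d in self.local:
            return LOCAL            # never leaves the site; no tunnel involved
        if any(d in p for p in self.peers):
            return TUNNEL           # matches the crypto ACL: encrypt to the peer
        return INTERNET             # ordinary NAT out; no encryption applied


def check_pair(a_net, b_net):
    """True when two sites can be tunnelled together (no address overlap)."""
    return not ipaddress.ip_network(a_net).overlaps(ipaddress.ip_network(b_net))
```

The same logic generalises to more than two sites: hand each firewall the list of every peer subnet, as the 4-site setup in the post would need.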
InTheWayBoy Posted November 4, 2005 Author

I like that DFS idea...hadn't really seen a use for it yet, so I don't know much. But essentially anything in the DFS share I create would (over time) replicate to other servers that have been configured to use that same DFS share, right? That's pretty smooth...

But then bandwidth comes into play...we have a full T1 at the main office, and a 3/4 T1 at the other office. I would think that the DFS would be smart enough to only transfer changed files, but still...it's only as fast as the slowest. As far as you know, is there a way to limit the bandwidth used while it's syncing, as I don't want it to suck the whole connection up?

So the PIX can handle the site-to-site and DHCP. I understand the route thing more now, so I'm gonna try leaving the PIX to handle the DHCP. When you say more than 25 VPN connections, that's not counting the site-to-site, is it? For instance, if I have ten computers at the other site, does that only give me 15 VPNs left?

I know some of these questions are better asked of a sales rep, but I don't trust them as far as I can throw em. I really appreciate all the info, you really know your sh*t! And just to confirm, I should be able to have both the site-to-site, plus additional VPN clients (laptops, users' home machines, etc.) as long as it's configured correctly?

We don't have much data, most of it is documents and such...but we will have some programs we need to share. I still need to get them under the domain for security reasons (HIPAA), but now I'm wondering what would be the best way to share the apps. I was originally thinking after this VPN is set up to just run the software on the remote site, but have it pull the info from the server in our office. Now I can see where bandwidth issues come into play, and I'm wondering if something like Terminal Services would better handle the data...any opinion on that?

Most of it is silly, proprietary payroll crap, so I don't think they've made it very friendly to situations such as this. I can see where with the way they store files it would bog the link down...with a terminal server it should be faster, since it's pulling the data locally but showing it remotely, right?
cluberti Posted November 4, 2005

The PIX is a great VPN/firewall, but also consider MS ISA 2004 if you've already got a domain, as these are a bit more user-friendly (and you can even get preconfigured hardware devices from most vendors now too). I used to suggest PIX to everyone, but I've leaned almost 100% towards ISA for AD environments. It's worth looking into.

And for your shared applications, terminal services would definitely be the way to go if bandwidth is an issue - all of the disk I/O and file access will be done from the terminal server, and the only thing going across the wire would be screen updates from the terminal server to the client.

It sounds like you've got your work cut out for you - good luck.
InTheWayBoy Posted November 4, 2005 Author

Yeah, no kidding...I've heard of ISA, but never really thought much about it. Would a situation like that require a server at the other location? I'm trying to find the best way to not have to have a server at the remote site. Looks like I have three, maybe four choices:
1. Firewall-to-Firewall (PIX, SonicWALL, etc.)
2. ISA (Software)
3. ISP VPN (They handle it all)
4. Linux
That third one is kinda new, as I didn't think they offered it. Anyone have any experience with this kinda VPN? On one hand I tend to think since it's done at the ISP it should be faster...but on the other hand this is USLEC we're talking about and generally I find them to not be so bright. And the Linux solution is neat, but not very reliable as I'm sure it'll take me forever to get all the kinks ironed out.

Thanx again!
cluberti Posted November 4, 2005

If you want traffic to flow reliably in both directions, and not just originating from the remote site, you'll need a site-to-site VPN. The ISP one may be good, but you'll have to determine whether or not you trust them enough with the backbone connecting your two sites.

I'd say that, as someone who's done this many times in many ways, the site-to-site VPN via a PIX or ISA is the easiest and most reliable way to go.
chilifrei64 Posted November 5, 2005

Agreed... I have done point-to-points with SonicWALLs, Checkpoints, ISAs and other firewalls.. even let the ISP control it.... and PIX wins them all.