Question

Best way for VPN.

Asked by: cbtech

I am going to be implementing a hardware VPN solution utilizing something along the lines of a Cisco PIX or SonicWall. I have done the VPN setup before, on a Unix platform. This time around I will be doing it on a Windows platform. What is the best way to extend a domain over a site-to-site VPN? Is there any good documentation about it? I have found tons of stuff on VPNs, just nothing specific on site-to-site VPNs with a win2k3 domain running over them. I understand each side has to have a distinct subnet associated with it, but how do I make the connection for the AD information and such to traverse the VPN?

Thanks!


Asked on: 2004-11-22 at 07:11:03, ID: 21215892
Tags: vpn, cisco, best, way
Topics: Miscellaneous Security, Enterprise Firewalls, IPSec Security Protocol
Participating Experts: 5
Points: 125
Comments: 8



Answers

by: Robing66066, posted on 2004-11-22 at 07:35:31, ID: 12645172

I've set it up using the Cisco 1700 series routers and it worked really well.  All you need to do is buy the routers with the VPN accelerator cards, set up the config and you're ready to go.

To get the traffic you want to go over the link, you simply have to define it as interesting traffic and it will go.  You do that in the config for the router.  I still have several config files for the 1700 series I'd be glad to share if you decide to go that way.  With luck, they will work for you and you'll be up and running right away.

As for documentation, there is lots of documentation for Cisco, but nothing that I know of that will directly address how to set up the VPN to run specifically over a Windows 2003 network.

Good luck!

by: samccarthy, posted on 2004-11-22 at 12:32:31, ID: 12648400

I have done it numerous ways.  The current solution I am using is with Watchguard firewalls, but it works with Symantec or PIX.  I have also done it with Windows VPN.

What are you trying to accomplish?

In my case, the core network is at City Hall.  I have a Watchguard at City Hall and at the remote sites.  The firewalls establish a secure VPN tunnel between themselves.  So, now my remote sites actually log on to the domain from those remote sites.  If the remote site has a reasonable amount of users you might want to put a Domain Controller there.  That way the users authenticate to that DC, which could also act as their file server, etc., but you would still have the connectivity and accessibility to the main site.

by: cbtech, posted on 2004-11-22 at 12:48:05, ID: 12648575

I have two remote sites, each with about 12 users. I would like to give them domain connectivity to the main site, but I would like to have each site use its own route out to the Internet, so I don't have all the Internet access piped through the VPN, just the domain information, like authentication and file sharing.  But if the VPN goes down, I want them to have Internet access too. How will this work with things like Active Directory integrated DNS and DHCP?

by: Robing66066, posted on 2004-11-22 at 13:16:26, ID: 12648874

Well, a hardware site-to-site connection would be my first choice.  You would set a VPN router up at each site, along with a VPN router at your central site.  Program the VPN connection to be always on.  You can configure the router to forward all the DHCP requests from the remote sites to the central site and allow all Microsoft traffic (various ports including 88, 135-139 and 445 plus 53 for DNS).  That will take care of your integrated DNS and DHCP and shares.  

One word of caution about how you are talking about setting this up.  Providing your users direct access to the Internet from their site does open up a security risk.  Remember that these computers are now connected to your main network.  If you allow them to access the Internet through their own router, you provide hackers with another way into your network.  If one of those computers is compromised, an attacker could gain access to the rest of your network through them.  Since the tendency in this sort of situation is to purchase a less powerful solution for the remote sites, your weakest link in your security network will now be those sites.

I would instead recommend that all access to the Internet pass through the VPN connection.  You'll see more traffic on the VPN, but in the end it will be more secure.

I'd still recommend the Cisco 1700 series for this.  They are relatively inexpensive and should handle the number of users you are talking about.  (Assuming you have the bandwidth available...)

Good luck.
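The "interesting traffic" idea from the reply above, written out as an added example that is not part of the thread: a policy that lets only domain traffic from a branch enter the tunnel, with web traffic left to the branch's own Internet link as the asker wants. The port list is the one given in the reply (88, 135-139, 445, 53, plus relayed DHCP); the LDAP and global-catalog entries are an assumption added here because domain logon and AD-integrated DNS updates use them as well. Subnets, flows and next-hop names are constructed.

```python
# Added example (not from the thread): an "interesting traffic" policy for a
# site-to-site tunnel that carries only domain traffic. Port list follows the
# reply above (88, 135-139, 445, 53); the LDAP and global-catalog entries are
# an assumption added here. All addresses are constructed sample values.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")              # constructed: summary of all sites
CENTRAL_SITE = ip_network("10.0.0.0/24")         # constructed: LAN holding the DCs
REMOTE_SITES = [ip_network("10.1.0.0/24"),       # constructed: the two branch LANs
                ip_network("10.2.0.0/24")]

# (protocol, first port, last port) a branch workstation needs on a DC.
DOMAIN_PORTS = [
    ("udp", 53, 53), ("tcp", 53, 53),        # AD-integrated DNS
    ("udp", 67, 67),                          # DHCP requests relayed by the branch router
    ("udp", 88, 88), ("tcp", 88, 88),        # Kerberos
    ("tcp", 135, 139), ("udp", 135, 139),    # RPC endpoint mapper, NetBIOS
    ("tcp", 445, 445), ("udp", 445, 445),    # SMB / Netlogon
    ("tcp", 389, 389), ("udp", 389, 389),    # LDAP (assumption, not in the thread's list)
    ("tcp", 636, 636),                       # LDAPS (assumption)
    ("tcp", 3268, 3269),                     # global catalog (assumption)
]


def classify(src, dst, proto, dport):
    """Return where a branch-originated flow goes: 'tunnel', 'internet' or 'drop'.

    Only the branch-to-central direction is modelled; replies are expected to be
    matched by the firewall's state table, not by this policy.
    """
    s, d = ip_address(src), ip_address(dst)
    if d not in INTERNAL:
        return "internet"                     # leaves via the branch's own ISP link
    if any(s in net for net in REMOTE_SITES) and d in CENTRAL_SITE:
        if any(p == proto and lo <= dport <= hi for p, lo, hi in DOMAIN_PORTS):
            return "tunnel"
    return "drop"                             # internal, but not domain traffic to HQ


def allowed_over_tunnel(src, dst, proto, dport):
    return classify(src, dst, proto, dport) == "tunnel"


# Constructed sample flows: (src, dst, proto, destination port).
SAMPLE_FLOWS = [
    ("10.1.0.20", "10.0.0.10", "tcp", 88),     # Kerberos logon to a DC
    ("10.1.0.20", "10.0.0.10", "udp", 53),     # DNS lookup against the DC
    ("10.1.0.20", "203.0.113.5", "tcp", 443),  # web browsing, stays off the tunnel
    ("10.1.0.20", "10.0.0.10", "tcp", 3389),   # RDP to the DC: not domain traffic
    ("10.1.0.20", "10.2.0.5", "tcp", 445),     # branch to branch: no tunnel for that
]


def summarize(flows):
    """Count flows per decision so a policy change can be sanity-checked."""
    counts = {"tunnel": 0, "internet": 0, "drop": 0}
    for src, dst, proto, dport in flows:
        counts[classify(src, dst, proto, dport)] += 1
    return counts


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", classify(*flow))
    print(summarize(SAMPLE_FLOWS))
```

The `drop` outcome is the part worth keeping an eye on in practice: anything from a branch to the central subnet that is not on the domain port list (RDP to a DC in the sample) is refused rather than silently riding the tunnel, which is what keeps a compromised branch machine from treating the VPN as a general-purpose path into the main network.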

by: rshooper76, posted on 2004-11-22 at 17:57:42, ID: 12650913

I have set up multiple networks using Cisco routers.  My personal preference is the Cisco 831 router.  It comes with a 4 port hub on your inside interface and an Ethernet connection to your WAN side.  This router also comes with an encryption module and an IOS firewall, all for under $500.00.  The 1700 series routers are fine, just more expensive, and you have to purchase the IOS firewall and encryption separately.  The configuration on the 831 routers is pretty easy as well.  There is even a web based configuration tool on these to help you configure the router.  I am not sure if the 1700 series routers come with this since I only use the Command Line Interface to configure routers.

by: samccarthy, posted on 2004-11-22 at 18:22:24, ID: 12651031

If your connectivity to the main site goes down, your Internet should be fine.  Most firewalls or routers are smart enough to route traffic appropriately unless you tell them otherwise.  In other words, Internet traffic can always go directly to the web; however, requests to that certain server or resource that the firewall or router knows is over the VPN will be routed over the VPN.  If the VPN goes down, local and Internet traffic still work fine.
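The routing behaviour described above, as an added example that is not part of the thread: a small longest-prefix route table for the branch router that shows split tunnelling keeping Internet access when the tunnel drops, the full-tunnel alternative recommended earlier in the thread, and one caveat the thread does not spell out: when the tunnel route disappears, traffic for the HQ subnet would otherwise fall through to the default route and be sent toward the ISP, so a blackhole route for the internal address space is added here. Addresses and next-hop names (`lan`, `vpn`, `local-isp`, `blackhole`) are constructed.

```python
# Added example (not from the thread): a longest-prefix route table modelling a
# branch router. With split tunnelling the branch keeps Internet access when the
# tunnel drops; with a full tunnel it does not. A blackhole route for the HQ
# address space stops tunnel traffic from falling back to the default route.
# Addresses and next-hop names are constructed.
from ipaddress import ip_address, ip_network


class RouteTable:
    def __init__(self):
        self.routes = []  # (network, next hop name, needs the tunnel to be up)

    def add(self, cidr, via, via_tunnel=False):
        self.routes.append((ip_network(cidr), via, via_tunnel))

    def lookup(self, dst, tunnel_up=True):
        """Longest-prefix match among routes currently usable; None = unreachable."""
        d = ip_address(dst)
        usable = [(net, via) for net, via, needs_tunnel in self.routes
                  if d in net and (tunnel_up or not needs_tunnel)]
        if not usable:
            return None
        return max(usable, key=lambda r: r[0].prefixlen)[1]


def build_branch_table(split_tunnel=True):
    """Routing at a branch router: constructed 10.1.0.0/24 LAN, HQ at 10.0.0.0/24."""
    t = RouteTable()
    t.add("10.1.0.0/24", "lan")                         # directly connected
    t.add("10.0.0.0/24", "vpn", via_tunnel=True)        # HQ subnet through the IPsec tunnel
    t.add("10.0.0.0/8", "blackhole")                    # never send RFC 1918 space to the ISP
    if split_tunnel:
        t.add("0.0.0.0/0", "local-isp")                 # Internet via the branch's own link
    else:
        t.add("0.0.0.0/0", "vpn", via_tunnel=True)      # everything through HQ
    return t


if __name__ == "__main__":
    for mode in (True, False):
        table = build_branch_table(split_tunnel=mode)
        for dst in ("10.0.0.10", "203.0.113.5"):
            for up in (True, False):
                print(f"split={mode} dst={dst} tunnel_up={up} -> {table.lookup(dst, up)}")
```

With the tunnel down, a lookup for the HQ DC returns `blackhole` rather than `local-isp`; without that /8 route the same lookup would match the default and the domain traffic, unencrypted, would leave on the ISP link. In full-tunnel mode the same lookup for an Internet address returns `None` when the tunnel is down, which is the availability cost of the more restrictive design.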

by: tradecraft1, posted on 2004-11-22 at 20:13:08, ID: 12651443

You should take a look at this link:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx

It provides some insight into configuring Active Directory replication over slower connections such as a VPN. I have tried to do this in the past and had issues around the replication. One word of advice: schedule your replications for off-peak hours. AD replication can suck up the bandwidth of a VPN very quickly.

For hardware I would recommend a PIX. Even the smaller 501s can do site-to-site VPNs. This Cisco article shows how to set up a simple PIX to PIX VPN.

Good Luck,

--Chris

by: George_A_Varkey, posted on 2005-03-31 at 18:53:59, ID: 13677663

Hi, I have set up a VPN using Windows 2003 Server. I am able to reach the VPN server from the remote client over the Internet. But I am not able to see any PCs in the network or to access any of the shared folders at the head office. Why is it happening like this and what is the solution for this problem?
Thanks in advance
George
