Solved

Site-to-Site VPN, Subnet question

Posted on 2004-11-02
456 Views
Last Modified: 2010-04-10
We want to set up a site-to-site VPN between routers in our two branch offices and our corporate headquarters.  We have a T1 at our headquarters and ADSL at the branches.  We are running Windows Small Business Server at the main office.  Ideally, workstations in the branches would login directly to our SBS server to the same domain that workstations in the main office do.

Do I need to have all offices on one big subnet, or should I separate them into three separate subnets?  I guess I am confused about how the domain is resolved when logging in on a Windows Network.  If it uses DNS to resolve it then I suppose it's fine on separate subnets, but I'm not sure how that works.

We are a small company of about 20 employees.
Question by:fisc
6 Comments
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 12472645

Separate Subnets for each office to keep IP Routing nice and simple.

For example:

Main Site: 10.0.1.x
Branch Site 1: 10.0.2.x
Branch Site 2: 10.0.3.x

etc

Provided the Firewall portion of your VPN Server / Router / Firewall allows the traffic through then there will be no problem with getting the users logged on.

These subnets will also have no problem registering entries in your central DNS Server (running on SBS) as that should accept updates from authenticated users.

One thing that might come up though, how are you assigning IP Addresses? DHCP or Statically?
 
LVL 16

Accepted Solution

by:JammyPak
JammyPak earned 500 total points
ID: 12472666
it won't be all one subnet - you'll have to have separate internal address spaces (i.e. separate IP network addresses) in each site, and then you'll have to set up routing between the sites.

As for domain resolution, you'll just need to have internal DNS servers that are accessible to all sites. You could have 3 DNS servers, and make them all replicate to one another (make it AD-integrated DNS zone). Or, you could have some users querying DNS across the VPN link. In AD, you should also configure 'sites' - you can have one AD 'site' per physical location. Users will always try to login to a DC in the same site as they are, but if there's a location with no DC, then it will still find it in DNS and log the user in.
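As an added illustration of the two answers above (separate address space per office, routing between sites, and the central DNS/DC being reachable from every branch), here is a small Python planning check; it is not code from the thread. The site names, the 10.0.x.0/24 ranges and the SBS server address 10.0.1.10 are constructed assumptions, and the tunnel labels are placeholders for whatever the routers call their VPN interfaces.

```python
import ipaddress

# Constructed plan using the /24s suggested in the thread; the hub name and the
# DNS server address are assumptions, not values from the original post.
SITES = {"main": "10.0.1.0/24", "branch1": "10.0.2.0/24", "branch2": "10.0.3.0/24"}
HUB = "main"
DNS_SERVER = "10.0.1.10"  # assumed address of the SBS box (DC + DNS) at the main office


def check_no_overlap(sites):
    """Return every pair of sites whose LAN ranges overlap; an empty list means the plan is routable."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def hub_and_spoke_routes(sites, hub):
    """Static routes each site's VPN router needs, as sorted (destination, tunnel) pairs.

    Branches send every remote subnet down their tunnel to the hub; the hub
    sends each branch subnet down that branch's own tunnel.
    """
    routes = {}
    for name in sites:
        routes[name] = sorted(
            (cidr, f"vpn-to-{hub}" if name != hub else f"vpn-to-{other}")
            for other, cidr in sites.items() if other != name
        )
    return routes


def dns_reachable(sites, routes, dns_ip):
    """Per site: is the central DNS/DC either on the local LAN or covered by one of its routes?"""
    dns = ipaddress.ip_address(dns_ip)
    return {
        name: dns in ipaddress.ip_network(cidr)
        or any(dns in ipaddress.ip_network(dest) for dest, _ in routes.get(name, []))
        for name, cidr in sites.items()
    }


if __name__ == "__main__":
    # The "one big subnet" idea from the question, expressed as two sites sharing a range
    print("overlaps in bad plan:", check_no_overlap({"main": "10.0.1.0/24", "branch1": "10.0.1.0/24"}))
    print("overlaps in plan:", check_no_overlap(SITES))
    routes = hub_and_spoke_routes(SITES, HUB)
    for site, entries in routes.items():
        print(site, entries)
    print("DNS reachable from each site:", dns_reachable(SITES, routes, DNS_SERVER))
```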
 

Author Comment

by:fisc
ID: 12473002
At the main office we are running DHCP on the SBS server.  Since it sounds like I should for sure use separate subnets (and I like that better) then we will run DHCP on the routers at the branches.  The resolution of the domain name to the DC is the main thing I was concerned with... wasn't sure if the routers in the branches would pass the request through to resolve.
 
LVL 16

Expert Comment

by:JammyPak
ID: 12473098
domain resolution won't be a problem - as long as DNS is available to all sites...you could just have one DNS server, and have all clients use that even (this *could* be a bottleneck, but not necessarily...)
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12474193

Given the number of users you shouldn't really encounter any problems with DNS resolution.
 

Author Comment

by:fisc
ID: 12476676
Thanks.  I got the site-to-site VPN and logging into the central DC working this afternoon in our test lab.  Next step is to head to the branches and set them up!