Best way for VPN.

Posted on 2004-11-22
Last Modified: 2013-11-16
I am going to be implementing a hardware VPN solution utilizing something along the lines of a Cisco PIX or SonicWall. I have done the VPN setup before, on a Unix platform. This time around I will be doing it on a Windows platform. What is the best way to extend a domain over a site-to-site VPN? Is there any good documentation about it? I have found tons of stuff on VPNs, just nothing specific on site-to-site VPNs with a win2k3 domain running over them. I understand each side has to have a distinct subnet associated with it, but how do I make the connection for the AD information and such to traverse the VPN?

Question by:cbtech
    LVL 7

    Expert Comment

    I've set it up using the Cisco 1700 series routers and it worked really well. All you need to do is buy the routers with the VPN accelerator cards, set up the config and you're ready to go.

    To get the traffic you want to go over the link, you simply have to define it as interesting traffic and it will go.  You do that in the config for the router.  I still have several config files for the 1700 series I'd be glad to share if you decide to go that way.  With luck, they will work for you and you'll be up and running right away.

    As for documentation, there is lots of documentation for Cisco, but nothing that I know of that will directly address how to set up the VPN to run specifically over a Windows 2003 network.

    Good luck!
    LVL 16

    Expert Comment

    I have done it numerous ways. The current solution I am using is with Watchguard firewalls, but it works with Symantec or PIX. I have also done it with Windows VPN.

    What are you trying to accomplish?

    In my case, the core network is at City Hall. I have a Watchguard at City Hall and at the remote sites. The firewalls establish a secure VPN tunnel between themselves. So, now my remote sites actually log on to the domain from those remote sites. If the remote site has a reasonable number of users you might want to put a Domain Controller there. That way the users authenticate to that DC, which could also act as their file server, etc., but you would still have the connectivity and accessibility to the main site.

    Author Comment

    I have two remote sites, each with about 12 users. I would like to give them domain connectivity to the main site, but I would like to have each site use its own route out to the Internet, so I don't have all the Internet access piped through the VPN, just the domain information, like authentication and file sharing. But if the VPN goes down, I want them to have Internet access too. How will this work with things like Active Directory integrated DNS and DHCP?
    LVL 7

    Accepted Solution

    Well, a hardware site-to-site connection would be my first choice. You would set a VPN router up at each site, along with a VPN router at your central site. Program the VPN connection to be always on. You can configure the router to forward all the DHCP requests from the remote sites to the central site and allow all Microsoft traffic (various ports including 88, 135-139 and 445, plus 53 for DNS). That will take care of your integrated DNS and DHCP and shares.

    One word of caution about how you are talking about setting this up.  Providing your users direct access to the Internet from their site does open up a security risk.  Remember that these computers are now connected to your main network.  If you allow them to access the Internet through their own router, you provide hackers with another way into your network.  If one of those computers is compromised, an attacker could gain access to the rest of your network through them.  Since the tendency in this sort of situation is to purchase a less powerful solution for the remote sites, your weakest link in your security network will now be those sites.

    I would instead recommend that all access to the Internet pass through the VPN connection.  You'll see more traffic on the VPN, but in the end it will be more secure.

    I'd still recommend the Cisco 1700 series for this.  They are relatively inexpensive and should handle the number of users you are talking about.  (Assuming you have the bandwidth available...)

    Good luck.
    LVL 9

    Expert Comment

    I have set up multiple networks using Cisco routers. My personal preference is the Cisco 831 router. It comes with a 4-port hub on your inside interface and an Ethernet connection to your WAN side. This router also comes with an encryption module and an IOS firewall, all for under $500.00. The 1700 series routers are fine, just more expensive, and you have to purchase the IOS firewall and encryption separately. The configuration on the 831 routers is pretty easy as well. There is even a web-based configuration tool on these to help you configure the router. I am not sure if the 1700 series routers come with this since I only use the Command Line Interface to configure routers.
    LVL 16

    Expert Comment

    If your connectivity to the main site goes down, your Internet should be fine. Most firewalls or routers are smart enough to route traffic appropriately unless you tell them otherwise. In other words, Internet traffic can always go directly to the web; however, requests to that certain server or resource that the firewall or router knows is over the VPN will be routed over the VPN. If the VPN goes down, local and Internet traffic still work fine.
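    The accepted solution lists the Microsoft ports to allow across the tunnel, the first comment describes selecting "interesting traffic" in the router config, and the comment above describes how a branch router keeps forwarding local and Internet traffic when the tunnel is down. The following Python model is an added example, not configuration from this thread or from any vendor; the branch and hub subnets, the site names, and the ACL number are constructed sample values. It classifies each flow the way the answers describe (AD ports to the hub go over the tunnel, everything else is dropped or goes direct depending on whether split tunneling is on) and emits the IOS-style crypto ACL line that would select that interesting traffic.

```python
"""Forwarding-policy model for a branch router in a site-to-site VPN.

Added illustration for this thread, not a real device configuration.
Subnets, site names and the ACL number are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Ports the accepted answer wants allowed over the tunnel for a Windows
# domain: DNS, Kerberos, RPC endpoint mapper / NetBIOS, and SMB.
AD_PORTS = {53, 88, 135, 136, 137, 138, 139, 445}


@dataclass
class SitePolicy:
    local: ipaddress.IPv4Network          # branch LAN (constructed)
    hub: ipaddress.IPv4Network            # central site LAN (constructed)
    allowed_ports: set = field(default_factory=lambda: set(AD_PORTS))
    split_tunnel: bool = False            # True: branch uses its own Internet route
    tunnel_up: bool = True                # False: simulate the VPN being down


def make_branch_policy(local_cidr, hub_cidr, split_tunnel=False, tunnel_up=True):
    """Build a SitePolicy from CIDR strings (hypothetical helper)."""
    return SitePolicy(ipaddress.ip_network(local_cidr),
                      ipaddress.ip_network(hub_cidr),
                      split_tunnel=split_tunnel, tunnel_up=tunnel_up)


def classify(policy, src, dst, dport):
    """Return where the branch router sends a flow: local, tunnel, direct,
    deny (policy blocks it), drop (spoofed source) or unreachable (VPN down)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip not in policy.local:
        return "drop"                     # only branch-originated traffic leaves
    if dst_ip in policy.local:
        return "local"                    # LAN traffic never touches the tunnel
    if dst_ip in policy.hub:
        if not policy.tunnel_up:
            return "unreachable"          # hub resources vanish, nothing else does
        return "tunnel" if dport in policy.allowed_ports else "deny"
    # Internet-bound traffic.
    if policy.split_tunnel:
        return "direct"                   # branch's own route, works with VPN down
    return "tunnel" if policy.tunnel_up else "unreachable"


def interesting_traffic_acl(policy, acl_number=110):
    """Emit the IOS-style extended ACL line that selects tunnel traffic.

    With split tunneling off, everything from the branch LAN is interesting;
    with it on, only traffic to the hub subnet is.  Wildcard masks are the
    inverse of the prefix mask, which ipaddress exposes as hostmask.
    """
    src = f"{policy.local.network_address} {policy.local.hostmask}"
    dst = (f"{policy.hub.network_address} {policy.hub.hostmask}"
           if policy.split_tunnel else "any")
    return f"access-list {acl_number} permit ip {src} {dst}"


if __name__ == "__main__":
    full = make_branch_policy("10.1.0.0/24", "10.0.0.0/24")
    split = make_branch_policy("10.1.0.0/24", "10.0.0.0/24", split_tunnel=True)
    for pol, name in ((full, "full tunnel"), (split, "split tunnel")):
        print(name, interesting_traffic_acl(pol))
        for dst, port in (("10.0.0.5", 445), ("10.0.0.5", 3389), ("198.51.100.7", 443)):
            print(f"  10.1.0.10 -> {dst}:{port}: {classify(pol, '10.1.0.10', dst, port)}")
```

    Running it side by side shows the trade-off the accepted solution warns about: the split-tunnel policy keeps the branch online when the VPN drops, but it also gives every branch host a second path to the Internet that the hub firewall never sees, which is why the answer recommends the full-tunnel ACL (`permit ip <branch> any`) for small remote sites.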

    Expert Comment

    You should take a look at this link:

    It provides some insight into configuring Active Directory replication over slower connections such as a VPN. I have tried to do this in the past and had issues around the replication. One word of advice... schedule your replications for off-peak hours. AD replication can suck up the bandwidth of a VPN very quickly.

    For hardware I would recommend a PIX. Even the smaller 501s can do site-to-site VPNs. This Cisco article shows how to set up a simple PIX to PIX VPN.

    Good Luck,


    Expert Comment

    Hi, I have set up a VPN using Windows 2003 Server. I am able to reach the VPN server from the remote client over the Internet. But I am not able to see any PCs in the network, nor able to access any of the shared folders at the head office. Why is it happening like this and what is the solution for this problem?
    Thanks in advance
