Best way for VPN.

Posted on 2004-11-22
Medium Priority
Last Modified: 2013-11-16
I am going to be implementing a hardware VPN solution utilizing something along the lines of a Cisco PIX or SonicWall. I have done the VPN setup before, on a Unix platform. This time around I will be doing it on a Windows platform. What is the best way to extend a domain over a site-to-site VPN? Is there any good documentation about it? I have found tons of stuff on VPNs, just nothing specific on site-to-site VPNs with a win2k3 domain running over them. I understand each side has to have a distinct subnet associated with it, but how do I make the connection for the AD information and such to traverse the VPN?

Question by:cbtech

Expert Comment

ID: 12645172
I've set it up using the Cisco 1700 series routers and it worked really well.  All you need to do is buy the routers with the VPN accelerator cards, set up the config and you're ready to go.  

To get the traffic you want to go over the link, you simply have to define it as interesting traffic and it will go.  You do that in the config for the router.  I still have several config files for the 1700 series I'd be glad to share if you decide to go that way.  With luck, they will work for you and you'll be up and running right away.

As for documentation, there is lots of documentation for Cisco, but nothing that I know of that will directly address how to set up the VPN to run specifically over a Windows 2003 network.

Good luck!
LVL 18
ID: 12648400
I have done it numerous ways.  The current solution I am using is with Watchguard firewalls, but it works with Symantec or PIX.  I have also done it with Windows VPN.

What are you trying to accomplish?

In my case, the core network is at City Hall.  I have a Watchguard at City Hall and at the remote sites.  The firewalls establish a secure VPN tunnel between themselves.  So, now my remote sites actually log on to the domain from those remote sites.  If the remote site has a reasonable number of users you might want to put a Domain Controller there.  That way the users authenticate to that DC, which could also act as their file server, etc., but you would still have the connectivity and accessibility to the main site.

Author Comment

ID: 12648575
I have two remote sites, each with about 12 users. I would like to give them domain connectivity to the main site, but I would like to have each site use its own route out to the Internet, so I don't have all the Internet access piped through the VPN, just the domain information, like authentication and file sharing.  But if the VPN goes down, I want them to have Internet access too. How will this work with things like Active Directory integrated DNS and DHCP?

Accepted Solution

Robing66066 earned 500 total points
ID: 12648874
Well, a hardware site-to-site connection would be my first choice.  You would set a VPN router up at each site, along with a VPN router at your central site.  Program the VPN connection to be always on.  You can configure the router to forward all the DHCP requests from the remote sites to the central site and allow all Microsoft traffic (various ports including 88, 135-139 and 445 plus 53 for DNS).  That will take care of your integrated DNS and DHCP and shares.  

One word of caution about how you are talking about setting this up.  Providing your users direct access to the Internet from their site does open up a security risk.  Remember that these computers are now connected to your main network.  If you allow them to access the Internet through their own router, you provide hackers with another way into your network.  If one of those computers is compromised, an attacker could gain access to the rest of your network through them.  Since the tendency in this sort of situation is to purchase a less powerful solution for the remote sites, your weakest link in your security network will now be those sites.

I would instead recommend that all access to the Internet pass through the VPN connection.  You'll see more traffic on the VPN, but in the end it will be more secure.

I'd still recommend the Cisco 1700 series for this.  They are relatively inexpensive and should handle the number of users you are talking about.  (Assuming you have the bandwidth available...)

Good luck.

Expert Comment

ID: 12650913
I have set up multiple networks using Cisco routers.  My personal preference is the Cisco 831 router.  It comes with a 4-port hub on your inside interface and an Ethernet connection to your WAN side.  This router also comes with an encryption module and an IOS firewall, all for under $500.00.  The 1700 series routers are fine, just more expensive, and you have to purchase the IOS firewall and encryption separately.  The configuration on the 831 routers is pretty easy as well.  There is even a web-based configuration tool on these to help you configure the router.  I am not sure if the 1700 series routers come with this since I only use the Command Line Interface to configure routers.
LVL 18
ID: 12651031
If your connectivity to the main site goes down, your Internet should be fine.  Most firewalls or routers are smart enough to route traffic appropriately unless you tell them otherwise.  In other words, Internet traffic can always go directly to the web; however, requests to that certain server or resource that the firewall or router knows is over the VPN will be routed over the VPN.  If the VPN goes down, local and Internet traffic still work fine.
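As an added illustration of the accepted answer's "interesting traffic" plus AD port list and of the split-tunnel routing described just above, here is a remote-site Cisco IOS configuration fragment; it is not from the thread or from any of the posters. Every address, name and the pre-shared key placeholder are assumed, the DC is assumed to also be the DNS and DHCP server, and NAT for the local Internet path is omitted (if NAT is used, its ACL must exclude the tunnel subnets).

```cisco
! Remote-site IOS router (constructed example; all addresses are assumed):
!   remote LAN 10.2.0.0/24 on FastEthernet0, WAN FastEthernet1 = 203.0.113.2
!   main-site LAN 10.1.0.0/24 behind peer 198.51.100.2
!   DC that is also DNS and DHCP server = 10.1.0.10
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.2
crypto ipsec transform-set AD-TS esp-aes 256 esp-sha-hmac
!
! Interesting traffic: only remote-LAN <-> main-LAN packets enter the tunnel.
! Everything else follows the default route straight to the Internet (the
! split-tunnel behaviour discussed in the thread); a 'permit ip 10.2.0.0
! 0.0.0.255 any' here would instead force all traffic through the tunnel.
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! LAN-side policy: the ports from the accepted answer (53, 88, 135-139, 445)
! plus LDAP/GC (389, 636, 3268), which domain logon also needs.  RPC-based
! services such as AD replication negotiate extra dynamic high ports, so a
! replica DC at the remote site would need that range permitted as well.
ip access-list extended LAN-TO-MAIN
 permit udp any eq bootpc any eq bootps
 permit udp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 53
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 53
 permit udp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 88
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 88
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.10 range 135 139
 permit udp 10.2.0.0 0.0.0.255 host 10.1.0.10 range 137 138
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 389
 permit udp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 389
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 636
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 3268
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 445
 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 any
!
crypto map AD-VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set AD-TS
 match address 101
!
interface FastEthernet0
 ip address 10.2.0.1 255.255.255.0
 ip helper-address 10.1.0.10
 ip access-group LAN-TO-MAIN in
interface FastEthernet1
 ip address 203.0.113.2 255.255.255.0
 crypto map AD-VPN
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The `ip helper-address` line relays the clients' DHCP broadcasts to the main-site server as unicast sourced from 10.2.0.1, which matches ACL 101 and so rides the tunnel; the bootpc/bootps permit is required because the inbound LAN ACL is evaluated before the relay sees the broadcast.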

Expert Comment

ID: 12651443
You should take a look at this link:


It provides some insight into configuring Active Directory replication over slower connections such as a VPN. I have tried to do this in the past and had issues around the replication. One word of advice: schedule your replications for off-peak hours. AD replication can suck up the bandwidth of a VPN very quickly.

For hardware I would recommend a PIX. Even the smaller 501s can do site-to-site VPNs. This Cisco article shows how to set up a simple PIX-to-PIX VPN.

Good Luck,


Expert Comment

ID: 13677663
Hi, I have set up a VPN using Windows 2003 Server. I am able to reach the VPN server from the remote client over the Internet. But I am not able to see any PCs in the network or to access any of the shared folders at the head office. Why is it happening like this and what is the solution for this problem?
Thanks in advance
