Best way for VPN.

I am going to be implementing a hardware VPN solution utilizing something along the lines of a Cisco PIX or SonicWall. I have done the VPN setup before, on a Unix platform. This time around I will be doing it on a Windows platform. What is the best way to extend a domain over a site-to-site VPN? Is there any good documentation about it? I have found tons of stuff on VPNs, just nothing specific on site-to-site VPNs with a Win2k3 domain running over them. I understand each side has to have a distinct subnet associated with it, but how do I make the connection for the AD information and such to traverse the VPN?


I've set it up using the Cisco 1700 series routers and it worked really well. All you need to do is buy the routers with the VPN accelerator cards, set up the config and you're ready to go.

To get the traffic you want to go over the link, you simply have to define it as interesting traffic and it will go. You do that in the config for the router. I still have several config files for the 1700 series I'd be glad to share if you decide to go that way. With luck, they will work for you and you'll be up and running right away.

As for documentation, there is lots of documentation for Cisco, but nothing that I know of that will directly address how to set up the VPN to run specifically over a Windows 2003 network.

Good luck!
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer; IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator, commented:
I have done it numerous ways. The current solution I am using is with WatchGuard firewalls, but it works with Symantec or PIX. I have also done it with Windows VPN.

What are you trying to accomplish?

In my case, the core network is at City Hall. I have a WatchGuard at City Hall and at the remote sites. The firewalls establish a secure VPN tunnel between themselves. So, now my remote sites actually log on to the domain from those remote sites. If the remote site has a reasonable number of users you might want to put a Domain Controller there. That way the users authenticate to that DC, which could also act as their file server, etc., but you would still have the connectivity and accessibility to the main site.
cbtech (Author) commented:
I have two remote sites, each with about 12 users. I would like to give them domain connectivity to the main site, but I would like to have each site use its own route out to the Internet, so I don't have all the Internet access piped through the VPN, just the domain information, like authentication and file sharing. But if the VPN goes down, I want them to have Internet access too. How will this work with things like Active Directory-integrated DNS and DHCP?

Well, a hardware site-to-site connection would be my first choice. You would set a VPN router up at each site, along with a VPN router at your central site. Program the VPN connection to be always on. You can configure the router to forward all the DHCP requests from the remote sites to the central site and allow all Microsoft traffic (various ports including 88, 135-139 and 445, plus 53 for DNS). That will take care of your integrated DNS and DHCP and shares.

One word of caution about how you are talking about setting this up. Providing your users direct access to the Internet from their site does open up a security risk. Remember that these computers are now connected to your main network. If you allow them to access the Internet through their own router, you provide hackers with another way into your network. If one of those computers is compromised, an attacker could gain access to the rest of your network through them. Since the tendency in this sort of situation is to purchase a less powerful solution for the remote sites, the weakest link in your network security will now be those sites.

I would instead recommend that all access to the Internet pass through the VPN connection. You'll see more traffic on the VPN, but in the end it will be more secure.

I'd still recommend the Cisco 1700 series for this. They are relatively inexpensive and should handle the number of users you are talking about. (Assuming you have the bandwidth available...)

Good luck.

I have set up multiple networks using Cisco routers. My personal preference is the Cisco 831 router. It comes with a 4-port hub on your inside interface and an Ethernet connection to your WAN side. This router also comes with an encryption module and an IOS firewall, all for under $500.00. The 1700 series routers are fine, just more expensive, and you have to purchase the IOS firewall and encryption separately. The configuration on the 831 routers is pretty easy as well. There is even a web-based configuration tool on these to help you configure the router. I am not sure if the 1700 series routers come with this since I only use the Command Line Interface to configure routers.
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer; IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator, commented:
If your connectivity to the main site goes down, your Internet should be fine. Most firewalls or routers are smart enough to route traffic appropriately unless you tell them otherwise. In other words, Internet traffic can always go directly to the web; however, requests to that certain server or resource that the firewall or router knows is over the VPN will be routed over the VPN. If the VPN goes down, local and Internet traffic still work fine.
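As an added illustration of the two designs discussed in this thread (the split-tunnel setup the asker describes, where only domain traffic crosses the VPN and Internet traffic uses each site's own ISP, versus the accepted answer's recommendation to send all Internet access through the VPN), here is a small Python model written for this page, not code from anyone in the thread. The subnets and sample flows are constructed; the port list is the one given in the accepted answer.

```python
import ipaddress

# Constructed addressing (assumption, not from the thread): one distinct /24 per site.
SITE_SUBNETS = {
    "main": ipaddress.ip_network("10.0.0.0/24"),
    "remote_a": ipaddress.ip_network("10.0.1.0/24"),
    "remote_b": ipaddress.ip_network("10.0.2.0/24"),
}
# Ports the accepted answer lists for domain traffic: 53 DNS, 88 Kerberos,
# 135-139 RPC endpoint mapper / NetBIOS, 445 SMB.
DOMAIN_PORTS = {53, 88, 445} | set(range(135, 140))
# Constructed sample flows (src, dst, dst_port); 203.0.113.10 is a TEST-NET-3 address.
FLOWS = [
    ("10.0.1.10", "10.0.0.5", 88),       # Kerberos to a DC at the main site
    ("10.0.1.10", "10.0.0.5", 3389),     # RDP: not on the allowed list
    ("10.0.1.10", "10.0.1.20", 445),     # local share, never leaves the site
    ("10.0.1.10", "203.0.113.10", 443),  # Internet-bound HTTPS
]

def site_of(ip):
    """Site whose subnet contains ip, or None for Internet addresses."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SITE_SUBNETS.items() if addr in net), None)

def tunnel_permits(src_ip, dst_ip, dst_port, full_tunnel):
    """Interesting-traffic ACL: inter-site domain ports only, unless the
    full-tunnel design also sends Internet-bound traffic through the VPN."""
    src, dst = site_of(src_ip), site_of(dst_ip)
    if src is None or dst == src:
        return False
    return full_tunnel if dst is None else dst_port in DOMAIN_PORTS

def next_hop(src_ip, dst_ip, vpn_up, full_tunnel):
    """Routing at a remote-site router: 'local_lan', 'tunnel', 'local_isp'
    (split tunnel: Internet via the site's own ISP) or 'drop' (VPN down)."""
    if site_of(src_ip) == site_of(dst_ip):
        return "local_lan"
    if site_of(dst_ip) is not None or full_tunnel:
        return "tunnel" if vpn_up else "drop"
    return "local_isp"

def evaluate(flows, vpn_up, full_tunnel):
    """Classify flows; tunnel traffic the ACL rejects becomes 'blocked_by_acl'."""
    out = []
    for src, dst, port in flows:
        hop = next_hop(src, dst, vpn_up, full_tunnel)
        if hop == "tunnel" and not tunnel_permits(src, dst, port, full_tunnel):
            hop = "blocked_by_acl"
        out.append((src, dst, port, hop))
    return out
```

Running `evaluate(FLOWS, vpn_up=False, full_tunnel=False)` shows the split-tunnel behaviour described above (local and Internet flows survive a VPN outage, domain flows do not), while `full_tunnel=True` shows the trade-off in the accepted answer: Internet access also goes down with the tunnel.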
You should take a look at this link:

It provides some insight into configuring Active Directory replication over slower connections such as a VPN. I have tried to do this in the past and had issues around the replication. One word of advice: schedule your replications for off-peak hours. AD replication can suck up the bandwidth of a VPN very quickly.

For hardware I would recommend a PIX. Even the smaller 501s can do site-to-site VPNs. This Cisco article shows how to set up a simple PIX-to-PIX VPN.

Good Luck,

Hi, I have set up a VPN using Windows 2003 Server. I am able to reach the VPN server from the remote client over the Internet. But I am not able to see any PCs in the network or access any of the shared folders at the head office. Why is it happening like this, and what is the solution for this problem?
Thanks in advance