Emog500

asked on

Remote client access to Windows Server 2003 through a hardware-based VPN

Hi Experts,

I am setting up a hardware-based VPN to connect a small remote office with workstations only to a larger main office with a Windows Server 2003 machine as a DC.

How should the remote clients authenticate, and what is needed for the remote clients to access the server's file sharing capabilities and log on to the domain? I am confused by the software-based VPN solutions; do I still need to set up RAS? Please detail a step-by-step procedure for what must be done on the server side. I do not want to use Remote Desktop into the server through this VPN tunnel.

Once they are past the VPN tunnel, is it business as usual and I set them up as if they were local clients on the domain, or is there something else needed to authenticate them as remote clients to the server if I want them part of the same domain? Server remote policy settings, etc.? What then is needed on the remote client side if these are XP Professional workstations?

Thanks so much for your help!



ASKER CERTIFIED SOLUTION
jwilding

Emog500

ASKER

Really appreciate the help. I know about the different subnets and the VPN stuff, just not sure what else is needed on the server config side. So when a user from the remote site logs in, does he see a login ID as if he were local, or is there an authentication step that must be done before he can log on to the domain that is different from a user at the main site? Does anything need to be done in the policy config pages on the server to accept this remote site?

jwilding

So long as the client PC has an unrestricted IP path to the server and can find the AD DNS, their user experience will be the same as if they were on the same LAN as the server, except that performance will be reduced. File sharing over the link may be dog slow. If you have Exchange Server 2003, make sure your remote users have Outlook 2003 running in cached Exchange mode. If you are using WINS, make sure your remote users point to the WINS server at the main site. Also look at your VPN config. For performance you want to split tunnel, i.e., all traffic that needs to go to the main site goes down the VPN, and all other internet traffic such as web browsing goes around the VPN direct to the internet. This last bit may have some security implications, but most small businesses do it in my experience.

J
Emog500

ASKER

For a small office of fewer than 10 users and a fractional T1 line, traffic should be okay. Split tunnel is something new I have never heard of; where in most FWs do you find that? I see the configs for setting up phase 1 and phase 2 of an IPsec tunnel but am not sure where or how splitting comes into the picture. I am using a Fortigate VPN; it resembles a WatchGuard FW. Can you tell me how this is done between the 2 VPN firewalls?

jwilding

If it is like WatchGuard, I believe it will split tunnel by default. Basically, if your main work subnet is 192.168.8.0/24, you set the remote firewall to only route traffic for that LAN down the VPN, and all other traffic goes around the VPN and out via the router. You can test it by doing a route trace from a remote PC to, say, google.com. If it goes via your main site, then it is forcing all traffic down the VPN, which will be slower.
I've never used a Fortigate (always wanted to, though).
Yes, a T1 should be fine for your number of users.

J
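The route-trace check suggested above can be automated so the result does not depend on eyeballing hop lists. This is an added example, not code from the thread: it parses tracert/traceroute output, and if any hop falls inside the main-site LAN (192.168.8.0/24, from the thread), it reports that Internet traffic is being forced through the tunnel. The remote LAN 192.168.20.0/24 and the hop addresses in the sample output are constructed.

```python
import ipaddress
import re

# Main-office LAN from the thread; only traffic for this prefix should go
# down the IPsec tunnel when the remote firewall is split-tunnelling.
MAIN_SITE_LAN = ipaddress.ip_network("192.168.8.0/24")

# Dotted-quad matcher; works for Windows tracert and Unix traceroute lines.
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def hop_addresses(trace_output):
    """Return hop IPs in order, skipping header lines and timed-out hops."""
    hops = []
    for line in trace_output.splitlines():
        line = line.strip()
        if not line or not line[0].isdigit():  # hop lines start with a number
            continue
        match = _IPV4.search(line)
        if match:
            hops.append(ipaddress.ip_address(match.group(1)))
    return hops

def tunnel_mode(trace_output, lan=MAIN_SITE_LAN):
    """Classify the remote firewall's VPN routing from a trace to an Internet host.
    A hop inside the main-site LAN means Internet traffic is being hauled through
    the tunnel ("full-tunnel"); otherwise it leaves via the local router ("split-tunnel").
    """
    hops = hop_addresses(trace_output)
    if not hops:
        return "unknown"
    return "full-tunnel" if any(hop in lan for hop in hops) else "split-tunnel"

# Constructed tracert output from a hypothetical 192.168.20.0/24 remote LAN
# (not from the thread); 203.0.113.10 stands in for google.com.
FULL_TUNNEL_TRACE = """Tracing route to google.com [203.0.113.10]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.20.1
  2    38 ms    41 ms    39 ms  192.168.8.1
  3     *        *        *     Request timed out.
  4    52 ms    51 ms    53 ms  203.0.113.10
"""
SPLIT_TUNNEL_TRACE = """Tracing route to google.com [203.0.113.10]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.20.1
  2    14 ms    13 ms    15 ms  192.0.2.1
  3    22 ms    21 ms    23 ms  203.0.113.10
"""
```

Run `tracert google.com` on a remote XP workstation and pass the captured output to `tunnel_mode()`; a "full-tunnel" result means the remote firewall's VPN policy is routing more than the 192.168.8.0/24 prefix through the tunnel.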
Emog500

ASKER

Yes, you are correct; I just checked that only PPTP protocols need configuring and not L2TP. Again, I really appreciate all your help; however, I am new to this site in asking questions, and you are the first. I hope you got your points, but if you did not, please show me how I can do this.

I have read and heard that doing this by VPN may be slow, as you have said. Is getting Terminal Server licenses a better way to go?

jwilding

TS licenses may speed things up, but it depends on where the data the remote users need to work with is sited. If it is at their own site, TS won't help; if it's at the main site, it may help more or less, depending upon file sizes. I would test it first without TS and then think about TS later if you need it.
Emog500

ASKER

Thanks again! Your help has been very valuable! Take care!