Remote Access Upgrade


I would appreciate some experienced advice on this so just going to throw points at it for valued opinion and reference back to this setup description.

Two of our office buildings are connected via a leased line, with the unused one having another leased line which all Internet access goes through.
The building with the Internet-facing leased line is no longer used by us and is leased out to tenants who do not have any access to the network infrastructure other than their own switches linking the existing LAN for each building and an ADSL connection.

Office2 still tunnels through Office1 to access the Internet.
All servers (Exchange, Active Directory, file server etc.) are in Office2.

Everything has been working spot on and I want to make as little hardware changes as possible.
I have been asked to look into remote access requirements for currently 70 users but would like to base this scenario on up to 100

The remote users need access to one file server to upload files to.  Usually files too big to be sent via Outlook.  Also to store office documents which they work on.
Basically, Word, Excel, Powerpoint and PDF files.
And Intranet access to diary, timesheet and expense claim forms etc..
Anti Virus updates are via LAN also

This access is provided via IPsec VPN to the Cisco 3030 using Cisco client software.

Since the company provided ADSL, connectivity has been good.
When using dialup, it was not so good.
The only current connection problems would be occasionally large attachments in Outlook and sometimes slowish web browsing.
Dialup access is still barely usable though.

The problem is that they have been using their computers for personal stuff as well as work.
While work documents would probably be well under 100 MB, their MyDocs and folders are backing up 600Mb, mainly digital camera images.
They also can't be trusted to regularly back up files and occasionally lose things.

Management have asked for offline access to the c drive be blocked completely so all files worked on never leave the server, while still having access to Outlook email.

Here is more or less the current setup

    Remote User
 Cisco Client VPN
   576Kb ADSL
256k Leased Line
Cisco 3030 Concentrator
Cisco 2611 SRA Router
    Office 1
 256k Leased Line
    Office 2
Cisco 2611 SRA Router
  24 port Switch
 VLAN1       VLAN2  VLAN3
   |           |      |
Firewall     *****  *****
   |          LAN2   LAN3

A Sharepoint or similar document management system will allow them to work on files centrally over the VPN connection but will rely heavily on connection speed and latency.  

They are on the road all day and use their broadband mainly in the evenings to write up reports and send them to the server.  During the day, notes are taken in Word, and files are copied to their laptop, or to the server if this is restricted, which will be via GPRS datacard and is more or less 40k dialup speed due to the locations they travel to.

I was not part of this setup and will be travelling from Monday on to these locations to research performance etc... and come up with a solution.

The LAN is running Active Directory 2003 and Exchange 2003 in mixed mode as I believe there is an NT4 domain controller involved for some reason.  Hopefully will learn more about this tomorrow when I travel to Office2.

Before I go, I would like some advice on possible areas I should be looking at.


The router model is discontinued and the Cisco link above recommends it be replaced with this one, which has an updated OS and more memory and processing etc.

At £1500 each, would this be value for money per performance increase?  Or would the money be best spent elsewhere such as load balancing a central access solution?

If we implemented centralised document management such as Sharepoint, say 50 simultaneous users accessing documents this way.

From what research I have done so far, I feel a hardware solution between the LAN and firewall providing load balancing and acceleration may be a better option than Windows Load Balancing or software only.

What is the best value for money hardware solution to beef up Intranet access if we throw document management and file storage onto it as well?

I won't have more detailed hardware info until early next week unfortunately.

I don't skimp on points and will throw additional 500s for any followup info.  Really appreciate any advice.

Sir, might I suggest a look-see at terminal server based solutions. This uses the least amount of bandwidth, gets away from the problems with the home use of notebooks and will ultimately lower your costs and time spent troubleshooting and upgrading, with it all centralized. I've done this setup lots of times over simple ADSL, and even better with the centralized portion in a datacentre where the equipment is more available and in a better environment (longevity, stability, etc.). This in tandem with simple PPTP VPN can work quite well and offer a high degree of security.

Too many issues wrapped into one Q here.  Please list the 3 most important issues, one sentence each.

jessmca (Author) commented:
There aren't really any issues as yet.  At this point it is your advice I seek
There is a lot of info so I will try to summarise.

Background Info

Remote users need to access Outlook email, Intranet facilities, Anti Virus updates and manage documents and files over a VPN connection by ADSL and remote GPRS, which is the equivalent connectivity of a dialup connection.

Currently, they work on files locally on their laptops, go home and write up reports which are copied to a file share on the server and access over an IPSEC VPN to a Cisco 3030.

We now want to restrict access to their laptop storage and have all work documentation on the central server only using Sharepoint or something similar.
This will put more load on the connectivity and servers.

My first question was regarding the Cisco 2611 SRA Router linking the two offices.

Question 1

Cisco have posted an End-of-Sale Announcement basically saying that replacing this with the Cisco 2611XM will provide "Up to 33% performance increase for processor-intensive services", more memory etc.

I wanted opinion on whether this is a sales pitch or if the expense would give a worthwhile performance increase.  They are £1500 each.

Question 2

With 100 users accessing documents, Emails etc.. I was considering some load balancing options.

This is new to me so any advice really on this.  I will go off, read up on it and come back with additional follow up questions later, linking to this thread as background info.

1.  I would not pay the $2500 extra for their increased performance claims.  You can make this up on intelligent VPN setups.

2.  The way your internet access is structured sounds dicey at best.  You MUST have control of both the lines and the switches that route to the internet; you cannot rely on going through another group with hardware that could seriously degrade your connection.  100 user VPN will place a huge burden on this infrastructure, and you need to have control to minimize or optimize the switches so as to maximize throughput.  That, I would assign as #1 priority.

3.  The splitting of their digital images off from the work documents is fairly easy to do, but you must instruct the users what to put where.  On each desktop, there will be 2 LINKS -- one for "My Documents" and another for "My Pictures".   The My Documents link needs to route to the server, and the My Pix link can and probably should route to their local hard drive.  They need to be instructed to save the documents to the My Docs link and the MyPix to the local HDD.

4.  For some of the big files, you should consider sending them via FTP.  It is fairly easy to set up a Windows server for FTP, and make it login/password only (no anonymous).  Then you provide a program like FTP Voyager to the people (which you can integrate into the "Send To" shell of XP), that will send the big files via FTP.  The server translates this into their home directory.  For 10 users this would not be worth the effort, but for 100 users choking VPN, it will make a big difference to the server performance, a lot more than Cisco is claiming with their router upgrade.  The more big files you can get off VPN, the better you will see the performance for the critical files that are proprietary.

To add on to Scrathcyboy's comments

You can create a GPO to have a user's My Documents folder redirected and sync'd to a file server which you do back up. That setup is not without its own problems on bandwidth and the occasional error in syncing, which is sure to generate some help tickets.

I can't say for sure how I would set this up without your additional information, which I'll wait for. I've used F5 products before. They've been really reliable and easy to manage for me. They are a good front end product.

On the backend.

Sharepoint is a great application. You can even create mapped drives directly to Sharepoint folders. In larger farms it requires more servers than just clustering IIS boxes. You have to start to break up tasks, indexing and such, which requires more hardware and so on. All the data the users store in Sharepoint will go into a SQL database, which will also need to be a pig to handle the load of 100 users.

Hope that helps, if not I'll quit drinking while I type. :)
Oh one other thing, you're going to need much larger pipes than 256k if you expect your users to now start pushing 600mb files to you.
/agree with Nexusds

You'll see a lot of value with centralized application and file management when working with remote users. I manage a 300 user Citrix farm. With a setup like that you'd have to copy all their files to the file servers, but they could access them through Citrix. F5 Networks also offers a remote office solution. Users hit a webpage much like using the Citrix Gateway and they make a VPN connection automatically after they supply their user/pass, then they have what access you have given them to the file server in an easy to browse left pane window. That could also be an option. I don't remember what model I last used but it was within the past 2 years.

jessmca (Author) commented:

Thanks for the feedback


I won't be able to make changes to the route to the Internet through both buildings.
I do agree that it adds unnecessary overhead, but overall the connectivity is pretty good.

So Cisco's upgrade recommendation would not be good value for money in your opinion on performance increase.
That's good info.

Currently, the VPN is via the Cisco 3030 concentrator.  
It currently allocates an internal IP address which routes to the correct LAN via the Cisco 2611s and has been very reliable.
It also supports SSL-VPN.
What more efficient VPN option is there?

The users are not the best IT literacy wise.  I can see major problems mapping MyDocuments to a central server.  Especially when connected over GPRS at 50K.  

shniz123 / nexusds

I think Terminal Services is where we should be going and would be better value for money than implementing a Sharepoint option.
I know the Citrix ICA protocol gives better performance than Microsoft's RDP, but requires both Citrix and TS licensing for each user.
The applications are basically Office apps and web Browser.
The anti virus software is McAfee enterprise and is linked to the central server.  SSL-VPN may lose this centralisation but give better performance.

Also ICA supports mobile devices which could be useful for remote access.

Citrix appears to have the best solutions.

have shortlisted these two sites so far

Are there any other TS options I can look at so I can read up further before posting further questions?

There are many unseen cost savings that can easily go against the simple cost of TS CALs. Overall you have all files on the servers for backup and recoveries, better security and, believe me, when a PC or notebook goes missing or crashes, it is soooooo easy to get back up and running or configure another PC without them losing any settings. I generally use MS RDP, and depending on the colour depth and features (local drive mapping and/or audio mapping) the performance will vary in comparison to Citrix. There really are only the two I would suggest to work with. MS TS is all with one vendor and can make support easier, although Citrix does make things like single application sharing easier.

Actually the terminal services idea you awarded the accepted answer to is not a bad idea in this case.  You will have problems with printers and shares when you go to TS, but they can be overcome, and it solves the bandwidth issue.  No, the Cisco is not worth that huge cost for a fractional improvement.  Good luck.

Question has a verified solution.