Solved

Site to Site VPN

Posted on 2007-03-17
5
336 Views
Last Modified: 2010-04-09
Hi  please have a look at the following setup:

Site A
OS: Windows 2003 Standard
Services: Exchange, AD, Apps, Files
Firewall: Cisco PIX 506e

Site B
OS: Windows SBS
Services: Exchange, AD, Files
Firewall Cisco PIX 501

Now because the Site B doesn't have many users I want to decommission the server there so that users can log on to the main AD on Site A.  I want to try out site to site VPN.  Can anyone give me hints?  Is there a way that users can log in straight to the other network.  I want the VPN to be invisible to the users so they don't have to log in.  Many thanks
OS:
0
Comment
Question by:KhalidJ
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18740058
In this scenario SBS needs to be the PDC of a single domain and as such you should move to site A and Server 2003 to site B.
You can certainely use the SBS VPN (SBS Connection) to join your users remotely (or use RWW)
Even better: Keep your server 2003 and join it to the SBS domain as a Domain controller (You want to do this locally and you NEED to use the Add new server wizard in Server Management on SBS). This will replicate your users. Setup the  server  2003 as DHCP and DNS getting it's user data over VPN (Tunnel) from the SBS server. (SBS and Server 2k3 will need to be on unique subnets)
This will mean that the AD is replicated  and even if you loose internet your users will still be able to logon locally (=SiteA)
If you use R2 versions you can Replicate files too. Very easy with very little Internet overhead. Very cool.
Since you have exchange on Server 2003 you could set that up as a backup mail server too.
Or for remote users use RPC over Http. Users won't know the difference and be able to use outlook normally (even if the VPN drops but Internet is active).
If you need help with any of this please don't hesitate to ask.
Olaf
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 18740790
If you create a site-site VPN tunnel between the two PIX firewalls, you can then de-commision the SBS server and users can join the domain at SiteA and work just like the server was local. All it takes is proper DNS setup on the AD so that users in site B can resolve the SRV records for the domain.
They will still be on two different subnets, so I think you would have to define the subnet for siteB in AD.

Here's example for simple site-site VPN with PIX
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
0
 
LVL 13

Expert Comment

by:Kini pradeep
ID: 18741333
is the windows server insite A part of sbs domain ?
and are you decomissioning the sbs dc ??
0
 
LVL 1

Author Comment

by:KhalidJ
ID: 18759472
Site A is on a different domain.  Plan is to use a single domain only.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18760631
The scenariao I proposed needs to be single domain with SBS server as main server.
This also means you don't need any server 2003 licenses only sbs licenses.
Olaf
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question