Wide Area Network - Please Advise

Here is what we have:

PIX 506E at corp HQ
PIX 501 at 12 remote offices

Corp has:
- two Active Directory servers that are fully functional DNS and WINS servers.
- one Application Server that runs Symantec AV Corp Edition + a few other apps
- one Network Attached Storage server (shares files only available to users at Corp)

- We want to manage remote computers over a VPN via PIX boxes
- We also want to be able to push out Symantec installs so we can monitor virus protection
- We also want to be able to set up a very limited set of IPs/URLs that remote office computers can visit
- We want to be able to manage all user accounts and passwords at Corp with Active Directory

I have no Cisco experience, but all these boxes were configured by a previous admin. We've rebuilt the Active Directory structure correctly with a fully qualified domain name and everything is working fine, but at this point we haven't added any of the remote computers to the domain - just the corp ones (there are about 15 of those).

Although the VPNs are configured already and are running, the previous admin failed to provide correct usernames and passwords for the PIX boxes. I've already reset the password on the 506E at corp and have reviewed the PDM interface enough to know the VPNs are active. I will have to reset the passwords at each location on the PIX though, but when I do that I want to know how best to go about it and what the recommended configurations for DNS traffic are, considering all the desires I listed above.

1.) Should I point DNS back to Corp over the VPN or use the ISP's DNS?
2.) Is there a need to specify WINS back to Corp?
3.) What's the most secure way to remotely manage these PIX boxes?
4.) What is the best way to handle this conversion overall, step by step?
5.) Am I missing any important details? I'd like to take care of everything needed once remote site visits start so a second round of travel isn't required. Remote admin is key, since these offices are spread across the state.

I know an immediate question I will get is bandwidth: the corp office has a full T1 and each remote office has broadband with static IPs.

Any advice, feedback, ideas, suggestions would be greatly appreciated!  Also, pointers on Cisco PIX and configuring them for remote access would be great.

Thank you all!!!

1. With AD you have no choice but to use your AD DNS
2. Not if you use your DNS correctly and all workstations are XP
3. Via SNMP through the VPN tunnel
4. Pick the nearest office as your test bed and just start adding PCs to the domain and note anything unusual. The connectivity is already there, so it's just a matter of finding the DC. Is the PIX providing local DHCP? Be sure to give out the correct DNS IPs.
5. Just be sure to enable Remote Desktop on the PCs when you join them up to the domain.

Bandwidth will be an issue, especially at HQ with only a T1. If everybody has to come across the wire for all authentication and DNS, then it will increase your T1 load for sure. You definitely want to keep an eye on the usage and gauge its increase every time you convert a remote office. Do you have any monitoring tools today? I highly recommend SolarWinds http://www.solarwinds.net

To set up the PIX for remote access, it is simply a matter of designating the inside interface as the Management Access interface, enabling SNMP, and adding your network monitoring system's IP to the SNMP access list and your HQ subnet to the HTTP access list.
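The answer above gives the PIX steps only in prose and the follow-up asks for them as CLI commands, so here is an added configuration sketch for one remote-office PIX 501. It is not from the original thread, from LRMoore, or from Cisco documentation, and it assumes PIX OS 6.3 (the release the 501/506E typically ran). Every address is a placeholder: 10.0.0.0/24 is the corp LAN, 10.0.0.10 and 10.0.0.11 are the two AD servers acting as DNS and WINS, 10.0.0.50 is the monitoring host at corp, 192.168.10.0/24 is the remote-office LAN, and 203.0.113.10 is a hypothetical external web server the office is allowed to reach. It covers the DHCP scope that hands out the AD DNS/WINS servers (questions 1 and 2), management reached only through the existing tunnel (question 3), and the restricted outbound list the original post asked for.

```text
! Added example, not from the thread: remote-office PIX 501, PIX OS 6.3 assumed.
! Placeholders: 10.0.0.0/24 corp LAN, 10.0.0.10/.11 AD DNS+WINS, 10.0.0.50 NMS,
! 192.168.10.0/24 this office, 203.0.113.10 an allowed external web host.
hostname pix-remote01
domain-name corp.example.com

! Local credentials: replace both placeholders before pasting.
passwd <LOGIN-PASSWORD-PLACEHOLDER>
enable password <ENABLE-PASSWORD-PLACEHOLDER>

! DHCP for the office LAN: hand out the corp AD servers for DNS and WINS so
! domain-joined PCs resolve the DC over the tunnel (questions 1 and 2).
dhcpd address 192.168.10.100-192.168.10.130 inside
dhcpd dns 10.0.0.10 10.0.0.11
dhcpd wins 10.0.0.10 10.0.0.11
dhcpd domain corp.example.com
dhcpd lease 86400
dhcpd enable inside

! Let the inside interface answer SNMP, PDM (HTTPS) and SSH that arrive from
! corp through the site-to-site tunnel; without this the PIX only responds on
! the interface the packet came in on.
management-access inside

! SNMP on PIX 6.x is read-only (v1/v2c polling and traps): it is for the
! monitoring system, not for pushing configuration. Use a non-default
! community string and allow only the NMS host to poll or receive traps.
snmp-server community <SNMP-COMMUNITY-PLACEHOLDER>
snmp-server host inside 10.0.0.50
snmp-server enable traps

! PDM over HTTPS, restricted to the corp subnet only.
http server enable
http 10.0.0.0 255.255.255.0 inside

! CLI over SSH instead of telnet: generate the RSA key once (needs hostname
! and domain-name set first), then restrict SSH sources to the corp subnet.
! Leave no "telnet ... inside" lines so cleartext logins are not possible.
ca generate rsa key 1024
ca save all
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 10

! Outbound policy for the office PCs: corp over the tunnel first, then an
! explicit allow-list of external hosts; everything else is denied
! (the "limited set of IPs/URLs" requirement from the question).
access-list inside_out permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_out permit tcp 192.168.10.0 255.255.255.0 host 203.0.113.10 eq www
access-list inside_out permit tcp 192.168.10.0 255.255.255.0 host 203.0.113.10 eq 443
access-list inside_out deny ip any any
access-group inside_out in interface inside

write memory
```

Two design points. The block leaves the existing IPsec configuration alone and assumes its crypto access list already matches 192.168.10.0/24 to 10.0.0.0/24, since the tunnels are reported as working; the `inside_out` list must permit the corp subnet before the deny line or the tunnel traffic (including DNS to the DCs) is dropped. The access list restricts by IP only; limiting by URL on PIX 6.x requires an external filtering server (`url-server` / `filter url`), which this example does not set up.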

Mike4CCM (Author) commented:
1.) How do I enable SNMP through the VPN tunnel?
2.) I've added one PC to the domain, nothing was unusual. Yes, the local PIX is providing the local DHCP at the remote locations. At corp one of our servers is assigning DHCP.
3.) I've checked, and I can remote desktop to the computer's name from corp over the VPN to the remote office without having to use the IP address, which is good.
4.) Can you give me the steps you recommend in order to set up the PIX for secure remote access? Preferably in an order of commands I type into the PIX command line interface?
5.) Not sure what you are referencing with adding my network monitoring system's IP to the SNMP access and my HQ subnet to the HTTP access list?? Could you provide steps for accomplishing this?
6.) Most importantly, we want to be able to push out Symantec Corp Edition client installs and monitor their status from corp. Is this possible over the PIX VPN? Normally from Symantec's management console, I would do a remote client install, but it then prompts me to browse to the computer and the remote office computer doesn't appear in the network neighborhood?? Any suggestions?

Thanks for your help.
Keith Alabaster (Enterprise Architect) commented:
Mike, that is about 6 different questions in their own right.
Mike4CCM (Author) commented:

I am glad you see I have six different questions, they were numbered - good for you!  Did you have anything positive to say or a response that might answer at least one of the questions?

- Mike
Keith Alabaster (Enterprise Architect) commented:
Sarcasm doesn't help anyone, Mike. When you joined the site and read the members agreement plus the FAQs you saw that multiple questions require to be submitted separately/individually. LRMoore assisted you in the first instance with your first set, although he would have been in his rights to have asked you to follow the guidelines at that point. No-one has wanted to respond to your subsequent set of questions and as the thread has now been dormant for over 21 days it falls into the cleanup category.

As LRMoore has answered your initial question(s) it is fair to award him the points.
If you wish to dispute my recommendation then please post a comment in the community support section.
Question has a verified solution.