Solved

Remote office VPN to SBS 2003 network

Posted on 2007-04-06
Last Modified: 2012-08-13
Hi,

We are opening a new office about 15 miles away.  We currently have an SBS 2003 network with no hardware firewall in front of it (I know).  

We would like our new remote office to appear as though it were in our home office, i.e. be able to log into the domain, share files, etc.

What do I need to set this up?  Can I get a PIX 501 at the remote office and have it permanently connected to the main office via VPN?  I know it's not this simple; can someone please expound?

Thanks!
0
Question by:thomp361
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18864494
SBS has many built-in features that may actually meet your needs, such as Remote Web Workplace, client VPN access, Outlook Web Access, SharePoint and such. Assuming you are familiar with these (if not, please advise), you really need a site-to-site VPN to allow all users to connect seamlessly at the same time, for services such as you have described. This would require a VPN-capable router at each site. The Cisco PIX or the newer ASA5500 series would be my first choice, but there are others such as the Linksys RV042, Netgear FVS318, WatchGuard SOHO6 and so on, that will do the job nicely as well. Once installed, the SBS will be available to remote users for logons and authentication, shares, etc.
0
 

Author Comment

by:thomp361
ID: 18864578
Thanks for the response Rob.

I am familiar with the SBS features but I would like to have a more permanent/integrated solution.

So I would need a VPN router at both locations?  Why can't the remote office router just connect to the home office via SBS 2003 PPTP?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18864699
Most VPN capable routers use IPSec, which is extremely difficult, if even possible to configure, to connect with the SBS directly. A few, such as the PIX, do allow you to configure a PPTP site-to-site tunnel, but to be honest I have never tried to connect one directly to the SBS. This may well be possible, but I am not much help with that.

Ignoring the above, adding a VPN router increases performance slightly, due to offloading the encryption service to a dedicated device, and also drastically improves security by isolating the SBS and using IPSec encryption. The router option also allows you to configure it such that the entire remote site is available without having to pass all traffic through the SBS, if you wish.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18864717
By the way, personally I would think 2 Netgear or Linksys routers using IPSec would be more efficient and secure than SBS => PIX with PPTP, and less expensive.
Cisco of course, is still the best option.
0
 

Author Comment

by:thomp361
ID: 18864751
Thanks for the info.

Why is the Cisco still the best option over Netgear or Linksys?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18864790
Just the Cadillac of the router world. But just like a Chevette, the others will get you where you want to go <G>
Best security, most configurable options, very dependable hardware, best warranty, and BY FAR the best support service. Then again you have to pay for a support contract. The others do not require you to, but support is virtually non-existent.
0
 

Author Comment

by:thomp361
ID: 18864869
Ok great, thanks for your help!

On the main office side how would I set this up (on a theoretical level)?  i.e. where would the VPN router be placed?  Currently, the SBS WAN NIC runs straight to the DSL router.  Where should I put the VPN appliance in relation to the DSL router and SBS?

Note: this DSL router has 5 static ip addresses assigned to it, only one of which is being used.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 18864938
Place the router between the SBS and the DSL.
I assume you are using 2 network adapters with the SBS. You could also disable the WAN/Public adapter on the SBS, and connect the LAN side of the router and all PC's to a switch. Only advantage to this is it allows the remote site direct access to resources on the SBS site without having to "go through" the SBS. As a rule this is not necessary, unless perhaps you are running other servers, such as a terminal server.
If you do change any network configurations on the SBS, make sure you use the Configure E-mail and Internet Connection Wizard.

In case you are not aware, the two sites must use different subnets when using VPNs. If one site uses 192.168.1.x, the other must use something different such as 192.168.2.x. If you have mobile clients using the VPN the same conflict can exist, so it is best that your primary site uses an uncommon subnet. If you change the server IP, make sure you use the appropriate wizard for that as well. The wizards assure all SBS related services are properly configured.
0
 

Author Comment

by:thomp361
ID: 18865055
Thanks for the subnet tip.

Yes, two NICs on the SBS and I would prefer to keep it that way.  But going through the SBS could be sticky.

How about this.  Can I put the VPN appliance behind the DSL router (on a separate IP)?  Then have the LAN side of the VPN appliance connecting into my main office's all-PCs LAN switch?

Thanks!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18865137
Yes......sort of <G>
You were not wanting to use a router at the SBS site, so all traffic would have gone through the SBS. Why was it not an issue then? Putting the router on a separate IP is OK but doesn't protect the SBS.

By "sort of" I mean: that works fine, but you now have 2 gateways for the client (SBS network) machines, the SBS and the router. That is fine, but you can only assign one or the other. By assigning the router as the default gateway, your users no longer have the "filtering" capabilities of the SBS. Therefore there is no real advantage of having 2 NICs on the SBS.

Keep in mind the remote computers/servers at the other site can only connect to a device at the SBS site that has its default gateway pointing to the VPN, whether directly or through the SBS. If not, you can easily get around this, but static routes will need to be added to the router or devices, depending on the hardware selections.
0
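The subnet rule from the accepted solution and the default-gateway point in the comment above can be checked on paper before any hardware is bought. This is an added example, not code from any poster in the thread; the 10.71.x.x addresses, the list of common consumer defaults and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: LAN ranges that consumer routers commonly ship with.
COMMON_DEFAULTS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]

def overlaps(a, b):
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def check_subnets(main, remote, client_defaults=COMMON_DEFAULTS):
    """Return findings for a two-site plan (empty list means no conflict)."""
    findings = []
    if overlaps(main, remote):
        findings.append(f"site conflict: {main} overlaps {remote}")
    for net in client_defaults:
        if overlaps(main, net):  # a mobile client's home LAN could collide
            findings.append(f"mobile-client risk: {main} overlaps {net}")
    return findings

def next_hop(routes, dest):
    """Longest-prefix match over (prefix, gateway) pairs, as a host would do."""
    dest_ip = ipaddress.ip_address(dest)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dest_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def return_path_ok(routes, remote_subnet, vpn_router):
    """True if this host sends replies for the remote site to the VPN router."""
    probe = ipaddress.ip_network(remote_subnet).network_address + 1
    return next_hop(routes, str(probe)) == vpn_router

if __name__ == "__main__":
    # Constructed plan: SBS LAN NIC is 10.71.16.2, VPN router LAN is 10.71.16.1.
    print(check_subnets("192.168.1.0/24", "192.168.1.0/24"))
    print(check_subnets("10.71.16.0/24", "10.71.17.0/24"))
    pc_routes = [("0.0.0.0/0", "10.71.16.2")]          # default gateway = SBS
    print(return_path_ok(pc_routes, "10.71.17.0/24", "10.71.16.1"))
    pc_routes.append(("10.71.17.0/24", "10.71.16.1"))  # static route added
    print(return_path_ok(pc_routes, "10.71.17.0/24", "10.71.16.1"))
```

A `False` from `return_path_ok` only means the host itself does not hand remote-site traffic to the VPN router; if its next hop is the SBS, the same check has to pass on the SBS's own routing table.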
 

Author Comment

by:thomp361
ID: 18865387
I see the dilemma.

So the easiest solution would be to put the VPN appliance behind the DSL.  Then plug the VPN LAN into my all-PCs switch.

Then, disable my SBS WAN and leave the SBS LAN plugged into the all PC's switch.

Now my VPN appliance is the default gateway for all PCs.

Is this correct?  I really would like my SBS to remain the default gateway but not required.

Thanks!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18865423
>>"Is this correct?"
Bingo ! Make sure you use the wizards for any changes on the SBS. You can completely "break" it doing so manually. The wizards can be run multiple times if you don't like the way you did something.

>>"I really would like my SBS to remain the default gateway but not required."
That is no problem. As mentioned the simple way is to put the router between it and the Internet. All services like RWW, Web mail and such can have the traffic forwarded through the router to the SBS, and actually gives you double protection.
You can also put the router alongside the SBS, but may require some static routes be added to the network. This is quite common.
0
 

Author Comment

by:thomp361
ID: 18865823
Ok, just so I can make the best decision here.

In the second scenario.  If I put the router between SBS and the internet, the VPN would have to "go through" SBS.  Is that hard to configure?  Plus that would require SBS resources.  So maybe the first scenario is better...?

Lastly, what Linksys routers would you recommend?

Thanks!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18866473
>>"If I put the router between SBS and the internet, the VPN would have to "go through" SBS.  "
No sorry I may have mis-phrased that.
-The VPN connection is made to the router itself. No actual VPN traffic passes through the SBS.
-All VPN configuration is done on the router only.
-If Internet based users want to connect, you need to configure some port forwarding on the router. For example if you have Remote Web Workplace enabled you need to forward ports 4125 and 3389 to the SBS. This is very easy to do.
-In most cases the remote users, at the other site, only want to access the SBS, but if they want to access other devices on the SBS's LAN, this traffic has to pass through the SBS. One common scenario for this would be a Terminal Server on the LAN side of the SBS.
-Where are you located? I'll drop down and we can configure together <G> Actually one of the most complicated parts is just deciding which method you want to use. There are several and all are quite acceptable.

My personal favorite in the "affordable" price range is the Linksys RV042, at least for this configuration. Very easy to configure, allows you to use dynamic IP public addresses, up to about 50 tunnels, though that can be increased, no licensing fees, no support fees, allows 2 Internet connections if you should want some built-in redundancy, and has 2 mobile VPN client options. Most importantly I have at least 20 of these in place and never had a problem. They also frequently come out with firmware updates for these, which add features.
The one common problem with these units is their IPSec VPN client for mobile users. I have never had a problem with it but a lot of people have. They have recently added PPTP mobile client access using the built-in Windows VPN client, which works extremely well if you need that option.
One note: I highly recommend the primary site have a static public IP address. Though the RV042 works well with dynamic IP's it can be a little flaky, as can all VPN's, if both are dynamic. Looks like yours is already static, if you have 5, so you should be all set.

For the record Linksys has a new RVL200 that has some very nice features for this purpose, but I always buy one of the newer units for testing and the RVL200 seems to have a lot of bugs. I'm sure they will be fixed in time with firmware updates, but for now the RV042 is very stable and the one I would recommend.
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1123638171618&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=7161822279B08
0
 

Author Comment

by:thomp361
ID: 18867269
Right, the VPN connection is made with the router.  

I would prefer using this scenario rather than the "VPN acting as the default gateway/all PCs (including SBS w/WAN disabled) on a switch."

In my preferred scenario (internet -> router -> SBS -> LAN), the router's LAN is then plugged into the SBS's WAN?  Now the remote office will essentially see the WAN side of the SBS?  Is that correct?  Doesn't seem like they would be able to log into the domain and etc.

Located in MI

Thanks for your help!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18867619
>>"Now the remote office will essentially see the WAN side of the SBS?  Is that correct?"
Yes.

>>"Doesn't seem like they would be able to log into the domain and etc."
Correct, as is. You would then need to reconfigure the WAN side to allow access, and routing. It does have the advantage of being able to restrict some traffic if you like, by using the Windows firewall, but limited at best, and most services are required for authentication and file access, so it's not a major bonus. As a result, though this configuration is quite acceptable and common, I usually go with the single network adapter option.

I'm NS, east coast of Canada. Fair jaunt for a couple of days but what the heck, eh! <G>
0
 

Author Comment

by:thomp361
ID: 18867627
Single NIC it is!

Thanks for all of your help, I really appreciate it!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18867711
Very welcome. Thank you.
If during your configuration you have any other questions, and you want me to have a look, just send an e-mail with a pointer to the question, to the address on my profile (click on RobWill).
Cheers !
--Rob
0
