Best method for networking branch offices

anarine asked:

Hi all,
Our company has one main office and 20 branch offices. The computers in the branch offices are not part of the Windows domain in the main office. Each branch site has an internet connection with a dynamic IP address. The main office has a static external IP address and an ISA server that provides clients with internet access.
Can someone guide me as to how best to network all the sites? I want branch users to each have a file server at their site; however, I want to restrict access to files by Active Directory groups. I also want to be able to remote desktop into the computers. I am thinking of placing an ISA server in each site, but don't know how to configure it in my scenario.
The solution should involve using ISA server and VPNs. How should I go about this?
sstone55423

The first decision you have to make is whether you want each location to go out directly to the Internet, or through the main office first. This is a security issue as well as a bandwidth issue.
The current trend for many companies is to either go with MPLS between multiple locations (for larger operations that have less $ constraints) or to go with VPNs from remote locations back to the main office. If you are going to use cable modem or DSL at the remote locations to save money (if they have few users) then you will want a Sonic Wall firewall at your main location (such as the NSA 3500/4500) and then smaller Sonic Wall firewalls (such as the TZ180/190 at locations with 25 users or so) and connect everything with VPN. This can support direct connection to the Internet from the locations, or sending all Internet requests back to the main office.
There is no good reason to use an ISA server, as this complicates things a great deal for little added value. The file server at each end should be a basic DC connected back to the main DC at your corporate office.

Another thing to consider also might be using a WAN compression device, such as a Riverbed http://www.riverbed.com/products/appliances/small_office.php
This can give you much greater bandwidth, and has an option for placing the DC (for authentication) directly on the Riverbed, rather than having a server there.

The MPLS option is more robust, as it gives you dedicated bandwidth. The problem is that it comes in 1.5Mb/s chunks, and is relatively expensive compared to VPN over public Internet options. If you have VoIP phone systems between your locations, you will need to go this route (or put a dedicated T1 for phone) at each location, as Internet/VPN options cannot give you satisfactory quality of service (QoS) for the phones.
anarine (asker)

Yes, I want each remote location to have direct internet access and not come through the main office. The reason why I wanted ISA server VPN is because I have the software already.
If each site has a dynamic address, will the SonicWall solution work?
Also, would I need to join the remote computers to the domain?
Keith Alabaster
SStone, would you like to qualify your comment on why ISA would be of little gain in this situation, or why there is no reason to install it?

Thanks

Keith
Anarine, do you have a level of budget for the activity?
If you want to control at the file level by AD groups then yes, the remote computer equipment will need to be joined to a domain. It does not need to be the same domain as your head office as trusts etc can be set up to allow inter-domain or forest controls from the head office.

Are you likely to have applications at the head office that you will want users at the remote office to access/run or are you thinking about just transferring files between locations?

Knowing some more about your 'design' view of how you want things to look when completed will give a much better position for us to comment upon.

Keith
ISA MVP MCT
I am offering my opinion; I recognize that other people have differing opinions. ISA is a software based firewall. An appliance based firewall is often faster, more robust, easier to fix when there is a problem, fewer problems.
I am certified with ISA, as well as with Sonic Wall, and a CISSP, and even though an appliance device is not free, you can get much better value with an appliance device. One of the biggest reasons is that the management interface is much easier to use for your average user; you don't have to pay someone like me if you want to add a rule to your firewall. Also, the hardware VPN in a Sonic Wall, or comparable appliance, is very fast compared to the software encryption in a software based firewall.
In several cases I have seen where the ISA server has crashed and it has taken days to get back up and running. A Sonic Wall device, you call, they ship, you get a replacement the next day, you load the config file that you saved, and you are up and running -- no OS to install and reconfigure like with ISA. Also, when you have some glitch, you power cycle, and it is back running in two or three minutes.
 
That's just my view.  I think, pretty much industry wide, people have abandoned software based firewalls for appliances.
 
All fair points but as ISA is also an appliance I am not sure they hold up. As you say though, everyone has their view.
ISA is an appliance? Hmmm. Microsoft ISA server is installed on top of Windows server; it is not an appliance device. Are you thinking of Cisco ASA? Appliance devices usually are firmware based, and have no hard drives to crash. That also makes them faster to boot and harder to attack.
Firmware is still software though. The real distinction is between software/firmware and *real* hardware based devices such as ASICs. Build an ISA server using solid state drives and it would meet the same 'appliance' criteria ;-)

Anyway I would go with ISA myself, join the branch offices to the domain and put an ISA server at each site. Link the branch ISA servers to the main office ISA server using site-to-site VPN links over your choice of internet medium.

You would be better off using static IPs at the branch offices, is there a reason why you have to stick with dynamic IPs?
No, ISA can be bought either in traditional software form or as an appliance. True it is not ASIC-based but it is fully hardened and locked down as a turnkey system/solution with three interfaces. It's sold under barracuda as I recall.

Personally I am not a fan of the appliance (ISA anyway) but I had to cover it to become a Microsoft Certified Trainer for ISA Server. The same approach has been taken for IAG (which is not even available as software at all).

anarine (asker)

All the branch offices are using broadband DSL internet with a dynamic IP. Can the site-to-site VPN work in this case?

I am assuming I will join the remote ISA to the domain, and configure a site-to-site VPN to the main office ISA.

I am also assuming that remote clients will obtain IP addresses from the DHCP server at the main office and log on to the DC at the main office. Does this make sense?

I wish the remote clients to have direct internet access from their own DSL.
ASKER CERTIFIED SOLUTION
EricTViking
anarine (asker)

Should the branch office domain controller be a child domain or a full catalog server?
Will I need to configure any DHCP relay agents, and port forwarding for remote desktop?
Will any configuration need to be done on the remote branch's DSL router?
 
1. Depends on your business architecture. Easiest is to make the DC a full catalogue server and use a single domain. But it largely depends on how many users, administration politics etc... ;-)

2. You won't need DHCP relay agents if you use a DHCP server at each branch. Also you won't need port forwarding as the site-to-site VPN will provide a route between branch and main office.

3. You will need to configure the branch office DSL routers to ensure the VPN endpoint correctly terminates to the ISA server. Best way is to present a public IP address to the external NIC of the ISA server - if you try to use port forwarding from the router to the ISA box you can run into problems.

Keep in mind that you want to connect everything together, but keep it loosely coupled enough that a link failure won't bring down all your branches i.e. keep DHCP, & GCs local to each branch. Try to make each branch integrated with the main, yet loosely coupled enough to remain operative in the case of a main office glitch.
anarine (asker)

3. "present a public IP address to the external NIC of the ISA"
Unfortunately I cannot do this. The DSL on the remote branch office has a dynamic public IP.
The external interface of the ISA in the remote branch has a private IP.
I have tried to configure the site-to-site VPN using PPTP but got an error trying to ping across. How do I know if the VPN has been successfully established? The remote branch ISA is not part of the domain.
You can look at the state of the interfaces in RRAS. That will tell you whether they are connected.

PPTP will probably work at a push, but my experience of L2TP is you need to run it between end points and not through any kind of NAT device or 'port forwarder'.
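An added example (not part of this thread, and not ISA or RRAS product code) of checking a site-to-site link from the server side, following the advice above to look at the interface state in RRAS. It assumes Windows Server 2012 or later with the RemoteAccess PowerShell module (Get-VpnS2SInterface); on an ISA-era server you would read the same state from the RRAS console's Network Interfaces node instead. The interface name 'Branch01', the host 10.1.0.10 and port 445 are placeholders for your own environment.

```powershell
# Added example: verify a site-to-site VPN is up AND actually routing traffic.
# Assumes the RemoteAccess module (Windows Server 2012+); interface/host values are placeholders.

function Test-SiteToSiteVpn {
    param(
        [Parameter(Mandatory)] [string] $InterfaceName,   # demand-dial interface name as shown in RRAS
        [Parameter(Mandatory)] [string] $RemoteHost,      # a host on the far LAN, e.g. the branch DC
        [int] $Port = 445                                  # SMB: "can I reach the file server" in one probe
    )

    # Step 1: tunnel state. ConnectionState is "Connected" only once the demand-dial
    # interface has authenticated and negotiated; "Disconnected" means look at the
    # RRAS event log / router config before chasing ping failures.
    $iface = Get-VpnS2SInterface -Name $InterfaceName -ErrorAction SilentlyContinue
    if (-not $iface) {
        return [pscustomobject]@{ Interface = $InterfaceName; State = 'NotFound'; Reachable = $false }
    }

    # Step 2: reachability. A tunnel can report Connected and still not pass traffic
    # when the static route for the far subnet is missing or a firewall rule blocks it,
    # so also test a TCP port on a host behind the tunnel rather than relying on the
    # state alone (ICMP may be filtered, which is why a TCP test is used here).
    $tcp = Test-NetConnection -ComputerName $RemoteHost -Port $Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        Interface = $iface.Name
        State     = $iface.ConnectionState
        Reachable = $tcp.TcpTestSucceeded
    }
}

# Usage (placeholder values): State should read "Connected" and Reachable should be True.
Test-SiteToSiteVpn -InterfaceName 'Branch01' -RemoteHost '10.1.0.10'
```

If State is Connected but Reachable is False, the problem is routing or filtering over the tunnel, not the VPN negotiation itself; if State is Disconnected, the branch DSL router's handling of the PPTP/GRE traffic is the first thing to check, as the reply above notes for NAT devices.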
anarine (asker)

The site-to-site VPN is working.
I joined the remote computer to the domain.
The group policy login scripts are not running after I log in.
Other registry policies, however, take effect.
How do I get the login scripts to run?
I respect your decision, as you had to go in some direction, and the solution you chose sounds plausible.
I caution you again though: you want an appliance firewall, and not ISA. There is a reason that almost all companies have abandoned software based firewall solutions in favor of appliance based firewalls. Also, the solution suggested, making the lone server the file server, the DNS and DHCP server as well as the ISA server, may be the least expensive up-front solution, but the most difficult to manage and maintain, and certainly a higher total cost solution over the long term.
A small appliance firewall at each location for under $1000 per location could offer you fast, bulletproof VPN that is not dependent on the server, requiring almost no maintenance. The VPN encryption is done in hardware, rather than in slower software on your server, taking up valuable server CPU cycles.
anarine (asker)

Personally, if I were to go with a hardware appliance I would go with a Cisco device, as I am CCNA certified.
The reason why I hesitate to implement this, however, is because there are so many modules - PIX, routers, ASA, VPN concentrators - and I am not sure which device or IOS feature set will cost-effectively provide exactly what I need for the number of licenses required.
I would be happy if you or someone could recommend a device model or website link. I intend to firstly implement PPTP VPN (IPsec deployed later). Each remote site will have approx. 20 users. Sites will be connected using site-to-site VPN.