Solved

Best method for networking branch offices

Posted on 2008-10-07
Last Modified: 2012-06-21
Hi all,
Our company has one main office and 20 branch offices. The computers in the branch offices are not part of the Windows domain in the main office. Each branch site has an internet connection with a dynamic IP address. The main office has a static external IP address and an ISA server that provides clients with internet access.
Can someone guide me as to how best to network all the sites? I want branch users to each have a file server at their site; however, I want to restrict access to files by Active Directory groups. I also want to be able to remote desktop into the computers. I am thinking of placing an ISA server in each site, but don't know how to configure it in my scenario.
The solution should involve using ISA server and VPNs. How should I go about this?
Question by:anarine
19 Comments
 
LVL 8

Expert Comment

by:sstone55423
The first decision you have to make is whether you want each location to go out directly to the Internet, or through the main office first.  This is a security issue as well as a bandwidth issue.
The current trend for many companies is to either go with MPLS between multiple locations (for larger operations that have less $ constraints) or to go with VPNs from remote locations back to the main office.  If you are going to use cable modem or DSL at the remote locations to save money (if they have few users) then you will want a Sonic Wall firewall at your main location (such as the NSA 3500/4500) and then smaller Sonic Wall firewalls (such as the TZ180/190 at locations with 25 users or so) and connect everything with VPN.  This can support direct connection to the Internet from the locations, or sending all Internet requests back to the main office.
There is no good reason to use an ISA server, as this complicates things a great deal for little added value.  The file server at each end should be a basic DC connected back to the main DC at your corporate office.
 
Another thing to consider also might be using a WAN compression device, such as a Riverbed http://www.riverbed.com/products/appliances/small_office.php
This can give you much greater bandwidth, and has an option for placing the DC (for authentication) directly on the Riverbed, rather than having a server there.
 
 
LVL 8

Expert Comment

by:sstone55423
The MPLS option is more robust, as it gives you dedicated bandwidth.  The problem is that it comes in 1.5Mb/s chunks, and is relatively expensive compared to VPN over public Internet options.  If you have VoIP phone systems between your locations, you will need to go this route (or put a dedicated T1 for phone) at each location, as Internet/VPN options cannot give you satisfactory quality of service (QoS) for the phones.
 

Author Comment

by:anarine
Yes, I want each remote location to have direct internet access and not come through the main office. The reason why I wanted ISA server VPN is because I have the software already.
If each site has a dynamic address, will the SonicWall solution work?
Also, would I need to join the remote computers to the domain?
 
LVL 51

Expert Comment

by:Keith Alabaster
SStone, would you like to qualify your comment on why ISA would be of little gain in this situation or why there is no reason to install it?

Thanks

Keith
 
LVL 51

Expert Comment

by:Keith Alabaster
Anarine, do you have a level of budget for the activity?
If you want to control at the file level by AD groups then yes, the remote computer equipment will need to be joined to a domain. It does not need to be the same domain as your head office, as trusts, etc., can be set up to allow inter-domain or forest controls from the head office.

Are you likely to have applications at the head office that you will want users at the remote office to access/run or are you thinking about just transferring files between locations?

Knowing some more about your 'design' view of how you want things to look when completed will give a much better position for us to comment upon.

Keith
ISA MVP MCT
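To make concrete why the branch machines have to be domain-joined before AD groups can gate file access, here is an added illustration (not code from the thread or from ISA/Windows) of how a Windows-style DACL is evaluated against a logon token. The group names, users and share ACL below are constructed for the example; the evaluation order (explicit denies before allows, first overlapping deny fails the check, allows accumulate until every requested right is granted) is the documented Windows behaviour, and the point it demonstrates is that a workgroup client's token simply never carries the domain group SIDs, so domain-group ACEs can never match.

```python
from dataclasses import dataclass

# Simplified access mask bits (constructed; real NTFS masks are richer).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass
class Ace:
    kind: str        # "allow" or "deny"
    principal: str   # user or group name, e.g. "CORP\\Finance" (constructed)
    rights: int      # access mask bits this ACE applies to


def canonical(dacl):
    """Order ACEs the way the Windows ACL editor does: explicit denies first."""
    return sorted(dacl, key=lambda ace: 0 if ace.kind == "deny" else 1)


def logon_token(user, domain_groups, domain_joined):
    """Model of the security token a client builds at logon.

    A domain-joined client authenticates against a DC and receives its domain
    group memberships; a workgroup client only knows local principals, so the
    domain groups are absent and domain-group ACEs never apply to it.
    """
    if not domain_joined:
        return {user}
    return {user, *domain_groups.get(user, ())}


def check_access(dacl, token, requested):
    """Walk the DACL in order and decide whether `requested` rights are granted.

    - An ACE whose principal is not in the token is skipped.
    - A deny ACE that overlaps the still-outstanding rights fails the check.
    - An allow ACE removes its rights from the outstanding set; once nothing
      is outstanding, access is granted.
    - Reaching the end with rights still outstanding means access is denied
      (there is no implicit allow).
    """
    remaining = requested
    for ace in dacl:
        if ace.principal not in token:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return remaining == 0


if __name__ == "__main__":
    # Constructed branch file share ACL and group membership, for illustration.
    finance_share = canonical([
        Ace("allow", "CORP\\Domain Users", READ),
        Ace("allow", "CORP\\Finance", READ | WRITE | DELETE),
        Ace("deny", "CORP\\Contractors", WRITE | DELETE),
    ])
    groups = {
        "alice": ["CORP\\Finance", "CORP\\Domain Users"],
        "bob": ["CORP\\Contractors", "CORP\\Finance", "CORP\\Domain Users"],
    }
    for joined in (True, False):
        token = logon_token("alice", groups, joined)
        print("alice joined=%s read+write -> %s"
              % (joined, check_access(finance_share, token, READ | WRITE)))
```

Run it and the second line shows the failure mode the thread is circling: the same user with the same ACL is refused once the client is not domain-joined, because the token has nothing for the ACEs to match.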
 
LVL 8

Expert Comment

by:sstone55423
I am offering my opinion; I recognize that other people have differing opinions.  ISA is a software based firewall.  An appliance based firewall is often faster, more robust, easier to fix when there is a problem, fewer problems.
I am certified with ISA, as well as with Sonic Wall, and a CISSP, and even though an appliance device is not free, you can get much better value with an appliance device.  One of the biggest reasons is that the management interface is much easier to use for your average user; you don't have to pay someone like me if you want to add a rule to your firewall.  Also, the hardware VPN in a Sonic Wall, or comparable appliance, is very fast compared to the software encryption in a software based firewall.
In several cases I have seen where the ISA server has crashed and it has taken days to get back up and running.  With a Sonic Wall device, you call, they ship, you get a replacement the next day, you load the config file that you saved, and you are up and running -- no OS to install and reconfigure like with ISA.   Also, when you have some glitch, you power cycle, and it is back running in two or three minutes.
 
That's just my view.  I think, pretty much industry wide, people have abandoned software based firewalls for appliances.
 
 
LVL 51

Expert Comment

by:Keith Alabaster
All fair points but as ISA is also an appliance I am not sure they hold up. As you say though, everyone has their view.
 
LVL 8

Expert Comment

by:sstone55423
ISA is an appliance?  Hmmm.  Microsoft ISA server is installed on top of Windows server; it is not an appliance device.  Are you thinking of Cisco ASA?  Appliance devices usually are firmware based, and have no hard drives to crash.  That also makes them faster to boot and harder to attack.
 
LVL 11

Expert Comment

by:EricTViking
Firmware is still software though. The real distinction is between software/firmware and *real* hardware based devices such as ASICs.  Build an ISA server using solid state drives and it would meet the same 'appliance' criteria ;-)

Anyway I would go with ISA myself, join the branch offices to the domain and put an ISA server at each site. Link the branch ISA servers to the main office ISA server using site-to-site VPN links over your choice of internet medium.

You would be better off using static IPs at the branch offices, is there a reason why you have to stick with dynamic IPs?
 
LVL 51

Expert Comment

by:Keith Alabaster
No, ISA can be bought either in traditional software form or as an appliance. True it is not ASIC-based but it is fully hardened and locked down as a turnkey system/solution with three interfaces. It's sold under Barracuda as I recall.

Personally I am not a fan of the appliance (ISA anyway) but I had to cover it to become a Microsoft Certified Trainer for ISA Server. The same approach has been taken for IAG (which is not even available as software at all).

 

Author Comment

by:anarine
All the branch offices are using broadband DSL internet with a dynamic IP. Can the site to site VPN work in this case?

I am assuming I will join the remote ISA to the domain, and configure site to site VPN to the main office ISA.

I am also assuming that remote clients will obtain IP addresses from the DHCP server at the main office and log on to the DC at the main office. Does this make sense?

I wish that the remote clients will have direct internet access from their own DSL.
 
LVL 11

Accepted Solution

by:
EricTViking earned 50 total points
Your best bet would be to ask your ISP for a static IP for your DSL connection. If not you *may* be able to use a Dynamic DNS Service (but I haven't tried this on a site-site VPN link, and wouldn't recommend it).

If you make the file server at each site a Domain Controller, join it to the main domain and make it a global catalogue server, a DNS server and a DHCP server.  The branch office clients will then login to their local DC and will obtain DHCP addresses from it too. This gives you an element of redundancy should the link go down (people can still login locally).

If you use a site to site VPN link in ISA, the clients will use their own local branch DSL line for internet access. Just traffic between main office and branch will be routed over the VPN.
 

Author Comment

by:anarine
Should the branch office domain controller be a child domain or full catalog server?
Will I need to configure any DHCP relay agents, and port forwarding for remote desktop?
Will any configuration need to be done on the remote branch's DSL router?
 
 
LVL 11

Expert Comment

by:EricTViking
1. Depends on your business architecture. Easiest is to make the DC a full catalogue server and use a single domain. But largely depends on how many users, administration politics etc... ;-)

2. You won't need DHCP relay agents if you use a DHCP server at each branch. Also you won't need port forwarding as the site-to-site VPN will provide a route between branch and main office.

3. You will need to configure the branch office DSL routers to ensure the VPN endpoint correctly terminates to the ISA server. Best way is to present a public IP address to the external NIC of the ISA server - if you try to use port forwarding from the router to the ISA box you can run into problems.

Keep in mind that you want to connect everything together, but keep it loosely coupled enough that a link failure won't bring down all your branches, i.e. keep DHCP and GCs local to each branch. Try to make each branch integrated with the main, yet loosely coupled enough to remain operative in the case of a main office glitch.
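The two answers above (local DC/DHCP per branch, site-to-site VPN carrying only inter-office traffic, no port forwarding needed for Remote Desktop) all come down to the route tables on either end of the tunnel. The following is an added model of that routing decision, not code from the thread or from ISA/RRAS; the subnets (branch LAN 192.168.20.0/24, main-office LAN 10.0.0.0/16) and interface names are constructed. It shows longest-prefix matching on the branch side, the matching return routes the main office must hold so replies to branch clients do not leak out its default route, and which destinations actually pass through the branch's NAT'd DSL line.

```python
import ipaddress

# Constructed addressing for one branch (not from the thread):
#   branch LAN       192.168.20.0/24  - served locally by the branch DC (DNS/DHCP/GC)
#   main-office LAN  10.0.0.0/16      - reachable only through the site-to-site VPN
#   default          0.0.0.0/0        - the branch's own DSL line (NAT, no VPN)
BRANCH_ROUTES = [
    (ipaddress.ip_network("192.168.20.0/24"), "branch-lan"),
    (ipaddress.ip_network("10.0.0.0/16"), "vpn-to-main"),
    (ipaddress.ip_network("0.0.0.0/0"), "local-dsl"),
]


def next_hop(dst, routes=BRANCH_ROUTES):
    """Longest-prefix match, the way the ISA/RRAS box picks an outgoing interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def path_crosses_nat(dst, routes=BRANCH_ROUTES):
    """True when traffic to `dst` leaves through the NAT'd DSL line.

    Anything that goes over the VPN (main-office hosts, and in the reverse
    direction the branch PCs) never touches the DSL router's NAT, which is why
    Remote Desktop from the main office needs no inbound port-forward rule on
    the branch router.
    """
    return next_hop(dst, routes) == "local-dsl"


def main_office_routes(branch_nets):
    """Return routes the main-office side must carry: one VPN route per branch.

    Without these the main office would answer a branch client via its own
    default route (the ISA external interface) instead of back down the tunnel.
    """
    routes = [(ipaddress.ip_network(n), "vpn-to-branch") for n in branch_nets]
    routes += [
        (ipaddress.ip_network("10.0.0.0/16"), "main-lan"),
        (ipaddress.ip_network("0.0.0.0/0"), "isa-external"),
    ]
    return routes


def split_tunnel_report(destinations, routes=BRANCH_ROUTES):
    """Map each destination to the interface it exits on, for a quick sanity check
    that only inter-office traffic is steered into the VPN."""
    return {dst: next_hop(dst, routes) for dst in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: a main-office file server, a branch PC,
    # and a public web server (TEST-NET address).
    for dst, iface in split_tunnel_report(
            ["10.0.1.25", "192.168.20.50", "203.0.113.9"]).items():
        print("%-16s -> %-12s crosses NAT: %s" % (dst, iface, path_crosses_nat(dst)))
```

The report is the check a practitioner wants before declaring a site-to-site link healthy: the main-office address must resolve to the VPN interface, the branch address to the local LAN, and only the public address to the DSL line. If the main-office host shows up on "local-dsl", the tunnel route is missing and pings will fail even though the VPN itself may be up.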
 

Author Comment

by:anarine
3. "present a public IP address to the external NIC of the ISA"
Unfortunately I cannot do this. The DSL on the remote branch office has a dynamic public IP.
The external interface of the ISA in the remote branch has a private IP.
I have tried to configure the site to site VPN using PPTP but got an error trying to ping across. How do I know if the VPN has been successfully established? The remote branch ISA is not part of the domain.
 
LVL 11

Expert Comment

by:EricTViking
You can look at the state of the interfaces in RRAS. That will tell you whether they are connected.

PPTP will probably work at a push, but my experience of L2TP is you need to run it between end points and not through any kind of NAT device or 'port forwarder'.
 

Author Comment

by:anarine
The site to site VPN is working.
I joined the remote computer to the domain.
The group policy login scripts are not running after I log in.
Other registry policies however take effect.
How do I get the login scripts to run?
 
LVL 8

Expert Comment

by:sstone55423
I respect your decision, as you had to go in some direction, and the solution you chose sounds plausible.
I caution you again though: you want an appliance firewall, and not ISA.  There is a reason that almost all companies have abandoned software based firewall solutions in favor of appliance based firewalls.  Also, the solution suggested, making the lone server the file server, the DNS and DHCP server as well as the ISA server, may be the least expensive up front solution, but the most difficult to manage and maintain, and certainly a higher total cost solution over the long term.
A small appliance firewall at each location for under $1000 per location could offer you fast, bulletproof VPN that is not dependent on the server, requiring almost no maintenance.  The VPN encryption is done in hardware, rather than in slower software on your server, taking up valuable server CPU cycles.
 

Author Comment

by:anarine
Personally, if I were to go with a hardware appliance I would go with a Cisco device, as I am CCNA certified.
The reason why I hesitate to implement this, however, is because there are so many modules - PIX, routers, ASA, VPN concentrators - I am not sure which device or IOS feature set will cost effectively provide exactly what I need for the number of licenses required.
I would be happy if you or someone could recommend a device model or website link.  I intend to firstly implement PPTP VPN (IPsec deployed later). Each remote site will have approx 20 users. Sites will be connected using site to site VPN.
