  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 865

Browsing - Site-to-site VPN


I'm currently deploying a new network for a client. There are two sites, two DCs, and there will be a site-to-site VPN link between the two sites. I will be using the Windows Server 2008 RRAS for the VPN endpoint in HQ, and the router in the branch office for the other end of the VPN.

My question is what happens about browsing? I want - in each office - to be able to browse to servers in the other site. I.e. \\Oxygen would resolve to a server in HQ (which happens to be the RRAS server). What configuration do I need in RRAS to enable this to work? Can I make browsing such as \\oxygen fail over to DNS? Do I need WINS?
0
tigermatt
Asked:
1 Solution
 
DawilliamsCommented:
You will need DNS entries for both sites or have DNS replicate between sites, also routing tables on the RRAS, and the remote router.
0
 
Rob WilliamsCommented:
Browsing relies primarily on NetBIOS broadcasts within a network segment. Because broadcast packets are not routable they cannot (generally) be forwarded over a VPN. Therefore, as a rule the only way to have actual "browsing" work between the two sites is to enable WINS servers at both sites, that replicate WINS tables between each other. WINS is becoming less and less important in a modern domain environment. It does still exist in 2008 but it is not even considered a 'role' anymore but rather a feature. It has to be enabled/added. If you don't have a WINS server at each site, it is generally not possible to browse. Having said that, some VPN routers do forward NetBIOS traffic.

Access to resources is no problem using DNS, and as a rule you do not need to browse as you are connecting to known sources. Most often you simply add drive mappings to remote resources for users through logon scripts. Though it doesn't directly address your issue, an article regarding VPN name resolution on my blog may be of some use:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx

Personally I would recommend VPN routers at each site rather than using the server as a VPN server. It is more secure, much easier to configure, and offloads the service to a dedicated appliance. VPN routers these days are very affordable.
0
 
tigermattAuthor Commented:

Thanks for that Rob. I will have to evaluate the previous network hardware and see if I can do a hardware VPN between the sites...

I was expecting the answer to be that I will most likely need WINS; the old network had that, but the new one won't be getting it! :) I don't like it and prefer for everything to go through DNS.

Just one final thing, if you could: I am deploying drive maps through GPP (Group Policy Preferences) to various servers and NAS boxes in either site. I.e. \\Nitrogen\Storage on our NAS box is mapped through GPP to drive J:. Will Windows be able to resolve \\Nitrogen in the branch office? I presume when NetBIOS fails it will fail back to using DNS for lookups, but just wanted a Yes or No :)

Thanks, Matt

0
 
Rob WilliamsCommented:
\\Nitrogen should resolve properly but you might have to manually make the entry in your DNS server.

So long as all clients (remote and local) point to your DNS servers, and not the ISP's even as an alternate, and you assign the DNS suffix to clients using DHCP (scope option 15), you should have no problem with name resolution. Browsing is another story.

Then of course the issue is if your DNS server is not available to the remote users via the VPN, users cannot access the Internet, assuming you do not have a local server. The only solution there is to add a local DNS server. With 2008, a read only DNS server is an ideal choice for that purpose.
0
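
A client-side check for the conditions in the answer above (clients use only the internal DNS servers, carry the DNS suffix from DHCP option 15, and resolve the short name through DNS), as an added example that is not part of the original thread. The DNS server addresses and the suffix `corp.example.local` are assumed placeholder values; `Test-AdapterDns` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Assumed values: DNS server addresses and domain suffix.
$InternalDns    = @('192.168.1.10', '192.168.2.10')  # assumed: internal DNS servers (HQ, branch)
$ExpectedSuffix = 'corp.example.local'               # assumed: suffix handed out by DHCP option 15
$ShortName      = 'Nitrogen'                         # NAS name used in the thread

function Test-AdapterDns {
    param($Adapter, [string[]]$InternalDns, [string]$ExpectedSuffix)

    # DNSServerSearchOrder is $null when no resolver is configured on the adapter.
    $servers = @($Adapter.DNSServerSearchOrder | Where-Object { $_ })
    # Any resolver outside the internal list (e.g. an ISP server as alternate) is flagged.
    $foreign = @($servers | Where-Object { $InternalDns -notcontains $_ })

    $issues = @()
    if ($servers.Count -eq 0) { $issues += 'no DNS servers configured' }
    if ($foreign.Count -gt 0) { $issues += "non-internal DNS server(s): $($foreign -join ', ')" }
    if ($Adapter.DNSDomain -ne $ExpectedSuffix) {
        $issues += "connection suffix is '$($Adapter.DNSDomain)', expected '$ExpectedSuffix'"
    }

    New-Object PSObject -Property @{
        Adapter = $Adapter.Description
        Ok      = ($issues.Count -eq 0)
        Issues  = ($issues -join '; ')
    }
}

# Check every IP-enabled adapter on this client.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { Test-AdapterDns $_ $InternalDns $ExpectedSuffix } |
    Format-Table Adapter, Ok, Issues -AutoSize -Wrap

# nslookup queries DNS only (no NetBIOS broadcast or WINS), so a "Name:" line in its
# output shows the short name resolved through DNS with the suffix appended.
$answer = (nslookup $ShortName) | Out-String
if ($answer -match '(?m)^Name:\s+(\S+)') {
    "DNS resolved $ShortName as $($Matches[1])"
} else {
    "DNS did NOT resolve $ShortName; check the A record and the client's DNS suffix"
}
```

Run it on a client at each site; a branch client that lists an ISP resolver or lacks the suffix will show up in the table even if a mapped drive currently works.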
 
tigermattAuthor Commented:

Cheers Rob, the fact \\Nitrogen can be resolved by DNS (+ the suffix configured) has confirmed things :)

These points are well deserved,
Matt
0
 
Rob WilliamsCommented:
Thanks Matt,
Good luck with it.
--Rob
0
 
DawilliamsCommented:
Not for nothing, but I do believe I mentioned DNS earlier....
0
 
tigermattAuthor Commented:

Thanks for that, however I was really looking for a definite clarification though that DNS could be used to resolve the remote site's server + PC names.

And yes, I do use names in the Periodic Table for naming servers and workstations!

Matt
0
 
Fred MarshallCommented:
You should watch out for DNS that just works over the VPN "accidentally".  I've had that happen with no intent on my part.  So, I don't know why it worked.  There was no WINS or......

Our solution is to do this:

Start / Run
\\[IP address of target on the other side]

This will open the computer drive structure with shares.
Drives can be mapped using the display that results.

Because we use static IP addresses and because our need for site-to-site connectivity is rather low, not having name service works great for us.
Now, how do I get some of those points??  :-)
0
 
Rob WilliamsCommented:
Not that I am at all concerned about the points, feel free to split those up as you wish, but I guess the issue is what was the question.
1) Can you browse over a VPN with DNS, or 2) can you resolve a name over a VPN with DNS :-)
1) no, 2) yes
This assumes by browsing one means browsing My Network Neighbourhood.
0
 
tigermattAuthor Commented:

Thanks for all your answers gentlemen. Rob still provided the answer to my question though (even though I didn't make it clear to start with!) - I intended to say 'Can you resolve a name over a VPN with DNS?' and he subsequently pointed me to all the appropriate DHCP options for doing so. We need DNS name resolution over the VPN, so that is what I wanted to confirm.

-Matt
0
 
DawilliamsCommented:
Guys, don't get me wrong, the important thing is that the question got answered. I was merely stating the DNS info provided would work for the UNC "\\Server". Glad you got your answer.
Dar.
0
