Solved

Browsing - Site-to-site VPN

Posted on 2008-10-29
Last Modified: 2012-05-05

I'm currently deploying a new network for a client. There are two sites, two DCs, and there will be a site-to-site VPN link between the two sites. I will be using the Windows Server 2008 RRAS for the VPN endpoint in HQ, and the router in the branch office for the other end of the VPN.

My question is what happens about browsing? I want - in each office - to be able to browse to servers in the other site. I.e. \\Oxygen would resolve to a server in HQ (which happens to be the RRAS server). What configuration do I need in RRAS to enable this to work? Can I make browsing such as \\oxygen fail over to DNS? Do I need WINS?
Question by:tigermatt
12 Comments
 
LVL 5

Expert Comment

by:Dawilliams
ID: 22833577
You will need DNS entries for both sites, or have DNS replicate between sites; also routing tables on the RRAS and the remote router.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22833975
Browsing relies primarily on NetBIOS broadcasts within a network segment. Because broadcast packets are not routable they cannot (generally) be forwarded over a VPN. Therefore, as a rule the only way to have actual "browsing" work between the two sites is to enable WINS servers at both sites, that replicate WINS tables between each other. WINS is becoming less and less important in a modern domain environment. It does still exist in 2008 but it is not even considered a "role" anymore but rather a feature. It has to be enabled/added. If you don't have a WINS server at each site, it is generally not possible to browse. Having said that, some VPN routers do forward NetBIOS traffic.

Access to resources is no problem using DNS, and as a rule you do not need to browse as you are connecting to known sources. Most often you simply add drive mappings to remote resources for users through logon scripts. Though it doesn't directly address your issue, an article regarding VPN name resolution on my blog may be of some use:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx

Personally I would recommend VPN routers at each site rather than using the server as a VPN server. It is more secure, much easier to configure, and offloads the service to a dedicated appliance. VPN routers these days are very affordable.
0
 
LVL 58

Author Comment

by:tigermatt
ID: 22834087

Thanks for that Rob. I will have to evaluate the previous network hardware and see if I can do a hardware VPN between the sites...

I was expecting the answer to be that I will most likely need WINS; the old network had that, but the new one won't be getting it! :) I don't like it and prefer for everything to go through DNS.

Just one final thing, if you could: I am deploying drive maps through GPP (Group Policy Preferences) to various servers and NAS boxes in either site. I.e. \\Nitrogen\Storage on our NAS box is mapped through GPP to drive J:. Will Windows be able to resolve \\Nitrogen in the branch office? I presume when NetBIOS fails it will fail back to using DNS for lookups, but just wanted a Yes or No :)

Thanks, Matt

0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 22834713
\\Nitrogen should resolve properly but you might have to manually make the entry in your DNS server.

So long as all clients (remote and local) point to your DNS servers, and not the ISP's even as an alternate, and you assign the DNS suffix to clients using DHCP (scope option 15), you should have no problem with name resolution. Browsing is another story.

Then of course the issue is if your DNS server is not available to the remote users via the VPN, users cannot access the Internet, assuming you do not have a local server. The only solution there is to add a local DNS server. With 2008, a read only DNS server is an ideal choice for that purpose.
0
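The two conditions in the accepted answer (clients point only at the internal DNS servers, with no ISP resolver even as an alternate, and a DNS suffix is assigned) can be checked from `ipconfig /all` output. This is an added example, not part of the original thread; the sample output, the `corp.example` suffix and the address ranges are constructed assumptions.

```python
import ipaddress
import re
# Constructed `ipconfig /all` excerpt; adapter names and addresses are made up.
SAMPLE = """\
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : corp.example
   DNS Servers . . . . . . . . . . . : 10.1.0.10
                                       203.0.113.53

Ethernet adapter Local Area Connection 2:
   Connection-specific DNS Suffix  . :
   DNS Servers . . . . . . . . . . . : 10.2.0.10
"""
FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*:\s*(.*)$")

def _ip(text):
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])
    except ValueError:
        return None

def parse_adapters(text):  # -> {adapter: {"suffix": str, "dns": [ip, ...]}}
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):  # adapter header
            current = adapters[line.rstrip().rstrip(":")] = {"suffix": "", "dns": []}
            in_dns = False
        elif current is not None and in_dns and _ip(line):  # extra DNS server row
            current["dns"].append(line.strip())
        elif current is not None and (m := FIELD.match(line)):
            label, value = m.group(1), m.group(2).strip()
            in_dns = label == "DNS Servers"
            if in_dns and _ip(value):
                current["dns"].append(value)
            elif label == "Connection-specific DNS Suffix":
                current["suffix"] = value
    return adapters

def audit(text, internal_nets, expected_suffix):  # -> [(adapter, finding), ...]
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for name, cfg in parse_adapters(text).items():
        for server in cfg["dns"]:
            # A resolver outside the internal ranges cannot answer for internal
            # names, and queries for those names leak to it.
            if not any(_ip(server) in net for net in nets):
                findings.append((name, f"external DNS server {server}"))
        if cfg["dns"] and cfg["suffix"].lower() != expected_suffix.lower():
            findings.append((name, f"suffix {cfg['suffix']!r} != {expected_suffix!r}"))
    return findings
```

Calling `audit(SAMPLE, ["10.1.0.0/16", "10.2.0.0/16"], "corp.example")` reports the ISP-style alternate on the first adapter and the missing suffix on the second.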
 
LVL 58

Author Comment

by:tigermatt
ID: 22834944

Cheers Rob, the fact \\Nitrogen can be resolved by DNS (+ the suffix configured) has confirmed things :)

These points are well deserved,
Matt
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22834966
Thanks Matt,
Good luck with it.
--Rob
0
 
LVL 5

Expert Comment

by:Dawilliams
ID: 22834998
Not for nothing, but I do believe I mentioned DNS earlier....
0
 
LVL 58

Author Comment

by:tigermatt
ID: 22835164

Thanks for that, however I was really looking for a definite clarification though that DNS could be used to resolve the remote site's server + PC names.

And yes, I do use names in the Periodic Table for naming servers and workstations!

Matt
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 22836096
You should watch out for DNS that just works over the VPN "accidentally".  I've had that happen with no intent on my part.  So, I don't know why it worked.  There was no WINS or......

Our solution is to do this:

Start / Run
\\[IP address of target on the other side]

This will open the computer drive structure with shares.
Drives can be mapped using the display that results.

Because we use static IP addresses and because our need for site-to-site connectivity is rather low, not having name service works great for us.
Now, how do I get some of those points??  :-)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22836211
Not that I am at all concerned about the points, feel free to split those up as you wish, but I guess the issue is what was the question.
1) Can you browse over a VPN with DNS, or 2) can you resolve a name over a VPN with DNS :-)
1) no, 2) yes
This assumes by browsing one means browsing My Network Neighbourhood.
0
 
LVL 58

Author Comment

by:tigermatt
ID: 22836493

Thanks for all your answers gentlemen. Rob still provided the answer to my question though (even though I didn't make it clear to start with!) - I intended to say 'Can you resolve a name over a VPN with DNS?' and he subsequently pointed me to all the appropriate DHCP options for doing so. We need DNS name resolution over the VPN, so that is what I wanted to confirm.

-Matt
0
 
LVL 5

Expert Comment

by:Dawilliams
ID: 22842907
Guys, don't get me wrong; the important thing is that the question got answered. I was merely stating the DNS info provided would work for the UNC "\\Server". Glad you got your answer.
Dar.
0

Question has a verified solution.
