Solved

Browsing - Site-to-site VPN

Posted on 2008-10-29
Last Modified: 2012-05-05

I'm currently deploying a new network for a client. There are two sites, two DCs, and there will be a site-to-site VPN link between the two sites. I will be using the Windows Server 2008 RRAS for the VPN endpoint in HQ, and the router in the branch office for the other end of the VPN.

My question is what happens about browsing? I want - in each office - to be able to browse to servers in the other site. I.e. \\Oxygen would resolve to a server in HQ (which happens to be the RRAS server). What configuration do I need in RRAS to enable this to work? Can I make browsing such as \\oxygen fail over to DNS? Do I need WINS?
Question by:tigermatt
12 Comments
 
LVL 5

Expert Comment

by:Dawilliams
ID: 22833577
You will need DNS entries for both sites or have DNS replicate between sites, also routing tables on the RRAS, and the remote router.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22833975
Browsing relies primarily on NetBIOS broadcasts within a network segment. Because broadcast packets are not routable they cannot (generally) be forwarded over a VPN. Therefore, as a rule the only way to have actual "browsing" work between the two sites is to enable WINS servers at both sites, that replicate WINS tables between each other. WINS is becoming less and less important in a modern domain environment. It does still exist in 2008 but it is not even considered a "role" anymore but rather a feature. It has to be enabled/added. If you don't have a WINS server at each site, it is generally not possible to browse. Having said that, some VPN routers do forward NetBIOS traffic.

Access to resources is no problem using DNS, and as a rule you do not need to browse as you are connecting to known sources. Most often you simply add drive mappings to remote resources for users through logon scripts. Though it doesn't directly address your issue, an article regarding VPN name resolution on my blog may be of some use:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx

Personally I would recommend VPN routers at each site rather than using the server as a VPN server. It is more secure, much easier to configure, and offloads the service to a dedicated appliance. VPN routers these days are very affordable.
0
 
LVL 58

Author Comment

by:tigermatt
ID: 22834087

Thanks for that Rob. I will have to evaluate the previous network hardware and see if I can do a hardware VPN between the sites...

I was expecting the answer to be that I will most likely need WINS; the old network had that, but the new one won't be getting it! :) I don't like it and prefer for everything to go through DNS.

Just one final thing, if you could: I am deploying drive maps through GPP (Group Policy Preferences) to various servers and NAS boxes in either site. I.e. \\Nitrogen\Storage on our NAS box is mapped through GPP to drive J:. Will Windows be able to resolve \\Nitrogen in the branch office? I presume when NetBIOS fails it will fail back to using DNS for lookups, but just wanted a Yes or No :)

Thanks, Matt

0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 22834713
\\Nitrogen should resolve properly but you might have to manually make the entry in your DNS server.

So long as all clients (remote and local) point to your DNS servers, and not the ISP's even as an alternate, and you assign the DNS suffix to clients using DHCP (scope option 15), you should have no problem with name resolution. Browsing is another story.

Then of course the issue is if your DNS server is not available to the remote users via the VPN, users cannot access the Internet, assuming you do not have a local server. The only solution there is to add a local DNS server. With 2008, a read only DNS server is an ideal choice for that purpose.
0
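A check a branch-office client could run to confirm the conditions in the accepted answer above: only internal DNS servers configured, the DNS suffix delivered, and the name resolving through DNS alone. This is an added example, not part of the original thread; the DNS server addresses and the suffix `corp.example` are constructed placeholders, `Nitrogen` is the server name from the question, and the cmdlets require Windows 8 / Server 2012 or later.

```powershell
# Added example: audit a client's DNS settings for name resolution over the VPN.
# Assumptions (placeholders, not from the thread): internal DNS servers and suffix.
$InternalDns = @('192.0.2.10', '192.0.2.11')   # constructed: HQ and branch DNS servers
$Suffix      = 'corp.example'                  # constructed: value sent via DHCP option 15
$ShortName   = 'Nitrogen'                      # server name used in the thread

$findings = @()

# 1. Every configured DNS server must be internal, including alternates.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        foreach ($server in $_.ServerAddresses) {
            if ($InternalDns -notcontains $server) {
                $findings += "$($_.InterfaceAlias): non-internal DNS server $server"
            }
        }
    }

# 2. The suffix must reach the client, per connection or in the global search list.
$perAdapter = (Get-DnsClient).ConnectionSpecificSuffix
$global     = (Get-DnsClientGlobalSetting).SuffixSearchList
if (($perAdapter -notcontains $Suffix) -and ($global -notcontains $Suffix)) {
    $findings += "DNS suffix $Suffix not present on any adapter or in the search list"
}

# 3. The fully qualified name must resolve on each internal server using DNS only
#    (-DnsOnly excludes LLMNR and NetBIOS, so broadcast-based resolution
#    cannot mask a missing record).
foreach ($server in $InternalDns) {
    $answer = Resolve-DnsName -Name "$ShortName.$Suffix" -Type A -Server $server `
                              -DnsOnly -ErrorAction SilentlyContinue
    if (-not $answer) {
        $findings += "$ShortName.$Suffix has no A record on $server"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "DNS-only resolution of \\$ShortName is correctly configured." }
```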
 
LVL 58

Author Comment

by:tigermatt
ID: 22834944

Cheers Rob, the fact \\Nitrogen can be resolved by DNS (+ the suffix configured) has confirmed things :)

These points are well deserved,
Matt
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22834966
Thanks Matt,
Good luck with it.
--Rob
0
 
LVL 5

Expert Comment

by:Dawilliams
ID: 22834998
Not for nothing, but I do believe I mentioned DNS earlier....
0
 
LVL 58

Author Comment

by:tigermatt
ID: 22835164

Thanks for that, however I was really looking for a definite clarification though that DNS could be used to resolve the remote site's server + PC names.

And yes, I do use names in the Periodic Table for naming servers and workstations!

Matt
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 22836096
You should watch out for DNS that just works over the VPN "accidentally".  I've had that happen with no intent on my part.  So, I don't know why it worked.  There was no WINS or......

Our solution is to do this:

Start / Run
\\[IP address of target on the other side]

This will open the computer drive structure with shares.
Drives can be mapped using the display that results.

Because we use static IP addresses and because our need for site-to-site connectivity is rather low, not having name service works great for us.
Now, how do I get some of those points??  :-)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22836211
Not that I am at all concerned about the points, feel free to split those up as you wish, but I guess the issue is what was the question.
1) Can you browse over a VPN with DNS, or 2) can you resolve a name over a VPN with DNS :-)
1) no, 2) yes
This assumes by browsing one means browsing My Network Neighbourhood.
0
 
LVL 58

Author Comment

by:tigermatt
ID: 22836493

Thanks for all your answers gentlemen. Rob still provided the answer to my question though (even though I didn't make it clear to start with!) - I intended to say 'Can you resolve a name over a VPN with DNS?' and he subsequently pointed me to all the appropriate DHCP options for doing so. We need DNS name resolution over the VPN, so that is what I wanted to confirm.

-Matt
0
 
LVL 5

Expert Comment

by:Dawilliams
ID: 22842907
Guys, don't get me wrong, the important thing is that the question got answered. I was merely stating the DNS info provided would work for the UNC "\\Server". Glad you got your answer.
Dar.
0
