anarine asked:

Network branch offices

Hi all,
  The company intends to connect all branch offices throughout the world, so that Files
can be shared and computers can be remotely managed.

One way is to setup a site to site VPN between all branches eg. using Cisco firewalls.
Are there any other ways to connect the branches eg. Citrix......??

I am looking for the best option that should be easy to configure.

hodgeyohn

Citrix is a useful technology for remote access.
If you have applications and data files that are remote from the users, you can use Citrix for remote access to the applications and files.

VPNs are more for direct connectivity.

Hope this helps.

kdtresh

From a hardware side, you could drop an ASA 5505 at each site, the default bundle comes with 10 IPSec VPN peers, so you could connect 10 sites to each ASA. It would probably run you $400-500 per unit, and it would be hard if you didn't have static IPs at all the locations. You can also use a software VPN client at dynamic locations to connect to a home office ASA, which would only require the home office unit.

Your stated objective is file sharing amongst people in various branch offices and management of the client computers.  We have this same situation and have used 2 products:  1) Citrix to provide a "remote desktop" type of experience whereby users remote control a session in our HQ office, and therefore have access to all the same stuff as people in the HQ office, and 2) SMS for desktop management and application deployment.  And even though we use Citrix for the field users, we also use SMS to give them all the same applications and updates as everyone else, so they have the option of working locally when they want to.
The standard Citrix approach would be to put your file servers in an HQ office or datacenter, and then set up Citrix servers in that office so that your remote users are in effect remote controlling sessions to get network performance "as if" they were located in the HQ office.  This could be done by published desktop (very similar to Remote Desktop but with better WAN performance and other advantages), or published applications.  Citrix also offers other products like application streaming but we use SMS to deploy apps.
Another approach would be to rely on just having a VPN to each field office, but then investing in "WAN Acceleration" appliances which basically cache copies of files people are using so they don't have to pull them across the WAN unless they change.
Different approaches depend on what kind of expertise you have in house and where you want to spend your money / resources.

anarine (ASKER)

OK, so this comes down to what are the advantages/disadvantages of site-to-site VPNs versus Citrix or any other technology. Can anyone shed some light?

Based on what you wrote above, I would say that a VPN is probably the correct option for you.
The initial setup of a VPN isn't that hard.  You will have to work out some details such as name resolution.
A VPN will put your computer on the network.  This will give you maximum flexibility.

Bandwidth is the main issue.  Do your users work on large PowerPoint decks or other large files?  Where do you want them to store the files?  Locally on their PC is not good because if their hard drive crashes the data is lost.  But if you don't plan on file servers in each office, and expect them to store things on a remote server, then you better either provide lots of expensive bandwidth, or use some other technology like Citrix or WAN acceleration.
Citrix requires an investment in expertise to learn and manage it, but then costs go down.  Bandwidth is an ongoing cost, but if you can afford huge bandwidth, then you don't need to learn Citrix.  Or if your users really only use tiny files anyway, and would not be burdened by slow WAN performance, then maybe just T1's to each office is adequate.

anarine (ASKER)

I do plan to place file servers in each branch. Each site has a 1 MB connection at least to the internet.
Each site has about 20 users. 10 sites in all.

Is the training for Citrix really necessary? I've configured Cisco routers before.
Can you provide the name of the Citrix product that I can research?

If you go with the hardware VPN units, each one could connect to all the others and once it was all configured, connectivity between the properties would be transparent to the users. You could also just connect them all to the home office, rather than to each other, if they don't need to talk between offices.

ASKER CERTIFIED SOLUTION
Herrmannator

This solution is only available to members.

Training for users is minimal for either solution.
The good news with a VPN is that once it is set up you do not need to know much else.
With Citrix there is a whole new product that you need to understand, unless you are looking for an outside party to manage it.

Right -- I can't see any reason you would not want a VPN as a minimum requirement, so you should do that as step #1 then evaluate whether you still need other solutions.
Oh -- you had asked the name of the relevant Citrix product.  The new name is Citrix XenApp (used to be called Citrix Presentation Server, and Citrix MetaFrame before that).  But I would still focus on the VPN at this point!

I'll second (or third?) the VPN solution.

Drop a Cisco ASA5505 in each site.

About $500 for an ASA5505-50-BUN-K9
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

anarine (ASKER)

Will the VPN solution work behind a DSL modem in each of the sites?
And are there any alternatives to a VPN or Citrix solution?

Are these ADSL or SDSL modems?  ADSL is better for networks and vpns, but either will "work".  If it is the cheaper ADSL, then your through-put (up and down) is different, typically download speed is much faster than upload, and the same pipe gets used for both upload and download which creates traffic bottlenecks.
But you will want some type of firewall protecting each office anyway, so VPN will be part of that implementation, so there is still no reason not to do VPN as step #1.  If you can do T1's to each office, you'll get better performance and a more stable network.  But it can be done no matter what the connectivity constraints.
As far as other solutions, it depends.  Is it a REQUIREMENT to be able to directly manage the computers at the other sites?  If so, you should have a VPN.  Will there be servers that need to connect back to the home office in each office?  If so, you should have a VPN.  Do you want any centrally managed items (like a central Symantec Antivirus server) to keep tabs on AV for all computers?  If so you should have a VPN.
There are cheaper alternatives that can meet the file sharing need such as "just put up FTP server in the home office and let everyone use it to share files" but that has security downsides.  Or maybe you could just put a firewall in your home office, and then give everyone a VPN client so that they can connect back to the home office if/when they need to.  So depends what your REQUIREMENTS are, and your budget.  The standard answer most would choose is to start with a VPN between the offices.  But if that is not a budget option, let us know.
Sorry -- I meant "SDSL is better for networks and vpns, but either will "work".  If it is the cheaper ADSL, then...."
But really it depends on what you will try to do with it.  If you have a home office that will want to manage the remote office computers with products like SMS, then you need the dedicated bandwidth both ways that SDSL would provide.  But if they mostly need high speed internet and rarely need connectivity between offices, ADSL may be fine.
Here's a link describing the characteristics of each if not familiar:
http://www.buytelco.net/NetworkApplications.asp?ID=609 

anarine (ASKER)

Yes, we need to remotely manage branch office computers, because we may need to install software, e.g. MS Office, on the clients. Yes, we are using ADSL. After reading your comments, I intend to go with ASA 5505 routers in each site. I hope the ASA 5505 can operate as a 'hardware vpn client' since this I believe is easier to set up than a site-to-site VPN.

The only problem is that remote sites each have their own local Windows domain.
Is this a problem?

Their own domains all within the same forest?  Or completely independent of each other with no knowledge of the other domains?  You can set up "trusts" between domains, but you will probably want to migrate all users onto a single domain in the future, and then you would still have separate sites within the domain.

With the ASA5505, setting up site-to-site VPNs is relatively easy.

I think the more difficult part of the project will be the file sharing, domain trusts, etc.

anarine (ASKER)

It may be easy to set up the ASA-to-ASA VPN in a test lab, but it becomes more difficult to pass through IPsec traffic when an ADSL modem running NAT is in front of the ASA. So we have a double NAT situation - on the modem and on the ASA. I've read about this being a problem, any thoughts?

Will I be able to get tech support from Cisco with this issue?

It's usually a good idea to put the ADSL modem in bridge mode.
That way the ASA is the only L3 device and it has a public IP.

anarine (ASKER)

In the branch office, the ADSL router has a static public IP. The Windows NAT server behind the ADSL modem has a private IP.
If I put the ADSL modem in bridged mode, will the public IP then be assigned to the Windows computer?
I am not sure how the bridge works. Please explain.

Well, you're going to want to put the ASA in front of the server so it protects the network and it gets the public IP.

Boy, this is lots of work by lots of people for 75 points - maybe you can boost the points!

anarine (ASKER)

I cannot bridge the DSL router, since it cannot bridge a PPPoA connection, only PPPoE.
I'll try purchasing adslnation's X-modem or buy another DSL router that can bridge PPPoA.
Thanks to all for the help.