
Network branch offices

Hi all,
The company intends to connect all branch offices throughout the world, so that files can be shared and computers can be remotely managed.

One way is to set up a site-to-site VPN between all branches, e.g. using Cisco firewalls.
Are there any other ways to connect the branches, e.g. Citrix?

I am looking for the best option that should be easy to configure.
Asked by: anarine

hodgeyohn Commented:
Citrix is a useful technology for remote access.
If you have applications and data files that are remote from the users, you can use Citrix for remote access to the applications and files.

VPNs are more for direct connectivity.

Hope this helps.

kdtresh Commented:
From a hardware side, you could drop an ASA 5505 at each site; the default bundle comes with 10 IPSec VPN peers, so you could connect 10 sites to each ASA. It would probably run you $400-500 per unit, and it would be hard if you didn't have static IPs at all the locations. You can also use a software VPN client at dynamic locations to connect to a home office ASA, which would only require the home office unit.

Herrmannator Commented:
Your stated objective is file sharing amongst people in various branch offices and management of the client computers. We have this same situation and have used 2 products: 1) Citrix to provide a "remote desktop" type of experience whereby users remote control a session in our HQ office, and therefore have access to all the same stuff as people in the HQ office, and 2) SMS for desktop management and application deployment. And even though we use Citrix for the field users, we also use SMS to give them all the same applications and updates as everyone else, so they have the option of working locally when they want to.
The standard Citrix approach would be to put your file servers in an HQ office or datacenter, and then set up Citrix servers in that office so that your remote users are in effect remote controlling sessions to get network performance "as if" they were located in the HQ office. This could be done by published desktop (very similar to Remote Desktop but with better WAN performance and other advantages), or published applications. Citrix also offers other products like application streaming but we use SMS to deploy apps.
Another approach would be to rely on just having a VPN to each field office, but then investing in "WAN Acceleration" appliances which basically cache copies of files people are using so they don't have to pull them across the WAN unless they change.
Different approaches depend on what kind of expertise you have in house and where you want to spend your money / resources.

anarine (Author) Commented:
OK, so this comes down to what the advantages/disadvantages are of site-to-site VPNs versus Citrix or any other technology. Can anyone shed some light?

hodgeyohn Commented:
Based on what you wrote above, I would say that a VPN is probably the correct option for you.
The initial setup of a VPN isn't that hard. You will have to work out some details such as name resolution.
A VPN will put your computer on the network. This will give you maximum flexibility.

Herrmannator Commented:
Bandwidth is the main issue. Do your users work on large PowerPoint decks or other large files? Where do you want them to store the files? Locally on their PC is not good because if their hard drive crashes the data is lost. But if you don't plan on file servers in each office, and expect them to store things on a remote server, then you better either provide lots of expensive bandwidth, or use some other technology like Citrix or WAN acceleration.
Citrix requires an investment in expertise to learn and manage it, but then costs go down. Bandwidth is an ongoing cost, but if you can afford huge bandwidth, then you don't need to learn Citrix. Or if your users really only use tiny files anyway, and would not be burdened by slow WAN performance, then maybe just T1's to each office is adequate.

anarine (Author) Commented:
I do plan to place file servers in each branch. Each site has a 1 MB connection at least to the internet.
Each site has about 20 users. 10 sites in all.

Is the training for Citrix really necessary? I've configured Cisco routers before.
Can you provide the name of the Citrix product that I can research?

kdtresh Commented:
If you go with the hardware VPN units, each one could connect to all the others and once it was all configured, connectivity between the properties would be transparent to the users. You could also just connect them all to the home office, rather than to each other, if they don't need to talk between offices.

Herrmannator Commented:
I did not mean to suggest Citrix training is necessary, just that there is a significant learning curve. If you are going to use file servers in each office, then you may not need Citrix because users can store files on those local file servers. Citrix is great when you have smaller branch offices that are too small to justify servers.
So I guess the question is, will each office pretty much have its own stuff they work on and store on the file servers, or does everyone truly need to store everything on the HQ file servers where it is therefore available to everyone? Assuming the local file servers meet 90% of the need, then maybe you could have an HQ server that is used for "Common" storage. For example maybe everyone has a U drive (Universal) that maps to this HQ server, where common stuff is stored and accessible to everyone via VPN.
And to clarify the bottom line issue with an example, consider this:
Scenario #1: Let's say you have users in Texas working on files located in NY that are several hundred megs in size. That will be challenging across a VPN link, because it would take substantial time just to copy the file across the WAN. So the user would need to copy the file across the WAN to his local PC, then work on it, then copy it back to the NY server. In the meantime, someone else might have modified it on the NY server, so now you have version control issues.
Scenario #2: Now let's say the same users use Citrix (just like "remote desktop") to remote control a session on a computer located in the NY office. Since the large file is also located in the NY office, they can open it, work on it, and save it instantaneously, and they would get performance as good as if they worked in the NY office.
But if those scenarios are not the way your users work anyway, then you may not need Citrix. And regardless, I would say VPN is the way to start. Then if you find it does not meet the need, you can consider adding Citrix.

hodgeyohn Commented:
Training for users is minimal for either solution.
The good news with a VPN is that once it is set up you do not need to know much else.
With Citrix, there is a whole new product that you need to understand, unless you are looking for an outside party to manage it.

Herrmannator Commented:
Right -- I can't see any reason you would not want a VPN as a minimum requirement, so you should do that as step #1 then evaluate whether you still need other solutions.

Herrmannator Commented:
Oh -- you had asked the name of the relevant Citrix product. The new name is Citrix XenApp (used to be called Citrix Presentation Server, and Citrix MetaFrame before that). But I would still focus on the VPN at this point!

kdearing Commented:
I'll second (or third?) the VPN solution.

Drop a Cisco ASA5505 in each site.

About $500 for an ASA5505-50-BUN-K9
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

anarine (Author) Commented:
Will the VPN solution work behind a DSL modem in each of the sites?
And are there any alternatives to a VPN or Citrix solution?

Herrmannator Commented:
Are these ADSL or SDSL modems? ADSL is better for networks and VPNs, but either will "work". If it is the cheaper ADSL, then your throughput (up and down) is different, typically download speed is much faster than upload, and the same pipe gets used for both upload and download which creates traffic bottlenecks.
But you will want some type of firewall protecting each office anyway, so VPN will be part of that implementation, so there is still no reason not to do VPN as step #1. If you can do T1's to each office, you'll get better performance and a more stable network. But it can be done no matter what the connectivity constraints.
As far as other solutions, it depends. Is it a REQUIREMENT to be able to directly manage the computers at the other sites? If so, you should have a VPN. Will there be servers that need to connect back to the home office in each office? If so, you should have a VPN. Do you want any centrally managed items (like a central Symantec Antivirus server) to keep tabs on AV for all computers? If so, you should have a VPN.
There are cheaper alternatives that can meet the file sharing need such as "just put up FTP server in the home office and let everyone use it to share files" but that has security downsides. Or maybe you could just put a firewall in your home office, and then give everyone a VPN client so that they can connect back to the home office if/when they need to. So it depends what your REQUIREMENTS are, and your budget. The standard answer most would choose is to start with a VPN between the offices. But if that is not a budget option, let us know.

Herrmannator Commented:
Sorry -- I meant "SDSL is better for networks and VPNs, but either will "work". If it is the cheaper ADSL, then...."
But really it depends on what you will try to do with it. If you have a home office that will want to manage the remote office computers with products like SMS, then you need the dedicated bandwidth both ways that SDSL would provide. But if they mostly need high speed internet and rarely need connectivity between offices, ADSL may be fine.
Here's a link describing the characteristics of each if not familiar:
http://www.buytelco.net/NetworkApplications.asp?ID=609

anarine (Author) Commented:
Yes, we need to remotely manage branch office computers, because we may need to install software, e.g. MS Office, on the clients. Yes, we are using ADSL. After reading your comments, I intend to go with ASA 5505 routers in each site. I hope the ASA 5505 can operate as a 'hardware VPN client' since this I believe is easier to set up than a site-to-site VPN.

The only problem is that remote sites each have their own local Windows domain.
Is this a problem?

Herrmannator Commented:
Their own domains all within the same forest? Or completely independent of each other with no knowledge of the other domains? You can set up "trusts" between domains, but you will probably want to migrate all users onto a single domain in the future, and then you would still have separate sites within the domain.

kdearing Commented:
With the ASA5505, setting up site-to-site VPNs is relatively easy.

I think the more difficult part of the project will be the file sharing, domain trusts, etc.

anarine (Author) Commented:
It may be easy to set up the ASA to ASA VPN in a test lab, but it becomes more difficult to pass through IPsec traffic when an ADSL modem running NAT is in front of the ASA. So we have a double NAT situation - on the modem and on the ASA. I've read about this being a problem, any thoughts?

Will I be able to get tech support from Cisco with this issue?

kdearing Commented:
It's usually a good idea to put the ADSL modem in bridge mode.
That way the ASA is the only L3 device and it has a public IP.

anarine (Author) Commented:
In the branch office, the ADSL router has a static public IP. The Windows NAT server behind the ADSL modem has a private IP.
If I put the ADSL modem in bridged mode, will the public IP then be assigned to the Windows computer?
I am not sure how the bridge works. Please explain.

kdearing Commented:
Well, you're going to want to put the ASA in front of the server so it protects the network and it gets the public IP.

Herrmannator Commented:
Boy, this is lots of work by lots of people for 75 points - maybe you can boost the points!

anarine (Author) Commented:
I cannot bridge the DSL router, since it cannot bridge a PPPoA connection, only PPPoE.
I'll try purchasing adslnation's X-modem or buy another DSL router that can bridge PPPoA.
Thanks to all for the help.