site to site vpn connection to sbs server

Posted on 2010-01-06
Last Modified: 2012-05-08
I have a client who is opening a second location for their business. They have a SQL-based application that they wish to access from the remote location. There will be approx. 4 PCs to start at the remote location. The main office will have SBS 2003 Premium. I plan on setting up 2 SonicWall VPN firewall appliances and connecting them with a site-to-site VPN tunnel. I have never configured this before, but support several networks where it was set up already. I understand that you have to have 2 separate IP address ranges for each location, 192.168.1.x and 192.168.2.x for example. Where it gets confusing for me is when you set up the remote office you have to use the router/firewall for DHCP and a default gateway for internet. Why couldn't you just set up the whole network on the same subnet and have your primary SBS server provide DHCP services for the remote site as well? I'm finding that I have DNS issues with the current setups and have to modify the lmhosts files on the remote PCs in order for services such as joining the domain through the Connect Computer wizard to work properly.
9 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 26197044
Routing is based on subnets. If the local and remote subnets are the same, the packets are retained locally and never forwarded to the remote site. They MUST be different. I would also recommend avoiding common subnets like 192.168.0.x and 192.168.1.x in case you ever have software VPN clients connecting from home subnets that may conflict.

It is possible to use a DHCP helper and have the SBS as the DHCP server for local and remote clients, but defining and configuring the two subnets is difficult.

If the remote clients are assigned the SBS, and only the SBS, as their DNS server, there should be no problem with name resolution and joining the domain.
0
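Added example (not part of the original thread): a short Python check of the two points in the comment above, namely the sender's on-link decision that keeps same-subnet traffic out of the tunnel, and a planning check for site subnets that overlap each other or common home subnets. The function names, site names and the 10.10.x.x plan are constructed for illustration.

```python
import ipaddress

# Subnets named in the comment above as common on home networks.
COMMON_HOME_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24"]

def is_on_link(src_ip, prefix_len, dst_ip):
    """Sender's routing decision: True means the host ARPs for dst_ip on the
    local segment, so the packet never reaches the gateway or the VPN tunnel."""
    local_net = ipaddress.ip_interface(f"{src_ip}/{prefix_len}").network
    return ipaddress.ip_address(dst_ip) in local_net

def check_vpn_plan(sites, home_subnets=COMMON_HOME_SUBNETS):
    """sites maps a site name to its LAN in CIDR form; returns a list of problems."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    problems = []
    # Site-to-site: overlapping LANs cannot be routed across the tunnel.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}: "
                                "traffic stays local and never enters the tunnel")
    # Software VPN clients: a site LAN equal to the user's home LAN conflicts.
    for name in names:
        for cidr in home_subnets:
            if nets[name].overlaps(ipaddress.ip_network(cidr)):
                problems.append(f"{name} {nets[name]} collides with "
                                f"common home subnet {cidr}")
    return problems

if __name__ == "__main__":
    # Constructed plans: same subnet, the question's example, a less common range.
    plans = {
        "same subnet": {"main": "192.168.1.0/24", "remote": "192.168.1.0/24"},
        "question's example": {"main": "192.168.1.0/24", "remote": "192.168.2.0/24"},
        "uncommon ranges": {"main": "10.10.1.0/24", "remote": "10.10.2.0/24"},
    }
    for label, sites in plans.items():
        issues = check_vpn_plan(sites)
        print(label, "->", issues if issues else "OK")
    # A remote PC at 192.168.1.50/24 trying to reach a server at 192.168.1.10:
    print("on-link:", is_on_link("192.168.1.50", 24, "192.168.1.10"))
```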
 
LVL 9

Expert Comment

by:tl121000
ID: 26197336
After you establish a tunnel - you can set up DHCP relay between the f/w.
The two networks can have the same subnet and they will communicate as if they are one logical.
http://www.sonicwall.com/downloads/Site_to_Site_VPN_Using_DHCP_over_VPn__SonicOS_Enhanced_at__.pdf
 
 
 
0
 
LVL 9

Expert Comment

by:tl121000
ID: 26197355
Let me clarify - the two networks can have the same internal subnet (192.168.x.x, 10.x.x.x, 172.16-31.x.x).  They can be the same.  The distinct public IP addresses will allow the two locations to route and establish a VPN connection.
http://www.sonicwall.com/downloads/Site_to_Site_VPN_Using_DHCP_over_VPn__SonicOS_Enhanced_at__.pdf
 
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 26199073
I am afraid the subnets need to be different, and they are in your example, tl121000.
The WAN subnets are the same in the example because in a test environment or if connected by some form of direct link they would be the same. But in williamstechnologyg& that will be replaced by the Internet.
0
 
LVL 9

Expert Comment

by:tl121000
ID: 26204955
RobWill
Duh - You know what... you're right! The packets will not traverse the router interface, since the network will believe they are "local".
OKAY so two different subnets - but what you need is to set up DHCP on the main (central) F/W and allow forwarding of DHCP requests to that server.
 
http://www.sonicwall.com/downloads/Site_to_Site_VPN_Using_DHCP_over_VPn__SonicOS_Enhanced_at__.pdf 
0
 

Author Comment

by:williamstechnologygroup
ID: 26293151
Thanks, after thinking about this, maybe I'm making this too difficult. Would the standard way of setting this up be to have the SBS server at the main location handle DHCP and have the router at the remote location handle DHCP for its clients?
As RobWill mentioned, as long as I have the SBS server as the only DNS server at both locations I should be OK with name resolution.
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 26293787
>>"Would the standard way of setting this up be to have the sbs server at the main location handle dhcp and have the router at the remote location handle dhcp for it's clients?"
Yes

>>"as long as I have the sbs server as the only dns server at both locations I should be ok with name resolution."
Yes.
If your router (at the remote site) supports it, add as many scope options as possible:
SBS as DNS (ONLY)
SBS as WINS
domain suffix of the SBS site (MyDomain.local)
If the last option is not present it is a good idea to add it to the remote clients manually, under the NIC advanced DNS tab. If they are members of the domain the suffix will already be present.
0
 

Author Closing Comment

by:williamstechnologygroup
ID: 31673864
Thanks for the help. It will be a while before I set this up, but now I know why I need to set up the separate subnets and how to set up DNS.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 26418999
Thanks williamstechnologygr. Good luck with the project.
Cheers!
--Rob
0
