Branch Office VPN Compared to Mobile User VPN

I understand now that for a Mobile User VPN, a client program is used to create a 'tunnel' to resources behind a firewall.  At that point, if there is a Windows Domain behind the firewall and you have your DNS set up right, Windows will put up its authentication box (GINA I guess).

How does it work in the branch office (site-to-site) VPN scenario?

Does the user have to do anything??  What makes the tunnel come up??  Is his workstation multihomed?   How does he get to the shares on the 'other end'?  How does it look to him?  I've never participated in a VPN so I don't know.
You are correct. It looks like just another subnet. As long as the routers at each side have access to the networks at the other sites you can get to them. If the only routers involved are the two VPNs then you are OK with just the normal operation of the branch office tunnel, which basically routes to each side's private network.
With a branch office VPN tunnel everything is done between the VPNs at each end of the connection and the clients have the appearance of just being like any other routed network.
The user doesn't have to do anything and does not need any extra client software like they do in a user tunnel set up.

Generally the VPNs are configured to bring up the tunnel and use keepalives to keep it active in a semi-permanent state.

The workstation is not multihomed.

All shares and access to remote resources are done the same as any other IP routed environment and controlled by the local administrator.

The tunnel is transparent to the remote user.
supportorangesAuthor Commented:
So in the following scenario:
  1.  domain named midtowndomain is internally 192.168.1.x
  2.  domain named downtowndomain is internally 192.168.16.x
  3.  hardware appliances set up for multidirectional branch office VPN

Say I am sitting in midtown.
I run Explorer on an XP machine.
I go to Microsoft Networks.
Would I see downtowndomain listed?
Should I be able to ping if that machine was up, networked and healthy in downtown?
Would I be able to do run>\\\sharename?
Would an authentication box pop up?
If so, how is it that a machine in 192.168.1.x can even ping a machine in 192.168.16.x?
Is that because the VPN appliance in the computer room will correctly route it?
supportorangesAuthor Commented:
I think I see what you are saying.

I've been away from the corporate world for a while, but I remember that you can have different subnets for different departments of a company.

In the home office world it's usually a single subnet.

So if I imagine just multiple subnets within midtown it may help me to understand.
supportorangesAuthor Commented:
I have done some poking around in an old firewall.

Since IPsec has routing policies...

I guess the firewall in midtown searches the IPsec routing to understand that traffic addressed to downtown must go through the tunnel.

Would this be correct?

So in this way the Firewall in front of the router of midtown ROUTES traffic out through the gateway all the way to downtown.

Have I got this right?

The way names are resolved I guess is that the VPN tunnel holds enough DNS info because the DNS info is buried within the firewalls.
You can set up the remote site's client PCs to use the DNS server at the local site if you want to. You could also use DHCP through the tunnel to the remote private side network if you want to assign addresses and DNS that way.
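As an added illustration of the "IP routed environment" point and of why DNS through the tunnel stands or falls with the same rule, the following Python model is not from this thread or from any firewall vendor. It assumes a simple policy-based IPsec selector (the Policy class), uses the thread's 192.168.1.x and 192.168.16.x subnets, and invents 192.168.17.x as a second downtown subnet that was left out of the selector.

```python
"""Model of how a branch-office firewall decides whether a packet belongs in the
IPsec tunnel. Constructed example, not taken from the thread or any vendor."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One IPsec traffic selector: local subnet <-> remote subnet (assumed shape)."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

# Constructed midtown firewall configuration (addresses from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")            # midtown LAN
POLICIES = [
    Policy("to-downtown", ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("192.168.16.0/24")),
]

def classify(src: str, dst: str, policies=POLICIES, lan=LAN) -> str:
    """Return how the firewall handles a packet from src to dst.

    'local'    - both ends on the LAN, the firewall never sees it (switched)
    'tunnel:X' - matches IPsec selector X, encrypted and sent to the peer
    'internet' - no selector matches, forwarded in the clear to the default route
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in lan and d in lan:
        return "local"
    for p in policies:
        # Selector match is symmetric: traffic may originate from either side.
        if (s in p.local and d in p.remote) or (s in p.remote and d in p.local):
            return f"tunnel:{p.name}"
    return "internet"

def check_name_resolution(client: str, dns_server: str, policies=POLICIES) -> bool:
    """A remote-site DNS server is only reachable if the UDP/53 query itself
    is placed in the tunnel, which is why DNS and VPN problems show up together."""
    return classify(client, dns_server, policies).startswith("tunnel:")

if __name__ == "__main__":
    for flow in [("192.168.1.50", "192.168.1.10"),
                 ("192.168.1.50", "192.168.16.20"),
                 ("192.168.1.50", "192.168.17.20"),   # downtown subnet missing from selector
                 ("192.168.1.50", "203.0.113.10")]:
        print(flow, "->", classify(*flow))
    print("downtown DNS reachable:", check_name_resolution("192.168.1.50", "192.168.16.5"))
```

The 192.168.17.20 case is the "one machine can't see another" symptom: the packet is routed, but to the default gateway rather than into the tunnel, because no selector covers that subnet.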
supportorangesAuthor Commented:
Thank you for drawing to my attention "IP Routed environment".

Come time to troubleshoot I think I have enough of an understanding to begin to troubleshoot why "one machine can't see another" if it comes up.

Gee, people out there seem to be having a lot of trouble with VPNs, which makes them a bit intimidating!
supportorangesAuthor Commented:
With the mobile VPN connection I am putting in place, the internal network behind the firewall uses static IP addressing.  My understanding is that the mobile VPN client program 'gets' DNS info from the firewall (Watchguard x750e) as well as a Virtual IP address from the 'pool'.

But now I am worried about how the site-to-site will get DNS information for name resolution.

Oh I know.  I betcha it will occur because the DNS values are buried in the firewalls.

I betcha site-to-site VPN must use the DNS settings in the firewalls.  

I'm not concerned with addressing because the midtown network is run by a third party (that has yet to ever call me), but I do have control over the downtown hardware.

I do have big concerns about DNS because it seems everybody on the net has troubles with VPN and DNS.

I would guess that if somebody in downtown tried to go to \\downtowncomputer\shareA the midtown firewall would resolve this because it has the address of the DNS server downtown.

Your feedback is valuable.

supportorangesAuthor Commented:
last sentence should read:

I would guess that if somebody in midtown tried to go to \\downtowncomputer\shareA the midtown firewall would resolve this because it has the address of the DNS server downtown.