Branch Office VPN Compared to Mobile User VPN

I understand now that for a Mobile User VPN, a client program is used to create a 'tunnel' to resources behind a firewall.  At that point, if there is a Windows Domain behind the firewall and you have your DNS set up right, Windows will put up its authentication box (GINA, I guess).

How does it work in the branch office (site-to-site) VPN scenario?

Does the user have to do anything?  What makes the tunnel come up?  Is his workstation multihomed?   How does he get to the shares on the 'other end'?  How does it look to him?  I've never participated in a VPN, so I don't know.

With a branch office VPN tunnel, everything is done between the VPNs at each end of the connection, and to the clients it appears to be just like any other routed network.
The user doesn't have to do anything and does not need any extra client software like they do in a user tunnel setup.

Generally the VPNs are configured to bring up the tunnel and use keepalives to keep it active in a semi-permanent state.

The workstation is not multihomed.

All shares and access to remote resources are done the same as any other IP routed environment and controlled by the local administrator.

The tunnel is transparent to the remote user.
supportorangesAuthor Commented:
So in the following scenario:
  1.  domain named midtowndomain is internally 192.168.1.x
  2.  domain named downtowndomain is internally 192.168.16.x
  3.  hardware appliances set up for multidirectional branch office VPN

Say I am sitting in midtown.
I run Explorer on an XP machine.
I go to Microsoft Networks.
Would I see downtowndomain listed?
Should I be able to ping if that machine was up, networked and healthy in downtown?
Would I be able to do Run > \\\sharename?
Would an authentication box pop up?
If so, how is it that a machine in 192.168.1.x can even ping a machine in 192.168.16.x?
Is that because the VPN appliance in the computer room will correctly route it?
supportorangesAuthor Commented:
I think I see what you are saying.

I've been away from the corporate world for a while, but I remember that you can have different subnets for different departments of a company.

In the home office world it's usually a single subnet.

So if I imagine just multiple subnets within midtown it may help me to understand.

supportorangesAuthor Commented:
I have done some poking around in an old firewall.

Since IPsec has routing policies...

I guess the firewall in midtown searches the IPsec routing policies to understand that traffic addressed to downtown must go through the tunnel.

Would this be correct?

So in this way the Firewall in front of the router of midtown ROUTES traffic out through the gateway all the way to downtown.

Have I got this right?

The way names are resolved I guess is that the VPN tunnel holds enough DNS info because the DNS info is buried within the firewalls.
You are correct. It looks like just another subnet. As long as the routers at each side have access to the networks at the other sites, you can get to them. If the only routers involved are the two VPNs, then you are OK with just the normal operation of the branch office tunnel, which basically routes to each side's private network.

You can set up the remote site's client PCs to use the DNS server at the local site if you want to. You could also use DHCP through the tunnel to the remote private side network if you want to assign addresses and DNS that way.
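The answers above describe the site-to-site tunnel as "just another routed subnet": the workstation has one NIC and a default gateway, the firewall's IPsec policy (selector) table decides which packets are encapsulated, and name resolution for the remote domain works only if the remote DNS server is itself reachable through the tunnel. The following is an added example, not code from the thread or from any WatchGuard product, that models exactly that decision path. The subnets are the ones in the thread (midtown 192.168.1.0/24, downtown 192.168.16.0/24); the gateway, peer and DNS server addresses, the policy table and the DNS forwarder table are constructed assumptions for illustration.

```python
"""Added example (not from the original thread): a small model of a
policy-based site-to-site IPsec tunnel.  It shows why the workstation needs
no extra client or second NIC, which traffic the firewall tunnels, and how a
split-DNS forwarder for the remote domain depends on the tunnel policy
covering the remote DNS server's address.

Subnets come from the thread; every other address and table below is a
constructed assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IPsecPolicy:
    """One IPsec 'routing policy' (SPD entry): packets matching the
    local -> remote selectors are encapsulated and sent to the peer."""
    name: str
    local: str   # local subnet selector
    remote: str  # remote subnet selector
    peer: str    # public address of the far-end VPN appliance (assumed)


# Constructed midtown firewall policy table (assumption).
MIDTOWN_POLICIES = [
    IPsecPolicy("midtown-to-downtown",
                "192.168.1.0/24", "192.168.16.0/24", "203.0.113.20"),
]

# Constructed midtown workstation routing table: a single NIC whose default
# gateway is the firewall.  Nothing here mentions the tunnel at all.
MIDTOWN_WORKSTATION_ROUTES = {
    "192.168.1.0/24": "on-link",
    "0.0.0.0/0": "192.168.1.1",  # firewall / VPN appliance (assumed address)
}

# Constructed split-DNS forwarding table on the midtown resolver (assumption):
# names under downtowndomain go to the downtown DNS server across the tunnel.
DNS_FORWARDERS = {
    "downtowndomain": "192.168.16.10",
    "": "192.168.1.10",  # default: midtown's own DNS server
}


def next_hop(routes, dst):
    """Longest-prefix match over a host routing table."""
    best_net, best_gw = None, None
    for prefix, gw in routes.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def firewall_path(policies, src, dst):
    """What the firewall does with a packet: the name of the matching tunnel
    policy, or 'clear' (ordinary routing / NAT towards the internet)."""
    for p in policies:
        if ip_address(src) in ip_network(p.local) and ip_address(dst) in ip_network(p.remote):
            return p.name
    return "clear"


def path_for(routes, policies, src, dst):
    """End-to-end view from the workstation: local LAN, a named tunnel, or clear."""
    if next_hop(routes, dst) == "on-link":
        return "local-lan"
    return firewall_path(policies, src, dst)


def resolver_for(name):
    """Pick the forwarder whose zone suffix matches the most labels."""
    labels = name.lower().rstrip(".").split(".")
    best_zone, best_len = "", 0
    for zone in DNS_FORWARDERS:
        zl = zone.split(".") if zone else []
        if len(zl) > best_len and labels[-len(zl):] == zl:
            best_zone, best_len = zone, len(zl)
    return DNS_FORWARDERS[best_zone]


def dns_query_path(routes, policies, src, name):
    """Which resolver a lookup for `name` from `src` is sent to, and how the
    query gets there.  'clear' means the query to a private resolver address
    would leave the firewall unencapsulated and never reach the far side."""
    resolver = resolver_for(name)
    return resolver, path_for(routes, policies, src, resolver)


if __name__ == "__main__":
    ws = "192.168.1.50"  # a midtown workstation (assumed address)
    for dst in ("192.168.16.25", "192.168.1.77", "8.8.8.8"):
        print(dst, "->", path_for(MIDTOWN_WORKSTATION_ROUTES, MIDTOWN_POLICIES, ws, dst))
    print(dns_query_path(MIDTOWN_WORKSTATION_ROUTES, MIDTOWN_POLICIES, ws,
                         "downtowncomputer.downtowndomain"))
    # Failure mode: a remote selector narrower than the downtown subnet leaves
    # the downtown DNS server outside the tunnel, so the forwarder is unreachable.
    narrow = [IPsecPolicy("midtown-to-downtown",
                          "192.168.1.0/24", "192.168.16.128/25", "203.0.113.20")]
    print(dns_query_path(MIDTOWN_WORKSTATION_ROUTES, narrow, ws,
                         "downtowncomputer.downtowndomain"))
```

The point of the last case is the one practitioners trip over: the tunnel selectors are the only thing that puts a packet into the tunnel, so a DNS server (or DHCP relay target) whose address falls outside the remote selector is unreachable even though pings to other downtown hosts succeed. The selectors also double as an access boundary, so keep them to the subnets that actually need to talk and apply ordinary firewall policy to traffic arriving from the tunnel rather than treating the far side as fully trusted.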
supportorangesAuthor Commented:
Thank you for drawing to my attention "IP Routed environment".

Come time to troubleshoot I think I have enough of an understanding to begin to troubleshoot why "one machine can't see another" if it comes up.

Gee, people out there seem to be having a lot of trouble with VPNs, which makes them a bit intimidating!
supportorangesAuthor Commented:
With the mobile VPN connection I am putting in place, the internal network behind the firewall uses static ip addressing.  My understanding is that the mobile VPN client program 'gets' DNS info from the firewall (Watchguard x750e) as well as a Virtual IP address from the 'pool'.

But now I am worried about how the site-to-site will get DNS information for name resolution.

Oh I know.  I betcha it will occur because the DNS values are buried in the firewalls.

I betcha site-to-site VPN must use the DNS settings in the firewalls.  

I'm not concerned with addressing because the midtown network is run by a third party (that has yet to ever call me), but I do have control over the downtown hardware.

I do have big concerns about DNS because it seems everybody on the net has troubles with VPN and DNS.

I would guess that if somebody in downtown tried to go to \\downtowncomputer\shareA that the midtown firewall would resolve this because it has address of dns server downtown.


supportorangesAuthor Commented:
last sentence should read:

I would guess that if somebody in midtown tried to go to \\downtowncomputer\shareA that the midtown firewall would resolve this because it has address of dns server downtown.