Branch Office VPN Compared to Mobile User VPN

supportoranges asked:

I understand now that for a Mobile User VPN, a client program is used to create a 'tunnel' to resources behind a firewall.  At that point, if there is a Windows Domain behind the firewall and you have your DNS set up right, Windows will put up its authentication box (GINA I guess).

How does it work in the branch office (site-to-site) VPN scenario?

Does the user have to do anything? What makes the tunnel come up? Is his workstation multihomed? How does he get to the shares on the 'other end'? How does it look to him? I've never participated in a VPN so I don't know.
Rick_O_Shay answered:

With a branch office VPN tunnel, everything is done between the VPNs at each end of the connection, and the clients have the appearance of just being on any other routed network.

The user doesn't have to do anything and does not need any extra client software like they do in a user tunnel setup.

Generally the VPNs are configured to bring up the tunnel and use keepalives to keep it active in a semi-permanent state.

The workstation is not multihomed.

All shares and access to remote resources are done the same as any other IP routed environment and controlled by the local administrator.

The tunnel is transparent to the remote user.
supportoranges (asker) replied:

So in the following scenario:
  1.  a domain named midtowndomain is internally 192.168.1.x
  2.  a domain named downtowndomain is internally 192.168.16.x
  3.  hardware appliances set up for a multidirectional branch office VPN

Say I am sitting in midtown. I run Explorer on an XP machine and go to Microsoft Networks.
Would I see downtowndomain listed?
Should I be able to ping 192.168.16.9 if that machine was up, networked and healthy in downtown?
Would I be able to do Run > \\192.168.16.9\sharename?
Would an authentication box pop up?
If so, how is it that a machine in 192.168.1.x can even ping a machine in 192.168.16.x?
Is that because the VPN appliance in the computer room will correctly route it?
I think I see what you are saying.

I've been away from the corporate world for a while, but I remember that you can have different subnets for different departments of a company. In the home office world it's usually a single subnet.

So if I imagine just multiple subnets within midtown it may help me to understand.
I have done some poking around in an old firewall.

Since IPsec has routing policies, I guess the firewall in midtown searches the IPsec routing to understand that traffic addressed to downtown must go through the tunnel.

Would this be correct?

So in this way the Firewall in front of the router of midtown ROUTES traffic out through the gateway all the way to downtown.

Have I got this right?

The way names are resolved I guess is that the VPN tunnel holds enough DNS info because the DNS info is buried within the firewalls.
Rick_O_Shay answered (accepted solution):

You can set up the remote site's client PCs to use the DNS server at the local site if you want to. You could also use DHCP through the tunnel to the remote private side network if you want to assign addresses and DNS that way.
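The two answers above describe the same mechanism from two angles: the gateways decide which packets enter the tunnel (the "IP routed environment"), and a client at one site can therefore point at a DNS server at the other site as long as that server's address is covered by the tunnel policy. The following model is an added illustration for this thread; it is not WatchGuard code and not the original poster's configuration. The 192.168.1.0/24 and 192.168.16.0/24 subnets come from the thread; the second midtown subnet (192.168.2.0/24), the DNS server addresses, the host names and the zone contents are constructed so the example runs offline and shows the "one machine can't see another" failure as well as the working case.

```python
"""Branch-office VPN routing and cross-site name resolution, modelled in Python.

Added example; not WatchGuard code and not the poster's configuration.
The midtown/downtown subnets follow the thread; the 192.168.2.0/24 subnet,
DNS server addresses, host names and zone data are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class TunnelPolicy:
    """One IPsec traffic selector: packets with src in `local` and dst in
    `remote` are encapsulated and sent to the peer gateway."""
    name: str
    local: IPv4Network
    remote: IPv4Network


@dataclass(frozen=True)
class Gateway:
    lans: tuple       # subnets directly behind this firewall
    policies: tuple   # branch-office tunnels this firewall terminates


# Midtown gateway. The second LAN is a constructed departmental subnet that the
# tunnel policy deliberately does not cover.
MIDTOWN = Gateway(
    lans=(ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")),
    policies=(TunnelPolicy("to-downtown", ip_network("192.168.1.0/24"),
                           ip_network("192.168.16.0/24")),),
)

# Downtown gateway: the mirror image of the midtown policy. Keepalives hold the
# security association up, so clients never have to "dial" anything.
DOWNTOWN = Gateway(
    lans=(ip_network("192.168.16.0/24"),),
    policies=(TunnelPolicy("to-midtown", ip_network("192.168.16.0/24"),
                           ip_network("192.168.1.0/24")),),
)


def route_packet(gw: Gateway, src: str, dst: str) -> str:
    """Where the gateway sends a packet: 'lan', 'tunnel:<name>', 'internet' or 'drop'."""
    s, d = ip_address(src), ip_address(dst)
    if any(d in lan for lan in gw.lans):
        return "lan"                      # local subnet: delivered directly, tunnel not involved
    for p in gw.policies:
        if s in p.local and d in p.remote:
            return f"tunnel:{p.name}"     # selector matched: ESP-encapsulated to the peer
    if d.is_private:
        return "drop"                     # RFC 1918 destination no policy covers: unroutable
    return "internet"                     # everything else leaves via the default route


def resolve(gw: Gateway, fqdn: str, client_ip: str, dns_server: str, zone: dict):
    """Simulate a client sending a DNS query to its configured server over
    whatever path its gateway chooses. Returns (path, answer); the answer is ''
    when the query cannot reach the server or the zone has no record."""
    path = route_packet(gw, client_ip, dns_server)
    if path == "drop":
        return path, ""                   # query never arrives: the classic "can't see the other site"
    return path, zone.get(fqdn.lower().rstrip("."), "")


# Constructed zone data served by the midtown DNS server at 192.168.1.2. It
# also holds the downtown names, so one server answers for both sites.
MIDTOWN_DNS = "192.168.1.2"
ZONE = {
    "fileserver.midtowndomain.local": "192.168.1.20",
    "downtowncomputer.downtowndomain.local": "192.168.16.9",
}

if __name__ == "__main__":
    # Midtown client pinging 192.168.16.9: selector matches, goes through the tunnel.
    print(route_packet(MIDTOWN, "192.168.1.50", "192.168.16.9"))
    # Same destination from the uncovered departmental subnet: nowhere to send it.
    print(route_packet(MIDTOWN, "192.168.2.50", "192.168.16.9"))
    # Downtown client pointed at the midtown DNS server, as the answer suggests.
    print(resolve(DOWNTOWN, "downtowncomputer.downtowndomain.local",
                  "192.168.16.50", MIDTOWN_DNS, ZONE))
```

The `drop` branch is the case worth remembering when troubleshooting: if a client's subnet, or the DNS server it is configured to use, is not inside the tunnel's traffic selectors on both gateways, nothing fails loudly; the packets simply have no route and name resolution times out.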

Thank you for drawing my attention to "IP routed environment".

Come time to troubleshoot I think I have enough of an understanding to begin to troubleshoot why "one machine can't see another" if it comes up.

Gee people out there seem to be having a lot of trouble with VPNs which makes them a bit intimidating!
With the mobile VPN connection I am putting in place, the internal network behind the firewall uses static ip addressing.  My understanding is that the mobile VPN client program 'gets' DNS info from the firewall (Watchguard x750e) as well as a Virtual IP address from the 'pool'.

But now I am worried about how the site-to-site will get DNS information for name resolution.

Oh I know.  I betcha it will occur because the DNS values are buried in the firewalls.

I betcha site-to-site VPN must use the DNS settings in the firewalls.  

I'm not concerned with addressing because the midtown network is run by a third party (that has yet to ever call me), but I do have control over the downtown hardware.

I do have big concerns about DNS because it seems everybody on the net has troubles with VPN and DNS.

I would guess that if somebody in downtown tried to go to \\downtowncomputer\shareA, the midtown firewall would resolve this because it has the address of the DNS server downtown.

Your feedback is valuable.

The last sentence should read:

I would guess that if somebody in midtown tried to go to \\downtowncomputer\shareA, the midtown firewall would resolve this because it has the address of the DNS server downtown.