Solved

Gateway to Gateway IPsec VPN with Active Directory

Posted on 2010-08-23
3
450 Views
Last Modified: 2013-12-23
Need to get a level set on what I know and what I think I know.

We have our main office that has 25 users and 1 Windows 2003 SMB Server that handles Active Directory etc.  The main office already has a firewall that does the DHCP side of things as well as web filtering etc.

Our remote site is going to be coming online soon and will have 5-6 users and at this point no servers at least for now.  

What I would like to do is connect both locations via firewalls using IPsec VPN, but my question becomes can I set up the Active Directory Server with the user accounts for our remote site and have it work like it currently does for our users in the main office (domain authentication, groups, share mapping etc).
0
Comment
Question by:jdk098
3 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 250 total points
Comment Utility
The two issues are unrelated, but I'll answer both:
IPSec VPNs do not traverse NAT, so you will need a firewall capable of setting up the tunnel at each site. You've given no indication on whether your current firewall supports this functionality, so you may need to look at getting a second firewall of the same brand, or you may have to look at replacing the firewall. Regardless, your IPSec tunnel will exist separately from your SBS server.
To answer your second question, yes you *can* set up authentication to traverse the VPN link, but generally speaking it is slow and logon times will be poor. If at all possible, it would be better to set up a second server at the remote site and make it an domain controller and use the AD tools to organize your sites appropriately. This will provide a much better user experience.
For applications, you can always set up a terminal server so that heavy network traffic does not have to traverse the WAN.
-Cliff
 
0
 
LVL 16

Assisted Solution

by:JammyPak
JammyPak earned 250 total points
Comment Utility
Cliff is correct, just make sure that your remote clients are querying a DNS server that is for your internal AD DNS and they will 'find' a DC across the tunnel just fine. Whether you need a DC in the remote site..."it depends"...if the performance is fine then no biggie. I've done both ways, and for 5-6 users I wouldn't spend a lot of money. Remember even if your tunnel is down users can still login using cached credentials to their PC so no one will be locked out if they can't find a DC.
0
 

Author Comment

by:jdk098
Comment Utility
Cliff - Apologies, to clarify I have a SmoothWall UTM-300 in the main office, and looking to either get the same model for the remote office, or upgrade the main office to the UTM-1000 model and send the UTM-300 to the remote office.  The functionality of both are identical, just one can handle more bandwidth than the other.

JammyPak - Good point I didn't think about the cached credentials on their system.

Also for the sake of clarity both units support IPsec NAT-T, which based on my research allows communication which normally would be lost to what would be a double NAT and because of that should allow the AD Authentication, DNS etc.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

This article is in response to a question (http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28230497.html) here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now