Solved

Gateway to Gateway IPsec VPN with Active Directory

Posted on 2010-08-23
3
503 Views
Last Modified: 2013-12-23
Need to get a level set on what I know and what I think I know.

We have our main office that has 25 users and 1 Windows 2003 SMB Server that handles Active Directory etc.  The main office already has a firewall that does the DHCP side of things as well as web filtering etc.

Our remote site is going to be coming online soon and will have 5-6 users and at this point no servers at least for now.  

What I would like to do is connect both locations via firewalls using IPsec VPN, but my question becomes can I set up the Active Directory Server with the user accounts for our remote site and have it work like it currently does for our users in the main office (domain authentication, groups, share mapping etc).
0
Comment
Question by:jdk098
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 33507132
The two issues are unrelated, but I'll answer both:
IPSec VPNs do not traverse NAT, so you will need a firewall capable of setting up the tunnel at each site. You've given no indication on whether your current firewall supports this functionality, so you may need to look at getting a second firewall of the same brand, or you may have to look at replacing the firewall. Regardless, your IPSec tunnel will exist separately from your SBS server.
To answer your second question, yes you *can* set up authentication to traverse the VPN link, but generally speaking it is slow and logon times will be poor. If at all possible, it would be better to set up a second server at the remote site and make it an domain controller and use the AD tools to organize your sites appropriately. This will provide a much better user experience.
For applications, you can always set up a terminal server so that heavy network traffic does not have to traverse the WAN.
-Cliff
 
0
 
LVL 16

Assisted Solution

by:JammyPak
JammyPak earned 250 total points
ID: 33521288
Cliff is correct, just make sure that your remote clients are querying a DNS server that is for your internal AD DNS and they will 'find' a DC across the tunnel just fine. Whether you need a DC in the remote site..."it depends"...if the performance is fine then no biggie. I've done both ways, and for 5-6 users I wouldn't spend a lot of money. Remember even if your tunnel is down users can still login using cached credentials to their PC so no one will be locked out if they can't find a DC.
0
 

Author Comment

by:jdk098
ID: 33523744
Cliff - Apologies, to clarify I have a SmoothWall UTM-300 in the main office, and looking to either get the same model for the remote office, or upgrade the main office to the UTM-1000 model and send the UTM-300 to the remote office.  The functionality of both are identical, just one can handle more bandwidth than the other.

JammyPak - Good point I didn't think about the cached credentials on their system.

Also for the sake of clarity both units support IPsec NAT-T, which based on my research allows communication which normally would be lost to what would be a double NAT and because of that should allow the AD Authentication, DNS etc.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question