Solved

Gateway to Gateway IPsec VPN with Active Directory

Posted on 2010-08-23
3
514 Views
Last Modified: 2013-12-23
Need to get a level set on what I know and what I think I know.

We have our main office that has 25 users and 1 Windows 2003 SMB Server that handles Active Directory etc.  The main office already has a firewall that does the DHCP side of things as well as web filtering etc.

Our remote site is going to be coming online soon and will have 5-6 users and at this point no servers at least for now.  

What I would like to do is connect both locations via firewalls using IPsec VPN, but my question becomes can I set up the Active Directory Server with the user accounts for our remote site and have it work like it currently does for our users in the main office (domain authentication, groups, share mapping etc).
0
Comment
Question by:jdk098
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 33507132
The two issues are unrelated, but I'll answer both:
IPSec VPNs do not traverse NAT, so you will need a firewall capable of setting up the tunnel at each site. You've given no indication on whether your current firewall supports this functionality, so you may need to look at getting a second firewall of the same brand, or you may have to look at replacing the firewall. Regardless, your IPSec tunnel will exist separately from your SBS server.
To answer your second question, yes you *can* set up authentication to traverse the VPN link, but generally speaking it is slow and logon times will be poor. If at all possible, it would be better to set up a second server at the remote site and make it an domain controller and use the AD tools to organize your sites appropriately. This will provide a much better user experience.
For applications, you can always set up a terminal server so that heavy network traffic does not have to traverse the WAN.
-Cliff
 
0
 
LVL 16

Assisted Solution

by:JammyPak
JammyPak earned 250 total points
ID: 33521288
Cliff is correct, just make sure that your remote clients are querying a DNS server that is for your internal AD DNS and they will 'find' a DC across the tunnel just fine. Whether you need a DC in the remote site..."it depends"...if the performance is fine then no biggie. I've done both ways, and for 5-6 users I wouldn't spend a lot of money. Remember even if your tunnel is down users can still login using cached credentials to their PC so no one will be locked out if they can't find a DC.
0
 

Author Comment

by:jdk098
ID: 33523744
Cliff - Apologies, to clarify I have a SmoothWall UTM-300 in the main office, and looking to either get the same model for the remote office, or upgrade the main office to the UTM-1000 model and send the UTM-300 to the remote office.  The functionality of both are identical, just one can handle more bandwidth than the other.

JammyPak - Good point I didn't think about the cached credentials on their system.

Also for the sake of clarity both units support IPsec NAT-T, which based on my research allows communication which normally would be lost to what would be a double NAT and because of that should allow the AD Authentication, DNS etc.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question