Solved

Gateway to Gateway IPsec VPN with Active Directory

Posted on 2010-08-23
Last Modified: 2013-12-23
Need to get a level set on what I know and what I think I know.

We have our main office that has 25 users and 1 Windows 2003 SMB Server that handles Active Directory etc. The main office already has a firewall that does the DHCP side of things as well as web filtering etc.

Our remote site is going to be coming online soon and will have 5-6 users and at this point no servers at least for now.  

What I would like to do is connect both locations via firewalls using IPsec VPN, but my question becomes can I set up the Active Directory Server with the user accounts for our remote site and have it work like it currently does for our users in the main office (domain authentication, groups, share mapping etc).
Question by:jdk098
3 Comments
 
LVL 59

Accepted Solution

by: Cliff Galiher (earned 1000 total points)
ID: 33507132
The two issues are unrelated, but I'll answer both:
IPSec VPNs do not traverse NAT, so you will need a firewall capable of setting up the tunnel at each site. You've given no indication on whether your current firewall supports this functionality, so you may need to look at getting a second firewall of the same brand, or you may have to look at replacing the firewall. Regardless, your IPSec tunnel will exist separately from your SBS server.
To answer your second question, yes you *can* set up authentication to traverse the VPN link, but generally speaking it is slow and logon times will be poor. If at all possible, it would be better to set up a second server at the remote site, make it a domain controller, and use the AD tools to organize your sites appropriately. This will provide a much better user experience.
For applications, you can always set up a terminal server so that heavy network traffic does not have to traverse the WAN.
-Cliff
LVL 16

Assisted Solution

by: JammyPak (earned 1000 total points)
ID: 33521288
Cliff is correct, just make sure that your remote clients are querying a DNS server that is for your internal AD DNS and they will 'find' a DC across the tunnel just fine. Whether you need a DC in the remote site..."it depends"...if the performance is fine then no biggie. I've done both ways, and for 5-6 users I wouldn't spend a lot of money. Remember even if your tunnel is down users can still login using cached credentials to their PC so no one will be locked out if they can't find a DC.

Author Comment

by:jdk098
ID: 33523744
Cliff - Apologies, to clarify I have a SmoothWall UTM-300 in the main office, and I am looking to either get the same model for the remote office, or upgrade the main office to the UTM-1000 model and send the UTM-300 to the remote office. The functionality of both is identical; one can just handle more bandwidth than the other.

JammyPak - Good point I didn't think about the cached credentials on their system.

Also, for the sake of clarity, both units support IPsec NAT-T, which based on my research allows communication that would normally be lost to what would be a double NAT, and because of that should allow the AD authentication, DNS etc.
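A quick way to confirm JammyPak's point (remote clients must use the internal AD DNS servers to find a DC across the tunnel) and to check the ports the firewall policy on both SmoothWall units has to pass. This is an added diagnostic script, not anything posted in the thread; it assumes a domain-joined Windows client at the remote site with PowerShell 3+, and `$Domain` is a placeholder for your AD domain name.

```powershell
# Added example (not from the thread): run from a remote-site workstation to verify
# DC discovery and reachability across the IPsec tunnel. $Domain is a placeholder.
param(
    [string]$Domain = 'corp.example.local'   # placeholder, replace with your AD DNS domain
)

# 1. Which DNS servers is this client using? They must be the internal AD DNS servers
#    (normally the DC itself), not the firewall/ISP resolver, or the SRV lookup below fails.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Locate a DC through the _ldap._tcp.dc._msdcs SRV record domain clients rely on.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No DC SRV records for $Domain - client is not using AD DNS" }
$dcHost = ($srv | Sort-Object Priority, Weight | Select-Object -First 1).NameTarget
"DC selected from DNS: $dcHost"

# 3. TCP ports a domain logon and share mapping need through the tunnel.
#    (The NAT-T traffic itself, UDP 500/4500, is firewall-to-firewall and not tested here.)
$ports = @{ Kerberos = 88; LDAP = 389; SMB = 445; 'RPC endpoint mapper' = 135 }
foreach ($p in $ports.GetEnumerator()) {
    $ok = (Test-NetConnection -ComputerName $dcHost -Port $p.Value `
              -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-20} {1,4} {2}' -f $p.Key, $p.Value, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 4. Ask Netlogon which DC it actually picks (also reports the AD site it thinks it is in).
nltest /dsgetdc:$Domain

# 5. Cached credentials: number of logons Windows keeps locally when no DC is reachable.
#    Windows default is 10; 0 means nobody can log on while the tunnel is down.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"CachedLogonsCount: " + (Get-ItemProperty -Path $winlogon).CachedLogonsCount
```

If step 2 fails while step 1 shows the firewall's address as the DNS server, the fix is the DHCP scope (or the tunnel's DNS settings), not the VPN itself.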
