Solved

Gateway to Gateway IPsec VPN with Active Directory

Posted on 2010-08-23
3
478 Views
Last Modified: 2013-12-23
Need to get a level set on what I know and what I think I know.

We have our main office that has 25 users and 1 Windows 2003 SMB Server that handles Active Directory etc.  The main office already has a firewall that does the DHCP side of things as well as web filtering etc.

Our remote site is going to be coming online soon and will have 5-6 users and at this point no servers at least for now.  

What I would like to do is connect both locations via firewalls using IPsec VPN, but my question becomes can I set up the Active Directory Server with the user accounts for our remote site and have it work like it currently does for our users in the main office (domain authentication, groups, share mapping etc).
0
Comment
Question by:jdk098
3 Comments
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 33507132
The two issues are unrelated, but I'll answer both:
IPSec VPNs do not traverse NAT, so you will need a firewall capable of setting up the tunnel at each site. You've given no indication on whether your current firewall supports this functionality, so you may need to look at getting a second firewall of the same brand, or you may have to look at replacing the firewall. Regardless, your IPSec tunnel will exist separately from your SBS server.
To answer your second question, yes you *can* set up authentication to traverse the VPN link, but generally speaking it is slow and logon times will be poor. If at all possible, it would be better to set up a second server at the remote site and make it an domain controller and use the AD tools to organize your sites appropriately. This will provide a much better user experience.
For applications, you can always set up a terminal server so that heavy network traffic does not have to traverse the WAN.
-Cliff
 
0
 
LVL 16

Assisted Solution

by:JammyPak
JammyPak earned 250 total points
ID: 33521288
Cliff is correct, just make sure that your remote clients are querying a DNS server that is for your internal AD DNS and they will 'find' a DC across the tunnel just fine. Whether you need a DC in the remote site..."it depends"...if the performance is fine then no biggie. I've done both ways, and for 5-6 users I wouldn't spend a lot of money. Remember even if your tunnel is down users can still login using cached credentials to their PC so no one will be locked out if they can't find a DC.
0
 

Author Comment

by:jdk098
ID: 33523744
Cliff - Apologies, to clarify I have a SmoothWall UTM-300 in the main office, and looking to either get the same model for the remote office, or upgrade the main office to the UTM-1000 model and send the UTM-300 to the remote office.  The functionality of both are identical, just one can handle more bandwidth than the other.

JammyPak - Good point I didn't think about the cached credentials on their system.

Also for the sake of clarity both units support IPsec NAT-T, which based on my research allows communication which normally would be lost to what would be a double NAT and because of that should allow the AD Authentication, DNS etc.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Enterprise networks where VoIP phones have been deployed frequently use port configurations that allow both a computer and an IP phone to be plugged into the same switch port but use different VLANs. On Cisco equipment I'm referring to the "native V…
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question