Solved

VPN recommendation

Posted on 2010-11-29
17
677 Views
Last Modified: 2012-05-10
What hardware and/or software combinations do you recommend to accomplish this?

Three office locations each with AT&T U-verse 12down/1.5up

Two (2) users at each remote location, and 8 users at main location. Would like the two remote offices to connect with VPN to main office server.

Users from remote offices will connect across VPN to:
1. Open, create, save Word & Excel docs
2. Connect to QuickBooks
3. Access their "mapped" network drive
0
Question by:mwyatt
17 Comments
 
LVL 3

Expert Comment

by:amateusn
ID: 34232110
I recommend you have a medium-hardware (Core i3, 500GB, Asus MB) local server in the main office with Windows Server installed, which will also have a VPN server installed. From this server you connect a 16-port switch to share the network in the main office. The VPN users will have a client which will connect to the VPN server and will be connected to your network as well.
0
 
LVL 6

Expert Comment

by:ajb2222
ID: 34232344
The VPN is usually part of the router/firewall which connects your office to the network.

If you don't mind open source and have a few old desktops around, you can build your own.

Look into IPCop and openVPN

http://thinkhole.org/wp/2006/03/28/ipcop-openvpn-howto/
0
 

Author Comment

by:mwyatt
ID: 34232476
amateusn -
I forgot to mention that I already have the server, and desktop PCs in each location, and their access to the internet will be via a router like the Linksys RV042 (don't have routers yet, though).  

ajb2222 -
Any benefit of VPN hardware appliance over software (OpenVPN)?  I haven't tried the VPN features of a router, but I assume I can connect both remote offices to the main office - meaning the PCs at the remote offices don't need a VPN client as the RV042 handles that on both ends, right?
0
 
LVL 3

Accepted Solution

by:
flakier earned 125 total points
ID: 34232604
If you value stability and a "set it and forget it" level of service, I recommend getting dedicated routers or firewalls and setting up a site-to-site VPN tunnel between the remote sites and the main location.

Check out the Cisco ASA series or Juniper SRX series firewall devices.  With the small number of users, the lower models should have plenty of performance.

Another option is a router with IPsec capabilities such as the Cisco 881 or 891 series ISR.  These routers can also be ordered with wireless support, which may be an additional wanted feature.
0
 
LVL 3

Expert Comment

by:amateusn
ID: 34232651
So just use a program to fix your IP by name, then install a VPN server in the main office and the clients on the other 2 PCs that will access the office.
0
 
LVL 6

Expert Comment

by:ajb2222
ID: 34232842
I don't see any advantages of hardware over software.  We had a second office connected to the main office using two old Pentium-based PCs running IPCop and OpenVPN.  Once these two machines were installed they created a VPN tunnel between the two sites.  No other client was required on the remote machines.  

The advantage I see in software based routing is the expandability.  There are many plug-ins for IPCop.  Later you could add a Proxy.

0
 

Author Comment

by:mwyatt
ID: 34232850
Yes, a "set and forget" is desired.  Plus, I am concerned about performance.  I've played around with Hamachi and cringed at the excruciating slowness of file transfers and opening/saving even a small Excel file.

I don't expect VPN speed to be just like the local LAN, but I do want those 3 things I originally mentioned to be reasonably accessible.
0
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 125 total points
ID: 34232884
Assuming that you have a single public IP address per site then a gateway/router like the RV042 should work fine.  Presumably the public IP addresses will all be *static* which you either already have or can work out with your ISP.

Each site must be on a separate LAN subnet.

You may not have name service depending on how you have it set up.  But, that's generally OK as you can use the server IP address(es) for mapping, etc.  That means static addresses on the LAN as well in those places that need it.

1.5 UP is a limitation in performance as you are likely used to having 100 or 1000 on the LANs.
The UP speed limits *every* transfer on the VPN as while one site is going DOWN, the other site is going UP.

Given the limitation, I don't think that QuickBooks is going to work very well if at all.  Some depends on what you're doing with it remotely.  I've had to replace wireless connections with wired connections to get QuickBooks payroll working well.  Otherwise it was just too slow.  I don't recall the wireless speeds but let's assume they were at least 11mbps.  That's a lot higher than 1.5 so ......  This is something you can read about.  This experience is a few years old so maybe Intuit has changed their bandwidth requirements by now.  I do have systems using QuickBooks with wireless that seem to work OK.  But, you're probably a factor of 40 slower than they would be with your 1.5 UP.

I can relate this actual experience:  
- Very similar situation with 3 sites served by DSL with 3Mbps DOWN / 0.5Mbps UP.
- The UP speed was so poor that the system was only used for a few critical things and not so generally as you describe here.  Consider that your UP speed is only 3X better than this one.  I don't think that's enough to help all that much.
- An occasional Word document of the typical size will probably be OK with what you plan.
- I wouldn't count on it to support file backups of large volume.
0

 

Author Comment

by:mwyatt
ID: 34233110
fmarshall -
Yes, these will be static IP at each location. I had read in another thread that Quickbooks was "chatty", yielding poor performance over VPN. So I'm bummed to hear about your Quickbooks story. What was your solution to that scenario?

To anyone -
Is there an alternative where each remote site can connect to the main office with the look and feel of being on the local LAN?
0
 
LVL 4

Assisted Solution

by:SteveeB
SteveeB earned 125 total points
ID: 34233848
SSL VPN, no client VPN software, end users go to a website, login and have links to resources you assign them. It may be network shares, RDP, internal websites etc.

Look at http://www.sonicwall.com/us/products/5109.html

0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 34235015
The solution in the one case was to wire the computer using ethernet 100.
In another, wireless at likely 54Mbps seems to be working.  This is a more recent experience.  But at 1.5 I'd not take any bets.

It depends on what you mean by "look and feel".
If you have peer-to-peer name service then it seems it's not recommended to have it traverse the VPNs.  But, I've done it with an RV042 by turning on the NetBIOS traffic.  Caveat emptor.
I think what happens is that one computer becomes the Master Browser for the entire set of sites and that may trouble you ... or not.  I *hate* losing the Master Browser for any reason at all and, as I said, I think doing this is generally discouraged but I can't articulate why.
Or, if you have some kind of server-based name service then that may work.
Or, I guess you could use WINS or LMHOSTS or some other method....
Without peer-to-peer name service it just means that you have to address remote computers by their IP address.  So, it helps to have static addresses for this.

Instead of seeing a computer in "My Network Places", you open it up this way:

Start / Run
\\ipaddress

where ipaddress is the actual ip address of the computer you want to open up.
You can also map computers this way so the access is more permanent.
You can also make desktop icons to do this for you so it's like mapping without mapping.
If any of the file servers are XP Pro or the like then this is a way to stretch the "10 connection" limit by not being connected much of the time as people tend to close unused windows but "maps" are permanent.

So, I don't find this very limiting re "look and feel".

Also, any internal http accesses look exactly the same as if on the same subnet / LAN.
0
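The planning points in Fred Marshall's two comments above (separate non-overlapping LAN subnet per site, static addresses for the servers users will reach by IP, every transfer capped by the slowest upload side of the link, and reaching machines via \\ipaddress or an LMHOSTS entry when name service does not cross the tunnel) can be checked before buying any routers. The script below is an added example and not code from the thread; the three sites, their 192.168.x.0/24 subnets, the 12/1.5 Mbps U-verse figures and the FILESRV host are constructed sample values.

```python
"""Site-to-site VPN planning checks (added example; all site data is constructed)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    lan: ipaddress.IPv4Network                  # the site's LAN subnet
    up_mbps: float                              # ISP upload rate
    down_mbps: float                            # ISP download rate
    servers: dict = field(default_factory=dict)  # hostname -> static IPv4 string


def make_site(name, cidr, up_mbps, down_mbps, servers=None):
    """Convenience constructor taking the subnet as a CIDR string."""
    return Site(name, ipaddress.IPv4Network(cidr), up_mbps, down_mbps, servers or {})


def check_addressing(sites):
    """Return a list of problems; an empty list means the plan is consistent.

    Site-to-site tunnels route by destination subnet, so two sites with the
    same or overlapping subnets cannot be told apart by the routers. A server
    that users will reach by IP must also sit inside its own site's subnet.
    """
    problems = []
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if a.lan.overlaps(b.lan):
                problems.append(f"{a.name} ({a.lan}) overlaps {b.name} ({b.lan})")
        for host, ip in a.servers.items():
            if ipaddress.IPv4Address(ip) not in a.lan:
                problems.append(f"{host} {ip} is outside {a.name} subnet {a.lan}")
    return problems


def tunnel_mbps(src, dst):
    """Usable rate from src to dst: the sender's upload or the receiver's
    download, whichever is smaller. With asymmetric DSL the upload side caps
    the transfer in either direction, which is Fred's point about 1.5 UP."""
    return min(src.up_mbps, dst.down_mbps)


def transfer_seconds(size_bytes, mbps, efficiency=1.0):
    """Seconds to move size_bytes at mbps; efficiency < 1 models VPN/TCP overhead."""
    return size_bytes * 8 / (mbps * 1_000_000 * efficiency)


def lmhosts_lines(sites):
    """Classic LMHOSTS entries (IP, NetBIOS name, #PRE to preload) so remote
    machines can use a name instead of a bare IP when name service does not
    traverse the tunnel."""
    return [f"{ip}\t{host}\t#PRE" for s in sites for host, ip in s.servers.items()]


def unc_paths(site, share):
    """UNC paths a user would type in Start / Run, one per static server address."""
    return [f"\\\\{ip}\\{share}" for ip in site.servers.values()]


# Constructed sample plan: one main office and two remote offices, all on
# 12 down / 1.5 up, each on its own /24, one file server at the main office.
MAIN = make_site("main", "192.168.1.0/24", 1.5, 12.0, {"FILESRV": "192.168.1.10"})
REMOTE_A = make_site("remote-a", "192.168.2.0/24", 1.5, 12.0)
REMOTE_B = make_site("remote-b", "192.168.3.0/24", 1.5, 12.0)
SITES = [MAIN, REMOTE_A, REMOTE_B]

if __name__ == "__main__":
    print("addressing problems:", check_addressing(SITES) or "none")
    for src, dst in ((REMOTE_A, MAIN), (MAIN, REMOTE_A)):
        print(f"{src.name} -> {dst.name}: {tunnel_mbps(src, dst)} Mbps")
    one_mb = 1_000_000
    print(f"1 MB over the tunnel: {transfer_seconds(one_mb, 1.5):.1f} s, "
          f"on a 100 Mbps LAN: {transfer_seconds(one_mb, 100.0):.2f} s")
    print("\n".join(lmhosts_lines(SITES)))
    print("\n".join(unc_paths(MAIN, "data")))
```

Running it with the sample plan reports no addressing problems, shows 1.5 Mbps as the ceiling in both directions (the receiver's 12 Mbps down never matters), and puts a 1 MB Excel file at roughly 5 seconds over the tunnel versus well under a tenth of a second on a 100 Mbps LAN, before any IPsec or SSL overhead. Give a fourth site a subnet that overlaps an existing one and `check_addressing` names the clash, which is the error to catch on paper rather than after the tunnels are up.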
 
LVL 5

Assisted Solution

by:OOsorio
OOsorio earned 125 total points
ID: 34239495
I would suggest you consider Terminal Service. The reason for this is performance. Your remote users would open a Terminal Service session on a server in the main office and in the session do their Quickbooks, Excel, Word, etc. with very little performance degradation.
0
 

Author Comment

by:mwyatt
ID: 34240149
fmarshall and OOsorio -
Considering the QuickBooks (or probably any database) performance issues, RDP may be the only way to satisfy that element.  It sounds as if Excel files over VPN won't be as big a deal.

SteveeB -
I have not experienced SSL-based access. Still, the VPN overhead is still there, right? How would QuickBooks fare?
0
 
LVL 5

Expert Comment

by:OOsorio
ID: 34240275
Anything that has to travel over the wire will be slow compared to keyboard entries and screen shots. I had a similar situation using Solomon and a web portal was the solution. Terminal Server also reduces user down time due to PC failure. Just replace the PC and your user is back up and working.
0
 

Author Comment

by:mwyatt
ID: 34266529
Well, after lots of discussion with the owners, it seems like we might be able to arrange for a fiber connection between locations so we could avoid the VPN approach.  I will know more by next week.  If fiber is our direction, then VPN is moot since they'll be on a local loop. I should conclude this question by then.
0
 
LVL 1

Expert Comment

by:MrMagoo
ID: 34337928
I'm a big fan of the Riverbed technology; they can sit as a gateway on each site and really speed up any traffic between the sites, as they compress and decompress any data that flows between the sites.  A little pricey, but the return on investment will be there within a few months.
0
 

Author Closing Comment

by:mwyatt
ID: 34380442
We were able to get a fiber connection between two buildings, so LAN speeds will be fine there. The third building will connect thru VPN for now, although we've concluded that Quickbooks and other database access will not be possible. I don't want to risk data corruption. To boot, we can only get AT&T's fastest (read: sucky) DSL of 6M down/768k up. Whatever.

Anyway, looks like I have a solution. Thanks for all the comments.
0
