VPN recommendation

What hardware and/or software combinations do you recommend to accomplish this?

Three office locations each with AT&T U-verse 12down/1.5up

Two (2) users at each remote location, and 8 users at main location. Would like the two remote offices to connect with VPN to main office server.

Users from remote offices will connect across VPN to:
1. Open, create, save Word & Excel docs
2. Connect to QuickBooks
3. Access their "mapped" network drive
If you value stability and a "set it and forget it" level of service, I recommend getting dedicated routers or firewalls and setting up a site-to-site VPN tunnel between the remote sites and the main location.

Check out the Cisco ASA series or Juniper SRX series firewall devices.  With the small number of users, the lower models should have plenty of performance.

Another option is a router with IPSEC capabilities such as the Cisco 881 or 891 series ISR.  These routers also can be ordered with wireless support which may be an additional wanted feature.
I recommend you have a medium-hardware (Core i3, 500GB, Asus MB) local server in the main office with Windows Server installed, which will have a VPN server installed as well. From this server you connect a 16-port switch to share the network in the main office. The VPN users will have a client which will connect to the VPN server and will be connected to your network as well.
The VPN is usually part of the router/firewall which connects your office to the network.

If you don't mind open source and have a few old desktops around, you can build your own.

Look into IPCop and OpenVPN.


mwyatt (Author) Commented:
amateusn -
I forgot to mention that I already have the server, and desktop PCs in each location, and their access to the internet will be via a router like the Linksys RV042 (don't have routers yet, though).  

ajb2222 -
Any benefit of VPN hardware appliance over software (OpenVPN)?  I haven't tried the VPN features of a router, but I assume I can connect both remote offices to the main office - meaning the PCs at the remote offices don't need a VPN client as the RV042 handles that on both ends, right?
So just use a program to fix your IP by name, then install a VPN server in the main office and the clients on the other 2 PCs that will access the office.
I don't see any advantages of hardware over software.  We had a second office connected to the main office using two old Pentium-based PCs running IPCop and OpenVPN.  Once these two machines were installed they created a VPN tunnel between the two sites.  No other client was required on the remote machines.

The advantage I see in software based routing is the expandability.  There are many plug-ins for IPCop.  Later you could add a Proxy.

mwyatt (Author) Commented:
Yes, a "set and forget" is desired.  Plus, I am concerned about performance.  I've played around with Hamachi and cringed at the excruciating slowness of file transfers and opening/saving even a small Excel file.

I don't expect VPN speed to be just like the local LAN, but I do want those 3 things I originally mentioned to be reasonably accessible.
Fred Marshall (Principal) Commented:
Assuming that you have a single public IP address per site then a gateway/router like the RV042 should work fine.  Presumably the public IP addresses will all be *static* which you either already have or can work out with your ISP.

Each site must be on a separate LAN subnet.

You may not have name service depending on how you have it set up.  But, that's generally OK as you can use the server IP address(es) for mapping, etc.  That means static addresses on the LAN as well in those places that need it.

1.5 UP is a limitation in performance as you are likely used to having 100 or 1000 on the LANs.
The UP speed limits *every* transfer on the VPN as while one site is going DOWN, the other site is going UP.

Given the limitation, I don't think that QuickBooks is going to work very well if at all.  Some depends on what you're doing with it remotely.  I've had to replace wireless connections with wired connections to get QuickBooks payroll working well.  Otherwise it was just too slow.  I don't recall the wireless speeds but let's assume they were at least 11Mbps.  That's a lot higher than 1.5 so ......  This is something you can read about.  This experience is a few years old so maybe Intuit has changed their bandwidth requirements by now.  I do have systems using QuickBooks with wireless that seem to work OK.  But, you're probably a factor of 40 slower than they would be with your 1.5 UP.

I can relate this actual experience:  
- Very similar situation with 3 sites served by DSL with 3Mbps DOWN / 0.5Mbps UP.
- The UP speed was so poor that the system was only used for a few critical things and not so generally as you describe here.  Consider that your UP speed is only 3X better than this one.  I don't think that's enough to help all that much.
- An occasional Word document of the typical size will probably be OK with what you plan.
- I wouldn't count on it to support file backups of large volume.
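
Added example (not part of the original answer): a Python check of the two constraints described above, that every site sits on its own LAN subnet and that each transfer across the VPN is capped by the sending site's UP speed. The site names, the 192.168.x.0/24 subnets and the 10% tunnel overhead are assumptions; the 12/1.5 Mbps rates come from the question.

```python
import ipaddress
from itertools import combinations

# Constructed site plan: subnets are assumed, link rates (Mbps) are from the question.
SITES = {
    "main":    {"lan": "192.168.1.0/24", "down": 12.0, "up": 1.5},
    "remote1": {"lan": "192.168.2.0/24", "down": 12.0, "up": 1.5},
    "remote2": {"lan": "192.168.3.0/24", "down": 12.0, "up": 1.5},
}

def overlapping_lans(sites):
    """Return pairs of sites whose LAN subnets overlap.

    Overlap (including one subnet containing another) makes routing
    across a site-to-site tunnel ambiguous, so the plan must have none.
    """
    nets = {n: ipaddress.ip_network(s["lan"], strict=True) for n, s in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def tunnel_rate_mbps(sites, src, dst, overhead=0.10):
    """Best-case src -> dst throughput in Mbps.

    The sender's UP and the receiver's DOWN both apply; the lower wins.
    'overhead' is an assumed fraction lost to tunnel encapsulation.
    """
    raw = min(sites[src]["up"], sites[dst]["down"])
    return raw * (1.0 - overhead)

def transfer_seconds(sites, src, dst, size_mb, overhead=0.10):
    """Seconds to move size_mb megabytes from src to dst at the best-case rate."""
    return size_mb * 8 / tunnel_rate_mbps(sites, src, dst, overhead)

def report(sites, size_mb=5.0):
    """Summarise subnet conflicts and per-direction transfer times."""
    lines = [f"subnet conflict: {a} <-> {b}" for a, b in overlapping_lans(sites)]
    for src, dst in combinations(sorted(sites), 2):
        for s, d in ((src, dst), (dst, src)):
            secs = transfer_seconds(sites, s, d, size_mb)
            lines.append(f"{s} -> {d}: {size_mb} MB in about {secs:.0f} s")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SITES)))
```
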
mwyatt (Author) Commented:
fmarshall -
Yes, these will be static IP at each location. I had read in another thread that Quickbooks was "chatty", yielding poor performance over VPN. So I'm bummed to hear about your Quickbooks story. What was your solution to that scenario?

To anyone -
Is there an alternative where each remote site can connect to the main office with the look and feel of being on the local LAN?
SSL VPN, no client VPN software, end users go to a website, login and have links to resources you assign them. It may be network shares, RDP, internal websites etc.

Look at http://www.sonicwall.com/us/products/5109.html

Fred Marshall (Principal) Commented:
The solution in the one case was to wire the computer using ethernet 100.
In another, wireless at likely 54Mbps seems to be working.  This is a more recent experience.  But at 1.5 I'd not take any bets.

It depends on what you mean by "look and feel".
If you have peer-to-peer name service then it seems it's not recommended to have it traverse the VPNs.  But, I've done it with an RV042 by turning on the NetBIOS traffic.  Caveat emptor.
I think what happens is that one computer becomes the Master Browser for the entire set of sites and that may trouble you ... or not.  I *hate* losing the Master Browser for any reason at all and, as I said, I think doing this is generally discouraged but I can't articulate why.
Or, if you have some kind of server-based name service then that may work.
Or, I guess you could use WINS or LMHOSTS or some other method....
Without peer-to-peer name service it just means that you have to address remote computers by their IP address.  So, it helps to have static addresses for this.

Instead of seeing a computer in "My Network Places", you open it up this way:

Start / Run

where ipaddress is the actual ip address of the computer you want to open up.
You can also map computers this way so the access is more permanent.
You can also make desktop icons to do this for you so it's like mapping without mapping.
If any of the file servers are XP Pro or the like then this is a way to stretch the "10 connection" limit by not being connected much of the time as people tend to close unused windows but "maps" are permanent.

So, I don't find this very limiting re "look and feel"

Also, any internal http accesses look exactly the same as if on the same subnet / LAN.
I would suggest you consider Terminal Service. The reason for this is performance. Your remote users would open a Terminal Service session on a server in the main office and in the session do their Quickbooks, Excel, Word, etc. with very little performance degradation.
mwyatt (Author) Commented:
fmarshall and OOsorio -
Considering the QuickBooks (or probably any database) performance issues, RDP may be the only way to satisfy that element.  It sounds as if Excel files over VPN won't be as big a deal.

SteveeB -
I have not experienced SSL-based access. Still, the VPN overhead is still there, right? How would QuickBooks fare?
Anything that has to travel over the wire will be slow compared to keyboard entries and screen shots. I had a similar situation using Solomon and a web portal was the solution. Terminal Server also reduces user down time due to PC failure. Just replace the PC and your user is back up and working.
mwyatt (Author) Commented:
Well after lots of discussion with the owners, seems like we might be able to arrange for a fiber connection between locations so we could avoid the VPN approach.  I will know more by next week.  If fiber is our direction, then VPN is moot since they'll be on a local loop. I should conclude this question by then.
I'm a big fan of the riverbed technology, they can sit as a gateway on each site and really speed up any traffic between the sites, it compresses and decompresses any data that flows between the sites.  A little pricey but the return on investment will be there within a few months.
mwyatt (Author) Commented:
We were able to get a fiber connection between two buildings, so LAN speeds will be fine there. The third building will connect thru VPN for now, although we've concluded that Quickbooks and other database access will not be possible. I don't want to risk data corruption. To boot, we can only get AT&T's fastest (read: sucky) DSL of 6M down/768k up. Whatever.

Anyway, looks like I have a solution. Thanks for all the comments.
Question has a verified solution.
