Site to Site VPN tunnel (Different domain)

Server: Microsoft Small Business Server 2011
Firewall (VPN): Check Point UTM-1 132 Appliance
OK, this is the situation. I have two individual sites, each with its own Domain Controller and Exchange at each site (Microsoft Small Business Server).
The two sites wish to share files and documents. I figured we could do this using a VPN.
1) Since the two sites are on their own separate domains, how do we achieve this with regards to authentication etc.? Is this configured on the appliance that provides the VPN (Check Point, for example)?
2) What needs to be configured on the server side to ensure users can share documents between servers successfully?
Thank you
Cliff Galiher commented:
Three distinct possibilities. Which you choose will depend on your user count, cost, comfort with "the cloud" vs. desire to stay on-premises, and whether the site wants to use the same email domain name as the other sites (, for example, can be anywhere in the world and they have many Exchange servers, but that would change the infrastructure and planning significantly). Unfortunately, without knowing a lot more, and sitting down and doing a full topology inspection and planning session (something that enterprises pay to engage my skills for), I cannot get more specific or say with certainty which is right for you. But the three options I see are as follows:

1) Use VPN, DirectAccess, or Outlook Anywhere (or a combination thereof) to allow site users to access their mail at the existing Exchange site(s). Optionally deploy one or more Standard/Enterprise/Datacenter editions of Windows for other resources such as file and print services, domain services, or other resource access as required.

2) Deploy Standard/Enterprise/Datacenter editions of Windows and use those installations to host file services as well as one or more Exchange servers hosting mailbox, client access, and transport roles, based on need, bandwidth available, and other factors.

3) Employ a hosted Exchange (cloud) solution such as Office 365. Optionally deploy one or more Standard/Enterprise/Datacenter editions of Windows for other resources such as file and print services, domain services, or other resource access as required.

In none of these would I usually consider SBS. You already have an SBS server, and therefore a second one would *likely* put you in an illegal state and would *definitely* make administration unnecessarily complex.

Cliff Galiher commented:
Depending on your circumstances, you have two legal possibilities:

1) If these two sites are both part of the same legal entity (company, non-profit, etc.) then legally you can only have one SBS server. The proper way to resolve this is to migrate one site to a Windows Standard server and join it to the SBS domain. Then authentication will work as expected. There will be migration work to be done to merge the two AD and Exchange infrastructures, and planning should be done to decide if you want an RODC and other items at the site being migrated. Also, if merging the two sites puts you above the 75 CAL limit of SBS, then both sites will need to be migrated to Standard servers to remain legal.

2) If these are two separate legal entities that are collaborating on a project, then for many reasons revolving around CAL assignment and security, you don't want users having direct access to each other's servers. It'll be unnecessarily insecure and *expensive*, considering you'd have duplicate CALs for every user. You'd be better served setting up a collaboration product (SharePoint, for example) with external connector licenses, or a cloud-based solution already licensed for such collaboration. This avoids the CAL issue and the VPN, and allows for a better managed experience for both parties.

Either way, doing what you want to do at a high level is ill-advised at best (and potentially illegal), and the detail of what you want to do (having the VPN handle the authentication) is not even possible.

the_omnific (author) commented:
Thanks for the advice, Cliff.
I have just been advised that one of the sites is actually running Server Enterprise (based in Singapore). At the other, NEW site (based in Sydney; not live yet) we were intending to have Microsoft Small Business Server 2011 installed, due to the fact that they wanted to host their own Exchange server on site.
Without overcomplicating matters, and since they only want to share files and documents between sites, what would you recommend, in your personal opinion, if you were put in this situation? Bear in mind that the potential Small Business Server has not even been purchased yet.
I am not sure about the "legal" side, so I will not discuss that issue further.

Technically, yes, you can use a VPN tunnel to share files. I believe in your case all the "shared" files/documents will be stored on Site1, so I believe you only need to purchase CALs for the users (based in Site2) who access these files. Site1 should already have sufficient CALs installed.

You don't need to purchase CALs for everyone based in Site2, just those who need access.

Yes, there will be concern about the security of letting "outsiders" have access to your server. However, I believe there must be a certain amount of "trust" between you before sharing a project. All of the above suggestions are correct but do involve costs; you need to strike a balance and make your decision.
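The comment above says the VPN tunnel can carry the file sharing, with only the Site2 users who actually need the files licensed and granted access. The following is an added example, not code from the thread or from any of its participants, of setting that up on the Site1 server with PowerShell so that the access list is exactly that set of users: one security group holds them, and both the NTFS ACL and the share permissions reference only that group. It assumes a hypothetical domain name `SITE1`, group name, share path and user accounts, and that the Site2 users' accounts already resolve in Site1's domain (how they come to exist is not covered by the thread). The VPN only carries the SMB traffic; as Cliff notes, the authentication is done by the domain, not the tunnel.

```powershell
# Added example, not from the original thread. Assumptions:
#  - the shared files live on the Site1 server (as the last comment suggests)
#  - the Site2 users who need access have accounts that Site1's domain can
#    resolve (hypothetical domain "SITE1"); the thread does not cover how
#  - the ActiveDirectory module is available (RSAT, or run on a DC)
#  - net share / icacls are used because they exist on Server 2008 R2 (the
#    base of SBS 2011); New-SmbShare only appears in Server 2012
Import-Module ActiveDirectory

$groupName = 'ProjectShare-Site2-Users'   # hypothetical group name
$sharePath = 'D:\Shares\Project'          # hypothetical path
$shareName = 'Project'
$domainNB  = 'SITE1'                      # hypothetical NetBIOS domain name

# 1. One group holds exactly the people who need access. Licensing (CALs for
#    just those users) and later audits both become a membership listing.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Site2 users granted access to the Project share'
}
# Hypothetical sAMAccountNames for the Site2 users who need the files.
Add-ADGroupMember -Identity $groupName -Members 'jsmith', 'ptan'

# 2. Create the folder, drop inherited ACEs (which typically include
#    Users:Read from the volume root), then grant only what is needed:
#    Administrators full control, the project group Modify, nothing else.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
icacls $sharePath /inheritance:r
icacls $sharePath /grant:r "BUILTIN\Administrators:(OI)(CI)F" "${domainNB}\${groupName}:(OI)(CI)M"

# 3. Publish the share. Share permissions mirror the NTFS grant; the effective
#    permission is the intersection of the two, so "Everyone" never appears.
net share "${shareName}=${sharePath}" "/GRANT:${domainNB}\${groupName},CHANGE" "/GRANT:BUILTIN\Administrators,FULL"

# 4. Verify the result: the group membership and both permission layers.
Get-ADGroupMember -Identity $groupName | Select-Object SamAccountName
icacls $sharePath
net share $shareName
```

When a user leaves the project, removing them from the group (`Remove-ADGroupMember`) revokes both the share and NTFS access in one step, and the group's membership is the list of Site2 users for whom a CAL is needed. The Check Point tunnel should additionally restrict the Site2 subnet to TCP 445 towards this one server, so the VPN itself does not expose the rest of Site1.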