Solved

Site to Site VPN tunnel (Different domain)

Posted on 2011-09-20
303 Views
Last Modified: 2012-08-14
 
Server: Microsoft Small Business Server 2011
Firewall (VPN): Check Point UTM-1 132 Appliance
 
Ok this is the situation. I have two individual sites with their own Domain Controller and Exchange at each site (Microsoft Small Business Server).
 
The two sites wish to share files and documents. I figured we could do this using VPN.
 
1) Since the two sites are on their own separate domains, how do we achieve this with regard to authentication etc.? Is this configured on the appliance that is providing the VPN (Check Point, for example)?
 
2) What needs to be configured on the server side to ensure users can share documents between servers successfully?
 
Thank you
0
Question by:the_omnific
4 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 36570894
Depending on your circumstances, you have two legal possibilities:

1) If these two sites are both part of the same legal entity (company, non-profit, etc.) then legally you can only have one SBS server. The proper way to resolve this is to migrate one site to a Windows Standard server and join it to the SBS domain. Then authentication will work as expected. There will be migration work to be done to merge the two AD and Exchange infrastructures, and planning should be done to decide if you want an RODC and other items at the site being migrated. Also, if merging the two sites puts you above the 75 CAL limit of SBS, then both sites will need to be migrated to Standard servers to remain legal.

2) If these are two separate legal entities that are collaborating on a project, then for many reasons revolving around CAL assignment and security, you don't want users having direct access to each other's servers. It'll be unnecessarily insecure and *expensive*, considering you'd have duplicate CALs for every user. You'd be better served setting up a collaboration product (SharePoint, for example) with external connector licenses, or a cloud-based solution already licensed for such collaboration. This avoids the CAL issue and the VPN, and allows for a better-managed experience for both parties.

Either way, doing what you want to do at a high level is ill-advised at best (and potentially illegal), and the details of what you want to do (having the VPN handle the authentication) are not even possible.

-Cliff
0
 
LVL 1

Author Comment

by:the_omnific
ID: 36570942
Thanks for the advice Cliff
 
I have just been advised that one of the sites is actually running Server Enterprise (based in Singapore). For the other NEW site (based in Sydney, not live yet) we were intending to have a Microsoft Small Business Server 2011 installed, due to the fact that they wanted to host their own Exchange server onsite.
 
Without over-complicating matters, and since they only want to share files and documents between sites, what would you recommend, in your personal opinion, if you were put in this situation? Bear in mind that the potential Small Business Server has not even been purchased yet.
0
 
LVL 56

Accepted Solution

by:Cliff Galiher (earned 300 total points)
ID: 36570991
Three distinct possibilities. Which you choose will depend on your user count, cost, comfort with "the cloud" vs desire to stay on-premises, and whether the site wants to use the same email domain name as the other sites (me@microsoft.com, for example, can be anywhere in the world and they have many exchange servers, but me@singapore.microsoft.com would change the infrastructure and planning significantly.) Unfortunately without knowing a lot more, and sitting down and doing a full topology inspection and planning session (something that enterprises pay for to engage my skills), I cannot get more specific or say with certainty which is right for you. But the three options I see are as follows:

1) Use VPN, DirectAccess, or Outlook Anywhere (or a combination thereof) to allow site users to access their mail at the existing Exchange site(s). Optionally deploy one or more Standard/Enterprise/Datacenter editions of Windows for other resources such as file and print services, domain services, or other resource access as required.

2) Deploy Standard/Enterprise/Datacenter editions of Windows and use those installations to host file services as well as one or more Exchange servers hosting mailbox, client access, and transport roles, based on need, bandwidth available, and other factors.

3) Employ a hosted Exchange (cloud) solution such as Office 365. Optionally deploy one or more Standard/Enterprise/Datacenter editions of Windows for other resources such as file and print services, domain services, or other resource access as required.

In none of these would I usually consider SBS. You already have an SBS server and therefore a second one would *likely* put you in an illegal state and would *definitely* make administration unnecessarily complex.

-Cliff
0
 
LVL 23

Assisted Solution

by:ormerodrutter (earned 200 total points)
ID: 36572464
I am not sure about the "legal" side so will not discuss further on that issue.

Technically, yes, you can use a VPN tunnel to share files. I believe in your case all the "shared" files/documents will be stored on Site1, so I believe you only need to purchase CALs for users (who are based in Site2) who access these files. Site1 should already have sufficient CALs installed.

You don't need to purchase CALs for everyone based in Site2, just those who need access.

Yes, there will be concern about the security of letting "outsiders" have access to your server. However, I believe there must be a certain amount of "trust" between you before sharing a project. All of the above suggestions are correct but do involve costs; you need to strike a balance and make your decision.
0