tarcis (Brazil) asked:
VPN between windows servers

Hello,

I am a computer tech at a company that just opened a second branch.
Both branches have a dell server with windows server foundation 2008.
They need to communicate, so I managed to get single computers to connect via VPN to the other branch, but I could not get the best solution to work, which is to have both Windows servers connect to each other via VPN, so both networks can see each other transparently to the users.

I have configured an independent domain in each branch with names: domain.office1 and domain.office2. The office2 server can connect to the office1 server through VPN, but for some reason I could not get the DNS to work properly via VPN on the office1.

The server in office1 cannot connect to the office2 via VPN; it stops at verifying username and password.

Individual clients can connect to both offices. DNS is working fine in office2, but not in office1.

Office2 is using DHCP from the router, because I could not get the clients to get IPs from the DHCP on the Windows server.

Office1 is using DHCP from the server, and it seems to work fine.

Please help!
Rob Williams (Canada):

A site to site VPN between two Windows servers is quite involved and really has become obsolete since Server 2000. There is a lot more to it than a simple VPN client connection. Using two VPN capable routers is now very affordable, more secure, more efficient, and much easier to configure, monitor, and support.
Honez:

I know this is just my opinion, but I would use a Cisco ASA5505 at each branch office with a site to site VPN tunnel configured.

They are cheap, easy to configure, and rock solid stable, allowing your servers to do other things. In addition, if one server goes down, users in the downed site would still be able to communicate with the server on the up site.

Hope this helps.
ASKER CERTIFIED SOLUTION
Rob Williams (Canada):
This solution is only available to members.
tarcis (asker):
Thank you for the tips.
I didn't want to use specific routers because I just bought a dual WAN router for the office1.
I wanted to try the site-to-site VPN because it seems that I already have most of the configuration and hardware ready.

I will read the Microsoft step-by-step guide. Thank you.
It works, but it is a bit of a pain even when set up, as it doesn't always automatically reconnect if there is an internet connection drop or power outage. Quite seriously, it is dead technology, but I appreciate your predicament.

It also will only work with the one WAN port unless you manually reconfigure.

What dual WAN did you buy? Most support IPsec VPNs.
I am assuming that you are still running a firewall behind that router right?
tarcis (asker):
Aw I see...

When I bought it, they didn't tell me they would open a second branch, so I bought the TL-R480T, which I think only has VPN pass-through.
tarcis (asker):
I don't have DMZ configured on the router, but after that, I only have Windows Firewall. Is that bad?
You can also look into whether your ISP has an MPLS option. This can help you out too.

Myself, I like the site to site with Cisco or SonicWalls; both are fairly easy nowadays.
> "I don't have DMZ configured on the router, but after that, I only have Windows Firewall. Is that bad?"
No need for DMZ, and the router is a firewall so that should be fine.

It does appear that model does not have VPN capability.
SOLUTION
This solution is only available to members.
I don't believe the Netgear will work as a VPN appliance behind a NAT device.

My site to site preference is also the ASA 5505, but I am unfamiliar with configuring it behind a NAT router.
Just do a static NAT mapping and treat everything else the same. The ports on the forward router would have to be open for the IP address that is statically mapped.

But, in this scenario, if he is not doing load balancing, I would simply put the ASA5505 as the edge device.
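An added check for the static NAT mapping approach in the reply above (example code written for this thread, not from any poster or vendor): it audits a router's port-forward table for the traffic an IPsec site-to-site peer behind NAT needs, IKE on UDP/500, NAT-T on UDP/4500 and ESP, and reports what is missing or forwarded to the wrong inside host. The rule table and addresses are constructed, not a real router export.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Traffic an IPsec site-to-site peer needs forwarded to its inside address:
# IKE (UDP/500), NAT-Traversal (UDP/4500) and ESP (IP protocol 50, no port).
REQUIRED = [("udp", 500, "IKE"), ("udp", 4500, "IPsec NAT-T"), ("esp", None, "ESP")]


@dataclass(frozen=True)
class ForwardRule:
    proto: str            # "tcp", "udp" or "esp"
    port: Optional[int]   # None for protocols without ports (ESP)
    inside_ip: str        # LAN address the edge router forwards to


def audit_ipsec_forwarding(rules: List[ForwardRule],
                           vpn_inside_ip: str) -> Tuple[List[str], List[str]]:
    """Return (missing, conflicts): required traffic not forwarded to the VPN
    device, and required traffic that is forwarded to some other inside host."""
    missing, conflicts = [], []
    for proto, port, name in REQUIRED:
        matches = [r for r in rules if r.proto == proto and r.port == port]
        if not any(r.inside_ip == vpn_inside_ip for r in matches):
            missing.append(name)
        if any(r.inside_ip != vpn_inside_ip for r in matches):
            conflicts.append(name)
    return missing, conflicts


# Constructed sample table (hypothetical addresses, not a real router export).
SAMPLE_RULES = [
    ForwardRule("udp", 500, "192.168.1.2"),
    ForwardRule("udp", 4500, "192.168.1.2"),
    ForwardRule("tcp", 443, "192.168.1.10"),
]

if __name__ == "__main__":
    missing, conflicts = audit_ipsec_forwarding(SAMPLE_RULES, "192.168.1.2")
    print("missing:", missing)
    print("conflicts:", conflicts)
```

Some consumer routers cannot forward ESP at all; in that case the two peers must negotiate NAT-T so the tunnel runs entirely over UDP/4500, which is why that rule is checked separately.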
SOLUTION
This solution is only available to members.
tarcis (asker):
Wow, I really liked the RV042 suggestion; apart from the price, it has the dual WAN capability.
Can anyone think of any cons about this equipment? It's not a big company, about 30 users tops.
I use them for simple, workhorse apps quite frequently. If things start to get a bit fancier then they sometimes don't do what *you think* they should. So, it's best to not get too complicated. I have never used the DMZ capability. I have used the dual-WAN capability though and would suggest you stick with load balancing (maybe with binding) and avoid the failover mode. I found that the failover would work but would not "switch back" on its own in many cases. Then I'd find a facility "stuck" in a mode/path that I didn't expect to find. So that's why I'd avoid it. Network analysis is hard enough without wildcards like that. With load balancing, except for any binding, it's just "always on" to both WANs. When you think about it, that should be as good as failover and maybe better.
tarcis (asker):
Yeah, I have my dual WAN set to load balance, and found it to be better than failover.
I would not use DMZ; I just need traffic sent from one office to the other (file sharing and some TCP applications, nothing fancy).
I have 14 RV042s set up in various locations supporting multi-site VPNs. I have been very pleased with them. Keep in mind the load balancing will not apply to the VPN; it will only use the primary WAN connection.
tarcis (asker):
Thank you, experts. I split points because you all helped with great info.