  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1098

Single Sub-Domain: VPN.domain.com to multiple sites?

Hi Guys,

This might be a stab in the dark, but curiosity gets the better of you.

I would like to just have one VPN subdomain:

VPN.domain.com

That all users of a Windows 2008 domain, nationally/organisation-wide, use to connect externally, regardless of which site they are from.

Of course this is possible, but my setup then involves site-to-site links within the organisation across the different sites. So yes, accessing every site is possible from the point of VPN access.

DNS requires that VPN.domain.com points to a single IP, or we can have more, but it will round-robin; there is no intelligence to this.


My question is: is there any way we can accept the connection on vpn.domain.com, compare their access to a user/group in AD, and then make them reconnect to the correct IP for their region?

Can NAP do this? Sorry I'm new to NAP!

My thinking is to save bandwidth by having users connect to the correct VPN for their region, saving us cross-site bandwidth... Any ideas appreciated.
Asked by: zarok
1 Solution

David Johnson, CD, MVP (Owner) commented:
OK, from what you have posted I get this impression:
vpn.company.com
ny.company.com
nj.company.com
ak.company.com
hi.company.com

Let's say a user is a member of hi.company.com and you want all of the traffic to go to/from hi.company.com via the VPN. Other than having them redirected to vpn.hi.company.com, all of the traffic will go to/from vpn.company.com.

A better solution would be DirectAccess; NAP is not applicable in this scenario.

According to Microsoft:
NAP is a client health policy creation, enforcement, and remediation technology. With NAP, system administrators can establish and automatically enforce health policies, which can include software requirements, security update requirements, and other settings. Client computers that are not in compliance with health policy can be provided restricted network access until their configuration is updated and brought into compliance with policy.

zarok (Author) commented:
Yes ve3ofa, you are pretty much right and nailed what I'm trying to do.


So is my thinking correct, in that without actual routing at upper levels, this is not possible?

What I have done today is create multiple external site VPN hostnames:

vpn-wkl.X.com
vpn.wgn.X.com

etc.

I have set up Group Policy to create the correct VPN connections in their network settings. I have set up Group Policy and NAP to allow connections based on each.

From testing this seems to work fine. It's not the ideal environment of one domain for all, but it will work and requires staff communication.


-Dave
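The per-site VPN connections the author describes can be created from a logon or startup script instead of relying on staff to pick the right one. The following is an added example, not code from the thread: it picks the regional gateway from the client's Active Directory site and creates a single, consistently named connection with Add-VpnConnection. The site-name-to-hostname table is invented (the hostnames follow the poster's vpn-<site>.X.com pattern), the fallback vpn.X.com is assumed, and it assumes clients running Windows 8 / Server 2012 or later, where the VpnClient module is available.

```powershell
# Added example (not from the original thread). Assumptions: the site->gateway
# map is invented, the client runs Windows 8 / Server 2012 or later (VpnClient
# module), and the machine is domain-joined so its AD site can be resolved.

Add-Type -AssemblyName System.DirectoryServices

# Hypothetical mapping of AD site names to regional VPN gateways.
$SiteToGateway = @{
    'WKL' = 'vpn-wkl.X.com'
    'WGN' = 'vpn-wgn.X.com'
}
# Used when the client's site is unknown, e.g. a laptop built in another office.
$DefaultGateway = 'vpn.X.com'

function Get-RegionalVpnServer {
    param([hashtable]$Map, [string]$Default)
    try {
        # The site is derived from the subnet the client is on; this needs a
        # domain controller to be reachable, so it is best run at logon on the LAN.
        $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch {
        Write-Warning "Could not determine AD site ($($_.Exception.Message)); using $Default"
        return $Default
    }
    if ($Map.ContainsKey($site)) { return $Map[$site] }
    Write-Warning "No gateway mapped for site '$site'; using $Default"
    return $Default
}

$server   = Get-RegionalVpnServer -Map $SiteToGateway -Default $DefaultGateway
$connName = 'Corporate VPN'

# Replace any existing connection of that name so the script is safe to re-run.
if (Get-VpnConnection -Name $connName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $connName -AllUserConnection -Force
}

# One connection name for every user; only the server address differs per site.
Add-VpnConnection -Name $connName `
    -ServerAddress $server `
    -TunnelType L2tp `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential:$false `
    -SplitTunneling:$false `
    -AllUserConnection `
    -Force

Write-Output "Created '$connName' pointing at $server"
```

Because the connection is always called 'Corporate VPN', users get one entry to click regardless of region, which removes the communication problem the author mentions. The fallback matters for machines that are imaged at one site and used at another: they still get a working connection, just not the nearest one. Disabling split tunnelling and leaving credentials unsaved are deliberate defaults; relax them only if your policy allows it.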