Single Sub-Domain: to multiple sites?

Posted on 2012-09-06
Last Modified: 2012-09-10
Hi Guys,

This might be a stab in the dark, but curiosity gets the better of you.

I would like to just have one VPN subdomain:

That all users of a Windows 2008 domain nationally/organisation-wide use to connect externally to, regardless of which site they are from.

Of course this is possible, but my setup then involves site-to-site links within the organisation across the different sites. So yes, accessing every site is possible from the point of VPN access.

DNS requires that this points to a single IP, or we can have more, but it will round-robin; there is no intelligence to this.

My question is: Is there any way we can accept the connection on, compare their access to a user/group in AD, and then make them reconnect to the correct IP for their region?

Can NAP do this? Sorry I'm new to NAP!

My thinking is to save bandwidth, by having users connect to the correct VPN for their region and saving us cross site bandwidth... Any ideas appreciated.
Question by:zarok

    Accepted Solution

    OK, from what you have posted I get this impression.

    Let's say user is a member of you want all of the traffic to go to/from via the VPN. Other than having them redirected to all of the traffic will go to/from

    A better solution would be DirectAccess; NAP is not applicable in this scenario.

    According to Microsoft:
    NAP is a client health policy creation, enforcement, and remediation technology. With NAP, system administrators can establish and automatically enforce health policies, which can include software requirements, security update requirements, and other settings. Client computers that are not in compliance with health policy can be provided restricted network access until their configuration is updated and brought into compliance with policy.

    Author Comment

    Yes ve3ofa, you are pretty much right and nailed what I'm trying to do.

    So is my thinking correct, in that without actual routing at upper levels, this is not possible?

    What I have done today is create the multiple external site VPN hostnames:


    I have setup group policy to create the correct VPN connections in their Network settings. I have setup Group Policy and NAP to allow connections based on each.

    From testing this seems to work fine. It's not the ideal environment of 1 domain for all!! But it will work and requires staff communication.

