Solved

VPN Configuration

Posted on 2013-01-11
Last Modified: 2013-01-14
Hi,

We have the following setup:

Head Office with a VPN firewall router on the IP address range of 172.16.168.0 - 254

We then have two remote sites, one on the IP range of 192.168.11.0 - 254 (Site 1) and the other on 192.168.13.0 - 254 (Site 2).

I have established a hardware VPN between the remote sites and the head office.

I can access the resources via IP address on the head office from each remote location. However, I cannot access them via UNC. How can I do this?

Also, if I am at Site 2 and want to access a resource at Site 1, should I be able to do it with the existing setup, given that they are linked via their VPN connection to head office, or will I need to create a separate VPN connection between Site 1 and Site 2?

Thank you in advance....
Question by:lukestclair55
12 Comments
 
Expert Comment by als315 (LVL 39)
1. Seems you have no domain controllers in site 1 and 2. Look at this article:
http://technet.microsoft.com/en-us/library/dd737255(v=ws.10).aspx
2. You should add correct routing in all sites to routers. For example: site1: route to 192.168.13.0 - 254 across gateway to head office. Head office should allow routing from site 1 to site 2 and vice versa.
 
Expert Comment by TomRScott (LVL 12)
The firewalls/VPN routers may already have the routing needed between Sites 1 and 2. Try a ping in each direction to confirm that works if needed.

However, your access rules, if any, may need modification to allow access between Site 1 & 2.

Once the pings work, the next items are DNS and allowing the required services (including DNS) to access UNCs and shares between the sites. If you can map a drive using \\IP\share, it looks like DNS is the remaining missing link.

Based on your outline of the networks, it would appear that DNS is not functioning properly at Sites 1 & 2 with regard to Head Office. How you resolve that issue depends on how those sites are set up. You probably already have domain controllers (DCs) at those sites. Whether or not they are in the same domain as the Head Office changes how they need to be configured to resolve DNS requests for Head Office equipment.

If the remote site DCs are members of the Head Office domain, simply configure them to include the Head Office DNS server(s) for domain resolutions.

If the remote site DCs are not members of the Head Office domain, add a forwarder for requests in the headoffice.yourdomain.local domain in each of their DNS servers.

 - Tom
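The routing advice in the two comments above (als315: each spoke needs a route to the other spoke via the head-office gateway, and head office must forward between them; Tom: confirm with pings and check the access rules) can be walked through on a model of the three subnets. The following is an added example, not code from the thread or from any router vendor: the subnets are the ones in the question, while the router names, interface names, the `hairpin` flag (whether the hub will send VPN traffic back out the VPN side) and the `permit` policy are assumptions made up for the example. It performs a longest-prefix lookup at each hop and reports why a spoke-to-spoke packet stops short before the fix and how it is delivered after it.

```python
"""Hub-and-spoke routing walk-through (added example, not from the thread).

Subnets come from the question; router names, interface names, the 'hairpin'
flag and the 'permit' policy are assumptions made up for this example."""
import copy
import ipaddress

# Each route: (destination prefix, next-hop router or None if directly connected, egress interface).
BASE = {
    "site1-router": {
        "lan": "192.168.11.0/24",
        "routes": [("192.168.11.0/24", None, "lan"),
                   ("172.16.168.0/24", "ho-router", "vpn"),   # tunnel to head office
                   ("0.0.0.0/0", "isp", "wan")],             # default route to the Internet
        "hairpin": False, "permit": None,                     # no inter-site policy on a spoke
    },
    "site2-router": {
        "lan": "192.168.13.0/24",
        "routes": [("192.168.13.0/24", None, "lan"),
                   ("172.16.168.0/24", "ho-router", "vpn"),
                   ("0.0.0.0/0", "isp", "wan")],
        "hairpin": False, "permit": None,
    },
    "ho-router": {
        "lan": "172.16.168.0/24",
        "routes": [("172.16.168.0/24", None, "lan"),
                   ("192.168.11.0/24", "site1-router", "vpn"),
                   ("192.168.13.0/24", "site2-router", "vpn"),
                   ("0.0.0.0/0", "isp", "wan")],
        "hairpin": False,          # hub cannot yet send VPN traffic back out the VPN side
        "permit": [("192.168.11.0/24", "172.16.168.0/24"), ("172.16.168.0/24", "192.168.11.0/24"),
                   ("192.168.13.0/24", "172.16.168.0/24"), ("172.16.168.0/24", "192.168.13.0/24")],
    },
}


def lookup(router, dst):
    """Longest-prefix match over one router's table; returns (next_hop, iface) or None."""
    best = None
    for prefix, next_hop, iface in router["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def permitted(router, src, dst):
    """Apply the router's src/dst access policy; no policy means everything is allowed."""
    policy = router["permit"]
    if policy is None:
        return True
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d) for s, d in policy)


def trace(topology, src_ip, dst_ip, max_hops=8):
    """Walk a packet hop by hop. Returns (status, path); status is one of
    'delivered', 'no-route', 'denied', 'hairpin-unsupported', 'default-route', 'loop'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    name = next(n for n, r in topology.items() if src in ipaddress.ip_network(r["lan"]))
    ingress, path = "lan", []
    for _ in range(max_hops):
        router = topology[name]
        path.append(name)
        if not permitted(router, src, dst):
            return "denied", path
        hit = lookup(router, dst)
        if hit is None:
            return "no-route", path
        next_hop, egress = hit
        if next_hop is None:
            return "delivered", path                 # destination network is directly connected
        if egress == ingress and not router["hairpin"]:
            return "hairpin-unsupported", path       # would have to leave the way it came in
        if next_hop not in topology:
            return "default-route", path             # went to the ISP; an RFC 1918 destination dies there
        # Simplification: a link is named the same at both ends, so this router's egress
        # interface is the next router's ingress interface.
        ingress, name = egress, next_hop
    return "loop", path


def fixed_topology(hub_hairpin=True):
    """Apply the thread's advice: spoke routes to the other spoke via the hub,
    hub policy permits spoke-to-spoke, and (optionally) the hub hairpins VPN traffic."""
    topo = copy.deepcopy(BASE)
    topo["site1-router"]["routes"].append(("192.168.13.0/24", "ho-router", "vpn"))
    topo["site2-router"]["routes"].append(("192.168.11.0/24", "ho-router", "vpn"))
    topo["ho-router"]["permit"] += [("192.168.11.0/24", "192.168.13.0/24"),
                                    ("192.168.13.0/24", "192.168.11.0/24")]
    topo["ho-router"]["hairpin"] = hub_hairpin
    return topo


if __name__ == "__main__":
    scenarios = (("before", BASE),
                 ("routes and policy only", fixed_topology(hub_hairpin=False)),
                 ("after", fixed_topology()))
    for label, topo in scenarios:
        print(f"{label:>23}: site1 -> site2 = {trace(topo, '192.168.11.5', '192.168.13.7')}")
```

The middle scenario is the one Qlemo raises later in the thread: with the routes and firewall policy in place but a hub that will not hairpin, the packet reaches head office and is dropped there, which looks from Site 1 like a routing problem even though the routes are correct.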
 
Expert Comment by diprajbasu (LVL 11)
1. In a site-to-site VPN you need to create to-and-fro rules (the same rules for both sites).
2. You need to open specific ports for specific applications, or else you can open all the ports for the VPN between site A and site B.
 

Author Comment by lukestclair55
In response to the comments, firstly thank you very much so far.

At the remote sites, there is only a router, one PC and a telephone (Access company PBX via VOIP). There is no server or anything like this, therefore no DNS server at the remote sites.

The head office consists of an SBS 2008 box and 20 users with PCs and various other equipment such as iPads, printers and scanners.
 
Expert Comment by als315 (LVL 39)
You can add UNC paths to the hosts file:
c:\Windows\System32\drivers\etc\hosts
or set the head office's DNS as the only DNS, but if the link between offices is broken, the small offices could not browse at all.

Other suggestions (add routes to routers) will work.
 
Accepted Solution by TomRScott (LVL 12), earned 500 total points
I avoid hosts file changes as much as possible. It is a recipe for frustration at a later date when the next technician comes along. Hosts is rarely used anymore and easy to forget about. You have to take vacation sometime. If someone has to come in when you are not there, they will waste some or a lot of their time. When asked by management what took so long or what the problem was, they will probably say some unkind things about "whoever put X in the hosts file..." You don't want that.

If the two remote workstations have Internet access, take note of their current DNS settings.

Join the remote stations into the domain at head office with the DNS set to the SBS server. If they previously had Internet access, add the previous DNS server(s) AFTER the DNS on the SBS server. The last part will allow Internet access if they lose their VPN link.

The latter configuration should solve your problem and it will look like any run of the mill WAN setup for any technician that follows you.

 - Tom

 

Author Comment by lukestclair55
Okay, so on our router for the remote locations we just need to make the primary DNS the DNS server of the Head Office, and then the secondary DNS server one of the ones handed to us by the ISPs of the remote location?
 

Author Comment by lukestclair55
Thanks, I have specified the DNS server for our head office server in the primary DNS for DHCP and it works a treat. Thank you
 
Expert Comment by TomRScott (LVL 12)
To your last question, the answer MAY be yes. However, some routers use the ISP's DNS servers but, acting as the DHCP server, will supply DHCP leases to internal hosts with the router itself as the DNS server. It is not always easy to figure that out until the first DHCP client receives a lease and you run "ipconfig /all" from the command line to see what DNS server is designated by the DHCP server.

I should have noted at the start that if you are using DHCP at the remote sites, with the routers providing the DHCP service, you should change the DNS settings in the DHCP scope on the router in the manner described.

I'd still join the remote computers into the domain regardless.

Glad it worked out for you.

 - Tom
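Tom's check above (run "ipconfig /all" on the first leased client and look at which DNS servers the router's DHCP scope handed out) is the kind of thing worth scripting when there is more than one remote site. Below is an added example, not code from the thread: it parses the text layout of `ipconfig /all`, including the continuation lines that carry a second DNS server, and classifies the lease against the accepted solution (head-office DNS first, the previous ISP DNS after it as a fallback). The two sample outputs are constructed; 172.16.168.2 (the SBS server as DNS), 203.0.113.53 (ISP DNS) and 192.168.11.1 (the Site 1 router) are placeholder addresses, not values from the thread.

```python
"""Parse 'ipconfig /all' output and check what DNS servers the DHCP lease handed out
(added example, not from the thread). Sample output is constructed; 172.16.168.2,
203.0.113.53 and 192.168.11.1 are placeholders, not addresses from the thread."""
import re

# "   Key . . . . : value"  (dotted leaders between key and colon)
KEY_VALUE = re.compile(r"^\s{2,}([A-Za-z][A-Za-z0-9 /()-]*?)[ .]*:\s*(.*)$")
# Additional values (e.g. a second DNS server) sit indented under the first, with no key.
CONTINUATION = re.compile(r"^\s{20,}(\S.*)$")
ADAPTER = "Ethernet adapter Local Area Connection"

COMMON = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : SITE1-PC
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.11.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.11.1
   DHCP Server . . . . . . . . . . . : 192.168.11.1
"""
# Before: the router hands itself out as the DNS server (the case Tom describes).
BEFORE = COMMON + "   DNS Servers . . . . . . . . . . . : 192.168.11.1\n"
# After: the DHCP scope lists the head-office DNS first and the ISP DNS as fallback.
AFTER = COMMON + ("   DNS Servers . . . . . . . . . . . : 172.16.168.2\n"
                  + " " * 39 + "203.0.113.53\n")


def parse_ipconfig(text):
    """Return {section: {key: [values]}}; sections are the adapter headers."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                     # e.g. "Ethernet adapter X:"
            current = line.strip().rstrip(":")
            sections[current] = {}
            last_key = None
            continue
        if current is None:
            continue
        cont = CONTINUATION.match(line)
        if cont and last_key is not None:             # extra value for the previous key
            sections[current][last_key].append(cont.group(1).strip())
            continue
        kv = KEY_VALUE.match(line)
        if kv:
            key, value = kv.group(1).strip(), kv.group(2).strip()
            last_key = key
            sections[current][key] = [value] if value else []
    return sections


def dhcp_enabled(sections, adapter):
    return sections[adapter].get("DHCP Enabled", [""])[0].lower() == "yes"


def dns_servers(sections, adapter):
    """DNS servers in the order the client will try them, '(Preferred)'-style suffixes removed."""
    return [v.split("(")[0].strip() for v in sections[adapter].get("DNS Servers", [])]


def check_remote_client(text, ho_dns, gateway):
    """Classify the lease in the thread's terms: what the DHCP scope should be handing out."""
    sections = parse_ipconfig(text)
    if not dhcp_enabled(sections, ADAPTER):
        return "static-config"                        # nothing came from the router's scope
    servers = dns_servers(sections, ADAPTER)
    if not servers:
        return "no-dns"
    if servers[0] == gateway:
        return "router-proxy-dns"                     # router proxies to the ISP; fix the scope
    if servers[0] != ho_dns:
        return "head-office-dns-not-first"
    if len(servers) == 1:
        return "no-internet-fallback"                 # Internet lookups die with the VPN link
    return "ok"


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {check_remote_client(sample, '172.16.168.2', '192.168.11.1')}")
```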
 
Expert Comment by Qlemo (LVL 68)
als315,
you can't add UNC paths to the hosts file, only IP addresses and names (fully qualified or not).

lukestclair55,
some router software is not able to support hair-pinning for VPN traffic, that is, sending traffic out the same interface it comes in on. And that is required for a branch-office-to-branch-office connection.
But if it is, you will always have to set up proper routes for all sites on all sites.

Using a WINS server in HQ, and setting it up to be used by as many devices as possible, will help in resolving names. You can also set up static WINS entries. The pro of using WINS versus DNS is that you do not need to care about domain names, and it is just an additional name resolution method (meanwhile), so if WINS is not reachable, DNS does still resolve e.g. Internet addresses.
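Qlemo's correction of the earlier hosts-file suggestion comes down to the file's format: each line is one IP address followed by one or more names, and a UNC path like `\\server\share` has no place in it; what the hosts file can do is supply the address for the host portion of that UNC. The following added example (not code from the thread) parses hosts-file lines, rejects the ones the format does not accept, and shows how a UNC path's host component is looked up against the parsed entries. The addresses and names in the sample are constructed for the example.

```python
"""Hosts-file parser and UNC host extraction (added example, not from the thread).
All addresses and names in the sample are constructed."""
import ipaddress
import re

# Constructed sample of lines someone might try to put in C:\Windows\System32\drivers\etc\hosts.
SAMPLE_HOSTS = r"""
# head office resources reachable over the VPN (constructed values)
172.16.168.10   sbs01 sbs01.headoffice.local
172.16.168.20   print01
\\sbs01\data            # a UNC path: the hosts file cannot hold this
172.16.168.30           # an address with no name
not-an-ip       fileserver
""".strip("\n")

# One DNS-style label: 1-63 chars of letters, digits or hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# \\host\share... : capture the host and share components.
UNC_RE = re.compile(r"^\\\\([^\\/]+)\\([^\\/]+)")


def parse_hosts(text):
    """Return (entries, errors): entries maps lower-cased name -> ip_address,
    errors lists (line_no, reason) for lines the hosts-file format does not accept."""
    entries, errors = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            errors.append((line_no, f"first field is not an IP address: {fields[0]!r}"))
            continue
        names = fields[1:]
        if not names:
            errors.append((line_no, "address has no host name"))
            continue
        bad = [n for n in names if not HOSTNAME_RE.match(n)]
        if bad:
            errors.append((line_no, f"invalid host name(s): {bad}"))
            continue
        for name in names:
            entries[name.lower()] = ip               # hosts lookups are case-insensitive
    return entries, errors


def unc_host(path):
    """Host component of a UNC path (\\\\host\\share\\...), or None if not a UNC path."""
    m = UNC_RE.match(path)
    return m.group(1) if m else None


def resolve_unc(path, entries):
    """Address the hosts file would supply for the host portion of a UNC path, or None."""
    host = unc_host(path)
    return None if host is None else entries.get(host.lower())


if __name__ == "__main__":
    entries, errors = parse_hosts(SAMPLE_HOSTS)
    for name, ip in entries.items():
        print(f"{name:28} -> {ip}")
    for line_no, reason in errors:
        print(f"line {line_no}: rejected: {reason}")
    print(r"\\sbs01\data ->", resolve_unc(r"\\sbs01\data", entries))
```

Note that the parser only decides whether a line is well-formed; it does not make the name reachable. That is Tom's point about the hosts file: the entry works until someone forgets it is there, and nothing on the client will tell the next technician that name resolution for that host is being short-circuited locally rather than answered by DNS.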
 
Expert Comment by TomRScott (LVL 12)
I took it for granted that als315 was writing about the host name portion of the UNC. Even though I disagreed about using the hosts file to resolve the issue for support reasons, doing so does work in a real pinch. I have had to do so temporarily during a server recovery response until I could get the DNS server back up. As a temporary measure, it does not hurt because one does not have to worry about the next support session long after the changes to the hosts file have been reversed back to standard.

The problem with WINS is that, last I used it years ago, it had a number of issues with tombstone records, database stability and other little issues especially in a multiple subnet network.

It has become a legacy service that I have not seen in use for years in most locations. In the few where I found it, I removed it with no ill effects and some improvements at some.

Microsoft carried the WINS banner but has since dropped it and consolidated their efforts on DNS. Back when WINS was required, Microsoft issued a number of Service Packs and hotfixes and many were supposed to fix some or all the aforementioned issues but never seemed to fix them all. The WINS tombstone and other issues may have finally been addressed by Microsoft later with Server 2003 and newer, but I have not seen it in use enough since Server 2000 to know if that is the case.

Finally, WINS is just one more service to have to maintain and just that little bit more load for the network to handle. Unless you need to support a legacy host somewhere, why support a service you do not need?

 - Tom
 
Expert Comment by Qlemo (LVL 68)
I recommend WINS only for VPN connections, in particular HO. And there it helps a lot in maintaining easy name resolution without much ado. Internally, I would not rely on it; DNS works much better. But since MS never cared to implement Split DNS on clients, WINS works best with VPN clients. And if DNS resolution works, it is preferred automatically anyway.
