Asked by antonioking

Few questions regarding DHCP on branch office connected via VPN to head office

I am planning to install a Windows Server 2008 R2 server at an office 3000 miles from our head office, and connect the two sites with hardware VPNs.

I was then planning to install DHCP and DNS role on the server.

Question: would clients at the head office ever be assigned an address from this remote DHCP server?

Is my planned setup the best way for us to connect our offices?
The server will host applications, files and printers.

Accessing the applications purely over VPN without a local server is too slow, and Citrix/Remote Desktop Services is also too slow.
ASKER CERTIFIED SOLUTION
agonza07

This solution is only available to members of Experts Exchange.

You mentioned that the server will host applications, files and printers, would these services be using authentication?
antonioking (ASKER)

The application will require authentication.

I'm now thinking of using a dial on VPN from the branch office server to dial in to a server at the head office.

The head office cannot ping the IP or name of the branch office in this manner though. How do I resolve this?
I would go back to your original thinking and do hardware VPN. That way you can have a different subnet at the branch office.
Thanks agonza07, I will implement a hardware VPN. However, for now I need to get the sites connected without one.
Do you have Win2008 R2 at each site? Multiple NICs available? Can you configure the routers to do passthrough?

Check this out and see if it helps.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/450d6149-d8fd-497e-959d-ed9fe332456d/

It's possible to create a site-to-site VPN using just RRAS but you have to be very careful with setting it up. The static routes which route traffic from one site to the other must bind properly to the demand-dial interfaces when the connection is made. You have to set this up manually. Only when this happens will the routing work between sites. Each site must have a static route to the other site through the VPN connection.
 
RRAS Demand-Dial Connections
 http://technet.microsoft.com/en-us/library/dd315852(WS.10).aspx
 
RRAS Demand dial interface <interface name> should support encryption of the data
 http://technet.microsoft.com/en-us/library/ee922630(WS.10).aspx
 
Unable to ping the tunnel address of a Demand Dial Connection on Windows Server 2008 RRAS
 As a best practice recommendation a server hosting RRAS should contain two NICs and be hosted on its own server. This helps keep the networking simple and if the server is compromised it keeps it a step away from sensitive data that may exist on other servers.
 A Quick Review – Setting up a RRAS Demand Dial Connection
 http://blogs.technet.com/b/networking/archive/2008/11/07/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras.aspx
 
How do I... Configure a network to use demand dial routing?
 http://www.techrepublic.com/article/how-do-i-configure-a-network-to-use-demand-dial-routing/6103901
Unfortunately, one of the servers only has one NIC.
For now I am using a dial-in VPN connection. I've set the server to auto-login as administrator and used Windows Task Scheduler to run rasdial to sign in the VPN connection.
Let's break it down again.

Win2008R2 at the branch office with auto-login and rasdial for VPN connection. Right?

You can ping the main office, but the main office can't ping the server at the branch office?

What type of server do you have at the main office?
What IP address are you getting at the branch office for the VPN?
Yep, Win2008R2 at branch, auto-logon and rasdial for VPN. Works fine.
I can ping the main office, the main office can ping the "assigned IP" but not the actual IP of the local LAN.

Main office is 2008 R2 too.
Main office IP range is 192.168.58.0/24
Branch office IP range is 192.168.0.0/16
What's the assigned IP? Is it within the main office ip range?

I think you're trying to configure a site to site over a dial-in VPN and it doesn't work that way.

The VPN will only work with the assigned IP. If you wanted to route the entire branch network, then you need to do a site to site VPN and I've really only done them with hardware vpn units and not on windows servers.

Check out the links above if you want to try and make it work.
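
An added example, not part of the thread or written by any participant: a Python check of a two-site address plan before configuring the per-site static routes that the RRAS site-to-site advice above requires. It uses the two ranges quoted in the thread; the function names and the 192.168.60.0/24 alternative are assumptions made for illustration.

```python
import ipaddress

# Ranges exactly as quoted in the thread.
THREAD_PLAN = {"main": "192.168.58.0/24", "branch": "192.168.0.0/16"}
# Constructed alternative: the branch range is a hypothetical value.
SEPARATE_PLAN = {"main": "192.168.58.0/24", "branch": "192.168.60.0/24"}

def check_site_plan(sites):
    """Return (site_a, site_b, relation) for every pair of overlapping ranges.

    relation is 'equal', 'contains' or 'within', from site_a's point of view.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = nets[a], nets[b]
            if not na.overlaps(nb):
                continue
            if na == nb:
                relation = "equal"
            elif nb.subnet_of(na):
                relation = "contains"
            else:
                relation = "within"
            conflicts.append((a, b, relation))
    return conflicts

def treated_as_local(local_cidr, remote_ip):
    """True if a host on local_cidr sees remote_ip as on-link and never routes it."""
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(local_cidr)

def routes_needed(sites):
    """Map each site to the remote prefixes it needs a static route for."""
    conflicts = check_site_plan(sites)
    if conflicts:
        raise ValueError(f"overlapping site ranges: {conflicts}")
    return {
        site: [cidr for other, cidr in sites.items() if other != site]
        for site in sites
    }

if __name__ == "__main__":
    print(check_site_plan(THREAD_PLAN))
    print(treated_as_local(THREAD_PLAN["branch"], "192.168.58.10"))
    print(routes_needed(SEPARATE_PLAN))
```

With the ranges as quoted, the branch /16 contains the main office /24, so a branch host using that mask treats main office addresses as local; the check refuses to produce routes until the two sites use non-overlapping ranges.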