Outlook 2010 Cached Mode & Gateway-to-Gateway VPN Connection.

I have a dilemma with a client that has multiple office locations connected via dedicated VPN connections (gateway-to-gateway).  When they (approx. 5 people) travel to the remote offices (once or twice a week), they complain of the latency connecting to the main office via Terminal Services.  At the main office there are no latency problems.  The Internet connections at the remote sites are high bandwidth connections 15/5mbps, and the main office has a 50/15mbps connection.  So the Internet connections are adequate to work efficiently regardless of office location.  

The problem arises when these users travel with their tablets and company issued Android phones to remote office locations.  Each remote location has wireless access to accommodate their phones and tablets.  By doing so it cuts down on the company data plan usage.  So it's a cost saving on the plan, but it is also affecting network bandwidth.

The tablets are configured with Outlook 2010 Cached Mode, and as soon as Outlook is open it automatically starts syncing all items, and then afterwards as mail with attachments is sent and received the traffic seems to continue saturating the VPN connection.  I am basically saying, the users are noticing performance degradation issues while working in remote offices.  

I have set up ActiveSync to download headers to help reduce the syncing of attachments.  However, Outlook 2010 Cached Mode connected to an Exchange Server 2010 does not seem to have a throttle to download headers to cut down bandwidth consumption.

I was going to propose an additional Internet connection with a wireless router that the phones and tablets can connect to, so that ActiveSync and Outlook Cached Mode traffic have a separate dedicated Internet connection and do not interfere with the dedicated VPN connection used for Terminal Services, VOIP connections, and at times remote printing.

The client's laptops and phones work seamlessly when at home or other locations, and they will not like the idea of having to make changes on their phones and/or tablets when traveling to remote office locations.  I am hoping there is another way to skin this cat!  Any suggestions other than disable wireless access at the remote locations so their tablets and phones can't connect?
cmp119 (IT Manager) asked:

You could restrict the port traffic at the remote sites so that ONLY the terminal services traffic is allowed to pass.  It depends on your routing/vpn equipment on how to do that.

Alternatively, if the equipment allows it, you could enable QoS and give the terminal services traffic higher priority than the other traffic.  This could in effect be the bandwidth throttle you are looking for.

Keep in mind that it depends on your equipment, and you have to make sure that you configure in such a way that you're filtering traffic before it enters the VPN tunnel, so that may prove to be challenging.
cmp119 (IT Manager), author, commented:
Right now they have Linksys RV series routers at all locations.  I can't remember the exact models, but they are not too robust.  They will be getting Cisco ISA 570 routers, but I do not know much about those models.

Right now all traffic is going through the VPN.  I don't think there is a way to force specific traffic to use the Internet directly and not via the VPN connection.  Regardless, the traffic will still consume bandwidth regardless of direction since it must flow through the single Internet connection.  That's why I was leaning toward another separate Internet connection with wireless access for these specific devices to connect to.
I believe that the Cisco ISA 570 will allow you to configure QoS and/or ACL rules to control the traffic the way that you wish.  How long before the ASAs are in place, and are you configuring them or is that being handled by someone else?

If someone else, can you make requests regarding the configuration to shape or filter the traffic to meet your needs?
Minimally, the 570 will allow you to set up a Guest wireless internet VLAN which you could make the iOS/Android tablets/smart devices utilize, and then set QoS lower for that traffic versus the VPN traffic.

I'm assuming that right now that nothing at a remote site bypasses the VPN, and so internet bound traffic is going through the VPN to your "main" site and then routed from there.

Until you get the new Cisco equipment, you might look into reconfiguring your site-to-site VPN to allow split tunneling... meaning that if the traffic is destined for one of your corporate internal addresses it goes through the VPN, otherwise it's routed out to the Internet (bypassing the VPN and reducing the saturation of the VPN pipe).  It doesn't give you the full traffic control that you are needing, but it might provide some level of relief while waiting for the new stuff to show up.
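The three controls proposed in this thread (an ACL that only lets Terminal Services traffic into the tunnel, QoS that ranks it above mail sync, and split tunneling that keeps non-corporate destinations off the VPN) are all classification decisions made at the remote-site gateway before encapsulation. The following Python model is an added example, not code from the thread or from any Linksys or Cisco product; it shows the decision logic so the two options can be compared against the same set of flows. The corporate prefixes, the service ports (3389 for RDP, 5060 for SIP, 9100 for printing, 443 assumed for Outlook Anywhere and ActiveSync), and the sample flows are all constructed values.

```python
"""Split-tunnel routing plus ACL / QoS classification at a remote-site gateway.
Added example for this thread; all addresses, ports and flows are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed: address space that lives behind the main-office VPN endpoint.
CORP_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Assumed service ports the tunnel is meant to carry (option 1: the ACL allowlist;
# option 2: the high-priority QoS class).
ALLOWED_IN_TUNNEL = {3389: "rdp", 5060: "sip", 9100: "printing"}

# Assumed: Outlook cached-mode sync (Outlook Anywhere) and ActiveSync both ride HTTPS.
MAIL_PORTS = {443: "mail"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_corporate(addr: str) -> bool:
    """True when the address falls inside a prefix reachable only via the VPN."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORP_PREFIXES)


def route(flow: Flow) -> str:
    """Split tunnelling: corporate destinations via the VPN, everything else direct."""
    return "vpn" if is_corporate(flow.dst) else "direct"


def acl_decision(flow: Flow) -> str:
    """Option 1: only the listed services may enter the tunnel; mail sync is blocked."""
    if route(flow) != "vpn":
        return "permit"          # direct traffic is not subject to the tunnel ACL
    return "permit" if flow.dport in ALLOWED_IN_TUNNEL else "deny"


def qos_class(flow: Flow) -> str:
    """Option 2: rank interactive services above mail sync on the shared uplink."""
    if flow.dport in ALLOWED_IN_TUNNEL:
        return "high"
    if flow.dport in MAIL_PORTS:
        return "low"
    return "default"


def apply_policy(flows, mode: str):
    """Return (flow, path, verdict) for each flow under 'acl' or 'qos' mode."""
    if mode not in ("acl", "qos"):
        raise ValueError("mode must be 'acl' or 'qos'")
    decide = acl_decision if mode == "acl" else qos_class
    return [(f, route(f), decide(f)) for f in flows]


def tunnel_load(flows, mode: str) -> dict:
    """Summarise what the VPN tunnel would carry: ACL verdicts or QoS classes."""
    counts = Counter()
    for f, path, verdict in apply_policy(flows, mode):
        if path != "vpn":
            continue             # split-tunnelled traffic never enters the pipe
        if mode == "acl":
            counts["permitted" if verdict == "permit" else "denied"] += 1
        else:
            counts[verdict] += 1
    return dict(counts)


# Constructed sample flows from a remote-site wireless segment (192.168.50.0/24).
SAMPLE_FLOWS = [
    Flow("192.168.50.10", "10.1.1.5", 3389),            # tablet RDP to the TS host
    Flow("192.168.50.10", "10.1.1.20", 443),            # Outlook cached-mode sync
    Flow("192.168.50.11", "10.1.1.20", 443),            # phone ActiveSync
    Flow("192.168.50.12", "10.1.1.30", 5060, "udp"),    # VoIP signalling
    Flow("192.168.50.12", "203.0.113.8", 443),          # public web, goes direct
]

if __name__ == "__main__":
    for mode in ("acl", "qos"):
        print(mode, tunnel_load(SAMPLE_FLOWS, mode))
        for f, path, verdict in apply_policy(SAMPLE_FLOWS, mode):
            print(f"  {f.dst}:{f.dport}/{f.proto} -> {path} {verdict}")
```

Under the ACL option the mail flows are dropped at the remote gateway and the tablets lose cached-mode sync while on site; under the QoS option they still sync, but only from whatever capacity the high class leaves over. The model also shows the asker's point that split tunneling by itself does not free the physical uplink: the direct web flow still competes for the same 5 Mbps upload, so the QoS class is applied per flow regardless of path.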

cmp119 (IT Manager), author, commented:
I figured the only solution was going to be new Cisco routers purchased with wireless access for guest networks.  That seems to be the cleanest approach.  Thank you for all your input!!!!