
Thread: Site to Site Network

  1. #1
    Jay
    Gentlemen.. we're history Jay's Avatar
    Join Date
    Aug 2006
    Location
    Jita
    Posts
    8,365
    Thanks
    304
    Thanked
    568 times in 409 posts

    Site to Site Network

    I have two offices that I need to connect.

    The main office currently has a full Windows domain and our new office will be using Terminal Services to connect.

    What I need to know is what hardware do you provide that will allow me to connect the two offices over a VPN on a standard ADSL connection?

    What routers would you suggest I purchase?

  2. #2
    ***** Lurker
    Join Date
    Aug 2005
    Posts
    724
    Thanks
    2
    Thanked
    15 times in 15 posts
    • d3fiant's system
    When you say full domain, what do you mean, keeping in mind Active Directory expands to thousands of servers and millions of users? Do you mean physically constrained, such as network ports etc.? You should remember that ADSL is not very good for site to site: while it has very good download speeds, upload speeds are much lower. You may want to look at SDSL, which has the same speed in both directions, like a leased line, but is more expensive. If it's just terminal server then ADSL would be OK for 1 or 2 sessions. Also, users would not be able to interact with the domain from the other site in this manner unless you have all your back-office apps running on TS servers. This post is best suited to the help forum rather than the scan forum.

  3. #3
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    384 times in 313 posts
    You could just forward the RDP port for the server to the web, but that does potentially open up a few security issues.

    If you were to have a second branch domain controller at the branch office, then you could establish an IPSEC / L2TP tunnel between them, in addition to providing local authentication services where needed.

    If you really only want the main network to be visible from the branch office then something like a Vigor Draytek 2800 can run as an IPSEC tunnel mode endpoint, to enable secure RDP sessions from branch to main office.

    http://www.draytek.co.uk/products/vigor2800.html
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  4. #4
    ***** Lurker
    • d3fiant's system
    well that puts my response firmly in the shade, I'll go get my coat

  5. #5
    Administrator Moby-Dick's Avatar
    Quote, originally posted by d3fiant:
    "well that puts my response firmly in the shade, I'll go get my coat"

    It's not all bad.

    Depending on what you are doing, a terminal server connection can be quite lean on bandwidth. It only gets heavy if you are doing a lot of printing back to client-connected printers.

    To be able to give a more complete answer, we'd need to know more about the scenario (number of users, types of application etc.)

    EDIT: Also moving this to the Networking forum.

  6. #6
    Jay
    I have about 4 sites that I want to centralise at my HQ. At the moment they are separate sites and to do any work on their server or do the backups I have to drive to the sites or Remote Desktop in. Also, when a person moves between the sites I need to back their data up and move it to the server on the other sites.

    The way I am looking at it now is that if I set up Terminal Services on a rack system I have here (decent spec, as I know it will need to be!), give the clients dial-in VPN access over the internet (for encryption) and allow them to have remote desktop over Terminal Services, then I need to back up one server, I no longer need to move data from site to site and it should save me lots of time.

    Each site will only have between 2 and 4 systems (hot desk situation).

    I will first test this with one site and 2 users, so HQ's standard ADSL should be OK (512k up). If this all works then I will upgrade HQ to SDSL 2mb/2mb. This is where the main bulk of staff are and they will use the local domain.

    Each site will have 4meg cable (384k up).

    Applications will only be Office.

    (The reason I posted this in the scan area was so they had the chance to tell me what products I could purchase off them to do this job.)
    Last edited by Jay; 10-01-2007 at 11:09 AM.

  7. #7
    Registered+
    Join Date
    Aug 2006
    Location
    North Wales
    Posts
    15
    Thanks
    0
    Thanked
    0 times in 0 posts
    Our VPN is set up using a pair of SonicWall 2040 firewalls. They're incredibly stable!! Also very easy to set up too!

    We have a pair of 6mb/s ADSL connections. Not great but it works.

    It all makes perfect sense, expressed in Dollars and Cents, Pounds, Shillings and Pence.

  8. #8
    Jay
    But if I wanted 4 offices to connect to a central office, would I need one SonicWall in the main HQ and then one at each site?

    Then get each site to VPN into the main HQ SonicWall?

    I mean, these things are £1000 each, bit much for about max of about 10 Terminal Service clients.
    Last edited by Jay; 10-01-2007 at 11:23 AM.

  9. #9
    Jay
    Quote, originally posted by deviantdave:
    "Our VPN is set up using a pair of SonicWall 2040 firewalls. They're incredibly stable!! Also very easy to set up too!

    We have a pair of 6mb/s ADSL connections. Not great but it works."

    Also, if you get the chance, tell me a bit more about this network

    (number of users, data migration between sites etc.)

  10. #10
    Administrator Moby-Dick's Avatar
    As I previously mentioned, the main problem with Office over a Terminal Service connection is printing back to a printer in the branch office. If your users are heavy printers then this will be a pain point for you. (I've set up entire firms based on hosted TS infrastructures, so I do know what I'm talking about.)

    If you are just looking at a star type design for your VPN (i.e. no redundant routing via the branch office, each branch only has a connection to HQ) then the Draytek routers will do it.

    It's always nice to try and keep the endpoints of each VPN from the same vendor (thus keeping the set of options the same).

    For the size of deployment you are looking at, the Drayteks should be up to the job as branch routers. Not sure what they do in the way of SDSL products though. They do have an enterprise class firewall, but I have a hunch it'll be overkill.

  11. #11
    Jay
    OK,

    so would this work...

    HQ 192.168.0.1 - 100

    Main Network, large rack server. Either SDSL 2mb/2mb or a dedicated lease line, Main DNS, Email servers.

    Site 1 192.168.0.101 - 110

    Standard internet (384k up) Router with DHCP and VPN
    3 PCs, Use Terminal services to the main network

    Site 2 192.168.0.111 - 120

    Standard internet (384k up) Router with DHCP and VPN
    4 PCs, Use Terminal services to the main network

    Site 3 192.168.0.121 - 140

    Standard internet (384k up) Router with DHCP and VPN
    4 PCs, Use Terminal services to the main network

    Now this should allow all the sites to appear as if they are on the same network. Terminal Services allows me to store all the data at HQ and will allow people to roam between sites and still get their profiles when they log on. Also, a central email server will be easier to set up.

    I also hope to run the DNS via the main site so I can use 1 content filtering solution.

    Also, what router would you suggest and what internet for the main site? (You seem to have not used SDSL.)
    Last edited by Jay; 10-01-2007 at 01:53 PM.

  12. #12
    Administrator Moby-Dick's Avatar
    Each site will be on a different subnet,

    i.e. 192.168.0, 192.168.1, 192.168.2 and 192.168.3 (assuming a /24 subnet mask).

    The routing policy should be done by the VPN endpoints.

    I would advise very strongly against trying to have roaming profiles over a WAN.

    In fact I'd advise against roaming profiles at all.

    What mail server are you planning on using?

    Mapping drives across the WAN should also be avoided where possible.

    What about printers?
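The addressing point raised in posts #11 and #12, as an added example that is not part of the original thread or any poster's code: it compares the flat plan (every site inside 192.168.0.x) with one /24 per site and shows why only the second lets the VPN endpoints route. The /24 mask on the flat plan, the mapping of subnets to sites, and the host addresses 192.168.0.105, 192.168.1.105 and 192.168.0.10 are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed from post #11: first address of each site's range, /24 mask assumed.
FLAT_PLAN = {
    "HQ": "192.168.0.1/24", "Site 1": "192.168.0.101/24",
    "Site 2": "192.168.0.111/24", "Site 3": "192.168.0.121/24",
}
# Subnets from post #12; which site gets which /24 is an assumption.
ROUTED_PLAN = {
    "HQ": "192.168.0.1/24", "Site 1": "192.168.1.1/24",
    "Site 2": "192.168.2.1/24", "Site 3": "192.168.3.1/24",
}

def site_networks(plan):
    """Map each site to the network its hosts believe they are attached to."""
    return {s: ipaddress.ip_interface(a).network for s, a in plan.items()}

def overlapping_sites(plan):
    """Pairs of sites with overlapping networks; endpoints cannot route between them."""
    nets = site_networks(plan)
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def uses_gateway(src_interface, dst_ip):
    """True if the host hands the packet to its router (and so into the tunnel).
    False means it treats the destination as on-link and never reaches the VPN."""
    src = ipaddress.ip_interface(src_interface)
    return ipaddress.ip_address(dst_ip) not in src.network

def hub_routes(plan, hub="HQ"):
    """Routes the hub endpoint needs in a star design: one per branch tunnel."""
    nets = site_networks(plan)
    return sorted((str(n), f"tunnel to {s}") for s, n in nets.items() if s != hub)

if __name__ == "__main__":
    print("flat plan conflicts:", overlapping_sites(FLAT_PLAN))
    print("routed plan conflicts:", overlapping_sites(ROUTED_PLAN))
    # Branch PC reaching a terminal server at HQ (host addresses are constructed).
    print("flat, via gateway:", uses_gateway("192.168.0.105/24", "192.168.0.10"))
    print("routed, via gateway:", uses_gateway("192.168.1.105/24", "192.168.0.10"))
    for dest, via in hub_routes(ROUTED_PLAN):
        print(dest, "->", via)
```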

  13. #13
    Jay
    OK, I'll use different subnets.

    Well, I assumed that the profiles would not be a problem, as Terminal Services is just like a remote desktop, so no actual data would be sent to and from the sites other than the projected desktops. I would cheat a bit with the profiles though, as I would set up a drive via Active Directory and have their "My Documents" folder on this drive (the drive would just be a direct link to their profile). It saves the copying back and forward etc. of the "My Docs" folder.

    Printing is something I will have to think about....

    I am looking at using Scalix as I can run it on Red Hat and it has webmail etc.
    Last edited by Jay; 10-01-2007 at 02:00 PM.

  14. #14
    Administrator Moby-Dick's Avatar
    Terminal Server profiles are not the same as normal desktop profiles, so you may have problems with that.

    What would users in the branches log into the hotdesk machines as?

    In fact you might not even want them to be PCs. Why not use WinTerms at the branch offices to prevent users attempting to log into them (and causing problems)? It would also make replacing a branch 'PC' easy, as you can have some preconfigured WinTerms in stock to just swap out as required.

  15. #15
    Administrator Moby-Dick's Avatar
    There are a couple of solutions to the printing problem (data gets sent back to the local client in a particularly uncompressed format, making large print jobs a real problem).

    I've not come across that particular mail server before. Does it talk to MAPI clients or is it a POP3 / IMAP only job?

  16. #16
    Jay
    Thin clients was something I was looking into.

    At first (during the test phase) I was just going to use standard PCs with a crippled version of Win XP.

    How are Terminal Service profiles different?

    Scalix uses its own MAPI driver. It's a fantastic solution as the web-based mail is very, very good. The only issue I have is that the MAPI is a bit slow. I have also used Samsung Contact and HP OpenMail.

    How would you do all this?
    Last edited by Jay; 10-01-2007 at 02:12 PM.
