Splitting Network between 2 sites - Need advice
  • Splitting Network between 2 sites - Need advice

    I am in the process of moving most of my servers from my office to a Data Center.

    Current Setup:
    2x DC (Windows 2k)
    1x Exchange 2003
    5x Terminal Servers (Citrix Environment)
    1x Web Server (2008 Web)
    1x SQL Server (Windows 2008, SQL 200
    20+ Workstations (Windows XP Pro)

    I am thinking about relocating almost all the servers to a datacenter and open a Cisco Site to Site VPN with the DataCenter for the 20+ Workstations to still connect with Exchange, etc.

    After the Change my network will look like this:
    Local: (3k up/down internet)
    1x DC (Windows 2k)
    20+ Workstations
    |
    site to site VPN
    |
    DataCenter: (10k up/down internet)
    1x DC (Windows 2k)
    1x Exchange 2003
    5x Terminal Servers (Citrix Environment)
    1x Web Server (2008 Web)
    1x SQL Server (Windows 2008, SQL 200

    Would you recommend I open an additional DC to keep 2 remote and 1 locally?

    Any other issues you might have come across in such a move?

    Hobie

  • #2
    Re: Splitting Network between 2 sites - Need advice

    You don't need a second DC at the data centre -- probably better at the local site!

    Why are you doing this -- is it to plan for future expansion or is it to allow your TS users faster access?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Splitting Network between 2 sites - Need advice

      The main reason is to provide future expansion. The majority of my users are TS (Citrix) users.

      We have a few real PCs, but for the most part my users do everything inside the Terminal.

      I know I will have to restructure my file server to move some shares to the local DC and some to the remote to remove the WAN element from everyday life.

      My question for AD is:
      Will my Terminal users authenticate against the local DC or will they authenticate over a WAN connection? (and vice versa)

      I'm trying to not complicate the network by adding subdomains and trusts and whatnot, but if I have to then so be it.

      Thanks,
      Hobie



      • #4
        Re: Splitting Network between 2 sites - Need advice

        The problem you have with the proposed solution is that you add another potential point of failure by moving the TS farm from the same site as the clients. In which case you'll have to think about a redundant link to the datacentre.

        The AD authentication would normally be on the DC located on the same site as the TS (providing AD sites are configured, otherwise it'll be the first available DC)
        When logging to a TS, the authentication requests are forwarded by the terminal server as above.
        Your current setup is more resilient in a way because the WAN failure won't affect TS availability and if the DC in the branch office was to fail as well as the WAN link, you could still use the TS with cached credentials.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR



        • #5
          Re: Splitting Network between 2 sites - Need advice

          Perhaps I should give more information. (I apologize I did not already)

          I have 10 people in the office that use the Citrix system (via thin clients / win xp over http) and 40 people who come in from the outside (http).

          80% of my users are outside my current building and it seems I have the choice of beefing up my system (backup internet, backup generator power, SAN instead of local storage for HA) or I could move to a datacenter who provides this as part of the monthly leasing.

          Exchange:
          Most people use Citrix or OWA, but I have several who just use Outlook and network shares.

          Printers:
          Thin Clients: I need to map several network printers and I fear the traffic will have to go through the vpn to be printed at my local office.
          If I separate the network, I don't see how the thin clients will be able to print locally inside my office (they run HP Thin Pro).

          What else should I be worried about?

          Hobie



          • #6
            Re: Splitting Network between 2 sites - Need advice

            Since most of your users seem to be accessing the datacenter directly, you'll probably want two DCs there. If for no other reason, just for redundancy's sake.

            I'm not familiar with Citrix; does it create a tunnel to your terminal servers for you? I'm curious: do external users need to VPN in first, and then authenticate again to AD? Or is it all integrated somehow? To answer your question regarding which DC your users will authenticate against, you can configure your DNS to give priority to one DC or another. If you have multiple DNS servers (a local DNS server for the office workers, for example) you can have finer control over which DC does authentication for which users.

            One thing to consider for your VPN, for future expandability, is to leverage something like DMVPN. The main advantage is that traffic between sites flows directly from one to the other, as opposed to through the head-end first. So if you plan to open another office at some point, the configuration change would be minor.

            Or if you have a lot of remote workers who need to VPN in from non-work machines, SSLVPN might be your pick; a truly skinny client. But your choice would affect what type of hardware you buy, typically ISR routers perform better with IPSec/DMVPN/EZVPN, whereas ASAs perform better with SSLVPN. Though this may have changed since the last time I checked.

            Just food for thought



            • #7
              Re: Splitting Network between 2 sites - Need advice

              We run with MetaFrame which basically is a http connection that creates an SSL tunnel from the end user to the terminal (wherever they both are).

              I use an ASA 5510 as my firewall (used to use it for SSL VPN when we used RDP), which will work as my Site to Site with the datacenter.

              If I keep it in my location I will have to purchase two NAS devices (to replicate) and install a backup generator for power concerns probably around 10k if I go cheap.

              Just trying to weigh options before I decide which route to go.

              Thanks,
              Hobie



              • #8
                Re: Splitting Network between 2 sites - Need advice

                My first suggestion would be to dump Citrix entirely and move to using 2008 TS. TSG, RemoteApp and other features are really worth it; take a look.

                I agree with another DC. I'm a fan of 2 per site. If you don't do a lot of updating to your AD and it's not huge, it shouldn't be that much replication traffic.

                As far as your Citrix servers, you can control who they will primarily authenticate with using Sites and Services.

                Are you doing backups over the link or at each site?
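As an added example (not code from this thread or from any of the posters) of the Sites and Services approach that #4 and #8 describe, the script below defines one AD site per location, maps each subnet to its site so the DC locator sends the terminal servers to a DC on their own side of the VPN, and then checks which DC a box actually picked. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later, so it would not run on the Windows 2000 DCs in the thread); the domain name, subnets, site names and DC names are placeholders.

```powershell
# Added example: separate AD sites for the office and the datacenter.
# Assumptions (not from the thread): ActiveDirectory module available,
# placeholder domain "corp.example", placeholder subnets and DC names.
Import-Module ActiveDirectory

$domain       = "corp.example"       # assumption: placeholder domain name
$officeSubnet = "192.0.2.0/24"       # assumption: office LAN behind the ASA
$dcSubnet     = "198.51.100.0/24"    # assumption: datacenter server VLAN

# 1. One site per physical location. Existing DCs start out in
#    Default-First-Site-Name until they are moved in step 4.
New-ADReplicationSite -Name "Office"
New-ADReplicationSite -Name "DataCenter"

# 2. Map each subnet to its site. The DC locator matches the client's IP
#    against these subnets to choose a site; a subnet missing here falls
#    back to any DC, which is the "first available DC" behaviour #4 mentions.
New-ADReplicationSubnet -Name $officeSubnet -Site "Office"
New-ADReplicationSubnet -Name $dcSubnet     -Site "DataCenter"

# 3. A site link across the VPN. The interval controls how often the two
#    DCs replicate over the WAN; 15 minutes keeps changes current without
#    saturating the slower office link.
New-ADReplicationSiteLink -Name "Office-DataCenter" `
    -SitesIncluded "Office","DataCenter" `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# 4. Move each DC into the site where it physically lives (placeholder names).
Move-ADDirectoryServer -Identity "DC-OFFICE"     -Site "Office"
Move-ADDirectoryServer -Identity "DC-DATACENTER" -Site "DataCenter"

# 5. Verify from a terminal server in the datacenter. The locator should
#    report the DataCenter site and return a DC in it, not one across the VPN.
nltest /dsgetsite
nltest "/dsgetdc:$domain" /site:DataCenter
Get-ADDomainController -Discover -SiteName "DataCenter"

# After a user logs on to the TS, LOGONSERVER names the DC that answered,
# which is the quickest way to confirm logons are staying local.
Write-Output $env:LOGONSERVER
```

If `nltest /dsgetsite` on a machine still reports Default-First-Site-Name after this, its IP is not covered by any subnet object, and that is the case to fix before assuming local authentication; the same check run on an office workstation should name the Office site and the office DC.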



                • #9
                  Re: Splitting Network between 2 sites - Need advice

                  I can't dump Citrix at the moment; it would require me to update to Windows 2008, update licenses, etc., etc.

                  I plan to do local backups at each site and copy the backup over the WAN during off hours. Luckily my application is only in use between 8am and 6pm my local time, which gives a lot of room for system changes, backups, and WAN usage.

                  Hobie
