VPN Solution, evaluation & decision process !!!
    Hi,

    Our enterprise plans to grow its network to multiple remote sites, country- and world-wide.
    Each site has to update and retrieve files on the primary server located in the main office.
    Support must be possible from everywhere around the world, including from other remote sites, from the main office or even from a hotel, to give support to each site.
    The administration's concept is to extend the network to teleworkers, with their automatic backup at the main office and flexible support, at a cheap price and as a solid solution! We do not plan to interconnect any SQL servers!

    ** Current setup **

    Main-Office:
    SERVER_A: DC,DS,AD, DNS, WINS, DHCP, RRAS(VPN), file and print, own tape backup
    SERVER_B: SQL, file and print, tape backup
    Workstations are W2KPro and WinXP Pro.
    SOHO remote firewall (with port forwarding) and internet cable
    On demand some on-road users have their laptop and connect VPN.

    I have proposed the following solution. However I do not know what will be the best setup to interconnect sites with on-demand VPN, using RRAS from W2K/W2003 server or some kind of boxed router/firewall/VPN solution like Cisco PIX or 3COM VPN gateway/firewall or something else.

    Main-Office: (192.168.111.0/24)
    SERVER_A: DC,DS,AD, DNS, WINS, DHCP, TS, file and print, own tape backup
    SERVER_B: DC,DS,AD, DNS, SQL, TS, file and print, tape backup
    SERVER_C: RRAS, TS, file and print, ftp, backup server for remote sites
    Workstations are W2KPro and WinXP Pro with TridiaVNC and RDP client
    SOHO remote firewall (with port forwarding) and internet cable
    SOHO remote firewall (with port forwarding) and internet DSL (backup link)
    On demand some on-road users have their laptop and connect VPN.

    Remote offices (about 25 to 30)
    192.168.2xx.1/29, 2 to 4 networked devices max., so 30 subnets of 6 hosts each
    SERVER_R-A: RRAS, TS, SQL, file and print, ftp, VNC client
    * or *
    SERVER_R-A': RRAS, TS, file and print, ftp, VNC client
    Workstations are W2KPro and WinXP Pro, VNC Server
    SOHO remote firewall (with port forwarding) and internet DSL

    Any comments or recommendations are welcome!

    Thank you

  • #2
    Some very important details are missing:
    1) Does each remote site have its own Internet link, or is it a dedicated WAN link to the central office?
    2) What is the link bandwidth between the remote site and the central site?

    Couple of notes:
    1) It's a VERY BAD idea to put TS in application mode on a DC. You DO NOT want users accessing your DC and running applications off it.
    2) You should consider a centralized backup solution instead of plugging a tape into each DC.
    3) Personally, I would try by every means to avoid building your WAN based on Microsoft's RRAS. Keep the RRAS solely for VPN access and build your WAN based on hardware solutions. This will give you much more flexibility in the future.

    Some suggestions:
    1) For building your WAN you might want to look into Cisco's EasyVPN - you can build your WAN based on IPSec VPN using Cisco routers. Similar solutions exist from other vendors.

    2) Do not "choke" the remote sites by giving them only a couple of IP addresses. I would go for a Class A based IP namespace:
    10.1.0.0/16 for central site
    10.2.x.0/24 for remote sites

    or:
    192.168.x.0/24 for each site in the enterprise. One of the major benefits of using the default Class C subnet masks is that the routing is much easier (remember that routing protocols like RIP or RIPv2 do not propagate subnet masks).
    In any case, I would suggest you to consult a network architect. There are too many issues to consider when designing a WAN.

    3) Having each site use its own Internet connection will turn into an administration nightmare. Consider setting up dedicated links between the sites.

    4) The AD part:
    a) Consider setting up at least one DEDICATED Domain Controller (no RRAS, no TS, no FTP). The less services you have running on it - the better.
    b) You will want a second DC in the central office for redundancy. Again: I would try to avoid running FTP or VNC on it. If you are short on budget, RRAS will probably live in peace on that DC.
    c) If you need a TS server in application mode, do not set it up on a DC. TS usually requires some heavy GPOs to be applied and I would not recommend applying those GPOs to DCs. I suggest acquiring an additional server for TS, FTP, etc...
    d) Set up a centralized backup solution.
    e) Avoid at any cost running VNC on DCs: I have more than once seen VNC flavours which caused memory leaks or even blue-screened.

    Happy holidays to all...
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
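    The addressing question runs through both posts: the original plan gives each remote site a /29 (6 usable hosts), while the reply argues for a /24 per site and points out that classful RIP carries no subnet mask. The Python script below is an added example, not code from either poster; it uses the standard library `ipaddress` module to carve a site plan from a pool, report the headroom per site once the planned devices and a gateway are placed, and flag whether a prefix still matches its classful default (A=/8, B=/16, C=/24), which is what a mask-less protocol such as RIPv1 would assume. The pools (`192.168.200.0/24` as the home of the question's `192.168.2xx.x/29` subnets, `10.2.0.0/16` and `192.168.0.0/16` for the reply's alternatives) and the device counts are constructed assumptions.

```python
import ipaddress

# Constructed scenario: the question's /29-per-remote-site plan and the reply's
# /24-per-site alternatives. The exact pools below are assumptions.
REMOTE_SITES = 30
DEVICES_PER_SITE = 4      # "2 to 4 networked devices max" per the question
GATEWAYS_PER_SITE = 1     # the site's router/firewall also needs an address


def classful_prefix(net):
    """Default classful prefix length (A=/8, B=/16, C=/24) for the first octet."""
    first = int(net.network_address) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None  # class D/E: not usable for unicast subnetting


def is_classful(net):
    """True when the prefix equals the classful default, i.e. a routing protocol
    that carries no mask (RIPv1) would still describe this subnet correctly."""
    return net.prefixlen == classful_prefix(net)


def usable_hosts(net):
    """Host addresses left after excluding network and broadcast addresses."""
    return net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses


def spare_addresses(net, devices=DEVICES_PER_SITE, gateways=GATEWAYS_PER_SITE):
    """Headroom in a site subnet once the planned devices and gateway are placed."""
    return usable_hosts(net) - devices - gateways


def carve_plan(pool, site_prefix, count):
    """Allocate `count` equal-sized site subnets from `pool`; fail if it is too small."""
    subnets = list(ipaddress.ip_network(pool).subnets(new_prefix=site_prefix))
    if len(subnets) < count:
        raise ValueError(
            f"{pool} holds only {len(subnets)} /{site_prefix} subnets, need {count}")
    return subnets[:count]


def plan_summary(pool, site_prefix, count=REMOTE_SITES):
    """Figures a reviewer wants per plan: range used, headroom, classful or not."""
    sites = carve_plan(pool, site_prefix, count)
    return {
        "first_site": str(sites[0]),
        "last_site": str(sites[-1]),
        "usable_hosts_per_site": usable_hosts(sites[0]),
        "spare_per_site": spare_addresses(sites[0]),
        "classful": is_classful(sites[0]),
    }


if __name__ == "__main__":
    for label, pool, prefix in [
        ("question: /29 per site", "192.168.200.0/24", 29),   # assumed pool
        ("reply: 10.2.x.0/24 per site", "10.2.0.0/16", 24),
        ("reply: 192.168.x.0/24 per site", "192.168.0.0/16", 24),
    ]:
        print(label, plan_summary(pool, prefix))
```

    Running it shows the trade-off in numbers: the /29 plan leaves one spare address per site after four devices and a gateway, the /24 plans leave 249, and only the `192.168.x.0/24` plan keeps every site subnet on a classful boundary. The `10.2.x.0/24` plan is a subnet of a class A network, so it relies on a mask-carrying protocol (RIPv2, OSPF, or static routes on the VPN routers), which is the caveat the reply raises.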