[kirkcaine]

WAN setup
We have our HQ at one location with 20 users (XP & Vista) on a SBS2008 domain.

We have just taken over a satellite office of 13 users (xp & vista) working off a XP Fileserver (workgroup) and wish to intergrate these users into our existing domain.

So i was wondering what methods others were using/recommend before we go about implementing a WAN network.

for example: As we have an Untangle server at HQ should we look at installing another untangle server at the 2nd location and using site to site vpn?
Do we need to change this workgroup over to our domain with the same subnet but different ip range?

Many thanks in advance for any recommendations.

[zx10guy]

Depending on your WAN link at your HQ AND at your satellite office, I would consider putting in a DC at the satellite office where you replicate between DCs. A site to site VPN tunnel should be used and yes, all your workstations should be part of the same corporate domain. You'll also need to use a different subnet so whatever VPN endpoint servers you're using can have match rules in place to send interesting traffic down the tunnel which needs to be routed. It also helps to have a different subnet for the satellite office when you're looking through logs.

[kirkcaine]

Thanks for the info.
I've been asked if we can do this without further purchasing of MS products plus the hardware

The WAN link would be via dsl line (8Mb) with Untangle boxes setup in router mode at both ends with Open vpn configured as site to site.
Ideally i see where you're coming from replicating between DCS and preferably using Cisco VPNs but unless the remote office becomes permenant then I don't think we'll see the cash for Server 2008 etc.
My only concern until further investigation is whether this will have a dramatic impact on the server/network at HQ?

[zx10guy]

The DSL connection is going to hurt you with this setup. The big issue with DSL is all the services I've seen personally are asymmetrical...meaning the upload speed is only a fraction of the download speed. This includes business level DSL service.

I'm not familiar with the Untangle boxes. I work primarily with Cisco and Netgear products with a smattering of Linksys, HP, 3Com and Dell. I'm also not familiar with Open VPN. If I were to do this setup, I would consider a router/firewall with VPN capability to do my site to site tunnels. Another consideration is getting static IPs for both sites. In the absence of static IPs, you may be able to get away with dynamic DNS on both ends and configuring the VPN to use aggressive mode (again on both ends.) Some VPN end point routers may not support setting up a site to site tunnel through the use of dynamic DNS hosts.

[kirkcaine]

Yeah they're business adsl lines but what you've mentioned regarding asymmetrical setup is true so will this will be pointless....both ends do have static ips though.
Again having a Cisco vpn tunnels would be preferred but due to costs they're keen to look at other methods hence Untangle and Openvpn.
I've messed with Untangle for over 6months now but haven't setup site to site tunnels so I'll try this at the weekend but regardless of using Untangle or Cisco would it still be true on the slow transfer speeds between sites due to upload speeds at both ends?

Basically we would like the 13 remote users to work off the SBS 2008 server back at HQ as the workgroup cannot cope with over 10 users so doing away with the workgroup entirely and everyone working off the files on the server at HQ. As far as Outlook goes they can use 'Outlook Anywhere'.

[srhoades]

In addition to the topology don't forget the extra CALs you will need for SBS.

[kirkcaine]

RE. extra CALS - yeah we've purchased those even though there's the Honour system but it'll be only a matter of time before MS changes that I'm sure.

Also as I'm digging deeper into SBS2008. The remote users can use RWW for sharepoint and 'Outlook Anywhere' for mail and I've just configed a network path in OWA in the 'Documents' tab which seems to work but again I'm not sure off the impact this will have on the internal netwrk if say 10-20 remote users are logged on..Plus these users wish to have this window open during BHrs so I guess OWA is not so good...hmm

[zx10guy]

If tough for me to say how good or poor the performance is going to be without knowing more about the traffic profile the users are going to push through the tunnel. In the end, it's still better than nothing unless you can find another broadband service like FIOS or even cable with higher upload speeds.

As far as keeping costs down, I understand this requirement. But I can flip it around and say that using products which have no factory support, requires hardware to run it on which uses a mechanical device like a hard drive among other things that can fail just raises the cost bar. Not to mention using products which are really not mainstream so it would require some time for you or another IT person to get up to speed whcih means labor hours you're charging to get this "low cost" option up and running.

If cost is really a big concern, I would look into something like a Netgear FVS338 which goes for around $170. This router works very and is pretty rock solid. I have one of these personally and haven't had any problems with it and VPN tunnels.

[kirkcaine]

Mate you're spot on with those comments. I supoose because we already use the Untangle as our UTM then should we utilize the Openvpn on it as well...meanwhile I'll check out that Netgear..I've come across them before but never configured them personally.
Cheers

[kirkcaine]

Discussion right now is placing the utm in bridge mode on the lan and sticking in something in a vpn router as you mentioned....another model that's within budget: Cisco RV042...have you any comments on this or are you pretty solid on the Netgear?

[zx10guy]

The only Linksys gear I've touched (the RV router is a Linksys product before Cisco had bought them out) are their line of SMB smart switches. So I can't be of more specific help with you there.

The only gear I've set up VPNs on are Cisco firewalls and routers, Netgear routers, and Firebox firewalls (they were miserable to set up by the way and we never really got them to work right.) The Netgear setup I put together just supported remote client connections. But the tunnel stayed up and running for hours. I would suspect the same would apply to a site to site setup.