WAN setup

3phatladies
We have our HQ at one location with 20 users (XP & Vista) on a SBS2008 domain.

We have just taken over a satellite office of 13 users (XP & Vista) working off an XP file server (workgroup) and wish to integrate these users into our existing domain.

So I was wondering what methods others were using/recommend before we go about implementing a WAN network.

For example: as we have an Untangle server at HQ, should we look at installing another Untangle server at the 2nd location and using site to site VPN?
Do we need to change this workgroup over to our domain with the same subnet but different ip range?

Many thanks in advance for any recommendations.
    0 Votes
    CG IT

    that also has the global catalog role so that users use that to log on.

    Note: the SBS main box must have all FSMO roles; you can't delegate them to another box, but you can have a DC with the Global Catalog role.

    For access to email, you could use RWW, or I recommend OWA for the remote site. A lot less overhead on the WAN if using RWW or OWA for mail and internal web site access instead of VPN. VPN will tax both systems because the tunnel will only take so much traffic, whereas the internet traffic is only limited to your connection and router throughput.

    0 Votes
    Nimmo

    Preferably you'd want to put another straight server (not SBS) in and promote it to a domain controller/global catalog, and also join all the workstations to the domain.

    Create another subnet (same mask); with the range, make sure you have enough IPs available for the current nodes and for growth in that office.

    Create a site to site VPN to carry only data that is destined to each subnet, allowing all other data to go out onto the internet.

    Then create a new site in AD sites and services and assign the branch office server to the new site.

    Being that the new office is currently using an XP workstation for a file server, I'm guessing they are also using POP mail accounts.

    You should create a POP connector for each user on the server whilst transitioning them to Exchange.

    Export their current .pst files, create their new domain profiles, get them logged in and setup, then import their .pst into Outlook (I'm pretty sure Outlook will want to run a conversion on the imported files).

    The overhead of the data going to each user's Outlook won't be that great since only the changes will be sent through the VPN (it's not like they will be receiving gigs of data each day).

    One issue you may see is that people try dragging down files or using resources on the head office from the site office so make sure you keep as much as you can locally.

    0 Votes
    BizIntelligence

    To shape traffic you would need two internet connections: one for VPN and the other for browsing (8080).

    Please correct me if I am wrong...

    Cheers !

    0 Votes
    Nimmo

    When you set up the VPN you're specifying what subnets are connected, so for example if you have say:

    Site A - 192.168.1.x & site B - 192.168.2.x

    In your setup you're specifying these two addresses therefore any traffic from 192.168.2.x destined to 192.168.1.x will go through the VPN and the rest will go out onto the internet.

    Once you have setup the VPN test it by using tracert from say the head office server to a PC on the site office, then tracert to something on the internet for example google.com.

    I forgot one other thing: if they do need access to resources located on the head office server you may want to consider setting up DFS (again, the initial setup may consume a lot of bandwidth depending on what you're replicating, but after that it's just changes).

    One other thing: if you're worried about what people store on the server, you can set up quotas and content restrictions (on the 08 server when creating the shares).

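The split-tunnel routing rule and the tracert check Nimmo describes above, as an added Python example that is not part of the thread: it classifies a flow as local, VPN or internet from the two site ranges in the post, then parses a constructed Windows tracert capture to confirm that site-to-site traffic stayed inside the tunnel and that internet-bound traffic did not hairpin through the other site. The gateway addresses, the 203.0.113.5 destination and the capture text are assumptions made for the demonstration.

```python
import ipaddress
import re

# The two site ranges come from the thread; the gateway addresses and
# capture text below are constructed for this example.
SITE_SUBNETS = {
    "site A": ipaddress.ip_network("192.168.1.0/24"),
    "site B": ipaddress.ip_network("192.168.2.0/24"),
}

# Matches a tracert hop line and captures the responding address, with or
# without a resolved hostname ("router [192.168.2.1]").
HOP_RE = re.compile(r"^\s*\d+\s+.*?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")


def site_of(addr):
    """Name of the site subnet containing addr, or None for anything else."""
    ip = ipaddress.ip_address(addr)
    for name, net in SITE_SUBNETS.items():
        if ip in net:
            return name
    return None


def expected_path(src, dst):
    """How src->dst should be carried under the split-tunnel design:
    'local' (same subnet), 'vpn' (other site) or 'internet' (the site's
    own default route)."""
    src_site, dst_site = site_of(src), site_of(dst)
    if src_site is None:
        raise ValueError(f"{src} is not in a known site subnet")
    if dst_site is None:
        return "internet"
    return "local" if src_site == dst_site else "vpn"


def parse_tracert(text):
    """Extract responding hop addresses from tracert output; hops that only
    show 'Request timed out.' carry no address and are skipped."""
    return [m.group(1) for line in text.splitlines() if (m := HOP_RE.match(line))]


def check_trace(src, dst, tracert_text):
    """Compare a tracert capture with the expected path.
    Returns (expected, ok, reason). The two failure modes that matter are
    site-to-site traffic leaving the tunnel and internet traffic
    hairpinning through the other site's subnet."""
    expected = expected_path(src, dst)
    hops = parse_tracert(tracert_text)
    if not hops:
        return expected, False, "no responding hops in capture"
    if hops[-1] != str(ipaddress.ip_address(dst)):
        return expected, False, f"trace did not reach {dst} (last hop {hops[-1]})"
    hop_sites = [site_of(h) for h in hops]
    if expected == "vpn":
        leaked = [h for h, s in zip(hops, hop_sites) if s is None]
        if leaked:
            return expected, False, f"site-to-site traffic left the tunnel at {leaked[0]}"
        return expected, True, "all hops stayed inside the site subnets"
    if expected == "internet":
        src_site = site_of(src)
        hairpin = [h for h, s in zip(hops, hop_sites) if s not in (None, src_site)]
        if hairpin:
            return expected, False, f"internet traffic hairpinned through {hairpin[0]}"
        return expected, True, "internet traffic used the local default route"
    return expected, len(hops) == 1, "same-subnet traffic should be a single hop"


# Constructed captures: a correct head-office-to-branch trace, and an
# internet-bound trace that wrongly passes through site B's gateway.
GOOD_VPN_TRACE = """\
Tracing route to 192.168.2.10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    18 ms    17 ms    19 ms  192.168.2.1
  3    19 ms    18 ms    18 ms  192.168.2.10

Trace complete.
"""

HAIRPIN_INTERNET_TRACE = """\
Tracing route to 203.0.113.5 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    18 ms    17 ms    19 ms  192.168.2.1
  3     *        *        *     Request timed out.
  4    41 ms    40 ms    42 ms  203.0.113.5

Trace complete.
"""

if __name__ == "__main__":
    print(check_trace("192.168.1.20", "192.168.2.10", GOOD_VPN_TRACE))
    print(check_trace("192.168.1.20", "203.0.113.5", HAIRPIN_INTERNET_TRACE))
```

Feed it the real tracert output from both directions (head office to branch, branch to head office, and each site to an internet host) after the tunnel is up; a hairpin result means the default route is being pushed through the VPN and the branch's internet traffic is consuming the tunnel that Nimmo wants reserved for site-to-site data.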
    0 Votes
    3phatladies

    Thanks guys.
    So by sticking another DC with the GC role in and making sure the SBS at HQ holds the FSMO roles is the go.
    Both sites have only business ADSL (8Mb DL/1Mb UL), static IPs.
    Yes, currently all staff are using POP3 and we did trial the POP3 connector on the SBS box at the weekend but it froze due to a user having excessive attached files. So we disconnected for now until we get the remote office all set up, then we'll reconnect whilst transitioning to Exchange.
    The remote users can use the new 'Outlook Anywhere' for their mail and RWW.
    hmmm I've just seen that in OWA you can add a network share inside the 'Documents' folder so now wondering if VPN is needed at all?

    0 Votes
    Nimmo

    Yeah, definitely having another server in the other office is the way to go; adding it as a global catalog server and an Active Directory replica will allow the remote PCs to authenticate locally rather than over the VPN (if you didn't have a VPN they wouldn't authenticate at all since all).

    Which also shows why using a VPN is an advantage, in the event that the local server is down or can't authenticate the users the traffic can then go across the VPN and authentication can be done on the 08 server.

    8Mb/1Mb is a good connection; most of our clients run either 2Mb/2Mb or 4Mb/4Mb (premium SHDSL) and they don't have any issues (mind you, we have GPOs and firewall rules to stop certain browsing/streaming).

    In some of our sites we have also put a separate connection in but that's for VOIP purposes only.

    Off the top of my head I'm not too sure what you can do about the attachments; how big are they? Are there always going to be emails this size or is it just during the transition?

    If it's just for the transition just setup one POP connector and then increase the size limit to see what happens, if that goes ok then I'd try another one or two.

    If it's going to be all the time I'd try and keep most email to the 5MB limit at most, or schedule to send email over that size after hours (which can be a pain since people want email NOW not later, so you'll most likely have people complain).

    Another option is DFS and FTP depending on what you want to achieve. If users want to be able to access files in both locations you should use DFS, but if it's that they just want to send people large files you'd be better off setting up an FTP site.

    (Preferably on a separate box; it doesn't need to be a server, an XP workstation will do the trick, but remember that there is a total maximum of 10 connections to an FTP server that is hosted on an XP workstation at one time.)

    I'd definitely keep the VPN for the simple fact that all company data will be encrypted, including Active Directory replication, the DFS file system (which will be integrated into the AD replication if you set it up) along with other information.

    Basically I think you should sit down and work out exactly what the users' needs are and then decide on what option to take; there are so many different ways to go about setting up WANs but it all comes down to what the users' needs are.

    Let me know how you get on with the POP connector, I'll give it better thought and get back to you if I have any better ideas.

    Personally my preference for this setup would be something like setting the second server as an Active Directory replica/global catalog, configuring the VPN to pass the replica traffic and other company data.

    Depending on what the client's needs are I'd be inclined to set up either FTP or DFS and show users how to send large files rather than through email.

    Also I still think Outlook is the way to go for users' email; it's much easier and more convenient for them to simply open Outlook and there is their email, rather than open their browser, log in and read/send email.

    Oh yeah, backups: have you considered how and what you will use to backup, also what you are going to backup?

    With the remote site, if you do use Outlook, get the users' .pst files and move them across to the local server so they get backed up with your nightly server backup (if that's how you do your backups).

    You don't want to have a PC fail and then need to post or worse yet get the user to pull down their mailbox to their new machine or profile.

    0 Votes
    CG IT

    Namely it tends to have more overhead usage. With RWW and OWA users simply access via the internet securely using SSL on HTTP.

    0 Votes
    Nimmo

    But if you're going to be sending & receiving company data including replicating AD you'll want to use a VPN.

    As for RWW & OWA, well RWW is just that, remote; you're never going to use it when you're in the office. Even if users are going to be on a Terminal Server full time you'd set up an RDC connection to the Terminal Server on their desktop for them to use.

    OWA definitely has advantages over Outlook in regards to bandwidth, but seeing that most users won't be getting huge amounts of email and they (should) be caching their mailbox locally, there really won't be much bandwidth taken up by it.

    I guess you could always set Outlook users up to use Outlook over HTTP but I still don't see much of an issue using the VPN.

    I guess the setup chosen comes down to how much traffic is going in and out of the network, what the traffic is, and how many users are on the network.
