VPN Setup Advice

Status
Not open for further replies.

hcotech (MIS), May 22, 2002, US
I'm looking for a book or web resource that can guide me through connecting my branches to the private NT 4 network behind our Netgear NAT-enabled RO318 Router.

I'm hoping to be able to connect the branches to our main location for intranet access at the very least and if possible somehow push security and software updates as well.

I probably should give a serious look at upgrading to W2K in the process, but I know this isn't all software either.
 
My company just went through this. I don't have a recommendation on good books, but I'll let you know what we did:

We have a Win2k domain at the main office. Branch offices were not domain members, but were accessing email and other services from the main office.

We implemented a hardware VPN using Netscreen 5XPs at all of the remote offices, and a Netscreen 25 at the main office. (We have a total of about 150 users, so you might get bigger devices if you have larger offices.)
We preconfigured all of the devices to "drop in" to the remote office setups (usually just inside the DSL router or what-have-you that was there) and wrote an instruction sheet explaining how to make the connections. The easiest method by far was to make sure that each office had a block of 5 public IP addresses from the ISP. The DSL router would have public IPs on the internal and external interfaces, and we'd give a public IP to the "untrusted" side of the Netscreen device.

Since all of the VPN policies were configured in advance, it was pretty much plug and play, and the offices came up one after another as they were connected to the Netscreens.
Once that was done, we were free to treat all offices as one big network with domain logon, software updates, shared folders, etc. We then moved domain controllers out to a couple of larger offices and expanded the domain a bit.

First suggestion: set up your internal addressing for each office ahead of time, so that when the VPN is activated, the IPs won't overlap, but the PCs will still see each other as being on the same network.

Second suggestion: if you go with a hardware VPN, ask the manufacturer to recommend a local security consulting company, and have them assist in the configuration and design. If you haven't configured a VPN before (we hadn't), they can make it happen quickly, and can help you avoid any configuration errors before it becomes a mess.
It cost us more to do it that way, but we went from start to finish in under 30 days with no unresolved issues at the end of it all. I think we came out ahead in savings on downtime and support!
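The first suggestion above (non-overlapping per-office addressing, planned before the tunnels go up) is the kind of thing worth checking mechanically rather than by eye. The following is an added example written for this page, not code from the thread or from Netscreen; the office names and subnets are constructed, with one overlap planted on purpose so the check has something to catch. It flags overlapping ranges, flags anything outside RFC 1918 space, and computes the single summary prefix that covers every office, which is a convenient thing to use as the one selector the hub side needs.

```python
import ipaddress
from itertools import combinations

# Constructed per-office addressing plan (example data, not the thread's real network).
# branch3 deliberately collides with branch1 so the check reports something.
OFFICES = {
    "main":    "10.1.0.0/24",
    "branch1": "10.2.0.0/24",
    "branch2": "10.3.0.0/24",
    "branch3": "10.2.0.128/25",   # overlaps branch1
}


def parse_plan(plan):
    """Turn CIDR strings into ip_network objects; strict=True rejects a prefix with host bits set."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}


def find_overlaps(plan):
    """Sorted (a, b) office pairs whose subnets overlap.

    An overlap means a destination matches two tunnel selectors at once, so one of the
    two offices becomes unreachable once the VPN replaces NAT between sites.
    """
    nets = parse_plan(plan)
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def non_private(plan):
    """Offices whose range is not private address space.

    Routing a public range over the VPN would shadow real Internet hosts in that range.
    """
    return sorted(name for name, net in parse_plan(plan).items() if not net.is_private)


def summary_route(plan):
    """Smallest single prefix covering every office, usable as the one route the hub advertises."""
    nets = list(parse_plan(plan).values())
    summary = nets[0]
    for net in nets[1:]:
        while not summary.supernet_of(net):
            summary = summary.supernet()   # widen by one bit until it covers this office
    return str(summary)


def validate(plan):
    """Human-readable list of problems; empty list means the plan is clean."""
    problems = []
    for a, b in find_overlaps(plan):
        problems.append(f"overlap: {a} {plan[a]} and {b} {plan[b]}")
    for name in non_private(plan):
        problems.append(f"non-private range: {name} {plan[name]}")
    return problems


if __name__ == "__main__":
    for problem in validate(OFFICES):
        print(problem)
    print("summary route:", summary_route(OFFICES))
```

Run it before the devices are staged: the overlap between branch1 and branch3 is exactly the mistake that is painless to fix on paper and miserable to fix once a preconfigured appliance is already sitting in a remote office.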

 
Thanks for the reply 247admin.

I've kind of talked myself out of the VPN idea altogether now. I really want more functionality and I can see that will most likely require a dedicated WAN connection.

Expensive, but not entirely unrealistic as we could definitely use more bandwidth at the branch locations anyway.
 
We looked at doing leased lines also. The overall structure is definitely much simpler, I hope that goes well for you.

Here's what I found are benefits/drawbacks of going with IP based VPN:

1. If hub office goes down, all spoke offices still have internet connectivity (Versus a common leased-line layout of having all offices connect to the internet through the central office)

2. Ability to choose and switch providers for each office independently; reconfiguration is minimal (just change IP entries at each end).

3. Low initial and recurring costs (DSL vs. leased-line costs). I think we're saving about $24,000 a year on connection costs. If our offices were all in the same region a leased line would probably be more cost effective.

4. Ease of integrating remote users with VPN client software

5. Dealing with multiple ISPs over a wide geographic area can be a pain!

6. Ability to add new locations as fast as I can plug them in, as long as they have an existing inet connection.

7. Ability to create "full mesh" networks for "free" limited only by the capacity of the VPN hardware.

Cheers!

 
Yikes! I hadn't given thought to the central failure point the dedicated WAN would involve. Glad you mentioned that. I guess in reality, though, we have had less downtime on our central office T-1 than at any of the branch leased 56k lines.

We're a county library. The farthest branch is 30 miles. Not extreme in terms of line distance. (I think :)

I'm not sure what a "mesh" network is, but if it means that I could have all the branches effectively on the same network as the central office and therefore under central management (using W2k Domain or ActiveDir), then I'm interested for sure.
 
The full mesh just means that every office is connected to every other office. If one location goes down, the rest can still talk to each other.

Another plus for leased lines is that you can control Internet access from one location. When I want to control what people can access at remote offices, I have to edit the policies for each office.

Seems like there are lots of pluses and minuses for each!

If you don't have many computers at the remote connections, you could also use software VPN clients at the remote sites, with one piece of VPN hardware at the central site. That would save on equipment, but I think it would be a headache. With hardware you can just place it and forget it!
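The trade-offs discussed in this thread (a hub failure stranding the spokes in a leased-line layout, branches keeping their own Internet access over an IP VPN, full mesh surviving the loss of any one site, and the number of per-office policies that have to be edited) can be made concrete with a small topology model. This is an added example written for this page, not code from the thread; the site names are constructed, and the VPN layout is simplified by modelling each tunnel as a direct site-to-site link alongside each site's own Internet link, with only whole-site failures considered.

```python
from collections import deque
from itertools import combinations

# Constructed site list (example, not the thread's real offices).
SITES = ["main", "branch1", "branch2", "branch3"]
INTERNET = "internet"   # pseudo-node standing in for "has Internet connectivity"


def hub_and_spoke(sites, hub):
    """Leased-line style: every branch has a single link, to the hub (n-1 links)."""
    return {tuple(sorted((hub, s))) for s in sites if s != hub}


def full_mesh(sites):
    """Every site has a tunnel to every other site: n(n-1)/2 links."""
    return set(combinations(sorted(sites), 2))


def leased_line_layout(sites, hub):
    """Hub-and-spoke plus one Internet connection, at the hub only."""
    return hub_and_spoke(sites, hub) | {tuple(sorted((hub, INTERNET)))}


def vpn_layout(sites):
    """Full mesh of tunnels, and every site keeps its own ISP link (simplified model)."""
    return full_mesh(sites) | {tuple(sorted((s, INTERNET))) for s in sites}


def policies_per_site(links):
    """Tunnel policies each site's device must carry (one per adjacent link).

    This is the per-office editing burden the thread mentions: a spoke carries one,
    a hub or a fully meshed site carries n-1.
    """
    counts = {}
    for a, b in links:
        counts[a] = counts.get(a, 0) + 1
        counts[b] = counts.get(b, 0) + 1
    return counts


def reachable(links, start, failed=()):
    """Nodes reachable from `start` once every node in `failed` is offline (BFS)."""
    if start in failed:
        return set()
    adj = {}
    for a, b in links:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def survives_failure(links, sites, failed):
    """True if every pair of surviving sites can still reach each other."""
    survivors = [s for s in sites if s not in failed]
    return all(reachable(links, s, failed) >= set(survivors) - {s} for s in survivors)


if __name__ == "__main__":
    leased, vpn = leased_line_layout(SITES, "main"), vpn_layout(SITES)
    print("policies per site, hub-and-spoke:", policies_per_site(hub_and_spoke(SITES, "main")))
    print("policies per site, full mesh:    ", policies_per_site(full_mesh(SITES)))
    for name, layout in (("leased line", leased), ("IP VPN", vpn)):
        still_up = reachable(layout, "branch1", failed={"main"})
        print(f"{name}: with main down, branch1 reaches {sorted(still_up) or 'nothing'}")
```

Running it shows the two sides of the argument side by side: with the hub down, the leased-line branch reaches nothing, not even the Internet, while the VPN branch still reaches the other branches and its own ISP; the price is that each meshed site carries n-1 policies instead of one, which is what makes a policy change a per-office job.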

 