Q: Adding a small remote office to a domain?

Hey all,

Am I correct in assuming the following situation would require:

1. A VPN setup

2. Is setting up a VPN difficult?

The situation:

Essentially we have a main office that runs a Win2K Domain controller. We just purchased a small company, it only has 3-4 PCs/staff so pretty small, but it will operate remotely. They will however require access to our network data and network based applications (again only a couple of apps and one main networked storage area).

Would this be quite difficult to setup?

Cheers in advance,

Well #1 is a good start as it is a valid assumption. But #2 is just confusing... That's a question. Do you need a question?

Since you've acquired a 3-4 person company I'm going to assume that your company isn't very large with a good IT budget so I'll keep my options on the cheap side. VPNs are good but there are a few things you'll want to look at before deciding VPN is the way to go. How bandwidth intensive is this application? If you are pulling a lot of information or large amounts of data a VPN might be troublesome as you are going to be restricted by the slowest link (upload or download speed on either side) that you have on either end.

If VPN will work for you, there are 2 different ways of setting VPN up. You can either a) purchase/acquire hardware/software that will allow individuals to VPN in to it. For example, you purchase a Linksys router that comes with software that you install on the remote computers. When they need to connect to your office they fire up the application and it "dials" you and connects them to your local infrastructure. Or b) purchase/acquire hardware/software that will let you create a tunnel between both sites. Since there would be a piece of hardware on the network managing the VPN connection you wouldn't need to install software on the clients and the VPN would be "always on". By that I mean that if the connection drops for whatever reason, the hardware will automatically attempt to reconnect because that is its job. If you do end up going with my b) route, you'll want to keep the remote internet traffic off the VPN tunnel as that would just be a waste of precious precious bandwidth so that option can get a little more complex when it comes to routing.

However..... if VPN won't work because of bandwidth restraints, since you already have a Windows 2000 domain controller, look to purchase Terminal Server licenses. Terminal Services will essentially allow your remote users to virtually connect in to the Win2k server and receive a virtual desktop within that server and will be able to use the program on the local LAN and view it over the internet. It works kind of (conceptually) like GoToMyPC in the fact that you are just remote controlling a computer across the internet. When Terminal Services is activated and licensed it just lets you do that for multiple users. So your 3-4 users would open the Remote Desktop Connection software, type in the public IP or domain name of your server (you'll have to forward TCP port 3389 from your external router to this machine) and voila, they'd be right in. This route you'll have to purchase enough licenses for them and possibly have to upgrade the RAM inside the machine since it will be running additional virtual desktops within it.

So really, whatever it is you'll want to do is really first going to depend on the application and then on what works best for your environment, users and administrators.

It's a lot to digest. Fire off any follow-ups you've got. I'm sure there will be at least a few.

Wow thanks for the in-depth reply Stunod.

Due to the time constraints involved in setting this up, I feel that Terminal Services may be the way to go. I'm glad to hear there is a further software option as opposed to all these routers and network tunnels.

I will look into the terminal services software, once again very appreciated :)

Yes Terminal sessions would be an option.. But remember that brings up some security concerns.. You will want to make sure that only your users can access the terminal sessions -- won't you? Or would you care if billy bob found your server - guessed a simple username password combo, and then decided to delete all your data. And use your server to download his porn to?

Quite an easy way would be to lock down access to only the IP address this remote office will be coming from. Or you can look into using TLS for the client to auth with vs just a username and password.

If you do Terminal Services then it's easy enough to lock everything down with group policy. I did it at the last place I worked for. Made it so they can only get to Internet Explorer and the app they needed to use.

I think terminal server would be your best choice.

Isn't Terminal Services basically the bone structure of Remote Desktop? In which case doesn't Remote Desktop require a physical station at the main office for them to log in to? i.e. we would have to have a spare workstation here for them to log into.

Our part time network admin previously set up a remote system for one of our employees who moved away but we wanted to keep - in any case - the setup he used requires her to still have a physical station here to remotely log into. Is that the case, or can a virtual desktop that doesn't require a physical workstation be created within the Terminal Services structure?

  Osiris said:
Isn't Terminal Services basically the bone structure of Remote Desktop? In which case doesn't Remote Desktop require a physical station at the main office for them to log in to? i.e. we would have to have a spare workstation here for them to log into.

Our part time network admin previously set up a remote system for one of our employees who moved away but we wanted to keep - in any case - the setup he used requires her to still have a physical station here to remotely log into. Is that the case, or can a virtual desktop that doesn't require a physical workstation be created within the Terminal Services structure?

When you enable Terminal Services on a server, you aren't dealing with a 1:1 ratio. So you don't need 1 internal computer for every 1 external user. Terminal Services, hosted on a Win2k/Win2k3 server is a 1:many... So the 1 server can create multiple virtual desktops for your remote users. So all 3-4 of them would remote desktop into the 1 server running Terminal Services. Remote Desktop is what Microsoft calls the client you use to connect to a Terminal Server. Windows XP Pro is a Terminal Server with 1 built in license to allow 1 person to connect to it. You can license a full Win2k/2k3 server to accept multiple connections and host multiple full featured desktops. Licenses, last time I checked, ran about $75 a piece with a minimum of 5 purchased, but Microsoft changes their licensing model pretty frequently so I'm not sure what it is right now.

Also, please keep in mind everything everyone else said. As BudMan said, passwords are a huge concern. It would be possible for someone to connect to your Terminal Server but good usernames/passwords and patching of the server should keep them out. If you have a nice enough router, and the remote office has a static IP, you can only accept Terminal Services traffic from their remote office and pass it through to that port. Also majortom has good advice on locking the machines down with AD. Keep in mind... These users will be connecting to your server and it would not be unheard of for a user to screw that machine up with a virus/spyware/etc so locking it down will be essential. Either that or if you can somehow get a second server to function as your TS server, that would be nice too.

Okay that's handy and excellent to know, but is there any advantage to having a 1:1 ratio? As I mentioned the part-time network admin has set up that one employee's remoting so she logs into her physical computer, i.e. we have an internal workstation that just sits out back specifically for her to remotely log in to. If I understand correctly and many virtual desktops can be created, isn't it inefficient to have a 1:1 setup as we have?

Again, I would like to thank those that have contributed, already been a big help.

The only advantage I can think of is that lets say your Terminal Server (TS) server goes down or offline for some reason. Then all remote users are down. 1:1 you don't have that but you have to have a stack of computers that are used to service a group of users, but that is why servers exist. To provide multiple services to multiple users. We support several hundred users over TS. We have 3 servers that serve all those people rather than stacks upon stacks of individual machines. Plus we don't have to worry about how we provide them 1:1 connections. They just connect to the server and whammo. In.

Also, when it comes to TS, it (by default) works on port 3389. It can be changed... So if you are 1:1 you'd not only have to configure each machine to have non-default ports but you'll have to configure the remote side to connect to these different port numbers. It is completely doable but is a bit goofy. I'd liken it to hosting a single simple website with all of your directories on different servers with different ports. Also doable but goofy.

Let me throw the tinfoil hat on again for a second.. Unless you can lock down the TS traffic from only trusted IPs.. Username/password is not really a secure method to control access.. If that is all you're using make sure you have a very strict lockout policy, and VERY strong passwords. Using TLS to auth would be better and would remove the threat of brute-force attack.

But if possible have the clients VPN into your network to get access to the terminal session. And any type of VPN would either be a tunnel from a trusted location, or if you allow road warriors - it should be 2 factor at a min.. i.e. something they have, i.e. a laptop, dongle, etc.. and something they know - password, etc.

Keep in mind -- "Password1" meets MS strong password policy ;) 3 out of 4 and over 7 characters, etc.. Do you want your Company data only "Password1" away from someone thinking it's funny to delete your data? Do you think normal users use strong passwords on their own?? What is your password to log onto your network for example ;)

Before you make your network available from the public net, you need to make sure that only trusted people can access it. I'm curious how you have this machine currently set up to be accessed? Is it open to the public net?
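As an added illustration (not code from this thread or from any of the products mentioned) of the two controls BudMan describes above, the following script applies a trusted-source-IP filter for port 3389 and a failed-logon lockout window to a constructed set of logon attempts, and checks the "Password1" complexity point. The trusted IP, thresholds and attempt records are all assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_SOURCES = {"203.0.113.10"}     # assumed static IP of the remote office
LOCKOUT_THRESHOLD = 3                  # failures in the window before lockout
LOCKOUT_WINDOW = timedelta(minutes=30)

# Constructed logon attempts against TCP 3389: (time, source IP, account, succeeded)
SAMPLE_ATTEMPTS = [
    ("2007-05-01 09:00:00", "203.0.113.10", "alice", True),
    ("2007-05-01 09:10:00", "198.51.100.7", "administrator", False),
    ("2007-05-01 09:11:00", "198.51.100.7", "administrator", False),
    ("2007-05-01 09:12:00", "198.51.100.7", "administrator", False),
    ("2007-05-01 09:13:00", "198.51.100.7", "administrator", True),
    ("2007-05-01 09:20:00", "203.0.113.10", "bob", False),
    ("2007-05-01 09:21:00", "203.0.113.10", "bob", False),
    ("2007-05-01 09:22:00", "203.0.113.10", "bob", False),
    ("2007-05-01 09:23:00", "203.0.113.10", "bob", True),   # right password, but locked out
    ("2007-05-01 10:00:00", "203.0.113.10", "bob", True),   # window expired, allowed again
]

def meets_ms_complexity(password, min_length=8):
    """Complexity rule as described in the thread: at least three of the four
    character classes plus a minimum length. 'Password1' passes, which is the point."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    hits = sum(1 for c in classes if re.search(c, password))
    return len(password) >= min_length and hits >= 3

def evaluate_attempts(attempts, trusted=TRUSTED_SOURCES, threshold=LOCKOUT_THRESHOLD,
                      window=LOCKOUT_WINDOW, ip_filter=True):
    """Return one decision per attempt: 'denied-ip', 'locked-out', 'failed' or 'allowed'.
    ip_filter=False models the road-warrior case where no trusted IP exists and
    only the lockout policy stands between the server and password guessing."""
    failures = defaultdict(list)       # account -> timestamps of recent failures
    decisions = []
    for ts, src, account, ok in attempts:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ip_filter and src not in trusted:
            decisions.append("denied-ip")          # never reaches the logon prompt
            continue
        recent = [f for f in failures[account] if t - f < window]
        failures[account] = recent                 # drop failures outside the window
        if len(recent) >= threshold:
            decisions.append("locked-out")
            continue
        if ok:
            decisions.append("allowed")
        else:
            recent.append(t)
            decisions.append("failed")
    return decisions
```

Note that bob's correct logon at 09:23 is refused: a strict lockout protects the server from guessing but also lets a few bad attempts lock out a legitimate remote user, which is why the trusted-IP or VPN layer in front of it matters.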

I am completely in agreement on the need for security and much appreciate your concerns. Unfortunately you are correct and I don't doubt there are already aspects of security which need a severe looking into, I've just recently debated that with the powers that be since cleaning up this mess has now become my responsibility.

In any case my main concern for the moment must be to find the best method to connect 1-2 of the computers at this new site into the domain. Then I can work on the security and then on why the other 2 people have physical computers here taking up space when better methods are available. I agree it's not the best order of incidence but while the Boss signs the cheques he's the one setting the Agenda.

I would install a Sonicwall VPN Router at each end and create a VPN tunnel between your offices. That is the easiest, most secure method that I can think of. The new Sonicwall TZ180's are nice and not too expensive. I have 9 or 10 offices using these vpn routers and have had no issues with them at all. I even have one office in WA state that is using these to connect their remote offices in Hawaii, Arizona, Oregon without a hitch.

Good luck!

  Stunod7 said:
However..... if VPN won't work because of bandwidth restraints, since you already have a Windows 2000 domain controller, look to purchase Terminal Server licenses. Terminal Services will essentially allow your

He won't need to buy Terminal Services licensing if that is the route he is taking because he is using a Windows 2000 Server. Windows 2000 terminal server licenses are free for Windows 2000+ clients, enjoy!

Microsoft did not start charging for these until Server 2003.

I personally like the idea of throwing a VPN router on both ends and just setting up the VPN between the two. For small offices like that any of the SonicWall or Netgear out-of-the-box VPNs work just fine and are actually really easy to set up. And then the clients on the other end don't have to install the VPN software and remember to turn it on to connect, etc etc. And then you can also just set up drive mappings for them on their desktop for the shared folders and apps to run and/or attach them to the domain (ideally). It just alleviates more headaches and stuff to do in the long run really. That doesn't mean you shouldn't implement some good passwords though either.

Why not RDP over VPN?

And I don't really see much point in buying Windows 2000 Server Terminal Server licenses as Windows 2000 is already obsolete. Windows 2008 is around the corner so that may be the way to go for Terminal Server.

As far as a solution now... Might be best that the PCs run as Standalones (not Domain connected) and use VPN solely to access Windows File Shares from the server until you have the resources to implement a managed environment. VPNs can be done from within Windows or using 'VPN' routers.
