Networking Forums

Best (recommended) extranet setup

 
 
Lee

 
      08-02-2005, 02:52 PM
We are outsourcing some of our servers to a co-location data center for
increased bandwidth speed.

My problem is that our domain controller will still be at the home office.
So I would assume then that I should put a domain controller at the
co-location site (there are about 3 servers that will need the services of a
domain controller).

My question is what is the best way to connect the 2 domain controllers, the
one being at the home office and the other being at the co-location site.
The only connectivity between them is the internet.

Thanks

Lee
 
Neteng

 
      08-02-2005, 03:51 PM
VPN would be one of the most secure ways. Are you sure you need domain
functions? If these servers are on the outside, they should have no domain
affiliation.

Lee

 
      08-02-2005, 04:03 PM
Yes we're going to put an exchange server there as well as a windows share
point services server. Both those will be using the domain controller,
behind an ISA server. So we will treat them like they are in our intranet,
and the co-location is more like a branch office. How reliable is a windows
to windows VPN? Will it need frequent manual intervention? I have only used
it on my desktop and usually have fairly frequent disconnects.

Thanks

Lee

Jason Gurtz

 
      08-02-2005, 04:37 PM
On 8/2/2005 12:03, Lee wrote:
> Yes we're going to put an exchange server there as well as a windows share
> point services server. Both those will be using the domain controller,
> behind an ISA server. So we will treat them like they are in our intranet,
> and the co-location is more like a branch office. How reliable is a windows
> to windows VPN? Will it need frequent manual intervention? I have only used
> it on my desktop and usually have fairly frequent disconnects.


This sounds like a recipe for disaster. The two servers should be sitting
behind a packet filter at a minimum.

A hardware VPN link would probably prove to be the most reliable. I would
trust a private point-to-point for the domain traffic a bit more.

Something like this:

         Co-Lo Facility                   Across WAN
---------------------------------+   +---------------------
                                 |   |
                                 |   |
                                      +-----------------+
+------+                              |                 |
|      |    LAN                       | Home Office LAN |
|Server|     |                        |                 |
|  A   |-----+                        +--------+--------+
|      |     |  +---------------+              |
|      |     |  |               |              |
|      |     +--+   Router #1   +-----Link-1---+
+------+     |  |               |
             |  +---------------+
             |                               _
             |  +---------------+        #-#-#-##}
+------+     |  |   Router #2   |       {# # # ##}
|      |     +--+               +-----{# Internet ##}
|Server|     |  | Packet Filter |       {## # # ##}
|  B   |-----+  +---------------+         {###_##}
|      |     |
|      |
|      |
+------+

                                 |   |
                                 |   |
---------------------------------+   +---------------------

Note: Both servers have private IP addresses (e.g. 10.x.x.x, 192.168.x.x,
etc.). Link-1 could be a VPN or could be truly private--point-to-point
frame relay over ds1 or ds3 or something like that. Router #2 would do
filtering and port forwarding as necessary for your applications (Web,
mail, remote admin, etc.).

Depending on your mail setup it might be a good idea to have a Unix based
mail switch/smtp filter in front of your exchange server.

~Jason
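
The separation drawn in the diagram above, modelled as a first-match, default-deny rule set and compared with a flat "treat it like the intranet" rule set. This is an added example, not part of the original post and not any vendor's configuration; the addresses, the assignment of mail to Server A and web to Server B, and the port lists are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: the thread only says "10.x.x.x, 192.168.x.x".
ANY = ip_network("0.0.0.0/0")
COLO_LAN = ip_network("10.20.0.0/24")
HOME_LAN = ip_network("192.168.10.0/24")
SERVER_A = ip_network("10.20.0.10/32")  # assumed: mail
SERVER_B = ip_network("10.20.0.20/32")  # assumed: web

# Ports a domain controller answers on (DNS, Kerberos, RPC mapper, LDAP, SMB,
# kpasswd, LDAPS, global catalog). Dynamic RPC ports are not modelled here.
DOMAIN_PORTS = {53, 88, 135, 389, 445, 464, 636, 3268}

# Rule: (ingress interface, source, destination, protocol, ports, action)
SEGMENTED = [
    ("internet", ANY, SERVER_B, "tcp", {80, 443}, "permit"),  # Router #2: web
    ("internet", ANY, SERVER_A, "tcp", {25}, "permit"),       # Router #2: mail
    ("link1", HOME_LAN, COLO_LAN, "tcp", DOMAIN_PORTS | {3389}, "permit"),
    ("link1", HOME_LAN, COLO_LAN, "udp", {53, 88, 123, 389, 464}, "permit"),
]

# The flat alternative: every TCP port on the co-lo LAN open to the Internet.
FLAT = [("internet", ANY, COLO_LAN, "tcp", set(range(1, 65536)), "permit")]
FLAT += SEGMENTED[2:]


def evaluate(rules, iface, src, dst, proto, dport):
    """First matching rule wins; anything unmatched is denied."""
    src, dst = ip_address(src), ip_address(dst)
    for r_if, r_src, r_dst, r_proto, r_ports, action in rules:
        if ((iface, proto) == (r_if, r_proto) and src in r_src
                and dst in r_dst and dport in r_ports):
            return action
    return "deny"


def exposed_domain_ports(rules):
    """Domain-controller ports opened by any Internet-facing permit rule."""
    exposed = set()
    for r_if, _src, r_dst, _proto, r_ports, action in rules:
        if r_if == "internet" and action == "permit" and r_dst.overlaps(COLO_LAN):
            exposed |= r_ports & DOMAIN_PORTS
    return sorted(exposed)


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("internet", "203.0.113.7", "10.20.0.20", "tcp", 443),  # web request
        ("internet", "203.0.113.7", "10.20.0.10", "tcp", 389),  # LDAP from outside
        ("link1", "192.168.10.5", "10.20.0.10", "tcp", 389),    # LDAP over Link-1
    ]
    for name, rules in (("segmented", SEGMENTED), ("flat", FLAT)):
        print(name, [evaluate(rules, *f) for f in flows],
              "exposed:", exposed_domain_ports(rules))
```

Running the audit function over a real rule export before go-live gives a quick check that directory ports are reachable only through Link-1.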

Lee

 
      08-02-2005, 04:58 PM
Here is how I was going to do it,

Server A - Exchange, DC, SQL Server
2 NICs - 1 To Server B and 1 to VPN to Homeoffice

Server B - IIS, ISA (Proxying to Server A)
2 NICs - 1 To Server A and 1 to Internet

But what you are saying is both should be behind a dedicated packet
filter/firewall. What do you recommend for firewall hardware for this?
What do you recommend for a point to point VPN?

Thanks

Neteng

 
      08-02-2005, 05:21 PM
There really isn't a need for dual NICs (unless for redundancy). All
servers should be behind a firewall, that's mandatory. I have never used MS
VPN, I've always used Cisco. They make a solid firewall that can also
terminate a VPN (both client and site to site). Jason's points are
excellent, make sure to note them as well.

Lee

 
      08-02-2005, 05:45 PM
Ok, new plan then, I like the way that was recommended. Anyone have specific
models for the firewall hardware?

Thanks

Lee

Jason Gurtz

 
      08-02-2005, 06:29 PM
On 8/2/2005 13:45, Lee wrote:
>
> "Neteng" wrote:
>
>> used MS VPN, I've always used Cisco. They make a solid firewall that
>> can also terminate a VPN (both client and site to site). Jason's
>> points are excellent, make sure to note them as well.

>
> Ok, new plan then, I like the way that was recommended. Anyone have
> specific models for the firewall hardware?


I would take a look at the PIX line. Cisco is pretty much the widest used
brand and is very good but you may want to look at hiring a consultant if
you're new to the hardware. It can be quite complex to do the initial set
up and configuration.


~Jason

Neteng

 
      08-02-2005, 07:27 PM
I would suggest a PIX as well (probably a 515 but take a look at the specs
and make sure it fits.) The new ASA5500 boxes are sexy, check them out. It
would be a good fit for remote administration with the SSL VPN portion. It
can also include IDS if that's a requirement.
http://cisco.com/en/US/products/hw/vpndevc/index.html



Jeff Cochran

 
      08-05-2005, 10:46 AM
On Tue, 2 Aug 2005 10:45:04 -0700, Lee <(E-Mail Removed)>
wrote:

>Ok, new plan then, I like the way that was recommended. Anyone have specific
>models for the firewall hardware?


Most enterprise class firewalls have this functionality. Cisco is
big, but a SonicWall or a Watchguard would work for less. While I
tend to shy away from the SOHO class of firewalls, this would be a
perfect place to use them provided they have a hardware to hardware
VPN capability.

Jeff
