VPN - Network Novice Questions

At our main office we have a Windows 2003 Server running as a DC and a
Terminal Server - I know not recommended but we have to cut corners on
hardware expenses temporarily. We are setting up a remote office that
will be using Thin-clients with the Windows CE 5.0 OS. Our phone
company is installing a VoIP system at the remote office and will also
be setting up a VPN from the remote office to the main office (they
support the Voip here too and have their router in place) and they
will supply the router at the remote location. We have a static IP at
each location.

The remote clients will login to the Terminal Server with Active
Directory/Domain credentials.

Here is our current network setup:

Location A: Main Office

Server =Windows 2003 Standard Edition
Clients: all XP Pro
Running DHCP = Yes -- handing out addresses: 192.168.1.xxx to local
clients
# of NICs = 1
LAN IP: 192.168.1.1
Subnet Mask:255.255.255.0
Gateway: 192.168.1.254 -- router IP
DNS Server: 192.168.1.1
Internet Connection: Cable

Location B: Remote Office

Server: None
Clients: Wyse Winterms with Windows CE5.0
Internet Connection: DSL

Here are our questions:

1. Should the router at the remote site run DHCP or do you typically
let the remotes get IP addresses from the Server at the main location?
Or, do we statically assign IPs to the remotes and turn off DHCP on
the router?

2. What IP address range should the remotes use? For example,
192.168.2.xxx?

Thanks

Hi,
what i guess here is, that your serviceprovider places the routers as "the"
vpn tunnel endpoints.
So, your data and voip traffic is encapsulated (encrypted) passing the
providers net and wires and/or the internet cloud.

For the local nets on both sides this would be transparent. Appropriate
gateway setting (routing) localy should be sufficient to serve central and
remote sites.
If you already have a DC ( for the domain purposes ) running (with DNS too),
why should not run DCHP too.

It will be more complicate to set up DHCP on the router, i think. ...depends
on the device...
Dhcp not at last gives you control, which Clients you (the domain) accept to
be connected by IP.

It was different, if the tunnel ends on a client or on a computer in your
central office. (?)

jk

Can the routers be a VPN servers? You may want to setup IPSec site to site
VPN. Otherwise, you may have some issues because of using DC as VPN server.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


<(E-Mail Removed)> wrote in message
news:657f8287-592e-4e2f-8900-(E-Mail Removed)...
> At our main office we have a Windows 2003 Server running as a DC and a
> Terminal Server - I know not recommended but we have to cut corners on
> hardware expenses temporarily. We are setting up a remote office that
> will be using Thin-clients with the Windows CE 5.0 OS. Our phone
> company is installing a VoIP system at the remote office and will also
> be setting up a VPN from the remote office to the main office (they
> support the Voip here too and have their router in place) and they
> will supply the router at the remote location. We have a static IP at
> each location.
>
> The remote clients will login to the Terminal Server with Active
> Directory/Domain credentials.
>
> Here is our current network setup:
>
> Location A: Main Office
>
> Server =Windows 2003 Standard Edition
> Clients: all XP Pro
> Running DHCP = Yes -- handing out addresses: 192.168.1.xxx to local
> clients
> # of NICs = 1
> LAN IP: 192.168.1.1
> Subnet Mask:255.255.255.0
> Gateway: 192.168.1.254 -- router IP
> DNS Server: 192.168.1.1
> Internet Connection: Cable
>
> Location B: Remote Office
>
> Server: None
> Clients: Wyse Winterms with Windows CE5.0
> Internet Connection: DSL
>
> Here are our questions:
>
> 1. Should the router at the remote site run DHCP or do you typically
> let the remotes get IP addresses from the Server at the main location?
> Or, do we statically assign IPs to the remotes and turn off DHCP on
> the router?
>
> 2. What IP address range should the remotes use? For example,
> 192.168.2.xxx?
>
> Thanks
>
>
>
>

On Jan 7, 11:59*am, "Robert L. \(MS-MVP\)"
<blinNoEmailple...@mvps.org> wrote:
> Can the routers be a VPN servers? You may want to setup IPSec site to site
> VPN. Otherwise, you may have some issues because of using DC as VPN server..
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting onhttp://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access onhttp://www.HowToNetworking.com
>
> <porbarfa...@gmail.com> wrote in message
>
> news:657f8287-592e-4e2f-8900-(E-Mail Removed)...
>
>
>
> > At our main office we have a Windows 2003 Server running as a DC and a
> > Terminal Server - I know not recommended but we have to cut corners on
> > hardware expenses temporarily. We are setting up a remote office that
> > will be using Thin-clients with the Windows CE 5.0 OS. Our phone
> > company is installing a VoIP system at the remote office and will also
> > be setting up a VPN from the remote office to the main office (they
> > support the Voip here too and have their router in place) and they
> > will supply the router at the remote location. We have a static IP at
> > each location.
>
> > The remote clients will login to the Terminal Server with Active
> > Directory/Domain credentials.
>
> > Here is our current network setup:
>
> > Location A: Main Office
>
> > Server =Windows 2003 Standard Edition
> > Clients: all XP Pro
> > Running DHCP = Yes -- handing out addresses: 192.168.1.xxx to local
> > clients
> > # of NICs = 1
> > LAN IP: *192.168.1.1
> > Subnet Mask:255.255.255.0
> > Gateway: 192.168.1.254 *-- *router IP
> > DNS Server: 192.168.1.1
> > Internet Connection: Cable
>
> > Location B: *Remote Office
>
> > Server: None
> > Clients: Wyse Winterms with Windows CE5.0
> > Internet Connection: DSL
>
> > Here are our questions:
>
> > 1. Should the router at the remote site run DHCP or do you typically
> > let the remotes get IP addresses from the Server at the main location?
> > Or, do we statically assign IPs to the remotes and turn off DHCP on
> > the router?
>
> > 2. What IP address range should the remotes use? For example,
> > 192.168.2.xxx?
>
> > Thanks- Hide quoted text -
>
> - Show quoted text -

The VPN provider-the Phone company who provides the VoIP- tells us
they are setting up a Site-to-Site IPSec VPN.

So, do we let our DC act as DHCP for remote clients? If so, do we give
them 192.168.1.xxx addresses?

If not, do we let the router at the remote site be the DHCP server and
what addresses do we give the remote clients?

Thanks

I would use remote router as DHCP server and you can use any IP you want
except 192.168.1.0/24.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


<(E-Mail Removed)> wrote in message
news:58639c89-6784-40f4-9015-(E-Mail Removed)...
On Jan 7, 11:59 am, "Robert L. \(MS-MVP\)"
<blinNoEmailple...@mvps.org> wrote:
> Can the routers be a VPN servers? You may want to setup IPSec site to site
> VPN. Otherwise, you may have some issues because of using DC as VPN
> server.
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting
> onhttp://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access
> onhttp://www.HowToNetworking.com
>
> <porbarfa...@gmail.com> wrote in message
>
> news:657f8287-592e-4e2f-8900-(E-Mail Removed)...
>
>
>
> > At our main office we have a Windows 2003 Server running as a DC and a
> > Terminal Server - I know not recommended but we have to cut corners on
> > hardware expenses temporarily. We are setting up a remote office that
> > will be using Thin-clients with the Windows CE 5.0 OS. Our phone
> > company is installing a VoIP system at the remote office and will also
> > be setting up a VPN from the remote office to the main office (they
> > support the Voip here too and have their router in place) and they
> > will supply the router at the remote location. We have a static IP at
> > each location.
>
> > The remote clients will login to the Terminal Server with Active
> > Directory/Domain credentials.
>
> > Here is our current network setup:
>
> > Location A: Main Office
>
> > Server =Windows 2003 Standard Edition
> > Clients: all XP Pro
> > Running DHCP = Yes -- handing out addresses: 192.168.1.xxx to local
> > clients
> > # of NICs = 1
> > LAN IP: 192.168.1.1
> > Subnet Mask:255.255.255.0
> > Gateway: 192.168.1.254 -- router IP
> > DNS Server: 192.168.1.1
> > Internet Connection: Cable
>
> > Location B: Remote Office
>
> > Server: None
> > Clients: Wyse Winterms with Windows CE5.0
> > Internet Connection: DSL
>
> > Here are our questions:
>
> > 1. Should the router at the remote site run DHCP or do you typically
> > let the remotes get IP addresses from the Server at the main location?
> > Or, do we statically assign IPs to the remotes and turn off DHCP on
> > the router?
>
> > 2. What IP address range should the remotes use? For example,
> > 192.168.2.xxx?
>
> > Thanks- Hide quoted text -
>
> - Show quoted text -

The VPN provider-the Phone company who provides the VoIP- tells us
they are setting up a Site-to-Site IPSec VPN.

So, do we let our DC act as DHCP for remote clients? If so, do we give
them 192.168.1.xxx addresses?

If not, do we let the router at the remote site be the DHCP server and
what addresses do we give the remote clients?

Thanks

I agree with Bob. Doing DHCP across the link would be a bad idea. You
need the DHCP server to be local to the remote site. If the site doesn't
have a server you will need to use DHCP on the router.

What IP address range you use for the second site will probably be
determined by your provider. That has to be determined before the link is
set up, because the routing between sites depends on it. (Each VPN router
has a route for the other site's subnet directing the traffic through the
VPN tunnel). You can only use the same IP range on both sides if the link
is a bridge, and that is not a real site to site VPN.

"Robert L. (MS-MVP)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I would use remote router as DHCP server and you can use any IP you want
>except 192.168.1.0/24.
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
>
>
> <(E-Mail Removed)> wrote in message
> news:58639c89-6784-40f4-9015-(E-Mail Removed)...
> On Jan 7, 11:59 am, "Robert L. \(MS-MVP\)"
> <blinNoEmailple...@mvps.org> wrote:
>> Can the routers be a VPN servers? You may want to setup IPSec site to
>> site
>> VPN. Otherwise, you may have some issues because of using DC as VPN
>> server.
>>
>> --
>> Bob Lin, MS-MVP, MCSE & CNE
>> Networking, Internet, Routing, VPN Troubleshooting
>> onhttp://www.ChicagoTech.net
>> How to Setup Windows, Network, VPN & Remote Access
>> onhttp://www.HowToNetworking.com
>>
>> <porbarfa...@gmail.com> wrote in message
>>
>> news:657f8287-592e-4e2f-8900-(E-Mail Removed)...
>>
>>
>>
>> > At our main office we have a Windows 2003 Server running as a DC and a
>> > Terminal Server - I know not recommended but we have to cut corners on
>> > hardware expenses temporarily. We are setting up a remote office that
>> > will be using Thin-clients with the Windows CE 5.0 OS. Our phone
>> > company is installing a VoIP system at the remote office and will also
>> > be setting up a VPN from the remote office to the main office (they
>> > support the Voip here too and have their router in place) and they
>> > will supply the router at the remote location. We have a static IP at
>> > each location.
>>
>> > The remote clients will login to the Terminal Server with Active
>> > Directory/Domain credentials.
>>
>> > Here is our current network setup:
>>
>> > Location A: Main Office
>>
>> > Server =Windows 2003 Standard Edition
>> > Clients: all XP Pro
>> > Running DHCP = Yes -- handing out addresses: 192.168.1.xxx to local
>> > clients
>> > # of NICs = 1
>> > LAN IP: 192.168.1.1
>> > Subnet Mask:255.255.255.0
>> > Gateway: 192.168.1.254 -- router IP
>> > DNS Server: 192.168.1.1
>> > Internet Connection: Cable
>>
>> > Location B: Remote Office
>>
>> > Server: None
>> > Clients: Wyse Winterms with Windows CE5.0
>> > Internet Connection: DSL
>>
>> > Here are our questions:
>>
>> > 1. Should the router at the remote site run DHCP or do you typically
>> > let the remotes get IP addresses from the Server at the main location?
>> > Or, do we statically assign IPs to the remotes and turn off DHCP on
>> > the router?
>>
>> > 2. What IP address range should the remotes use? For example,
>> > 192.168.2.xxx?
>>
>> > Thanks- Hide quoted text -
>>
>> - Show quoted text -
>
> The VPN provider-the Phone company who provides the VoIP- tells us
> they are setting up a Site-to-Site IPSec VPN.
>
> So, do we let our DC act as DHCP for remote clients? If so, do we give
> them 192.168.1.xxx addresses?
>
> If not, do we let the router at the remote site be the DHCP server and
> what addresses do we give the remote clients?
>
> Thanks

On Jan 7, 5:37*pm, "Bill Grant" <not.available@online> wrote:
> * *I agree with Bob. Doing DHCP across the link would be a bad idea. You
> need the DHCP server to be local to the remote site. If the site doesn't
> have a server you will need to use DHCP on the router.
>
> * * What IP address range you use for the second site will probably be
> determined by your provider. That has to be determined before the link is
> set up, because the routing between sites depends on it. (Each VPN router
> has a route for the other site's subnet directing the traffic through the
> VPN tunnel). You can only use *the same IP range on both sides if the link
> is a bridge, and that is not a real site to site VPN.
>
> "Robert L. (MS-MVP)" <blinNoEmailple...@mvps.org> wrote in messagenews:(E-Mail Removed).. .
>
>
>
> >I would use remote router as DHCP server and you can use any IP you want
> >except 192.168.1.0/24.
>
> > --
> > Bob Lin, MS-MVP, MCSE & CNE
> > Networking, Internet, Routing, VPN Troubleshooting on
> >http://www.ChicagoTech.net
> > How to Setup Windows, Network, VPN & Remote Access on
> >http://www.HowToNetworking.com
>
> > <porbarfa...@gmail.com> wrote in message
> >news:58639c89-6784-40f4-9015-(E-Mail Removed)...
> > On Jan 7, 11:59 am, "Robert L. \(MS-MVP\)"
> > <blinNoEmailple...@mvps.org> wrote:
> >> Can the routers be a VPN servers? You may want to setup IPSec site to
> >> site
> >> VPN. Otherwise, you may have some issues because of using DC as VPN
> >> server.
>
> >> --
> >> Bob Lin, MS-MVP, MCSE & CNE
> >> Networking, Internet, Routing, VPN Troubleshooting
> >> onhttp://www.ChicagoTech.net
> >> How to Setup Windows, Network, VPN & Remote Access
> >> onhttp://www.HowToNetworking.com
>
> >> <porbarfa...@gmail.com> wrote in message
>
> >>news:657f8287-592e-4e2f-8900-(E-Mail Removed)...
>
> >> > At our main office we have a Windows 2003 Server running as a DC and a
> >> > Terminal Server - I know not recommended but we have to cut corners on
> >> > hardware expenses temporarily. We are setting up a remote office that
> >> > will be using Thin-clients with the Windows CE 5.0 OS. Our phone
> >> > company is installing a VoIP system at the remote office and will also
> >> > be setting up a VPN from the remote office to the main office (they
> >> > support the Voip here too and have their router in place) and they
> >> > will supply the router at the remote location. We have a static IP at
> >> > each location.
>
> >> > The remote clients will login to the Terminal Server with Active
> >> > Directory/Domain credentials.
>
> >> > Here is our current network setup:
>
> >> > Location A: Main Office
>
> >> > Server =Windows 2003 Standard Edition
> >> > Clients: all XP Pro
> >> > Running DHCP = Yes -- handing out addresses: 192.168.1.xxx to local
> >> > clients
> >> > # of NICs = 1
> >> > LAN IP: 192.168.1.1
> >> > Subnet Mask:255.255.255.0
> >> > Gateway: 192.168.1.254 -- router IP
> >> > DNS Server: 192.168.1.1
> >> > Internet Connection: Cable
>
> >> > Location B: Remote Office
>
> >> > Server: None
> >> > Clients: Wyse Winterms with Windows CE5.0
> >> > Internet Connection: DSL
>
> >> > Here are our questions:
>
> >> > 1. Should the router at the remote site run DHCP or do you typically
> >> > let the remotes get IP addresses from the Server at the main location?
> >> > Or, do we statically assign IPs to the remotes and turn off DHCP on
> >> > the router?
>
> >> > 2. What IP address range should the remotes use? For example,
> >> > 192.168.2.xxx?
>
> >> > Thanks- Hide quoted text -
>
> >> - Show quoted text -
>
> > The VPN provider-the Phone company who provides the VoIP- tells us
> > they are setting up a Site-to-Site IPSec VPN.
>
> > So, do we let our DC act as DHCP for remote clients? If so, do we give
> > them 192.168.1.xxx addresses?
>
> > If not, do we let the router at the remote site be the DHCP server and
> > what addresses do we give the remote clients?
>
> > Thanks- Hide quoted text -
>
> - Show quoted text -

Thanks for reply. Just so we understand:

Our main office's server is a DHCP server that is on a 192.168.1.xxx
LAN. The router here is the gateway at 192.168.1.254.

The remote site is all thin clients that will connect through the VPN
to this DHCP Server. The remote site does not have a server. There
will be a router here that will be the VPN-endpoint.

1. We understand that the router at the remote site will be the DHCP
server. What IP addresses should it give the thin-clients? For
example, could they be: 192.168.2.xxx or could they be 10.10.10.xxx?

2. Once the phone company creates this VPN, how do the thin-clients
"use it" for connecting to the Terminal Server? The thin-clients have
WindowsCE 5.0 OS and we intend to use the Microsoft RDP connection.

<(E-Mail Removed)> wrote in message
news:8d198bc8-ae40-4d8d-b4e0-(E-Mail Removed)...
On Jan 7, 5:37 pm, "Bill Grant" <not.available@online> wrote:
> I agree with Bob. Doing DHCP across the link would be a bad idea. You
> need the DHCP server to be local to the remote site. If the site doesn't
> have a server you will need to use DHCP on the router.
>
> What IP address range you use for the second site will probably be
> determined by your provider. That has to be determined before the link is
> set up, because the routing between sites depends on it. (Each VPN router
> has a route for the other site's subnet directing the traffic through the
> VPN tunnel). You can only use the same IP range on both sides if the link
> is a bridge, and that is not a real site to site VPN.
>
> "Robert L. (MS-MVP)" <blinNoEmailple...@mvps.org> wrote in
> messagenews:(E-Mail Removed).. .
>
>
>
> >I would use remote router as DHCP server and you can use any IP you want
> >except 192.168.1.0/24.
>
> > --
> > Bob Lin, MS-MVP, MCSE & CNE
> > Networking, Internet, Routing, VPN Troubleshooting on
> >http://www.ChicagoTech.net
> > How to Setup Windows, Network, VPN & Remote Access on
> >http://www.HowToNetworking.com
>
> > <porbarfa...@gmail.com> wrote in message
> >news:58639c89-6784-40f4-9015-(E-Mail Removed)...
> > On Jan 7, 11:59 am, "Robert L. \(MS-MVP\)"
> > <blinNoEmailple...@mvps.org> wrote:
> >> Can the routers be a VPN servers? You may want to setup IPSec site to
> >> site
> >> VPN. Otherwise, you may have some issues because of using DC as VPN
> >> server.
>
> >> --
> >> Bob Lin, MS-MVP, MCSE & CNE
> >> Networking, Internet, Routing, VPN Troubleshooting
> >> onhttp://www.ChicagoTech.net
> >> How to Setup Windows, Network, VPN & Remote Access
> >> onhttp://www.HowToNetworking.com
>
> >> <porbarfa...@gmail.com> wrote in message
>
> >>news:657f8287-592e-4e2f-8900-(E-Mail Removed)...
>
> >> > At our main office we have a Windows 2003 Server running as a DC and
> >> > a
> >> > Terminal Server - I know not recommended but we have to cut corners
> >> > on
> >> > hardware expenses temporarily. We are setting up a remote office that
> >> > will be using Thin-clients with the Windows CE 5.0 OS. Our phone
> >> > company is installing a VoIP system at the remote office and will
> >> > also
> >> > be setting up a VPN from the remote office to the main office (they
> >> > support the Voip here too and have their router in place) and they
> >> > will supply the router at the remote location. We have a static IP at
> >> > each location.
>
> >> > The remote clients will login to the Terminal Server with Active
> >> > Directory/Domain credentials.
>
> >> > Here is our current network setup:
>
> >> > Location A: Main Office
>
> >> > Server =Windows 2003 Standard Edition
> >> > Clients: all XP Pro
> >> > Running DHCP = Yes -- handing out addresses: 192.168.1.xxx to local
> >> > clients
> >> > # of NICs = 1
> >> > LAN IP: 192.168.1.1
> >> > Subnet Mask:255.255.255.0
> >> > Gateway: 192.168.1.254 -- router IP
> >> > DNS Server: 192.168.1.1
> >> > Internet Connection: Cable
>
> >> > Location B: Remote Office
>
> >> > Server: None
> >> > Clients: Wyse Winterms with Windows CE5.0
> >> > Internet Connection: DSL
>
> >> > Here are our questions:
>
> >> > 1. Should the router at the remote site run DHCP or do you typically
> >> > let the remotes get IP addresses from the Server at the main
> >> > location?
> >> > Or, do we statically assign IPs to the remotes and turn off DHCP on
> >> > the router?
>
> >> > 2. What IP address range should the remotes use? For example,
> >> > 192.168.2.xxx?
>
> >> > Thanks- Hide quoted text -
>
> >> - Show quoted text -
>
> > The VPN provider-the Phone company who provides the VoIP- tells us
> > they are setting up a Site-to-Site IPSec VPN.
>
> > So, do we let our DC act as DHCP for remote clients? If so, do we give
> > them 192.168.1.xxx addresses?
>
> > If not, do we let the router at the remote site be the DHCP server and
> > what addresses do we give the remote clients?
>
> > Thanks- Hide quoted text -
>
> - Show quoted text -

Thanks for reply. Just so we understand:

Our main office's server is a DHCP server that is on a 192.168.1.xxx
LAN. The router here is the gateway at 192.168.1.254.

The remote site is all thin clients that will connect through the VPN
to this DHCP Server. The remote site does not have a server. There
will be a router here that will be the VPN-endpoint.

1. We understand that the router at the remote site will be the DHCP
server. What IP addresses should it give the thin-clients? For
example, could they be: 192.168.2.xxx or could they be 10.10.10.xxx?

2. Once the phone company creates this VPN, how do the thin-clients
"use it" for connecting to the Terminal Server? The thin-clients have
WindowsCE 5.0 OS and we intend to use the Microsoft RDP connection.

1. As I thought I made clear, this has to be decided before the VPN link can
be set up. Part of the VPN setup involves setting the routing between the
sites. At this point the subnet at the second site must be known.

2. The individual clients do not need to know how to access machines at the
other site. They just connect to the terminal Server using its IP address or
its DNS name, as they would if they were at the same site. The sole purpose
of a site to site VPN link is to make the machines look as if they were on
the same network. The VPN link works like a (slow) IP router.