Win2K3 end point routers on separate Win2K3 networks

 
 
ch

 
      04-22-2004, 05:22 PM
2 offices, each has its own Win2K3 Standard Edition
network.
One office has cable modem - the other ADSL.
Both offices have static IP.
ADSL office has Exchange Server 2003.
Cable office gets email from ADSL office via OWA (but
wants to use desktop Outlook).
Each office has file server that the other wishes to
access.
I wish to connect the 2 offices via VPN which I think will
resolve both issues.

I figured I'd use the steps at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag00/html/VPN.asp

I have 2 questions:
1. Is the setup any different for Win2K3?
2. How do I tell the DC to point VPN traffic to the new
end point router and for all other traffic to use the
cable modem router as they currently do? I was told that I
needed to create a VPN policy on each Win2K3 DC - and then
another post told me that I didn't. I'm confused. Any help
is appreciated.

Thanks
 
 
 
 
 
Phillip Windell

 
      04-22-2004, 06:30 PM
"ch" <(E-Mail Removed)> wrote in message
news:2d7a01c4288e$63a129f0$(E-Mail Removed)...
> I have 2 questions:
> 1. Is the setup any different for Win2K3?


Not sure. Never have done it with 2003.

> 2. How do I tell the DC to point VPN traffic to the new
> end point router and for all other traffic to use the
> cable modem router as they currently do?


Since you only have two subnets and since they are directly connected, the
two VPN boxes are already aware of each other. The rest of the clients in
the system either need to use their respective VPN box as the Default
Gateway or whatever is their default gateway must have the routing set up on
it so that it knows to send anything for the remote network to the VPN box.

> I was told that I
> needed to create a VPN policy on each Win2K3 DC - and then
> other post told me that I didn't. I'm confused. Any help
> is appreciated.


I never heard of "VPN Policies".

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Guest

 
      04-22-2004, 08:33 PM
No - The two subnets are NOT aware of each other (2
offices - 2 internet connections (cable/adsl) - 2 separate
locations - geographically separated).





 
 
ch

 
      04-22-2004, 09:01 PM
You wrote:
"whatever is their default gateway must have the routing
setup on it so that it knows to send anything for the
remote network to the VPN box"

Right now the default gateways are the routers (connected
to the cable modem / ADSL modem) for each respective
office. This is how each office currently connects to the
internet.

I've read much of the documentation for each router and
cannot figure out how to get the routers to point traffic
to the Win2K3 VPN router (if and only if that traffic is
destined for the other office). So I thought that it must
be handled by the DC server (which houses the DNS & DHCP
servers). The article I am building my end-point routers
by speaks about configuring the workstations to point to
the VPN server as their default gateway - but I do NOT
want one office to traverse the wire to use the other
office's DG for internet access. That would make things
prohibitively slow. Since I use a DC that includes a DHCP
server, I wonder why I would configure each workstation.
That led me to assume that the suggestions laid out in
that article were based upon a peer to peer network, vice
a DC controlled network. We are using 2 DC controlled
networks. I had hoped to attach each VPN server to their
respective network with a static route to the other static
IP address. I guess each VPN server would be in the DMZ
for each router (current DG) for each office.

As you can see I am thoroughly confused. I assume that I'd
have some sort of icon on the workstations that allows the
users to access the VPN connection at will (but it would
always be open - I'd create a ping daemon to keep the
connection alive), but I'd hope to not have to create
these connections manually, instead allow any new
workstation that connects to the network to automatically
have access to the VPN.

Do you have any specific suggestions to handle this?

Thanks.





 
 
Phillip Windell

 
      04-23-2004, 04:54 PM
When the VPN connection is activated the VPN Routing Device is aware of the
subnet on both sides of it. Geography doesn't mean anything, the Internet
connection and the ISP don't mean anything.

Yes, the two sides are aware of each other,...in Cisco "lingo" they are
referred to as "Directly Connected Networks" as opposed to networks that have
more than one "router hop" between them.

When more than one "router hop" exists between two networks a routing table
entry is required. It can either be static or it can be dynamically
discovered via routing protocols such as RIP, OSPF, EIGRP, etc.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com





 
 
Phillip Windell

 
      04-23-2004, 05:06 PM

"ch" <(E-Mail Removed)> wrote in message
news:2f2401c428ad$01504eb0$(E-Mail Removed)...
> You wrote:
> "whatever is their default gateway must have the routing
> setup on it so that it knows to send anything for the
> remote network to the VPN box"
>
> Right now the default gateways are the routers (connected
> to the cable modem / ADSL modem) for each respective
> office. This is how each office currently connects to the
> internet.


That is normal.

> I've read much of the documentation for each router and
> cannot figure out how to get the routers to point traffic
> to the Win2K3 VPN router (if and only if that traffic is
> destined for the other office). So I thought that it must
> be handled by the DC server (which houses the DNS & DHCP
> servers).


No, DCs, DNS, and DHCP lives in a totally different realm and have
relationship to Layer3 Routing. Routing is,...well..Layer3, while all that
other stuff is well up and beyond Layer7.

> The article I am building my end-point routers
> by speaks about configuring the workstations to point to
> the VPN server as their default gateway - but I do NOT
> want one office to traverse the wire to use the other
> office's DG for internet access. That would make things
> prohibitively slow.


I think you understand the problem exactly. You either have to get those
routers set up to send the proper traffic to the VPN device or the VPN device
must become the Clients' Default Gateway. But pointing the clients to the
VPN Device doesn't mean that all the traffic would go over the VPN. The VPN
Device would have *its* Default Gateway set to the ADSL Router and would
then forward all "unspecified routes" (the Internet) to the ADSL Router and
send the "specified routes" (VPN traffic) to the remote VPN network based on
the destination address. Remember that the VPN Device knows about the
networks on both sides of it and therefore knows what to do with those
destinations. In the worst case, you might have to add static routes to the
VPN Device's routing table, but I think they would already be there since
those represent "Directly Connected Networks" from the VPN Device's
perspective.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
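
Added example (not part of the original posts): a small longest-prefix-match model of the two options described in the reply above, plus the case where the office router has no route to the remote LAN. All addresses and device names (`vpn-box`, `adsl-router`, 192.168.1.0/24, 192.168.2.0/24) are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread): ADSL office LAN
# 192.168.1.0/24, cable office LAN 192.168.2.0/24, 203.0.113.5 = an Internet host.
LOCAL, REMOTE = "192.168.1.0/24", "192.168.2.0/24"

VPN_BOX = [
    (LOCAL, "on-link"),             # directly connected LAN
    (REMOTE, "tunnel"),             # present once the VPN connection is up
    ("0.0.0.0/0", "adsl-router"),   # the VPN box's own default gateway
]
ROUTER_PLAIN = [(LOCAL, "on-link"), ("0.0.0.0/0", "internet")]
ROUTER_STATIC = ROUTER_PLAIN + [(REMOTE, "vpn-box")]  # static route added

def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in routes]
    return max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)[1]

def trace(gateway, dst, devices):
    """Follow next hops from the client's default gateway until the packet
    leaves the modelled devices (tunnel, internet or on-link delivery)."""
    path = [gateway]
    while path[-1] in devices and len(path) < 8:   # length guard stops loops
        path.append(next_hop(devices[path[-1]], dst))
    return path

def scenarios():
    static = {"vpn-box": VPN_BOX, "adsl-router": ROUTER_STATIC}
    plain = {"vpn-box": VPN_BOX, "adsl-router": ROUTER_PLAIN}
    return {
        # Option 1: clients use the VPN box as their default gateway.
        "gw=vpn-box, remote": trace("vpn-box", "192.168.2.10", plain),
        "gw=vpn-box, internet": trace("vpn-box", "203.0.113.5", plain),
        # Option 2: clients keep the router; it has a static route to the VPN box.
        "gw=router+static, remote": trace("adsl-router", "192.168.2.10", static),
        "gw=router+static, internet": trace("adsl-router", "203.0.113.5", static),
        # Neither option applied: remote-LAN traffic follows the default route out.
        "gw=router, no route, remote": trace("adsl-router", "192.168.2.10", plain),
    }

if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name:30} {' -> '.join(path)}")
```

In both options Internet traffic still leaves through the local router; only the last scenario sends remote-office traffic out the Internet link instead of the tunnel, which is the situation to check for after setup.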


 
 
Phillip Windell

 
      04-23-2004, 06:10 PM
"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
> No, DCs, DNS, and DHCP lives in a totally different realm and have
> relationship to Layer3 Routing. Routing is,...well..Layer3, while all
> that

I meant "no relationship". I hate typos that change what I meant! :-{


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com




 