Looking for a Solution

Ben

Let's say there are two small local networks, A and B, in two different cities.
+ Network A: 10 PCs (Windows), peer to peer, behind a NAT via a router
which connects to a Cayman DSL modem (only 1 static WAN IP)
+ Network B: the same as A but using a Linksys DSL modem

1> How to connect A and B via the Internet to make them work like a larger "local
network" L?
2> Do I need a server, such as Win2003 for small business, on each network to
share resources (intranet, files...), or can I just reserve a normal PC with a large
hard drive and memory? If a normal PC, then
is Linux better or is WinXP better?
 
Steven L Umbach

Get yourself two IPsec endpoint routers to connect the two networks over the internet
via an IPsec tunnel. I would suggest two identical routers which can be purchased for
around $170 each or so, at least the ones I am thinking of [Netgear FVS328]. The two
networks need to be on separate network addresses for this to work, as in one network
being 192.168.1.xxx and the other being 192.168.1.xxx, both with a subnet mask of
255.255.255.0. As long as the network addresses are different now, you do not need to
change them. With the IPsec endpoint devices the networks will be joined, but over a
SLOW link compared to your LAN network speed. Some of these devices can be configured
to forward NetBIOS broadcasts; otherwise you may find that My Network Places does not
work well, though if you do have a connection you still should be able to map drives
and create shortcuts as in \\computername\share or \\xxx.xxx.xxx.xxx\share using the
LAN IP address of the target computer. The link below is to a device that should work
well for your needs and is reasonably priced and will still allow internet access to
your network users. --- Steve

http://www.netgear.com/products/prod_details.php?prodID=235&view= -- This is a real
SPI firewall.
http://kbserver.netgear.com/products_automatic/fvs328.asp -- download the reference
manual here so you can see what it is all about and how to install it.
 
Steven L Umbach

Also, to answer your other question: you don't have to use a server computer, but if
you expect that you will need to have more than ten connections at a time to any
computer offering shares then you will need a server operating system, because W2K Pro
and XP Pro have a limit of ten concurrent connections. If you do use a server such as
Windows 2003 or SBS2003 you can set up an Active Directory domain for your computers
to centralize user accounts and policy management. For your regular desktops I would
recommend XP Pro. Internet access will be provided by using your internet router as
the default gateway for your computers. If you do decide to set up a domain, make sure
you read up on it, because DNS configuration is critical for success. The link below
explains that a bit more and you may want to bookmark it for future reference. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -- Active
Directory DNS FAQ
 
Ben

Hi Steven,

Thank you for your very practical information. I have a couple of further
questions, since I know that Windows XP Professional could be configured to be
a VPN server:

http://asia.cnet.com/enterprise/netadmin/printfriendly.htm?AT=39050037-39000223c

In choosing between the Netgear router and "setting XP to be a VPN", I wonder what
the benefit is of using the VPN router over "setting XP to be a VPN"?

There are some concerns about using XP as a VPN server behind a NAT, but it
seems to be OK if the ports related to the VPN server are configured to forward
properly.

Much appreciated, Steven

Ben



Ben

and XP Pro have a limit of ten concurrent connections. If you do use a server such as
Windows 2003 or SBS2003 you can set up an Active Directory domain for your
computers

Do I have to buy a Netgear VPN router if I use a server? Could Windows 2003
be a VPN server without a VPN router? And just one server on network A or
the other server on network B as well?

Ben
 
Steven L Umbach

Usually an XP Pro computer is used to act as a VPN server to accept one
connection and not a tunnel between networks. The problem with an XP Pro to
XP Pro VPN connection is that both computers would be on the same network
and the other computers on each side of the VPN would not be able to find
computers on the other side, since when a computer is looking for a computer
on its network it broadcasts asking the other computer for its MAC address
via ARP. Well, broadcasts like ARP would not go across that VPN and the
other computer would not reply. It would work well for a single computer
using VPN to connect to the other network. --- Steve


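The addressing and ARP points from Steven's replies, as an added example that is not part of the original thread: it checks whether two site LANs overlap, picks a free /24 for renumbering, and shows when a host resolves a peer by ARP broadcast (which stays on the local segment) rather than sending to its gateway. The function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

def check_site_to_site(lan_a, lan_b):
    """Return 'ok' when two site LANs can be routed over a tunnel, else the reason."""
    a = ipaddress.ip_network(lan_a, strict=False)
    b = ipaddress.ip_network(lan_b, strict=False)
    if a.overlaps(b):
        # Identical or nested ranges: hosts would treat remote peers as local.
        return f"conflict: {a} overlaps {b}; renumber one site"
    return "ok"

def suggest_renumber(in_use, pool="192.168.0.0/16", prefix=24):
    """First subnet of the requested size in pool that overlaps none of in_use."""
    used = [ipaddress.ip_network(n, strict=False) for n in in_use]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None  # pool exhausted

def next_hop(host_if, dest, gateway):
    """How a host whose interface is host_if (CIDR form) reaches dest.

    On-link destinations are resolved with an ARP broadcast, which never
    leaves the local segment. Off-link destinations are handed to the
    default gateway, the only device that can put them into the tunnel.
    """
    iface = ipaddress.ip_interface(host_if)
    if ipaddress.ip_address(dest) in iface.network:
        return f"on-link: ARP broadcast for {dest} on {iface.network}"
    return f"routed: send to gateway {gateway}"

if __name__ == "__main__":
    # Constructed sample addressing, not taken from a real deployment.
    print(check_site_to_site("192.168.1.0/24", "192.168.1.0/24"))
    print(check_site_to_site("192.168.1.0/24", "192.168.2.0/24"))
    print(suggest_renumber(["192.168.0.0/24", "192.168.1.0/24"]))
    # Same subnet on both sides: the host ARPs locally and the remote PC never answers.
    print(next_hop("192.168.1.10/24", "192.168.1.20", "192.168.1.1"))
    # Distinct subnets: traffic goes to the gateway and can enter the tunnel.
    print(next_hop("192.168.1.10/24", "192.168.2.20", "192.168.1.1"))
```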
 
Treebeard


Ben,

I think it depends on the files you want to share. Do your people really
want to work on the same spreadsheet or Word document simultaneously? If you
are sharing a desktop database like MS Access, then VPN won't work. I don't
have a lot of experience with this; I have used VPN but I have had more
success with PC Anywhere. On the nets where I have set up VPN, the connections are
slow for some reason. PC Anywhere, on the other hand, seems to transfer the
files faster. Most people want to just exchange files quickly, and using
email attachments is a pain in the neck.

As I mentioned, I don't have a lot of experience with this and just wanted to
give you another opinion.


Jack
 
