Branch Office & HREAP & local Internet breakout

Similar Messages

• Branch Office Communication

  Hi,
  Supposingly we have many branch offices with good internet speed but no dedicated bandwidth between individual locations.
  We need to enable VoIP calling using Internet, can we use any skype product to tie all standalone EPABX system for branch office communications. 
  Can we have SIP trunks on skype gateway from each location and enable interoffice calling.
  Please suggest

  Hello Rahul,
  I see you are asking about connecting your offices together for calling and comminucations.
  Well,  Connecting the offices together will require a Communication Server of some sort.  Manufacturers like Nortel, Avaya, Cisco, and many others have these type of devices available to accomplish the "link" between your offices, as long as the equipment is all compliant with the Communication Server.   I suggest you contact a local agent for these manufacturers and have them take a look at what you have. They will provide you with a quote to get you connected.
  As for Skype, making and receiving calls is a snap for us.  We provide these services 24/7. We can get you connected in miinutes and have you making cheap calls all day long.  The cost just depends on where in the world you are calling.  Our "minutes" bundles are very cost effective to use.  And, all of your incoming calls are free. All you would need, would be a Skype Online Number, a Managed User for the Skype Clients that want to call you, and SIP Channels to connect to your PBX to talk on.
  That's pretty much it.  I hope this helps you in your research to get your offices connected and to start using Skype.  I have provided  a few links for you to look at below.
  http://www.skype.com/intl/en-us/business/skype-connect/
  http://www.skype.com/intl/en-us/business/skype-manager/
  http://download.skype.com/share/business/guides/skype-connect-rates.pdf
  http://skypeconnect.voxygen.com/#stage1
  Thank You for considering Skype and using the Skype Community Forums.
  Regards,
  Victor S.
  Skype Enterprise Support

• Internet Access through TMG for all HO & Branch office

  Dear Experts!,
  I am new to the Forefront TMG 2010. Have requirement to implement internet access.
  Head office : 192.168.11.x/24 (192.168.11.1 is the TMG server)
  Branch Office 1: 192.168.12.x/24
  Branch Office 2 : 192.168.14.x/24
  Branch Office 2 : 192.168.16.x/24
  Forefront TMG 2010 standard edition.
  Having 3 NIC's two have different ISP network addresses and one has 192.168.11.1.
  Branch office are connected using MPLS network, the requirement is all branch site internet must be accessed through TMG 2010 server which is homed in Head Office. How to achieve ?
  What needs to be done in external firewall and in TMG for enabling internet access.
  Thanks!
  Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.

  Hi Ganesh,
  Hope this helps
  1 - If you wish to give internet as Proxy to users.
  Ensure the Below subnet is able to reach TMG Internal Interface that is 192.168.11.1
  Subnet
  Branch Office 1: 192.168.12.x/24
  Branch Office 2 : 192.168.14.x/24
  Branch Office 2 : 192.168.16.x/24
  Configuration
  Enable Proxy in TMG and configure Proper Ports as per your requirements
  On the Client IE – Ensure you put Proxy IP as TMG and Port configured in TMG configuration.
  Enable a Rule
  Access Rule
  Source : Internal
  Destination : External
  Ports : HTTP / HTTPS
  Users : Authenticated Users
  2 As normal Internet as Gateway to users
  You need to request your MPLS provider to change the Default Route of below subnet to 192.168.11.1. By doing this, all the internet request from the below subnet to internet will hit TMG.
  Subnet
  Branch Office 1: 192.168.12.x/24 Default Route 192.168.11.1
  Branch Office 2 : 192.168.14.x/24 Default Route 192.168.11.1
  Branch Office 2 : 192.168.16.x/24 Default Route 192.168.11.1
  IF you have any L3 Switch then you can also make Default gateway as L3 for all the subnet and from L3 device point it to TMG
  Enable a Rule
  Access Rule
  Source : Internal
  Destination : External
  Ports : HTTP / HTTPS
  Users : All Users ( Important )
  Two ISP
  In network Rules : You need to use NAT
  You will have a Rule which NATS internal to  External
  On external - Choose which ISP interface should be used  and Apply NAT rule

• Local Portal instance in branch office

  Are there any solutions for speeding up Portal for remote/branch office users?
  We have a lot of users who will be accessing the corporate network & Portal over relatively slow lines or satellite links; buying more bandwidth is physically not an option in some places we operate.
  Has anyone looked at installing a local Portal instances in the field, and replicating PCD content to still allow central administration?
  Does SAP have any offerings in this space? Global/Federated Portal does not address the speed issue - users still go across the WAN to render their content. Portal Lite is still too slow.
  Any and all ideas appreciated.
  RBL

  Well spoken - you can't speed up the speed of light.
  Luckily, many of our content sources CAN be replicated to the branch offices. We use Lotus Notes/Domino for many web apps & web content; DFS (Microsoft replicated file system) for distributing files; and Exchange Public Folders for replicating commonly accessed email-type postings.
  Have you (or anyone out there) found any solutions for keeping PCD updates in sync between a head office Portal and a branch office Portal?

• Branch Office CME design Verification

  Hi All,
  Please refer to the attached network diagram.
  I need to verify this can be implemented and would work.
  We have a branch office moving to a new location and they intend to keep their existing CME (for business reasons),  provided by their local service provider with ISDN line for calls to the PSTN. This is managed by the service provider and we have no access to it. However we would like to grant them connectivity to the existing corporate voice network via an IP VPN connection, which shall be put in place soon. This will enable  the branch make site to site calls within the corporate network
  With a SIP trunk between the internal and external CME, I intend to make all the phones register with the Call Manager, however on the call manager , set a route pattern for calls going out to the PSTN from this branch back to the internal CME and this will then be matched by a SIP dial peer  directing the call to the external CME out to the PSTN.
  My worry is with the delay  that might be introduced when making a PSTN call as the internal CME has to first contact the call manager in order to know where to send the call.
  So my questions are as follows,
  1. Is this solution feasible especially in terms of delay? If not,
  2. Are there any other ways to achieve the same scenario
  Thanks,
  Yomi

  Are the phones at the branch office going to register to the Internal CME? If so, all configuration for outbound dialing will be done on the Internal CME, not on UCM. ie. dial-peer on the Internal CME for outbound dialing. For phone connectivity back to UCM, you will have a SIP trunk between UCM and internal CME and that is perfectly acceptable. You "might" see some quality degradation but that is to be expected from Internet based WAN connectivity. If your RTT delay is greater than 150ms, then you might see some quality issues.

• New Branch Office - High Security

  Hello
  we plan to have 5 branch offices each with around 40 users. All branches will be in different geographical locations. Best Security needs to be implemented in all branches. All services email, SAP, Portals are hosted in the HeadOffice Datacenter. Each Branch will have dedicated internet 5MB for Voice and DATA
  Guidelines for security  -
  ensure users cannot insert usb or cd on laptops /desktops
  laptops/desktops are allowed to access restrictive internet from Office
  Outside Laptops / Tablets not allowed to connect to network but allowed internet via wireless using Guest
  to access internet from home or Cafe users needs to connect to office VPN and then access from local Internet server (Proxy)
  vendors proposed following ;-
  3921 router for branch
  ASA 5510 for branch
  3945 router for HeadOffice ( VPN )
  Filtering - Web Washer - Mcafee
  Experts can advice what hardware will best fit on branches, what other devices I need to achieve the above goals
  Thanks
  Vishal

  Hello Vishal,
  I would recommend the following:
  For Branches:
  1-  Cisco : 2921 : Voice Licensed (you dont need a higher end above this series for 40 users).
  2-  Cisco ASA 5510: (This will be your Security appliance at each branch).
  For Head Quarter:
  1-  Cisco ASA 5520: (This Will be Your HQ Security Appliance).
  2-  Cisco 3925 or 3945 router (Voice Licensed).
  For Your Security Guidelines, here is my answers:
  ensure users cannot insert usb or cd on laptops /desktops
  FOr this purpose, you Can disable the administrative privelege on the Notebooks and PCs for All users and remove the software driver for thier USPs.
  laptops/desktops are allowed to access restrictive internet from Office
  FOr this Purpose, I would recommend using Cisco IronPort WebFiltering, it Can be easily Integrated with your Active Directory and Enforces all Filtering Policy you would require.
  Outside Laptops / Tablets not allowed to connect to network but allowed internet via wireless using Guest
  For this Purpose, I would recommend deploying Wireless LAN Controller at your HQ to have benefit and full advantage of managing your Wireless Infrastructure.
  to access internet from home or Cafe users needs to connect to office VPN and then access from local Internet server (Proxy)
  FOr this Purpose , I would also say Your Best Option is to have Remote Access VPN & (VPN Client) deployed at all employee's Notebook. Though, You Can have another Option which to have SSL-VPN deployed at your HQ, but this will have additional cost as its added value featured licensed per number of users.
  Let me Know if this answers your Question Or if you require additional assistance.
  Regards,
  Mohamed

• To make a new site or not? (for branch office with small number of people)

  We have a main office, with our DC (DC01) and a single site (SiteHO), and we are about to open up a new branch office in another city.  This branch office is connected to the head office via a 5 Mbps MPLS network.  The branch office will have around
  5-7 domain joined workstations, and the people there will require access to the existing file and exchange servers in the head office. 
  I was thinking about not adding a RODC in the branch office and not creating another site in AD for the branch office either.  My thinking is that since the number of users is relatively low, it doesn't warrant having a new RODC and site.  The
  traffic generated by the 5-7 user logon activities will be minimal, and the local profiles are stored on the workstations (no roaming profiles), so there shouldn't be much WAN link impact.  Obviously I would have to add the subnet from the branch office
  to the SiteHO site. 
  Can anybody think of something wrong with my reasoning?

  I think the dedicated line has a little to do with AD since its used both to authenticate the users and move the data.
  I am not sure what bandwith you get from an internet provider in your location, but for example you might get a 100Mb internet connection from an ISP. A VPN tunnel over a 100Mb internet connection I am guessing is faster then a 5Mb guaranteed MPLS link.
  The advantage of MPLS is that you can have QoS policies for voice and video traffic.
  If users move 'very large files' perhaps a local file server might be an good option. DFS replication can save a lot of bandwidth in that case. And then you would have 'local resources' in the branch and in case of wan failure the users will not be able
  to access the local file server resource. So you would need a secondary DC in that location.
  And if they are moving the files think (and check) the impact on the MPLS, because authentication requests go through that link, Exchange traffic (RPC MAPI) goes through that link so these might be affected. For example, lets say you have 2GB mailboxes.
  All Outlook users use OST files. One user's profile gets corrupted and needs to be rebuilt. The Outlook client sets up a fresh OST copy of the mailbox so now its downloading a 2GB mailbox copy over a 5Mb MPLS while some other user is moving a 'large file'.
  By local resources I am referring to file servers, printers, applications in the branch location that require AD authentication. Authentication works with both VPN and MPLS and in case the wan/vpn is down users can even log in with
  cached credentials.
  Hope it helps.
  http://mariusene.wordpress.com/

• Synchronizing multiple Mac Mini Server Open Directories across branch offices

  Greetings from Central Asia -
  The non-profit that I work with has been undergoing a long-overdue IT upgrade and we recently purchased some Mac Mini Servers (still running Snow Leopard Server) to act as the core of our network across our 3 offices in 3 different cities.
  We have employees moving between offices regularly, so I'm hoping to find a way to synchronize our user database between our head office and our branch offices instead of creating separate databases in each location.  We use RADIUS and pfSense with a CaptivePortal for controlling who has internet access as well as have file shares, so keeping user database management to a minimum is an ideal.
  I come from a mostly Microsoft Domain background with regards to these things so I'm not entirely sure where to start.  Hopefully some hopeful folks here will steer me in the right direction!
  I have a (mostly) unrelated question though - OS X Server seems to have two separate user databases - the "local" DB and the LDAP/OpenDirectory DB.  Is there a way to make these function together? When creating users and assigning them to groups, which is best practice to use? How do I give an LDAP/OD user login rights to the server?
  Thanks in advance,
  Tim

  I would prefer to keep the two databases seperate, with the local database providing a few specific users with access when OD is inaccessable.
  The local database is basically a self-hosted LDAP server. 
  The local and OD databases do function with the appearance of one single user account presentation at login and for typical operations, too.
  Do keep all of the usernames unique; the local users, as well as the OD users.
  For your configuration, the usual pattern here is one or more open directory replicas in each lobe of the network.
  These replicas then coordinate with the master copy among themselves.  You'll have one distributed copy, but the lobes won't be tied to authentication across what may or may not be an entirely stable network; users authenticate off the local replica.
  There are also folks that use Microsoft Active Directory as the back-end for Mac OS X, as well; there are various means to this end, including what is known as the magic triangle configuration.
  As for learning more about OD, I'd read the Snow Leopard Server Open Directory administration documentation as a starting point.  The Lion Server documentation is thin.
  The Mac Enterprise Mailing List archives can also be enlightening; that's probably the most concentrated source of information on more complex management environments.

• Minimum number of users to warrant a branch office server

  I'd suggest that it's nothing to do with the number of users, but rather what type and amount of work is going on. It could also be affected by a number of other issues; the speed of available Internet connection, how much support you have to provide, how far away from other officesetc.However, as an exampleI had a small site with about 7 staff using PCs and another 20+ staff working in a workshop; I set them up with a coupleof servers due to the work that was going on at that site. I had planned to virtualize these, but left before I got around to it.They wereproviding AD, DHCP, DNS, CA, Print Services to 3 printers, local file store, some database apps and a specialist bar code printer. We also had separate web filtering, a local PBX linked back to a central controller. Because it was a long way to travel to reach, we tried to make...

  We have a branch office, currently housing 10 staff.
  The office is to be expanded to 16.
  Currently staff are using thin clients and logging into our Citrix Xenapp 6.5 server every day
  The server comfortably copes with the 10 heads so far and is licenced to handle 20 concurrent connections.
  What is the minimum number of heads before you would recommend adding a server to a branch office?
  This topic first appeared in the Spiceworks Community

• WLAN Controller at HQ and AP's at Branch offices

  I have a WLAN controller at HQ and want to put APs at my branch offices, but connected and managed by my controller at HQ. I know that if the WAN goes down, I will lose wireless, etc.
  my question is:
  Is there anything I should watch out for with this type of setup? I will have separate vlans' for the wireless and data.. will this matter when it hits the MPLS from the branch back to the HQ WLAN controller? I thought maybe the vlan tagging had to stay consistant between AP and WLAN controller?

  Hybrid Remote Edge Access Point (HREAP) is a mode supportede by 1130 and 1240 series AP's. In the upcoming release of version 4.2, HREAP will also have full support for voice roaming as well. With HREAP, wireless users already authenticated will remain connected in the event of a WAN outage. In addition, v4.2 will support local site authentication for HREAP deployments. If you have an ACS server at the remote site, you can even authenticate new users during a WAN outage. I wouldn't recommend anything in the 1000 series AP family. It's already been announced that it's going end of sale. Keep in mind the latency between AP and controller must be less than 100ms.

• Simulating small branch office in lab network

  Hi,
  I have to setup what seems to be a very basic configuration, but it doesn't work.
  In our lab there is a cluster of switches with a 3550 that does all the routing for vlans.
  I need to simulate a sort of a small branch office that has one connection
  to the outside world (the lab network).
  Here is my design:
  Vlan 230 (the internet)
  A port on 3550 is in vlan 230 and is connected to e0/0 (172.26.230.150) on 2611 router.
  e0/1 interface on a 2611 is (192.168.1.1).
  A PC is connected to e0/1 (192.168.1.12).
  From the router I can ping any host on vlan 230 and other vlans,
  I can also ping the pc connected to e0/1.
  However from the PC I can only ping 192.168.1.1(e0/1) and 172.26.230.150 (e0/0)
  Below is my configuration
  Thanks for your help.
  R2611-1#sh run
  Building configuration...
  Current configuration:
  version 12.0
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname R2611-1
  ip subnet-zero
  ip dhcp excluded-address 192.168.1.1 192.168.1.9
  ip dhcp pool 192.168.1
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
  interface Ethernet0/0
  ip address 172.26.230.150 255.255.255.0
  no ip directed-broadcast
  no ip mroute-cache
  no mop enabled
  interface Ethernet0/1
  ip address 192.168.1.1 255.255.255.0
  no ip directed-broadcast
  no ip mroute-cache
  ip classless
  ip route 0.0.0.0 0.0.0.0 172.26.230.1
  ip http server
  no scheduler allocate
  end

  You are not performing nat on the router.
  This is typically required on a box which provides internet connectivity.
  Probably the other hosts on vlan 230 have no route back to the pc on 192.168.1.1
  Configuring nat on the router will resolve this problem.
  regards,
  Leo

• Small branch office network

  We have a small branch office (7 users) that will be moving to a building that has a Wireless Residential Gateway (Model: DPC3829).  This device provides wifi for 2 other tenants on the same floor.  Can we connect another wireless router to this wireless residential gateway device and create our own SSID so that we don't have to use the wifi settings that the other 2 tenants connect to?  
  I've attached a picture of what the back of the DPC3829 currently looks like.  I am thinking I can plug that yellow network cable into another wireless router and create our own wireless network (obviously off of their internet connection) for our 7 users. 
  Thank you for your help.

  u may but any plane wireless device and run it in bridge mode (shouldd run by default i beleive). Then connect one of its lan port to any one of the lan ports available on the DPC3829 thing.
  you are correct in what you want to do, and it can be done no problem.
  Regards
  Please mark answer as correct if it helps.

• Windows 8.1 laptop not connecting to domain in branch office

  We have a problem with a laptop. 
  It is installed in our Head office (The Netherlands), just like all other laptops by using an image.
  Tested and working on the domain.
  The user had to go to one of our branch offices (China) and when he connected there, the laptop just won't connect to the domain.
  When he plugged in the laptop, it keeps trying to connect it's directaccess.
  Other laptops (same image) immediately recognize the domain network, but this laptop just won't.
  I am able to ping everything on the local network (MPLS connection), from HQ to all Branch offices but not access them.
  I've tried changing the DNS settings, but without any result.
  Any suggestions?

  Hi,
  According to this tool's description, I think it should be helpful to check system current enviroment, such as network, certificates, etc. problem. Actually according to your description, I doubt it probably network enviroment of ISP problem, but we should
  find a way to verify our suspect. Then this tool would be convenient, it also would generate a trace log and it would be helpful with troubleshooting.
  The DirectAccess Client Troubleshooting Tool is a graphical application, based on the .NET Framework, which checks the health of a DirectAccess client by running various tests.  Built-in health tests: The following tests are currently implemented:
  Network interfaces Network location (NLS and NRPT DNS) IP connectivity (6to4, Teredo, IPHTTPS, entry point in a multisite setup, DNS) Windows Firewall (applied profile, Firewall outbound rules) Certificates (EKU Client Authentication, trust chain for AIA and
  CRL) IPsec infrastructure tunnel (Domain SysVol share) IPsec intranet tunnel (PING and HTTP probes) Additional features Run post-check script (PowerShell, VBScript, BAT or CMD file)
  Roger Lu
  TechNet Community Support

• Branch Office Mail Server?

  I have Mac OS X providing mail services to about 100 users at a main office. We are opening a branch office with 20-30 users. I'm wondering if it is possible to setup another mail server for the branch office using the same domain. The users at the branch office are moderately heavy users who will often deal with lots of attachments. I would like them to have an IMAP server that is local to them for better performance and to reduce traffic on the main office network.
  I thought I'd give it a try. There's a field called "Mail Server" on the mail tab of WGM for each user. I put the address of the branch office server in that field. However, the main office server keeps the messages in its own mailstore. So, what's this field for? It doesn't seem to do anything.
  I see a way to accomplish this by editing the postfix alias file for each user and adding a line for each branch office user like branchofficeuser: [email protected] but that wouldn't be so nice if I ever have to turn over administration of these servers to someone else.
  Is there any way to distribute mail for users of the same domain across more than one IMAP server without resorting to entering aliases to subdomains for each user?

  x

• Branch office Exchange 2010 Role base administration control for branch site administrator

  Dear sir,
       Customer has a Exchange 2010 Main and Branch office environment:
  - Main office Exchange 2010 CAS x2 +HTS & Mailbox x2  (Server1,2 & Server 3,4)
    (Main office administrator:domain1\administrator) - DAG1
  - Branch office Exchange 2010 CAS+HTS x2 & Mailbox with DAG x2 (Server5,6 & Server7,8
     (Branch Administrator: domain1\badmin) - DAG2
       Customer would like to know what is the role which permission should grant / delegate for ID: badmin in order to manage Exchange server 5,6,7,8 ?  (with manage user account and performance in DAG2 failover & branch exchange server)
  Regards,
  Joe Tam

  Dear Brian,
     I have try in my lab to scale down into 2 x Server in 1 AD Single Domain And Single Forest.  It still have many unexpected behaviour, can you please suggest whether it is a design or bug of Exchagne 2010 SP1?
  Procedure:
  ============================================================================
  Exchange 2010 Role Delegation Problem: (Single AD, Single Site)
  Environment:
  Server: Windows 2008 R2 AD x1 + (CAS+HTS+Mailbox) Server x1
  AD Server: AD1
  Exchange2010 Server : EX2010 (with SP1) – Member Server Joined to testdomain1.net
  Domain Name: testdomain1.net (NETBIOS: TESTDOMAIN1)
  In AD,
  Login as domain administrator: Testdomain1\administrator
  1. Create an Organization Unit OU1.
  2. Create User User1 under OU1
  3. Delegate User1 to allow create user in OU1
  Select all item in “Delegate the following common tasks:
  In Exchange 2010 Server,
  Login as domain administrator: Testdomain1\administrator
  1. Rename existing database name to HKDB1
  2. Create a new database AUDB1 in EX2010 Server:
  AUDB1 Create Done.
  Assign testdomain1\User1 as Exchange 2010 local administrators group.
  Logoff Testdomain1\administrator and Login Testdomain1\User1
  Open Exchange EMC: (Failed, because no user management roles is grant).
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  Open Exchange 2010 PowerShell:
  Delegate User1 to allow perform recipient management in HKDB1 only:
  ====================================================================
  New-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Eq 'HKDB*' }
  $RoleGroup = Get-RoleGroup "Recipient Management"
  New-RoleGroup "HKDBRecipientManagement" -Roles $RoleGroup.Roles -CustomConfigWriteScope "HKDBSCOPE"
  Add-RoleGroupMember “HKDBRecipientMANAGEMENT” -Member User1
  ====================================================================
  Result:
  In Exchange 2010 Server, logon as domain user: Testdomain1\User1
  Open Exchange Management Console: (User1 able to open EMC now)
  Perform Create User User2 in OU1 with Mailbox located in HKDB1
  Mailbox Creation Failed because it cannot match the Database name = HKDB*
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  In Exchange Management Shell, enter:
  Set-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Like 'HKDB*' }
  Logoff Testdomain1\administrator, Login Testdomain1\User1
  Open Exchange Mangement Shell and Create User2 again.
  Create user successfully.
  Perform create User User3 in OU1 with Mailbox located in AUDB1
  User3 Creation Failed because it is not meet the Database restriction of User1 – Like HKDB*
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  Open Exchange Management Console, create User3 in AUDB1
  Create User3 in Users Container, by administrator ID.
  Logoff Testdomain1\administrator, Login Testdomain1\User1
  Perform mailbox remove of User2
  User2 mailbox remove successfully.
  Perform deletion of User3
  Mailbox User3 Remove Successfully.
  Why User3 is allowed to deleted mailbox which is located in by using delegated of User1?
  Moreover, it found that User3 properties can also be changed by using User1. Why?
  Does it mean delegation cannot handle delete operation?
  In Active Directory User and Computer: User2 is deleted successfully by using User1 ID.
  In Active Directory User and Computer: User3 is also deleted successfully by using User1 ID.