Join remote computers in a branch office over VPN (GRE)

Hi
I have a problem with joining computers located in a branch office, described in the following. I would be grateful if anyone could help me.
I have an FG1240B firewall as the edge firewall in my network and an FG60C in the branch office. These firewalls can see each other with their assigned IPs; on the other hand, I established a GRE tunnel between them to increase security and make a direct site-to-site connection.
The tunnel interfaces have their own IPs. Routes between the two LANs are created and computers in the branch can see HQ's servers such as the DC and the additional DC. It should be noted that all services are open on both sides, and the branch's computers can even resolve records in DNS, open HTTPS web servers, and so on.
But I face a problem when I want to join computers to the domain: after entering the credentials it returns the error message "the network path was not found". While troubleshooting this problem I found that TCP ports 139 and 445 (which are used for user and computer authentication) could not establish a connection to the DC, even though all services are open at origin and destination and even DNS traffic passes. When I issue the netstat command on the branch computer, I notice the connection to the DC stays in the SYN_SENT state and never progresses to SYN_ACK / SYN_RCVD. It is worth mentioning that all this log information was seen in the branch, and there is no join query in the 1240B firewall.
I know this problem should be answered in firewall forums, but I asked this question here because I hope someone can help me :-/
Thank you in advance for replying.

Hi,
You can use a Wireshark or Network Monitor capture to see if any traffic is being blocked/stopped somewhere along the path when trying to join the domain. You do not need WINS. Have you enabled DNS debugging logs on the DC/DNS servers in the hub site and watched whether the client from the branch site reaches the server?
Regards,
Calin
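As an added illustration of the capture approach Calin suggests (example code added here, not from the thread or any Fortinet/Microsoft tool): the netstat symptom in the question, SYN_SENT that never progresses, shows up in a capture as client SYNs with no SYN/ACK and no RST coming back. The script below takes per-packet records of the kind a Wireshark/tshark export provides (addresses, ports, TCP flags) and separates three outcomes per destination port: handshake completed, actively refused (RST), or silently dropped. The addresses, ports and packets in `SAMPLE` are constructed, and `DOMAIN_JOIN_PORTS` lists the well-known services a domain join contacts on a DC.

```python
"""Find TCP flows stuck in SYN_SENT in a packet summary.

Added example, not from the thread above. The records mimic what a
Wireshark/tshark export gives per packet (addresses, ports, TCP flags);
the sample below is constructed, as are the 10.x addresses in it.
"""
from dataclasses import dataclass

# Ports a domain join must reach on a DC (well-known services).
DOMAIN_JOIN_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 139: "NetBIOS session",
    389: "LDAP", 445: "SMB", 464: "Kerberos kpasswd", 3268: "Global Catalog",
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST


def classify_flows(packets):
    """Track each client->server connection attempt and return
    {(client, server, dport): 'syn_sent' | 'established' | 'refused'}."""
    state = {}
    for p in packets:
        if "S" in p.flags and "A" not in p.flags:
            # Client SYN (a retransmitted SYN must not reset an answered flow).
            state.setdefault((p.src, p.dst, p.dport), "syn_sent")
        elif "S" in p.flags and "A" in p.flags:
            # Server SYN/ACK: the flow key is the reverse direction.
            key = (p.dst, p.src, p.sport)
            if key in state:
                state[key] = "established"
        elif "R" in p.flags:
            # RST answering a SYN: the port is reachable but closed/rejected.
            key = (p.dst, p.src, p.sport)
            if state.get(key) == "syn_sent":
                state[key] = "refused"
    return state


def stalled_ports(packets, server):
    """Ports on `server` where a SYN was sent but nothing came back: the
    signature of a silent drop somewhere on the path (policy, MTU, routing)."""
    flows = classify_flows(packets)
    return sorted(port for (_, dst, port), st in flows.items()
                  if dst == server and st == "syn_sent")


def report(packets, server):
    """Human-readable lines, one per silently dropped port."""
    lines = []
    for port in stalled_ports(packets, server):
        name = DOMAIN_JOIN_PORTS.get(port, "unknown")
        lines.append(f"{server}:{port} ({name}): SYN sent, no SYN/ACK or RST seen")
    return lines


# Constructed capture: branch client 10.20.0.15 joining via DC 10.10.0.5.
CLIENT, DC = "10.20.0.15", "10.10.0.5"
SAMPLE = [
    Packet(CLIENT, 50001, DC, 53, "S"),   Packet(DC, 53, CLIENT, 50001, "SA"),
    Packet(CLIENT, 50002, DC, 389, "S"),  Packet(DC, 389, CLIENT, 50002, "SA"),
    Packet(CLIENT, 50003, DC, 88, "S"),   Packet(DC, 88, CLIENT, 50003, "SA"),
    Packet(CLIENT, 50004, DC, 445, "S"),  Packet(CLIENT, 50004, DC, 445, "S"),   # retransmit
    Packet(CLIENT, 50005, DC, 139, "S"),  Packet(CLIENT, 50005, DC, 139, "S"),   # retransmit
    Packet(CLIENT, 50006, DC, 3268, "S"), Packet(DC, 3268, CLIENT, 50006, "R"),
]

if __name__ == "__main__":
    for line in report(SAMPLE, DC):
        print(line)
```

The useful distinction for the question above is between "refused" and "syn_sent": a RST proves the packets reach the DC and the path is fine, whereas SYNs that draw no answer at all (as for 139 and 445 in the constructed sample) point to something between the two hosts discarding them, which is exactly what a capture on both sides of the tunnel will confirm.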

Similar Messages

  • Join Remote Computers to AD Domain

    Hi
    We have nearly 60 computers in 4 different cities in different retail outlets in each city. We use them as point of sale. We want them to be part of the AD domain that is working in our head office. All these 60 computers have internet connectivity. Some have good connectivity and some have connectivity for just basic browsing.
    Do we need to create a VPN for them to join the HO AD domain? Even with a VPN, we don't want to bring all their internet traffic to HO. We want them to connect to HO for just AD replication etc.
    The main benefit we need is that our systems will be locked down and we will not have to reformat them every second month.
    Your guidelines are needed.

    If the computers are accessible only via the Internet, you only have a few options, and you have already eliminated one of them. Also, for clarification, client computers don't do AD replication. They will cache logon information for users that have used the system, as well as copy GPOs, etc.
    1) Usually you could use VPN for connectivity, but as you said, you don't want to backhaul all the internet traffic to your corporate network, so that option is out.
    2) You can use DirectAccess if these clients are new enough. This provides persistent, VPN-like access, but only corporate traffic is sent over the tunnel (AD authentication, server access, etc.) and internet traffic is sent directly to the local point of presence. http://technet.microsoft.com/en-us/windows/directaccess.aspx
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • How can I improve performance over a Branch Office IPsec VPN tunnel between an SA540 and an SA520

    Hello,
    I just deployed one Cisco SA540 and three SA520s.
    The SA540 is at the Main Site.
    The three SA520s are the spoke sites.
    Main Site:
    Downstream Speed: 32 Mbps
    Upstream Speed: 9.4 Mbps
    Spoke Site#1:
    Downstream Speed: 3.6 Mbps
    Upstream Speed: 7.2 Mbps (yes, the US is faster than the DS at the time the speed test was taken).
    The SA tunnels are "Established"
    I see packets being transmitted and received.
    Pinging across the tunnel has an average speed of 32 ms (which is good).
    DNS resolves names to ip addresses flawlessly and quickly across the Inter-network.
    But it takes from 10 to 15 minutes to log on to the domain from the Spoke Site#1 to the Main Site across the vpn tunnel.
    It takes about 15 minutes to print across the vpn tunnel.
    To remedy this, we have implemented Terminal Services across the Internet.
    Printing takes about 1 minute over the Terminal Service Connection, while it takes about 15 minutes over the VPN.
    Logging on to the network takes about 10 minutes over the vpn tunnel.
    Using an LOB application takes about 2 minutes per transaction across the vpn tunnel; it takes seconds using Terminal Services.
    I have used ASAs before in other implementation without any issues at all.
    I am wondering if I replaced the SAs with ASAs, that they may fix my problem.
    I wanted to go Small Business Pro, to take advantage of the promotions and because I am a Select Certified Partner, but from my experience, these SA VPN tunnels are unusable.
    I opened a case with Small Business Support on Friday evening, but they couldn't even figure out how to rename an IKE Policy Name (I figured out that you have to delete the IKE Policy; you cannot rename them once they are created).
    Maybe the night weekend shift has a skeleton crew, and the best engineers are not available at that time or something... I don't know.
    I just know that my experience with the Cisco TAC has been great for the last 10 years.
    My short experience with the Cisco Small Business Support Center has not been as great at all.
    Bottom Line:
    I am going to open another case with the Day Shift tomorrow and see if they can find a way to speed things up.
    Now this is not just happening between the Main Site and Spoke Site #1 above. It is also happening between the Main Site and Spoke #2 (I think Spoke #2 has a download speed of about 3 Mbps and an upload speed of about 0.5 Mbps).
    Please help.
    I would hate to dismiss SA5xx series without making sure it is not just a simple configuration setting.

    Hi Anthony,
    I agree!  My partner wants to just replace the SA5xxs with ASAs, as we have never had problems with ASA VPN performance.
    But I want to know WHY this is happening too.
    I will definitely run a sniffer trace to see what is happening.
    Here are some other things I have learned from the Cisco Small Business Support Center (except for Item 1 which I learned from you!)
    1.  Upgrade the SA540 at the Main Site to 2.1.45.
    2a. For cable connections, use the standard MTU of 1500 bytes.
    2b. For DSL, use the following command to determine the largest MTU that will be sent without packet fragmentation:
    ping -f -l packetsize
    Perform the items below to see if this increases performance:
    I was told by the Cisco Small Business Support Center that setting up a Manual Policy is not recommended; I am not sure why they stated this.
    3a. Lower the IKE encryption algorithm from "AES-128" to DES.
    3b. Lower the IKE authentication algorithm to MD5
    3c. Also do the above for the VPN Policy
    Any input is welcome!
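The `ping -f -l packetsize` step in item 2b is a manual search: raise the payload until the DF-flagged echo stops getting a reply, then add the 28 bytes of IPv4 + ICMP header to get the path MTU. The script below (an added example, not from the thread or from Cisco) automates that search as a binary search. `simulated_path` is a constructed stand-in for a link so the code runs offline; `windows_ping_probe` wraps the real Windows `ping` command from the post and is the only part that would touch the network, and its check for the word "fragmented" in the output is an assumption about the message text.

```python
"""Turn the manual `ping -f -l <size>` procedure into a search for the
largest payload that crosses the path without fragmentation.

Added example, not from the thread. `simulated_path` stands in for a real
link so the search runs offline; `windows_ping_probe` wraps the actual
command from the post and is the only part that touches the network.
"""
import subprocess

IP_HEADER = 20        # IPv4 header bytes
ICMP_HEADER = 8       # ICMP echo header bytes
PING_OVERHEAD = IP_HEADER + ICMP_HEADER   # `-l` sets payload only, so MTU = payload + 28


def largest_unfragmented_payload(probe, lo=500, hi=1472):
    """Binary search the largest payload size for which probe(size) is True.

    `probe(size)` must return True when a DF-flagged echo of that payload is
    answered and False when the path reports it would need fragmentation.
    Returns None if even `lo` fails (something other than MTU is wrong)."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # fits: the answer is mid or larger
        else:
            hi = mid - 1      # fragmented: the answer is below mid
    return lo


def path_mtu_from_payload(payload):
    """Convert the winning ping payload back into the path MTU."""
    return payload + PING_OVERHEAD


def simulated_path(path_mtu):
    """Constructed stand-in for a link with the given MTU."""
    def probe(size):
        return size + PING_OVERHEAD <= path_mtu
    return probe


def windows_ping_probe(host):
    """Probe using the command the post recommends (Windows ping: -f sets DF,
    -l is the payload size, -n 1 sends a single echo). Assumes the Windows
    fragmentation message contains the word 'fragmented'."""
    def probe(size):
        r = subprocess.run(["ping", "-f", "-l", str(size), "-n", "1", host],
                           capture_output=True, text=True)
        return r.returncode == 0 and "fragmented" not in r.stdout
    return probe


if __name__ == "__main__":
    # A PPPoE DSL line typically carries 1492 bytes; simulate it.
    payload = largest_unfragmented_payload(simulated_path(1492))
    print(f"largest payload {payload}, path MTU {path_mtu_from_payload(payload)}")
```

The search is run against the plain Internet path between the two SA units, not through the tunnel; the IPsec encapsulation adds its own headers on top, so the tunnel interface MTU must be set below the path MTU the probe reports.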

  • Discover Switch and router over VPN

    I am in contact with a company having many branches connecting over VPN tunnels, with a different IP range in each branch.
    How can I configure LMS to discover my switch and my router over VPN?

    LMS 3.0.1 and higher can use non-CDP discovery methods which should be able to find your remotely connected VPN devices.  You could use the Ping Sweep or Route Table modules to accomplish what you want.
    See https://supportforums.cisco.com/docs/DOC-9005 for more details.

  • Best Practice for Roaming Profiles over Branch Offices

    Hello Everybody,
    I was hoping I could gain advice from experienced engineers on an issue me and my team are currently experiencing.
    The issue:
    We have a client that has their main office in London, and this company has other remote offices over the world: Paris, Milan, Luxembourg etc. Each remote office has a local DC & file server, installed either as two separate servers or with both roles on the same server. Everything is central to London; all the main file shares that the company uses are based in London, and the terminal servers are based in London too.
    We have DFS-R & N set up on the London file servers to replicate the DFS shares over the remote offices, which works fine; we don't generally ever have any issues with this, and it works well when users in remote offices access file shares from London.
    However (I didn't set this up), this client also has DFS-R & N set up for roaming profiles!!! The issue we are having here is only with the terminal servers. For example, I will log in as one of the users from London on the terminal server and the profile will load fine; I will log that user off, log in as the admin and remove the profile through Advanced System Settings. I will then log back on as that same user and will be given a temporary profile; I repeat the first step and the profile loads fine, so every other log on will load the user with a temporary profile. I know this is the case because for that user, if I change the profile path in AD from
    \\xxxx.com\public to
    \\lon-fs3v\profiles$\user, it then loads every time with no issues. Before anyone asks, I have rebuilt the terminal server(s) to rule out whether they were misconfigured. You may ask why not do that for everyone? We can't do that for people based in Milan, otherwise their profile will forever take time to load, and that's where the DFS replication comes into play for the profiles.
    Unfortunately they are a very stubborn client so some users (important people) have very large profiles which sometimes takes a while to load up.
    I have done some reading already on the web and have seen the unsupported scenario from Microsoft regarding this (https://support.microsoft.com/en-gb/kb/2533009), so I'm unsure of the best way to do it. The link I've put in does say you can have issues with profiles loading (which we do) if there are too many connections, and we have 10 to replicate profiles around the remote offices.
    I have done some reading into the hosted BranchCache method but am not sure if you can do this with roaming profiles or not?
    We generally want to eliminate the issue of users getting a temp profile every other log on attempt when logging on remotely. I must add, though, that this issue never occurs on the workstations, just the terminal server; our client is in the private equity market, so one user may just spend one day in a remote office and then come back to London to carry on as they normally would.
    So that's the background to the issue, and I was generally trying to work out what methods there are, or whether this is possible with the BranchCache method for roaming profiles?
    Thank you to anyone who replies.
    Best,
    Liam

    Hi UC3ngineer,
    Agree with Luca.
    If the branch users need to do a lot of conferencing, the best practice is to deploy a new Front End Pool and an Edge Server in the branch office; otherwise you must have a 100% reliable WAN connection to your central site.
    Best regards,
    Eric
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Branch Office setup

    Hello All.
    I have a problem with a branch office setup, and I can't for the life of me think of what the problem is.
    I have a remote office setup, using an ASA 5505 that is set up to establish an easy vpn connection to the central network.  The connection at the branch office is a 20/5 cable modem, the central network has a 25/25 fiber connection.
    The issue I have is this.  Wired clients work fine at this branch office, at least 95% of the time.  I have a lightweight AP there that can come up and join the controllers at the central network, no problem.  I haven't done anything with H-REAP because there are really no resources locally they need that would allow them to do their work, so all traffic is tunneled back to the WLC.
    Wireless clients can authenticate to the AP, and I can get 15-20ms ping responses from them all day.  Latency never comes close to the 600ms proposed limit with CAPWAP.  Yet, for some reason the performance of the clients is problematic.  Webpages will frequently not load correctly, they experience some freezing, and with one application we use - it refuses to load completely.
    If we bring these same computers to an AP connected to our central network, on the same SSID, they work flawlessly.
    Something about this particular location is causing a lot of grief for our users.
    For what it's worth, we are running WCS 7.0.230.0 and the WLCs are on 7.0.116.0.  The ASA is running a pretty basic configuration, pretty much out of the box with the easy vpn configuration entered.
    Any help on this would be appreciated, I am at my wit's end with this setup.

    Yes, 20/5 Download/Upload. 
    So I did as you suggested, here are the results with a 1400 byte packet:
    Ping statistics for 172.16.253.50:
        Packets: Sent = 100, Received = 99, Lost = 1 (1% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 17ms, Maximum = 2208ms, Average = 42ms
    That 2208ms response was an anomaly.  I ran it again and got this:
    Ping statistics for 172.16.253.50:
        Packets: Sent = 100, Received = 100, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 16ms, Maximum = 93ms, Average = 21ms
    With this one specific application we're testing with - it stops loading at a predictable point, every time.  However, I can remain VNC'd to this machine the entire time, and do anything else on the machine, but the application will fail to load at the same point every time.  But like I said, if I bring that client back to our main network, it works just fine, so it's not the application itself causing the problem, and we have other, smaller issues with other applications we have.  It's really bizarre.
    It's really not acting like interference.  I just set up a new site with an identical configuration - but with a 3502i AP, and I can replicate the behavior at that location too.  Unfortunately at this time we don't have anything to study the traffic with - I actually have a call on a solution for that this afternoon.

  • Branch office setup with L3 switch and router with IOS security

    Hello,
    I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPsec tunnels to reach other branches.
    I have a 2911 (security bundle) router and a 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to set up separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be set up with SVIs to perform routing between VLANs. The port between the router and switch would be set up as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
    Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching all together and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
    I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
    If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
    Any input would be appreciated.
    Thanks,
    Austin

    Thanks for the input.
    1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
    2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3. 
    3. The reason a router was purchased over a firewall was that ASAs cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be set up in an active/standby state. Also, an ASA Sec+ does not have anywhere near the VPN capabilities that the 2911 security bundle does. The ASA Sec+ would support only 25 concurrent IPsec connections, while the 2911 security bundle is capable of doing upwards of 200 IPsec connections.
    Your point about moving the SVIs to a firewall to perform filtering between VLANs makes sense; however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.

  • Clients Not seeing DHCP server at branch office or not accepting ip offers (NO LOG REPORTS KIND OF IN THE DARK)

    Hi there, I am having an issue that has popped up recently. I have a DC at a branch office that is connected to the main office DC via a persistent demand-dial connection in RRAS. Everything was working properly as far as I knew, until I found out that the network admin who manages the branch office network failed to notify me that client machines weren't getting IP addresses from the DHCP server. This server was recently installed and wasn't fully implemented till about a week ago, when I configured the demand-dial connection in RRAS; up until that point it just had a regular old VPN connection to the main office while we worked out the kinks with a few things. The things I've tried so far to get DHCP working are as follows:
    1. Rebooted the branch office server (MULTIPLE TIMES)
    2. Uninstalled the DHCP role and re-installed it... To my surprise 1 client managed to get an IP on its LAN adapter after DHCP was re-installed, but nothing else
    3. Disconnected the connection between the main office DC and the branch office DC, as I figured the main office DC's DHCP server might be interfering with the branch office DC's DHCP server, but nothing happened
    4. Unauthorized and reauthorized the main office DHCP server and the branch office DHCP server; nothing changed
    5. Sifted through multiple log files on both servers and found nothing; in fact the DHCP logs are empty on both servers
    6. Restored backups of the DHCP servers from when they were working
    7. Came here because I'm out of ideas and I'm pulling my hair out
    Here are the current statistics from the problem server:
    Start Time: 7/12/2014 2:02:10PM
    Up Time: 1Hours, 18 Minutes, 41 Seconds
    Discovers: 90
    Offers: 90
    Requests: 2
    Acks: 13
    Nacks: 0
    Declines: 0
    Releases: 0
    Total Scopes: 1
    Total Addresses 253
    In Use 2 (0%)
    Available: 251 (99%)
    I'd like to add that RRAS was getting IP addresses from the problem server up until the point I uninstalled the role and re-installed it.
    Here is an ipconfig /all from the problem server:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : MNB-DC
       Primary Dns Suffix  . . . . . . . : VTEACR.LOCAL
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : VTEACR.LOCAL
    PPP adapter Remote Router:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Remote Router
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.141.70.25(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 10.141.70.10
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-16-35-AB-D3-05
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::d9e:daa4:34dd:db44%10(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.141.80.102(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : fe80::226:5aff:feb7:5b3c%10
                                           10.141.80.1
       DNS Servers . . . . . . . . . . . : ::1
                                           10.141.80.102
       NetBIOS over Tcpip. . . . . . . . : Enabled
    PPP adapter RAS (Dial In) Interface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 169.254.238.243(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter Local Area Connection* 8:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{427DF66B-3B30-40B1-B67E-B5587465C394}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 9:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 11:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.ziricom.com
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 12:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.VTEACR.LOCAL
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 13:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{BE201060-A9B9-404A-8361-F8FFB82F56F6}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 14:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 15:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.VTEACR.LOCAL
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 16:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #7
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 19:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.ziricom.com
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    If any more information is needed please let me know. I have full access to everything on the network, so it's not a problem, and I am able to remotely access the branch office DC and all computers and switches at any time of the day.
    Viper Technologies Computer Repair Putting The Venomus Bite Back In Your Computer We Are Located In Antigonish ,NS Canada Check Us Out HTTP://WWW.VIPERTECHNOLOGIES.TK
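The server counters in the post above already narrow the fault: the Discover-Offer-Request-Ack exchange is completing its first two steps and collapsing at the third. The script below (an added example, not from the thread or from Microsoft) parses a counter block of that shape and names the first stage where the count falls off, with a general hint for what a drop at that stage usually means. The `SAMPLE` reproduces the numbers posted above; the hints describe normal DHCP behaviour and are not a diagnosis of that particular network.

```python
"""Locate where a DHCP exchange stalls from the server's counters.

Added example, not from the thread. It reads the counter block the post
pasted (Discovers/Offers/Requests/Acks) and names the first step of the
Discover-Offer-Request-Ack exchange where the count collapses. The sample
is the post's own numbers; the hints are general DHCP behaviour, not a
diagnosis of that network.
"""
import re

STAGES = ["Discovers", "Offers", "Requests", "Acks"]

# What a drop between two consecutive stages usually means.
HINTS = {
    ("Discovers", "Offers"): "server hears clients but does not offer: scope "
        "inactive/exhausted, or Discovers arriving from a subnet with no matching scope",
    ("Offers", "Requests"): "offers leave the server but clients never request "
        "them: the Offer is not reaching the client (broadcast/relay return "
        "path) or clients are choosing another server's offer",
    ("Requests", "Acks"): "requests arrive but are not acknowledged: address or "
        "subnet mismatch, so the server NAKs or ignores them",
}


def parse_dhcp_stats(text):
    """Parse 'Name: value' or 'Name value' lines into an int dictionary.
    Lines such as 'Start Time: 7/12/2014 ...' are parsed too but unused."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:?\s*(\d+)", line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return stats


def find_stall(stats, drop_ratio=0.5):
    """Return the (from, to) stage pair where the count first falls below
    drop_ratio of the previous stage, or None if the exchange looks healthy."""
    for a, b in zip(STAGES, STAGES[1:]):
        if a in stats and b in stats and stats[a] > 0:
            if stats[b] < stats[a] * drop_ratio:
                return (a, b)
    return None


def diagnose(text):
    """One-line summary of the counter block."""
    stats = parse_dhcp_stats(text)
    stall = find_stall(stats)
    if stall is None:
        return "no stage drop in counters"
    a, b = stall
    return f"{a}={stats[a]} but {b}={stats[b]}: {HINTS[(a, b)]}"


# Counter block as posted above (reproduced as sample input).
SAMPLE = """\
Discovers: 90
Offers: 90
Requests: 2
Acks: 13
Nacks: 0
Declines: 0
Releases: 0
Total Scopes: 1
Total Addresses 253
In Use 2 (0%)
Available: 251 (99%)
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

With the posted counters the drop is at Offers to Requests, which is why a capture on the client side of the link is the natural next step: it shows whether the Offer ever arrives there at all.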

    Hi,
    Does this issue occur on one client or multiple?
    Please check this article:
    http://technet.microsoft.com/en-us/library/cc757164(v=ws.10).aspx#BKMK_5
    Regards.
    Vivian Wang

  • To make a new site or not? (for branch office with small number of people)

    We have a main office, with our DC (DC01) and a single site (SiteHO), and we are about to open up a new branch office in another city.  This branch office is connected to the head office via a 5 Mbps MPLS network.  The branch office will have around
    5-7 domain joined workstations, and the people there will require access to the existing file and exchange servers in the head office. 
    I was thinking about not adding a RODC in the branch office and not creating another site in AD for the branch office either.  My thinking is that since the number of users is relatively low, it doesn't warrant having a new RODC and site.  The
    traffic generated by the 5-7 user logon activities will be minimal, and the local profiles are stored on the workstations (no roaming profiles), so there shouldn't be much WAN link impact.  Obviously I would have to add the subnet from the branch office
    to the SiteHO site. 
    Can anybody think of something wrong with my reasoning?

    I think the dedicated line has a little to do with AD, since it's used both to authenticate the users and move the data.
    I am not sure what bandwidth you get from an internet provider in your location, but for example you might get a 100Mb internet connection from an ISP. A VPN tunnel over a 100Mb internet connection, I am guessing, is faster than a 5Mb guaranteed MPLS link.
    The advantage of MPLS is that you can have QoS policies for voice and video traffic.
    If users move 'very large files', perhaps a local file server might be a good option. DFS replication can save a lot of bandwidth in that case. And then you would have 'local resources' in the branch, and in case of WAN failure the users will not be able to access the local file server resource. So you would need a secondary DC in that location.
    And if they are moving the files, think about (and check) the impact on the MPLS, because authentication requests go through that link and Exchange traffic (RPC MAPI) goes through that link, so these might be affected. For example, let's say you have 2GB mailboxes. All Outlook users use OST files. One user's profile gets corrupted and needs to be rebuilt. The Outlook client sets up a fresh OST copy of the mailbox, so now it's downloading a 2GB mailbox copy over a 5Mb MPLS while some other user is moving a 'large file'.
    By local resources I am referring to file servers, printers, applications in the branch location that require AD authentication. Authentication works with both VPN and MPLS and in case the wan/vpn is down users can even log in with
    cached credentials.
    Hope it helps.
    http://mariusene.wordpress.com/

  • Local Portal instance in branch office

    Are there any solutions for speeding up Portal for remote/branch office users?
    We have a lot of users who will be accessing the corporate network & Portal over relatively slow lines or satellite links; buying more bandwidth is physically not an option in some places we operate.
    Has anyone looked at installing a local Portal instances in the field, and replicating PCD content to still allow central administration?
    Does SAP have any offerings in this space? Global/Federated Portal does not address the speed issue - users still go across the WAN to render their content. Portal Lite is still too slow.
    Any and all ideas appreciated.
    RBL

    Well spoken - you can't speed up the speed of light.
    Luckily, many of our content sources CAN be replicated to the branch offices. We use Lotus Notes/Domino for many web apps & web content; DFS (Microsoft replicated file system) for distributing files; and Exchange Public Folders for replicating commonly accessed email-type postings.
    Have you (or anyone out there) found any solutions for keeping PCD updates in sync between a head office Portal and a branch office Portal?

  • OSPF design for branch offices across MPLS

    Hello fellow networking engineers,
    I want to implement OSPF in our network. We have multiple branch offices, all linked to an MPLS backbone.
    I know that in order to get linked areas, I would need to set up GRE tunnels between them, but I want to avoid static/manual configurations as much as possible. With multiple sites, it would become cumbersome to create a mesh real fast.
    Is running OSPF independent areas at each site, and simply redistributing over eBGP a valid solution? This will host voice and data, and will failover to VPN connection (Cisco ASAs) if the MPLS goes down.
    For the VPN backup links, I thought of two options. Either simply using the default route to send everything to the ASA in case of MPLS "death", or inject routes using IP SLA...
    Any input would be appreciated.

    Marc
    You don't need GRE tunnels to link your areas if that is what you want to do.
    If the SP supports it then you can exchange your OSPF routes between areas and they will still be seen as inter area routes rather than OSPF externals which they would if you simply treated each area as isolated from each other.
    In effect the MPLS network becomes an OSPF super backbone area and your main site would also be part of the backbone area with all your other sites having an area each.
    You still redistribute your OSPF routes into BGP but with some extra configuration on both your CEs and the SP PE devices.
    Like I say you would need to check with your SP but it is possible.
    Whether or not you need or want it I don't know.
    Your other option is as you have proposed to treat each OSPF area as an isolated one and simply redistribute into OSPF at each CE. Then within each site all non local routes would be seen as OSPF external routes.
    Either way in terms of backup I would keep it simple and use a default route at each site pointing to the ASA device. I can't see what you gain from IP SLA because if the main MPLS link goes down at any site the only other path they have out is via the ASA so there is nothing really worth tracking.
    The only other thing I would mention is remote site to remote site traffic. If there is any then presumably with your VPN tunnels you would be doing a sort of hub and spoke where the hub is the main site so you may need to think about traffic coming in from one VPN tunnel and going out to another VPN tunnel on the main site ASA.
    This would only really be needed if two or more sites had to use their backup links at the same time.
    In terms of which is better, i.e. OSPF inter area across the MPLS cloud or OSPF externals, I can't really say to be honest. With the MPLS networks I have worked on we ran EIGRP and simply treated each remote site as an isolated AS.
    If you are already running OSPF then you may want to preserve your existing areas so it would make sense to go with the inter area option.
    If it is a new setup then I don't really know the pros and cons of either so can't really comment.
    Perhaps others may add to the thread with their thoughts.
    Jon

  • Can't get syslog messages from Remote SA520 over VPN

    I'm trying to set up a central logging server on a debian system running rsyslog.
    The syslog server is local & I have a branch office connected via a VPN. Both buildings have SA520 routers.
    I have set up both firewalls to allow ANY from each network 192.168.150.X & 192.168.160.X
    (also tried to add a rule for UDP514 but that didn't help)
    The debian system is new & has no iptables set up
    I've entered the syslog server IP in remote logging.
    I've set up facilities in Send to syslog for both routers.
    I am logging messages from the local router but don't see anything from the remote.
    I've checked with wireshark & see no syslog packages from the remote (I do see SSL negotiation & others when using the web admin and of course the functioning vpn)
    I rebooted the router to see if that made a difference but no luck.
    Any ideas why I can't get the syslog traffic across the VPN?

    I do have the correct IP address of the syslog server set up. I do not want email logs so have not enabled that.
    My setup is
    remote lan > SA520-remote (192.168.160.1) > [ site to site IPSec VPN over WAN ] > SA520-local (192.168.150.1) > syslog server (192.168.150.25) & local lan
    Firewall is set up to allow ANY IN & OUT to local lan on both routers.
    I have also set up specific rules for UDP 514 Syslog traffic (no difference, currently disabled)
    syslog server has -no- firewall at the moment.
    Syslog server is receiving messages from the local router with no issues.
    Log Severity is set to Information & Log Facility is set up to send to Syslog.
    I have also set up an SNMP trap on the syslog server & pointed the remote router to it in hopes of diagnosing the issue.
    Both routers have the latest firmware applied.
    Using wireshark on the syslog server I see no traffic on UDP 514 (syslog) or UDP 162 (snmp)
    I can use the WUI for the remote & ping the 160.1 with no problem. Both ping & TLS/TCP traffic show up in wireshark on the syslog server when I do so.
    It looks to me like there is a problem routing the syslog messages out of the router & then back through the VPN.
    Worst case I'll set up another syslog server on an old machine at the remote location & then cron the logs to the central syslog server but it really seems I shouldn't have to.

  • Hi I am looking for a way to have trace32 open multiple files on remote computers

    Simply put I am looking for someone who could afford to give me a basic script (vbs) that I could run from an elevated command prompt. It would need to be available for me to type in the name of a remote computer or (multiple if possible) and also
    allow me to choose log files to open or multiple files and then open them using Trace32. Hopefully it would detect the available log files and show me what is available to choose to open... anyone know of such a thing or know how to go about setting up something
    like this for people to use?
    EDIT
    I was able to create a basic script to do what I wanted but I want to be able to add wildcards for the rollover logs... Can someone suggest the easiest way to do that as I am not sure how to add the wildcards directly before the .log
    here is the script.
    ' ******Created by Luis Delgado*********
    ' This script opens a remote computer's ConfigMgr client .log files in Trace32; edit the
    ' "Files to open on remote computer using Trace32" section to choose which ones are opened
    ' Get and open log files on remote computer
    ' Note: On Error Resume Next silently skips failures (e.g. an unreachable C$ share)
    On Error Resume Next
    Set WshShell = WScript.CreateObject("WScript.Shell")
    strComputer = InputBox("Enter remote computer name or leave as localhost for this computer", "Get log files from a remote computer with Trace32", "Localhost")
    If strComputer = "" Then
      WScript.Quit
    End If
    ' Opens Trace32 (the path contains spaces, so it is wrapped in quotes for Run)
    WshShell.Run """C:\Program Files\ConfigMgr 2007 Toolkit\CCM Tools\Trace32.exe"""
    ' Files to open on remote computer using Trace32 (each .log opens through its file association)
    WshShell.Run "\\" & strComputer & "\c$\Windows\System32\CCM\Logs\datatransferservice.log"
    WshShell.Run "\\" & strComputer & "\c$\Windows\System32\CCM\Logs\ccmexec.log"
    WshShell.Run "\\" & strComputer & "\c$\Windows\System32\CCM\Logs\locationservices.log"
    !!!!NOTE!!!
    What I need is for any file that starts with datatransferservices, ccmexec, or locationservices to open in trace32
    my thought would be place a wild card in its respective spots but it does not work see below
    wshShell.Run "\\" & strcomputer & "\c$\Windows\System32\CCM\Logs\datatransferservice*.log"
    wshShell.Run "\\" & strcomputer & "\c$\Windows\System32\CCM\Logs\ccmexec*.log"
    wshShell.Run "\\" & strcomputer & "\c$\Windows\System32\CCM\Logs\locationservices*.log"

    The rollover logs all have the same name except the extension is .lo_ , so... I'm not sure what you are looking for.
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ
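    The reply above points out that the rollover copies keep the same base name with a .lo_ extension, so a file-name wildcard rather than a wildcard inside the Run path is what the original poster needs. The following PowerShell script is an added example, not Luis Delgado's script and not part of the ConfigMgr toolkit; it enumerates every file matching each prefix on the remote admin share and hands each one to Trace32 explicitly, so .lo_ files (which have no shell association) open as well. It assumes Trace32.exe lives at the toolkit path used in the post, accepts a log path as its command-line argument, and that the C$ share on each target is reachable with the caller's rights.

```powershell
# Added example (not the poster's script): open current and rollover ConfigMgr client logs
# for a set of prefixes in Trace32, on one or more remote computers.
# Assumptions: Trace32.exe at the path below takes a file path as its argument; the C$ admin
# share is reachable; rollover logs use the .lo_ extension as described in the thread.
param(
    [string[]]$ComputerName = @('localhost'),
    [string[]]$LogPrefix    = @('datatransferservice', 'ccmexec', 'locationservices'),
    [string]$Trace32        = 'C:\Program Files\ConfigMgr 2007 Toolkit\CCM Tools\Trace32.exe'
)

if (-not (Test-Path -LiteralPath $Trace32)) {
    throw "Trace32 not found at $Trace32"
}

foreach ($computer in $ComputerName) {
    $logDir = "\\$computer\c$\Windows\System32\CCM\Logs"
    if (-not (Test-Path -LiteralPath $logDir)) {
        # Unreachable share, host offline, firewall, or no admin rights: report and move on
        Write-Warning "Cannot reach $logDir; skipping $computer"
        continue
    }
    foreach ($prefix in $LogPrefix) {
        # One file-name wildcard covers <prefix>.log and the rollover <prefix>.lo_
        # (PSIsContainer filter instead of -File keeps this working on PowerShell 2.0)
        $files = Get-ChildItem -LiteralPath $logDir -Filter "$prefix*.lo*" |
                 Where-Object { -not $_.PSIsContainer } |
                 Sort-Object LastWriteTime
        if (-not $files) {
            Write-Warning "No $prefix*.lo* files found on $computer"
            continue
        }
        foreach ($f in $files) {
            # Launch Trace32 directly instead of relying on the .log association; the file
            # path is quoted because UNC paths and the Trace32 path may contain spaces
            Start-Process -FilePath $Trace32 -ArgumentList ('"{0}"' -f $f.FullName)
        }
    }
}
```

    Run it from an elevated PowerShell prompt, for example `.\Open-CcmLogs.ps1 -ComputerName PC01,PC02 -LogPrefix ccmexec` (the script file name is an assumption). Each matching file opens in its own Trace32 window; the warnings tell you which targets were unreachable rather than failing silently as `On Error Resume Next` does in the VBScript version.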

  • Branch Office Mail Server?

    I have Mac OS X providing mail services to about 100 users at a main office. We are opening a branch office with 20-30 users. I'm wondering if it is possible to setup another mail server for the branch office using the same domain. The users at the branch office are moderately heavy users who will often deal with lots of attachments. I would like them to have an IMAP server that is local to them for better performance and to reduce traffic on the main office network.
    I thought I'd give it a try. There's a field called "Mail Server" on the mail tab of WGM for each user. I put the address of the branch office server in that field. However, the main office server keeps the messages in its own mailstore. So, what's this field for? It doesn't seem to do anything.
    I see a way to accomplish this by editing the postfix alias file for each user and adding a line for each branch office user like branchofficeuser: [email protected] but that wouldn't be so nice if I ever have to turn over administration of these servers to someone else.
    Is there any way to distribute mail for users of the same domain across more than one IMAP server without resorting to entering aliases to subdomains for each user?

  • Branch office Exchange 2010 Role base administration control for branch site administrator

    Dear sir,
         Customer has an Exchange 2010 main and branch office environment:
    - Main office: Exchange 2010 CAS x2 + HTS & Mailbox x2 (Server1,2 & Server3,4)
      (Main office administrator: domain1\administrator) - DAG1
    - Branch office: Exchange 2010 CAS+HTS x2 & Mailbox with DAG x2 (Server5,6 & Server7,8)
      (Branch administrator: domain1\badmin) - DAG2
         Customer would like to know which role or permission should be granted / delegated to the ID badmin in order to manage Exchange servers 5,6,7,8 (including managing user accounts and performing DAG2 failover on the branch Exchange servers).
    Regards,
    Joe Tam

    Dear Brian,
       I have tried in my lab to scale down to 2 servers in 1 AD single domain and single forest. It still has many unexpected behaviours; can you please suggest whether it is by design or a bug of Exchange 2010 SP1?
    Procedure:
    ============================================================================
    Exchange 2010 Role Delegation Problem: (Single AD, Single Site)
    Environment:
    Server: Windows 2008 R2 AD x1 + (CAS+HTS+Mailbox) Server x1
    AD Server: AD1
    Exchange2010 Server : EX2010 (with SP1) – Member Server Joined to testdomain1.net
    Domain Name: testdomain1.net (NETBIOS: TESTDOMAIN1)
    In AD,
    Login as domain administrator: Testdomain1\administrator
    1. Create an Organization Unit OU1.
    2. Create User User1 under OU1
    3. Delegate User1 to allow create user in OU1
    Select all items in "Delegate the following common tasks".
    In Exchange 2010 Server,
    Login as domain administrator: Testdomain1\administrator
    1. Rename existing database name to HKDB1
    2. Create a new database AUDB1 in EX2010 Server:
    AUDB1 Create Done.
    Add testdomain1\User1 to the Exchange 2010 server's local Administrators group.
    Logoff Testdomain1\administrator and Login Testdomain1\User1
    Open Exchange EMC: (Failed, because no management role is granted).
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    Open Exchange 2010 PowerShell:
    Delegate User1 to allow perform recipient management in HKDB1 only:
    ====================================================================
    # Configuration scope: databases whose Name matches the filter (as first written in the lab)
    New-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Eq 'HKDB*' }
    # Copy the roles of the built-in Recipient Management group into a custom group with the scope above
    $RoleGroup = Get-RoleGroup "Recipient Management"
    New-RoleGroup "HKDBRecipientManagement" -Roles $RoleGroup.Roles -CustomConfigWriteScope "HKDBSCOPE"
    Add-RoleGroupMember "HKDBRecipientManagement" -Member User1
    ====================================================================
    Result:
    In Exchange 2010 Server, logon as domain user: Testdomain1\User1
    Open Exchange Management Console: (User1 able to open EMC now)
    Perform Create User User2 in OU1 with Mailbox located in HKDB1
    Mailbox Creation Failed because it cannot match the Database name = HKDB*
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    In Exchange Management Shell, enter:
    Set-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Like 'HKDB*' }
    Logoff Testdomain1\administrator, Login Testdomain1\User1
    Open Exchange Management Shell and create User2 again.
    Create user successfully.
    Perform create User User3 in OU1 with Mailbox located in AUDB1
    User3 creation failed because it does not meet the database restriction of User1 – Like HKDB*
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    Open Exchange Management Console, create User3 in AUDB1
    Create User3 in Users Container, by administrator ID.
    Logoff Testdomain1\administrator, Login Testdomain1\User1
    Perform mailbox remove of User2
    User2 mailbox remove successfully.
    Perform deletion of User3
    Mailbox User3 Remove Successfully.
    Why is User3's mailbox, which is located in AUDB1, allowed to be deleted using User1's delegated rights?
    Moreover, it was found that User3's properties can also be changed using User1. Why?
    Does it mean delegation cannot handle the delete operation?
    In Active Directory Users and Computers: User2 is deleted successfully using the User1 ID.
    In Active Directory Users and Computers: User3 is also deleted successfully using the User1 ID.
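    The lab procedure above restricts only the configuration write scope (the database) and leaves the role group's recipient write scope at the role's default, which for the Recipient Management roles is the whole organisation; it also grants User1 rights directly in Active Directory through the OU delegation wizard, which Exchange RBAC does not govern. The following Exchange Management Shell session is an added example, not the customer's procedure and not Microsoft's documentation; it defines the database scope with the wildcard-capable operator, adds a recipient write scope limited to OU1, builds the custom role group with both scopes, and lists the resulting assignments so the effective write scopes can be reviewed before the account is handed over. It assumes Exchange 2010 SP1 run as an organisation administrator, reuses the names from the post (HKDBSCOPE, OU1, User1, testdomain1.net), and the recipient filter `RecipientType -eq 'UserMailbox'` is an assumed choice to be widened if the branch admin must also manage mail users or contacts. It does not diagnose the User3 result reported above.

```powershell
# Added example (not the post's procedure): least-privilege RBAC delegation with both a
# configuration (database) write scope and a recipient (OU) write scope.
# Assumptions: Exchange 2010 SP1 EMS as an org admin; names taken from the post above;
# the RecipientType filter is an assumed choice for a mailbox-only branch admin.

# -eq compares the literal string 'HKDB*' and matches no database (the lab's first attempt);
# -like performs the wildcard match the scope needs.
New-ManagementScope -Name "HKDBSCOPE" -DatabaseRestrictionFilter { Name -like 'HKDB*' }

# Without a custom recipient write scope the group inherits the role's organisation-wide
# recipient scope, so objects outside OU1 stay writable. Pin it to the OU.
New-ManagementScope -Name "OU1Recipients" -RecipientRoot "testdomain1.net/OU1" `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

# Clone the built-in Recipient Management roles into a group that carries both scopes
$roles = (Get-RoleGroup "Recipient Management").Roles
New-RoleGroup -Name "HKDBRecipientManagement" -Roles $roles `
    -CustomConfigWriteScope "HKDBSCOPE" `
    -CustomRecipientWriteScope "OU1Recipients" `
    -Members User1

# Review step: every role assignment the group holds, with its effective write scopes
Get-ManagementRoleAssignment -RoleAssignee "HKDBRecipientManagement" |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope,
                 ConfigWriteScope, CustomConfigWriteScope -AutoSize

# Show the scope definitions themselves so a reviewer can confirm operator and root
Get-ManagementScope "HKDBSCOPE", "OU1Recipients" |
    Format-List Name, ScopeRestrictionType, RecipientRoot, Filter
```

    Two points to keep in mind when reading the output. First, a user who is also a member of another role group, or who holds a direct role assignment, gets the union of those rights; check `Get-ManagementRoleAssignment -RoleAssignee User1` as well as the group. Second, anything granted through "Delegate Control" on the OU (or through local Administrators membership on the server) is an Active Directory or Windows permission and has to be reviewed on the OU's Security tab or the server's group membership, because RBAC scopes only constrain what the Exchange tools will do.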
