1

Is it safe/viable to connect a Windows Server 2012 to a remote site's router by VPN?

We have an existing "head office" that has a hardware VPN-capable router and a SBS 2011 Essentials DC. We have just taken over an additional office that has an existing Internet connection but the BT BusinessHub does not have any built-in VPN client or server capability.

Now, I have two options...

  1. Buy a VPN-capable router that I can put behind the BT BusinessHub modem/router (and port forward what I need). OR
  2. Can I use the new office's Windows Server 2012 built-in VPN capability to connect the server to the head office VPN device.

Because the Windows Server 2012 at the new office is a DC and all the clients point to it for DNS (with secondary DNS pointing to the head office IP and forwarders configured for Internet requests) then (am I right in saying?) that it should be able to provide resolution to the head office so that the clients can access head office resources?

Obviously I am aware that if the DC goes down then the VPN will not work (but sames goes for if the VPN box goes down)... I am also unsure if there are any security things I need to be cautious of if I do this?

Would this work?

Thank you!!

Kinnectus
  • 260
  • 1
  • 11
  • `with secondary DNS pointing to the head office IP` - What does that mean? Do you mean that the secondary DNS configured on your clients is the head office DNS server? If so, that's not going to work for resolving head office resources. But to directly answer your question: Should you put this on your DC? I wouldn't, for a number of reasons. My personal recommendation would be that you purchase a hardware VPN and task it for the job. – joeqwerty Mar 12 '15 at 14:55
  • Thanks @joeqwerty. So why should the member DC have itself as the primary DNS and the head office DC as the secondary DNS - this is fairly standard across Windows Server domains? Replication?... What have I missed? Obviously, I know that the routers will deal with the two subnet routing - is this the key to the ability to resolve head office resources? :S My full intention is to buy a hardware device that I can VPN the two sites. I just wanted to confirm that it's not the best way to go (to use the server to initiate the VPN connection). Thank you! – Kinnectus Mar 12 '15 at 15:05
  • These are two different AD domains right? – joeqwerty Mar 12 '15 at 15:16
  • The new office didn't have a server at all so I've installed Server 2012 Standard onto a machine and configured it (dcpromo, DNS, DHCP etc.) to the SBS 2011 Essentials domain. Basically it's a member server of an existing domain and all the clients will be joined but the two locations need to be able to talk to each other for resources, remote desktop etc. - just like any other mult-site setup. – Kinnectus Mar 12 '15 at 16:27
  • OK, I missed that in your question. A DC isn't considered a member server, it's just considered a DC. Non-DC servers are considered member servers. Since both servers are DC/DNS servers in the same domain then you can set them both as DNS servers for the domain clients. I would configure the server in each site to be the primary DNS server for clients in the same site and configure the server in the remote site as the secondary DNS server, and vice versa. I'm assuming your AD DNS zones are AD integrated and have replicated to the new DC/DNS server? – joeqwerty Mar 12 '15 at 16:36
  • Yes, I have done precisely that. Each server is its own primary DNS and the other secondary. I've created the separate sites in Sites and Services and everything seems OK. I configured DC2 at head office so both were talking to each other. It's the second DC at its new site that we've encountered the lack of site-to-site VPN. Hence asking if I could use DC2 to dial to head office router. I would (just as you say) prefer to have a dedicated device. I just wanted the community advice as to if it were safe to get the second DC to initiate the site-to-site VPN. It's obviously not! :) – Kinnectus Mar 12 '15 at 16:47
  • I'll just add that for your DC in the remote office to act as a S2S VPN endpoint, you would install the RRAS role and it would basically become a router. You typically need two NICs and I bet trying to set the routes up to handle replication traffic, and internal DS requests would be a huge pain in the ass. – Jordan Mar 12 '15 at 16:58
  • Yeah that's what I [obviously] don't want or need lol! I'll be getting a dedicated device or see if I can re-purpose an old Netgear with a different firmware... cheers for the advice guys :) – Kinnectus Mar 12 '15 at 17:06

1 Answers1

0

Definitely buy a VPN capable router. With that said, however, keep in mind not all S2S VPN boxes play nicely together. I would make sure to research the compatibility of the two end points or purchase two of the same brand together to ensure proper functionality.

Also, as an aside, it is probably possible to do what you originally asked by installing Hyper-V on the remote office hardware. Then set the 2012 DC as one VM and setup another VM with 2012 (R2?) and the RRAS role and configure them appropriately.

Jordan
  • 128
  • 4