VPN - Router-to-router or router-to-server?

I want to link a site of a customer to their head office where they have Small Business Server 2003 installed. I have set the server to allow VPN connections, and a couple of laptops access this as a dial-up connection when the users are off-site.

If new hardware is required it's not a problem although it will be Drayteks at the most, no Cisco stuff. The head office has a Netgear DG834 giving Internet to the server - DHCP is disabled, it only does port forwarding. The remote office has a BT Business hub thing just provided by BT, does a lot of stuff but no VPNs from what I can see; all it has is public network bridging if this is any use? Would I need to change the BT device for a start?

The DG834 has VPN support. I'm considering changing it to a Draytek anyway, for stability. Is it better for the routers to talk to each other through their own VPN capabilities, or for one router to dial and have the head office router forwarding port 1723 to the server and let the server do the work?
 
Ok. I've taken a look through the Draytek's VPN/Remote access interface and I could go with that alright.
What about the existing VPN functionality I have set in Small Business Server (through Routing & Remote Access) - will this have to be disabled altogether?
For existing laptop VPN users, will they still be able to dial into the VPN as normal with their Windows domain username & password?
 
Thanks Jon, will give that a go.
I'm thinking of putting a Draytek into the head office and taking the DG834 that was there before, and putting it into the remote office. The DG834 does have VPN support, but has anybody had experience of its performance and stability?
 
Well I've bought 3 Drayteks (a 2900 and 2x2910's) today just to have because I know they'll be used. 4 of my customers have Drayteks installed and they're just devices you set up at the start and completely forget about them. Jimathy - I'll bear your advice in mind, I'm not expecting wonders but I'll give the Netgear a go for a short while anyway and see how it goes.

Pint said:
No, this just needs port 1723 TCP passed through to the server.
IKE uses UDP ports 500 and 4500.

Remote workers can still dial in on PPTP ports in RRAS.

Thanks.
One more thing. How do people find the speed of VPNs on standard 2mbit ADSL lines with e.g. logging onto domains, Exchange traffic and basic file browsing, if the domain controller is on a remote site?
 
oddjob62 said:
Main thing you have to remember is that the 2Meg means nothing. It's the UPLOAD speed that is the choke point. If this is going to be used by more than a couple of users at a time I would highly recommend upgrading the line (at least at the HQ site) to SDSL or better.

I know, and SDSL isn't available at the head office site :( I registered interest with BT a month ago but I don't know what significance that will have to them. I was thinking of keeping them on separate connections and just using Outlook over HTTP and keep documents stored on local computers on remote sites if I found that the VPN wasn't coping. I'll give the VPN a go anyway and see how it works out; there's only one remote site for now but another will be set up in a couple of months' time; there's 2 computers per remote office.
 
Another note, now that I have a Draytek or two sitting around, what do you recommend for the actual DSL connection? The 2900 and 2910 models I have here do not have built-in DSL modems - do I have to have a similar-grade modem to withold the same quality of connection, if all it is doing is literally dialing to the web?
 
I think they will get by on ADSL, it's just that I'm wondering how so many companies out there are able to work with such low-speed connections. How do they cater for it? I have been talking to a couple of people who work in companies that have leased lines sitting at 128k both ways and pay hundreds of pounds/euros a month for the privilege. And there's at least 20 - 30 computers on either end. What use is 128k between even 1 or 2 computers, never mind that amount?

Also, Pint - because I'm using a separate ADSL modem, is my service:
a) improved because there's 2 devices splitting the workload
b) reduced because there's a lower grade device actually dialing to the Net? Zyxels are good and I use them, but just how much work would it be doing with say 30 or 40 computers communicating over it?
And thanks so far for all your advice.
 