Critique net setup: VPNTunnel, 2 routers, VOIP, several Q's

KingGheedora (Diamond Member, joined Jun 24, 2006)
We're setting up a new branch office.

  • ~10 users.
  • Each user has a VOIP phone provided by a hosted solution.
  • Users need access to resources at HQ (located in another state), so we are setting up a VPN tunnel.
  • HQ only supports certain Cisco/Juniper devices. The VOIP provider only supports SonicWall, so the current plan is to have two routers w/ separate subnets for VOIP vs. PC traffic.
  • PCs will plug into the pass-thru Ethernet jacks on the VOIP phones, but the phones and the PCs will point to different subnets.
  • Cable modem is a 50Mbps / 5Mbps DOCSIS 3.0 business line w/ 5 static IPs.
  • Each of the 2 subnets will map to one of the 5 public IPs.
  • May or may not also need to support a VPN tunnel with a second branch office because of a file server they have there that some in the new office use. I'm pushing to have them move the files to a server on the HQ's network so we don't have to worry about setting up an additional tunnel.
Questions:

  1. Do you foresee any issues with the below set-up?
  2. Router recommendations by HQ IT staff: Cisco Router 2811, or Juniper SSG5 or SSG20.
    1. Any recommendations about these routers?
    2. We need Wi-Fi too – is it better to get one of these routers with built-in Wi-Fi, or buy a cheap one and hook it up to the Cisco/Juniper router to provide wi-fi?
  3. Users need to be able to work from home. When working from home currently, they connect to a VPN server at an existing branch office that is closing down. Do the above routers support clients VPN'ing in from home? If so how hard is it to set up?
    1. If so, how is authentication handled? Right now we use AD credentials for the HQ's domain, but we currently don't plan to have an AD system in the new location since it's only 10 users. And I don't think I can tie the authentication system from the new location's router to the AD system of the HQ.
    2. All the PCs that will be in the new location are currently in the existing office that is closing down, and are already joined to the domain of the HQ. Please confirm: this + the VPN tunnel will be sufficient for them to connect to authenticated resources on the HQ's network, correct? Mainly SQL servers and file servers.
I'm sure I'll have some more questions, but can't think of them right now.

Thanks!

Attachment: Net_Sketch.jpg

spidey07 (No Lifer, joined Aug 4, 2000)
If you want the thread moved, PM an Anandtech moderator. Normally they'll just catch it. Or try ScottMac or JackMDS - he's a networking moderator.
 

drebo (Diamond Member, joined Feb 24, 2006)
I'm exceptionally curious about which hosted PBX provider "only supports SonicWalls". As a hosted PBX provider who has had numerous troubles with SonicWalls, I'm curious to see what model they "only support" and why. Something here doesn't compute.

Otherwise, there is absolutely nothing that a SonicWall can do that an ASA5505 (the correct appliance for branch office setup) cannot...unless you want to include impeding VOIP usability. There is no reason to complicate your setup as you are trying. Just choose whatever Cisco device your IT group supports and go with it.

Any Cisco router or firewall will support multiple remote access IPSEC or SSL VPNs as well as site-to-site VPNs (routers also support GRE tunnels if you need to publish dynamic routing protocols over the tunnels). Authentication for remote access VPNs can be done either with local user accounts on the routers themselves or via RADIUS. If you want to share Active Directory credentials, you will need to use RADIUS. You can join machines to a domain across a VPN...just make sure your name server is configured properly. It is, however, strongly recommended that you have a local catalog server on the remote side of the VPN. A server configured for DNS and AD replication will only cost a couple thousand dollars and will provide decently fast centralized storage and backup for the users, as well as survivable authentication in the event that the VPN goes down for any reason.

As for Wifi, it would be better to get a stand-alone AP. An AP in your wiring closet usually isn't very efficient. Get an Aironet 1131...they're cheap and they work really well and they include t-bar ceiling mounts.
 

Emulex (Diamond Member, joined Jan 28, 2001)
Hell, any DD-WRT router can handle 10 PPTP using static authentication (i.e. you put their login/password into the router config).

The biggest problem I see in the picture: CABLE MODEM???

You do realize Comcast Business can pipe in 50 meg with a dozen phone lines for cheap?

What I'm seeing here is serious cheap with some serious expense - it just doesn't make sense. If you are so concerned about two routers - you'd have two switches as well to segregate the VOIP traffic - assuming you are going with cheap switches like the 1810G-24 or similar.

Wifi: Any router is fine. Use WPA2-AES with MAC filtering - change the password when people leave. This is cheap - real cheap - and you can run a hard line to cover the floor - or run 2 or 3 to cover a larger area (just change the SSID on each). You know, a $25 Buffalo special configured as an AP. I've been rocking out to this for the past 5 years (WRT54 v2's).

I'd re-evaluate your options maybe? Cbeyond, Comcast Business, hell, all cable providers have a business end and many do etherchannel and VOIP termination (SIP, T1, PRI, POTS) nowadays too!

Comcast Business 22 meg with 15 VOIP -> Linksys WRT54GL with DD-WRT w/ PPTP server -> switch

Done.
 

KingGheedora (Diamond Member, joined Jun 24, 2006)
Thanks for your reply.

They are a small company in NYC; they do more than just VOIP, and I'm not sure how my manager found them. I'm not sure if they provide the VOIP or if they contract the hosted PBX part to someone else.

They were willing to support a SonicWall TZ210 at first, but when we found that the HQ IT team would only allow Cisco/Juniper, they decided to go with the 2-router setup I diagrammed. They would go with a TZ100 instead, to handle the VOIP, and let us pick a Cisco for our VPN-tunnel requirements.

Can you elaborate on how the SonicWall routers might impede our VOIP use? I want to know now if this will present a problem. Ultimately, even if it's not ideal, the setup in the diagram should in theory work, right?

I have further questions about the VPN endpoint configuration; it seems like that is more complex than I initially thought.
 

KingGheedora (Diamond Member, joined Jun 24, 2006)
The VPN for working remotely seems like the most complicated issue.

3 employees work remotely full time (they live in different cities and therefore do not have physical access to the office), and at least two technically work from the office but work remotely most of the time.

Some terms:

  • KingCorp - my company, small company of close to 20 people.
  • HQCorp - our partner company. KingCorp used to share an office with them, but they are closing their office, which is why we now have to set up our own. KingCorp employees were basically supported by HQCorp IT as if they were HQCorp employees.
  • HQDom - let's say that is the AD domain of HQCorp. All KingCorp employees have AD accounts in HQDom. For example, I log in to my work computer using HQDom\KingGheedora. I use that same login to VPN in from home, and for Outlook email, connecting to HQDom's SQL servers, file servers, remoting into virtual machines, etc.

So here are the scenarios in which KingCorp employees log in for work (under the current system of sharing HQCorp's office space):

1. Sit at a desk in HQCorp's office. Log in using HQCorp\EmployeeName. The desktop is physically on the network and joined to the HQCorp domain.

2. Use a laptop that is joined to HQCorp domain. The login for the laptop is HQCorp\EmployeeName. Remote in from wherever using Windows VPN client, and HQCorp\EmployeeName.

3. Use a home desktop or laptop that is not joined to the HQCorp domain. Remote in using the Windows VPN client and the HQCorp\EmployeeName AD account. Most things work, but the developers of KingCorp sometimes have problems if they want to configure jobs or services on this type of machine to run using an HQCorp AD account. This is rare and we usually remote into the desktops in the HQCorp office to do these types of work.

From what I understand scenario 1 will continue to work once KingCorp users are in the new location, and the VPN tunnel to HQCorp is set up.

I think #2 and #3 will need special consideration though. At first glance I want to keep things as simple as possible so would just like to set up accounts on the router to support users working remotely, but if I do that would remote users be able to access resources on the HQCorp network, over the VPN-tunnel? I'm unclear as to how they would pass authentication in that case.

For example, in scenario #3, I configure the Windows VPN client to connect using HQCorp\KingGheedora. When I access a network share on HQCorp's network it uses that account to authenticate without asking me for a username/password. Same thing if I open SQL Server Management Studio and connect to a SQL server: I don't know how it works under the hood, but Windows somehow takes care of telling HQCorp's SQL Servers that I am HQCorp\KingGheedora, and I don't get prompted for credentials.

In the new office how would this work? I know that #1 works because the desktops in the new office are joined to the domain, and assuming VPN tunnel is up users can login using their HQCorp accounts and access everything that way.

Scenario #2 seems like it should work the same as I just described for scenario #1. The only assumption is that users are able to log in to their laptops using their HQCorp\EmployeeName accounts without being connected to the HQCorp network (and therefore not able to reach an HQCorp domain controller or whatever to authenticate). I'm not sure if that is possible.

Scenario 3 seems like it would not work, because if I connect from home to our new office, and use an account that was created on the Cisco 2811/Juniper SSG5 or SSG20, I should be able to have connectivity to HQCorp servers (so I should be able to ping them and see them on the network), but how would apps on my computer know to authenticate using HQCorp\KingGheedora?

I know that drebo probably answered my question already with his suggestion of RADIUS server along with a local catalog server. But I'm just checking if there are any alternatives to achieve this. Could I for example do something on the client-side that tells my home machine to use HQCorp\KingGheedora after I have connected? Or can I tell the router to map the router specific account to HQCorp\KingGheedora somehow?
 

KingGheedora (Diamond Member, joined Jun 24, 2006)
Also, what is the potential for problems with the diagrammed setup, in regards to QoS, and competing traffic between the VOIP/SonicWall and internet/Cisco segments?
 

jlazzaro (Golden Member, joined May 6, 2004)
2 words... paid consultant. If you need a message board to design your networks, you aren't qualified to do the work in the first place.
 

drebo (Diamond Member, joined Feb 24, 2006)
Google "sonicwall sip problems". SonicWalls are notoriously bad at NATing SIP traffic. I have never, ever had it work properly. They're worse even than 2wires when it comes to NATing SIP. Mostly this is because it is not possible (despite what the GUI says) to disable the SIP ALG which does not work. Now, I haven't worked with the TZ200 series, but I don't expect it to be much changed. In my experience, not one of the TZ100 series routers I've ever used has been a positive experience, especially when it comes to SIP.
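The SIP-behind-NAT problem drebo describes, as an added example that is not from the thread or from any vendor: the script lists the fields of a SIP INVITE that a NAT device must rewrite and that still carry RFC 1918 addresses, then applies the egress rewrite a working SIP ALG would perform so the check comes back clean. The INVITE, the phone address 10.20.30.40 and the public address 203.0.113.7 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not from the thread): the INVITE a branch phone at 10.20.30.40
# emits. Via, Contact and the SDP o=/c= lines carry its private address, so a NAT that
# forwards it unchanged leaves the hosted PBX signalling to an unroutable address.
SAMPLE_INVITE = (
    "INVITE sip:2125551212@pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.invalid>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@10.20.30.40\r\n"
    "Contact: <sip:1001@10.20.30.40:5060>\r\n"
    "\r\n"
    "o=- 0 0 IN IP4 10.20.30.40\r\n"
    "c=IN IP4 10.20.30.40\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADDR_HEADERS = ("via", "contact", "record-route", "route")  # NAT must rewrite
ADDR_SDP = ("o=", "c=")                                      # these fields

def _private_in(text):
    return [a for a in IPV4.findall(text)
            if all(int(o) < 256 for o in a.split("."))
            and any(ipaddress.ip_address(a) in n for n in RFC1918)]

def private_addresses(message):
    """Map each NAT-sensitive header / SDP line to the RFC 1918 addresses it still carries."""
    head, _, body = message.partition("\r\n\r\n")
    found = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name = line.partition(":")[0].strip().lower()
        if name in ADDR_HEADERS and _private_in(line):
            found[name] = _private_in(line)
    for line in body.split("\r\n"):
        if line.startswith(ADDR_SDP) and _private_in(line):
            found[line[:2]] = _private_in(line)
    return found

def alg_rewrite(message, inside_ip, public_ip):
    """Egress rewrite a working SIP ALG does on the NAT-sensitive fields only (RTP port mapping omitted)."""
    fixed = []
    for line in message.split("\r\n"):
        name = line.partition(":")[0].strip().lower()
        if name in ADDR_HEADERS or line.startswith(ADDR_SDP):
            line = line.replace(inside_ip, public_ip)
        fixed.append(line)
    return "\r\n".join(fixed)
```

Running `private_addresses` on a SIP capture taken on the WAN side of the firewall tells you directly whether its ALG (or the phone's own NAT handling) did the rewrite; any entry left in the result is a call that will fail one way or the other.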
 

KingGheedora (Diamond Member, joined Jun 24, 2006)
BTW, this is the company that only wants to use SonicWall:

http://v3comm.com/