Koozali.org: home of the SME Server

WAN/VPN to SME V5 server setup for remote networks?

Crewmember

WAN/VPN to SME V5 server setup for remote networks?
« on: December 03, 2001, 07:31:52 PM »
Hey all,

Ok, here goes - I'm thinking about setting up an SME V5 server in my main office to handle web access/email/file/print services for about 10 users, AND also handle email/file storage services for two remote offices connected via Cisco router-to-router VPN.

How would I set up the SME V5 server to handle services for the remote offices?  At the moment my internal network is a 192.168.0.x setup, and the remote networks are 172.24.89.x and 172.24.90.x.

Basically, I'm trying to set up a WAN with the remote offices using the SME V5 server here in my main office as their primary server for email/file storage, etc.  I'd actually like to have all their Internet and Web access also come back through the WAN and out my SME V5 server for security and logging/auditing purposes.  By having a single server here in my main office it will make it easier and cheaper to administer, maintain and control my remote offices.

Does this WAN/VPN to SME V5 setup make any sense?  How would I do this?  What "mode" would the SME V5 server be set up in: server and gateway, private server and gateway, or server-only?  Thanks.

Crewmember

Crewmember

one other thing Re: WAN/VPN to SME V5 server setup for remot
« Reply #1 on: December 03, 2001, 07:36:33 PM »
Oops, I forgot - I also need the SME V5 server set up so that email can be retrieved from the Internet.  I think there is a webmail feature which allows this, but I'm not sure what server mode I'd have to have for this type of access.  Thanks again.

darren


Crewmember

follow up (Re: WAN/VPN to SME V5 server setup for remote net
« Reply #3 on: December 05, 2001, 06:09:21 PM »
Thanks for the tip, but I had seen the freeswan-howto.  I'm not sure if that really answers my questions or will work in my case.  I actually have Cisco 1720 routers at each location with built-in firewalling and router-to-router VPN already set up.  So with each location already connected, what I'm really asking is how to set up the SME server to handle web access/email/file storage/logon "domain" authentication services for the remote locations across the VPN connection.

I don't really want to put a server at each location, so I was wondering if anyone had set up a WAN with remote locations going back to a single SME server for all the services?  I assume the private server and gateway mode is what I will have to set up, but I don't know.  Ideas?  Thanks.

Les Mikesell

Re: follow up (Re: WAN/VPN to SME V5 server setup for remote
« Reply #4 on: December 06, 2001, 08:01:26 AM »
Web and email access will 'just work' as long as you have permitted the network access over your VPNs.  Domain authentication and file storage will work too, but are less forgiving of network problems, so your satisfaction will depend on the speed and reliability of the internet links under the VPN.

Crewmember

Re: follow up (Re: WAN/VPN to SME V5 server setup for remote
« Reply #5 on: December 06, 2001, 04:51:57 PM »
Thanks for your input, Les.  I am concerned about the VPN connection issues - which could cause lost productivity if the lines are "down" and those offices cannot access their email/files, etc.  Not sure how I'll handle that - as I don't have redundant VPN setups at this point.  I guess I could somehow set up a POTS dialup VPN to my SME server in case the T1/frame relay circuits/cable modem connections go out.  Thoughts?

What server mode would I need to implement this type of setup/access - private server and gateway I assume?  (Since all the machines/networks are behind a router/firewall.)

Also, since the remote locations are using a different network (172.24.89.x) I assume I'd need to set them up under server manager as additional 'local networks'?  I'm not sure I fully understand what services SME gives to those networks - do you know?

I'd still love to hear from others that have tried something like this, thanks.

Crewmember

Steve Bush

Re: follow up (Re: WAN/VPN to SME V5 server setup for remote
« Reply #6 on: December 12, 2001, 05:00:58 AM »
I have three e-smith servers connected to the Internet via DSL (2) and ISDN (1).  I used the how-to to set up freeswan for a VPN.  Each site uses their own SME server for file/print/e-mail.  The VPN is for access to an IP-based server on one of the local networks.  If you want to log into one server via a VPN and have it serve all users, local and remote, you can either set up your remote PC's IP information manually to point to the remote server, i.e. DNS, WINS, gateway, or set up a DHCP server to give out the remote server's information for you.

As far as reliability, if your Cisco has another port, either sync or async, you could set up a dial backup that will only come up if your primary link fails.
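The DHCP option described in the reply above, as an added example that is not part of the original post: an ISC dhcpd.conf fragment for one remote subnet that hands out the main-office server for DNS and WINS. The /24 mask, the router address 172.24.89.1, the server address 192.168.0.1, the address pool and the domain name are assumptions; the thread gives only the network prefixes.

```conf
# Constructed example for the 172.24.89.x remote office (ISC dhcpd syntax).
# All host addresses below are assumptions, not values from the thread.
subnet 172.24.89.0 netmask 255.255.255.0 {
    range 172.24.89.100 172.24.89.199;        # assumed client pool

    # Default gateway must be on the client's own subnet: the site's
    # VPN router (assumed address), which carries traffic to the main office.
    option routers 172.24.89.1;

    # Name resolution points across the VPN at the main-office server
    # (assumed to be 192.168.0.1).
    option domain-name-servers 192.168.0.1;
    option domain-name "example.internal";    # placeholder domain

    # NetBIOS broadcasts do not cross the routed VPN, so clients need a
    # WINS server to locate the domain logon server and file shares.
    option netbios-name-servers 192.168.0.1;
    option netbios-node-type 8;               # hybrid: query WINS first, then broadcast

    default-lease-time 86400;
    max-lease-time 604800;
}
```

A second `subnet` block with the same options would cover 172.24.90.x, served by a DHCP server at that site.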

Patrick

Re: follow up (Re: WAN/VPN to SME V5 server setup for remote
« Reply #7 on: December 14, 2001, 12:04:19 AM »
Okay guys....

My remote offices and main location already have Cisco 1720 routers in place with hardware VPN set up and configured in a "router-to-router" mode.  [If I had learned about e-smith/SME 6 months ago I probably would not have made the investment in the Cisco routers....but that's what I have now, so I'm using them.]  This way my routers will do the VPN handling/processing, which should free my SME server to handle other chores.

So now to my question.  Here in my home office I have SME set up now in 'Server and gateway' mode - with the external NIC connected directly with a crossover cable to the Cisco router.  So my internal LAN (192.168.0.x) is accessing the Net only through the SME server.

The problem is that the remote sites (172.24.89.x and 172.24.90.x) cannot access the 192.168.0.x LAN across the VPN and through the SME external NIC.  Any ideas why?  I assume there is a security setting which is stopping the external SME NIC from accepting that traffic as "local" and letting it inside my LAN.

I would like ALL my traffic flowing through the SME server for administrative and security reasons - including the VPN traffic.  But I also need those VPN connections to have access to my local LAN segment.  I know there is a way for the SME server to handle services for "local networks", but is that only for the internal NIC on the SME box?

Thanks for your responses,

Patrick