Score:0

Best way to set the network infrastructure - Windows Server (AD, DHCP, DNS) + Router + VPN + Load Balance

ru flag

First of all, I'd like to say I really like working with networks and managing computers, but I do it as a hobby. I'm not really a professional and only do it for my own things as I love learning about IT. Btw, English is not my first language, so expect some weird expressions along the way.

So, I'm managing an office with approximately 20 computers connected to a server with AD. The server has two network cards, one NIC connected to the internet and the other to the LAN. This server is responsible for DHCP, AD, File sharing and I have configured a point-to-site VPN.

With that configuration, everything was working quite well so far. However, we recently had a problem with our internet provider, wich had a broken fiber and we let us without internet for 2 days. So, we decided to hire a new ISP to have load balance and failover. So we acquired a tplink er605 router to do the job. The detail is that the office is opening a branch and it would be very interesting to create a site-to-site VPN to use the same server with AD and access to files.

My question is regarding the best way to structure the network and server with this new router. As the router has VPN function, I could use it to make a site-to-site vpn with the branch. However, point-to-site vpns would be better handled by the windows server, as I don't need to create new user accounts directly on the router (just using AD accounts).

So, I have two options:

  1. Currently used option: Provider 1 + Provider 2 -> Router Er605 (192.168.0.1) -> (Nic1 192.168.0.2) Server (Nic2 192.168.100.0) -> Switch -> Network Computers, Printers, etc.

  2. Provider 1 + Provider 2 -> Router Er605 (192.168.100.1) -> Switch -> Server (Nic 1 192.168.100.2). This way, connecting the Router to the switch and setting everything to the same subnet.

I have several doubts about how this would work. Because in option 1, the router works only for the load balance, and all other functions would be with the server (but I lose the possibility of doing the site-to-site VPN through the router, since it is external to the server's firewall and on a separate subnet).

In option 2 I would have more freedom to configure the router, without depending so much on the server for dhcp and other network features. However, I don't know if this way I could create a site-to-site VPN on the router and a point-to-site VPN on the server, since now the server is after the router in the same IP range (and I would like to keep the vpns from clients using AD accounts).

Any tip is welcome, I would just like to understand a little better about how the network would work by setting it in different ways and how it could affect the VPN, Server and AD.

Score:0
us flag

As you've said you're a hobbyist let me lay down some rather emphatic truths that I think most people would agree with.

Your current setup

NEVER assign a public IP to a Windows Server without a reason, these could be for a webhost, or because its required for remote access as with Azure. If you do NEED to do this then you need to do it with extreme caution.

If a server needs an external connection, for instance to host a website, then the easiest way to do it is to forward the required ports.

Apologies if this doesn't translate well, I don't mean to be rude, but this is a massive no no

How to do things

In answer to your networking connection the above should give you a good idea what's best but my recommendation would be:

  • Server on private IP behind firewall/router
  • Site-to-Site tunnel on the firewalls/routers

That's pretty much it, job done! The VPN may be a bit tricky to set up but find and follow a guide and you should be fine.

Charles Tomazini avatar
ru flag
As i said, any tip/information is really welcomed. It's not rude at all. Btw, I don't know if I added the correct information in my question here. I have the two ethernet adapters, but none of them are directly exposed to the internet. One of them takes care of the lan (and goes to the switch) and the other conects to the modem/router that the ISP gave us. The only way to conect to the server is trough the l2tp vpn i have on WS (and uses port forward inside on the isp modem/router). We don't have websites hosted or anything, only AD and the file sharing.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.