Connecting via remote

Discussion in 'Server Networking' started by Glenn, Sep 9, 2004.

  1. Glenn

    Glenn Guest

    Hi,
    I have a connection dilemma.
    In my LAN I have an Exchange server that hosts our
    email and also serves as a proxy. Remote users can connect
    to the server. Internal users (main office) can use their Outlook to
    access their email in the Exchange server.

    Now our branch users are connected to the LAN
    thru a frame relay, so that to access the email server
    they have to use POP3 over their own high speed
    connection; otherwise it slows down other applications
    flowing thru the frame relay from the branch to the main
    office, as the Application server is located in the main
    office.

    Now I want the branch users to use their Exchange account
    to access their email using Outlook (instead of POP3). Since you have to
    define the Exchange server when creating the profile in Outlook,
    obviously, it will direct the traffic thru the frame relay.

    Is there a way of directing the traffic to a VPN connection
    instead of to the frame relay in connecting to the Exchange
    server? Is the PC's routing table a good start (though I'm
    not very knowledgeable with it)?

    Your help is much appreciated.

    Glenn
     
    Glenn, Sep 9, 2004
    #1
  2. Miha Pihler

    Miha Pihler Guest

    Hi Glenn,

    Yes, you should be able to use route tables to direct your clients from
    the branch office to your Exchange server over VPN.

    Details depend very much on your network setup. One major factor is how many
    clients you have in your branch office. If you have a small number of clients
    you could use local routes on the clients themselves. If you have too many
    clients to manage them manually then you will have to set up additional
    routes on the clients' default gateway.

    In your main office you will also have to set up your Exchange server to use
    different routes to direct any traffic for the branch office from the server to
    the VPN and not the frame relay.

    It will be helpful to you if your clients in the branch office are in a different
    IP subnet than the clients in your main office.

    Feel free to post back if you need more information/help.

    Mike
     
    Miha Pihler, Sep 10, 2004
    #2
  3. Glenn

    Glenn Guest

    Hi Mike,
    Thanks much for your response.
    I'll look into the routing table as a viable solution.
    Is there a good site you can recommend that could guide me
    with this setup?

    I have a couple of questions though.
    When traffic is routed to the VPN connection, would it affect
    telnet users? The same computer will have to telnet to
    the Risc box to run the applications and access the Exchange
    server at the same time.

    You mentioned the Exchange server has to be set up as well to route
    traffic. When a user in an offsite location connects thru VPN
    (assuming that traffic is now routed not to flow thru the frame relay),
    does it not direct the traffic requests to the VPN connection
    and not to the LAN?

    Regards,
    Glenn
     
    Glenn, Sep 13, 2004
    #3
  4. VPN traffic terminates at the VPN Server. After that point there is no such
    thing as "VPN Traffic",...it is just simply LAN Traffic after it has been
    decapsulated from the VPN Tunnel and all LAN routing mechanisms you have in
    place apply at that point.

    VPN is just the "Tunnel" between the two VPN Servers or between the VPN
    Server and the VPN Client. It does not exist outside that boundary.
     
    Phillip Windell, Sep 13, 2004
    #4
  5. Glenn

    Glenn Guest

    Thanks Phillip.

    Please correct my understanding in this scenario if
    it is wrong. And pardon me for this sorry diagram.

    98.0.0.1
    98.0.0.20/207.123.123.55
    pc ----lan-----frame relay-----lan------Exchange/VPN server
    | | |
    | Risc 6000 |
    |_ vpn_______________________ |
    98.0.0.100

    With a routing mechanism in place, after the PC connects as a
    VPN client to the VPN server, all information (or traffic) is
    routed to the VPN tunnel. Is telnet to the Risc 6000 also made
    via the VPN tunnel? If so, then the frame relay is rendered useless
    in this case.


    Regards,
    Glenn




     
    Glenn, Sep 13, 2004
    #5
  6. Apples and oranges.
    The Frame Relay is the "physical world", the VPN link is the "logical
    world". There is no relationship between the public IP#s on the Frame Relay
    and how the VPN works. They play the same role that a phone number played
    in an old dialup connection. Thinking that they affect routing is like
    thinking that a phone number affected the routing in an old dialup link and
    asking what subnet mask you should use with a phone number.

    The PC becomes part of the LAN (same IP# range) and uses the Exchange/VPN as
    the connection point. Since the PC is now in the same subnet as the rest of
    the LAN,...the Exchange/VPN machine is acting as a bridge between the PC
    and the LAN. Now if you involve other subnets, then it is possible that the
    Exchange/VPN box could be acting as a router,...it just depends on the exact
    situation.

    Of course I may misunderstand what you are asking.
     
    Phillip Windell, Sep 13, 2004
    #6
  7. Since the Remote Client PC is on the same LAN, and probably the same subnet,
    after the VPN is established, it would simply connect to any server (RIS or
    whatever) directly via the normal IP# that servers have on the LAN.

    You may need to use the IP# instead of the name unless you have established
    provisions for "naming" to work.
     
    Phillip Windell, Sep 13, 2004
    #7
  8. Glenn

    Glenn Guest

    Hi Phillip,

    I think what confuses me is that without the routing mechanism
    in place, when the PC is connected via VPN with the same IP
    number subnet, 98.0.0.1 (physical) and 98.0.0.100 (logical VPN),
    where does the traffic flow, since both are part of the LAN? Does it
    flow thru the frame relay or the Internet?
    Say if I telnet to a Risc box, which route does it take?

    Glenn
     
    Glenn, Sep 13, 2004
    #8
  9. It should not be 98.0.0.x. What is the LAN IP of the Exchange/VPN box? It
    would be an address associated with that.
    Doesn't the frame relay run over the Internet?...or is it a private link?
    If it is a private link, then you should not be using VPN with it to begin
    with. VPN is for running over the Internet, not over private links. If it is
    a private link, then why are there public IP#s associated with it?
    (98.*.*.* is a public address block).

    I guess you have confused me with this. It continues to become more unclear
    as to exactly what you have built there. Terminology is everything with
    this stuff. I am trying to deal with a system I have never seen and can
    never see with my own eyes. Choose your terminology carefully or you will
    just create more confusion.
     
    Phillip Windell, Sep 13, 2004
    #9
  10. Glenn

    Glenn Guest

    Phillip,
    You are absolutely correct in saying that our setup is confusing and
    probably one of a kind, having been started a decade ago with the wrong IP
    scheme by the wrong people, and as it grew, was never rectified and so is
    causing us grief.

    I'll try and describe our network topology the best way I can.
    Everything in the LAN (branch and main office) has the same subnet mask
    and has a very bad IP scheme at that. I only used 98.0.0.x as an example, but
    we have an IP range of 124.x.x.x subnet 255.0.0.0, which we are not supposed
    to be using in the first place, and it has worked since day one, but that's
    another story.
    The setup is that branch users are part of the LAN that is connected to the
    office LAN by the frame relay, which is a dedicated connection. I guess you're
    correct when you say it is a private link. The Exchange/ISA/VPN server is in
    the main office. The branch has its own proxy server to connect to the
    Internet and is part of the 124.x.x.x range. Branch users telnet to the Risc
    box in the main office to run AIX applications. They don't access the
    Exchange mailbox directly because of the frame relay issue (56k) but use POP3
    to access their Exchange mailbox.
    Now that we are implementing public folders, they have to create an
    Exchange account to use Exchange's functionality fully. And that's where the
    dilemma starts.

    I hope this diagram helps.

    Branch Lan |
    | Main Office Lan
    pc 124.0.0.x subnet 255.0.0.0 | 124.x.0.0 (weird
    address but works) | pc 124.0.0.x subnet
    255.0.0.0
    pc
    |---------------------framerelay (dedicated)--------------------| Risc
    Box 124.x.x.x subnet 255.0.0.0
    pc |
    | Exchange/Isa/VPN 124.0.0.x / 207.x.x.x (internet)
    Proxy server 124.0.0.x |
    |

    I would like branch users to access their Exchange mailbox using a VPN
    connection and not thru the frame relay.

    Regards,
    Glenn



     
    Glenn, Sep 13, 2004
    #10
  11. Ok, well, it makes more sense now. But you better correct the improper
    addressing scheme someday, because you will run into routing issues with it
    where it "clashes" with the Internet.

    Anyway, forget VPN altogether. There is no reason for VPN to exist in this
    picture at all. Treat the Frame Relay as if it is just another CAT5 cable
    running between two segments of the private LAN,..and the geographical
    distance means *nothing*,...the fact that it is Frame Relay also means
    *nothing*. It is no different "logically" than a simple LAN link between two
    segments of a LAN in the same building.

    If you view it as I describe then you will see that, at most, you only have
    a simple routing issue assuming that the two sites run different subnets
    (they do run different subnets, right?).

    Without knowing the exact routing design, number of routers, where they are
    located, how they are implemented, the exact IP scheme, the exact nature of
    the Internet connection at each and how it is implemented, I doubt I could
    be any more specific than that. I don't expect you to try to explain all
    that, and I doubt I would be able to follow the description anyway.
     
    Phillip Windell, Sep 14, 2004
    #11
  12. Glenn

    Glenn Guest

    Sorry Phillip but everything runs under one subnet. That's the irony.
    Anyway, I appreciate your time very much. Thank you.

    Glenn
     
    Glenn, Sep 14, 2004
    #12
  13. Then the 56k Frame Relay would be a bridged connection. We used to have two
    here but are down to one. We use a "Nailed" 56k line to connect our "Press
    Office" in the State Capitol Building. Since it is the same subnet on both
    ends there isn't any routing involved, so in your case this is not a
    routing issue nor VPN, as I mentioned earlier. Unfortunately, I don't know
    what the root of your problem would be,...all I can say is that routing is
    not involved since there is no routing in the first place, and VPN would not
    be used in this type of situation.
     
    Phillip Windell, Sep 14, 2004
    #13
  14. Glenn

    Glenn Guest

    My initial and real problem is how to set up the branch users
    to access the Exchange mailbox and public folders without passing thru the frame
    relay and without changing our IP addressing scheme.

    Glenn
     
    Glenn, Sep 14, 2004
    #14
  15. Ok, well let me re-hash a bit,... It is all the same subnet, there aren't
    any "routes", so there is no way to have them follow a non-existent route.
    Both the Source and Destination are in the same logical segment, there are no
    "routes" involved,..it is just that simple. *So* we have to find a way for
    there to be two different subnets without changing any topology or addressing
    schemes.

    The only thing I can think of is this. Your Exchange Server has a Public
    presence, right?..it would have to or you would never receive anything on
    it. It must use some kind of FQDN registered with your ISP (like maybe
    mail.mycompany.com). Whatever you use, the Public FQDN should resolve to the
    Public IP# that you publish it to,..it should *not* be allowed to resolve to
    the private IP# of the actual machine.

    Now the remote site would have their own independent Internet connection
    separate from yours that doesn't involve the 56k line, correct? ...if not
    then forget it, we are dead in the water,..we aren't going to get anywhere.

    The users would go over the Internet to the mail server's Public FQDN which
    is resolving to a Public IP# using IMAP/SMTP instead of POP3/SMTP. I think
    IMAP will let you see Public Folders while POP3 would not (not sure, I don't
    use it). They could also use a web browser with OWA if you have that setup,
    I think OWA might give access to Public Folders too. I hear that it is also
    possible to publish Exchange to the Internet from behind a Firewall that
    allows Outlook Clients out on the Internet to function as regular Exchange
    Clients, but you may have to research that, I have no specific data on that.
    However an "Exchange Client" is high bandwidth and may kill even the faster
    Internet link.

    This would let them use the greater speed of their Internet connection
    rather than the private 56k line. The reason this would work is because the
    Public IP# the mail server is published to is a different subnet than the
    LAN, and hence, a route exists that can be followed.

    This is also why VPN doesn't work even if the Tunnel is run over the
    Internet instead of the 56k line, because routing with VPN is determined by
    the Private IP#s that are *inside* the Tunnel,...the Public IP#s outside the
    Tunnel don't mean anything. Since the Source and Destination are the same
    segment the VPN would simply get ignored and the 56k line would be used.

    If something cannot be done along these lines, then I am totally out of
    ideas for now.
     
    Phillip Windell, Sep 14, 2004
    #15
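The routing argument running through Miha's reply (#2) and Phillip's last post (#15) comes down to longest-prefix matching on the branch PC. The following is an added example, not code from anyone in this thread; the Exchange server address 124.0.0.50, the public address 207.0.0.25 (standing in for the 207.x.x.x on the page) and the interface names are constructed for illustration.

```python
import ipaddress

# Constructed sample addresses (the thread only gives 124.x.x.x and 207.x.x.x).
EXCHANGE_PRIVATE = "124.0.0.50"   # Exchange's LAN address, inside the flat /8
EXCHANGE_PUBLIC = "207.0.0.25"    # the address its public FQDN is published to
RISC_BOX = "124.0.0.60"           # AIX box the branch users telnet to

# The branch PC's routing table as the thread describes it: one flat
# 124.0.0.0/8 segment bridged over the 56k frame relay, plus a default
# route out through the branch's own Internet proxy.
BASE_ROUTES = [
    ("124.0.0.0/8", "lan-over-frame-relay"),
    ("0.0.0.0/0", "branch-proxy-internet"),
]

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def paths(routes):
    """Which link each destination in the thread takes under a given table."""
    return {dst: lookup(routes, dst)
            for dst in (EXCHANGE_PRIVATE, EXCHANGE_PUBLIC, RISC_BOX)}

def without_host_route():
    # Phillip's point: the private Exchange address sits in the same /8 as the
    # PC, so the on-link route wins and the VPN is never consulted; only the
    # published public address falls outside the /8 and leaves via the Internet.
    return paths(BASE_ROUTES)

def with_host_route():
    # Miha's suggestion: a more specific route on the client for the Exchange
    # server's address, pointing at the VPN adapter, beats the /8 by prefix
    # length, while telnet to the Risc box still crosses the frame relay.
    return paths(BASE_ROUTES + [(EXCHANGE_PRIVATE + "/32", "vpn-tunnel")])
```

As Miha notes, the server side needs the mirror-image route back to the branch client, or replies still return over the frame relay.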