471 Views, 0 Helpful, 3 Replies

Windows Logon over Broadband

kevin.thomas
Level 1

I'm looking for a router that will permit connections over ADSL to our WAN and permit Windows logon for each of the PCs at our branch offices.

Our telco has set us up with IP Stream (remote sites see me as a service provider) with designated broadband connections routed directly to our WAN from the telco ADSL cloud (i.e. NOT via the internet).

Tried other manufacturers' SOHO routers and can get PCs to manually map drives, ping IP addresses and resolve host names in local LMHOSTS, as well as access the intranet. However, we can't get the PCs to run the NT domain login script. Tried unblocking firewall ports, and even tried a router with the firewall apparently switched off by default, but config options are limited on these products.

Is there a Cisco product that will allow detailed config of routing and firewall options? I need up to 1000 of these, so cost is a major factor.

Any idea what is getting screwed up by the products we are already using?

Telco claims that they are not blocking traffic (e.g. UDP/IP ports) in any direction.

Thanks

Kevin

3 Replies

travis-dennis_2
Level 7

I don't know the number of users involved, but perhaps you could get a Cisco router that accepts the ADSL WIC card (2600/3600 for sure, but I am sure there are others) and create a VPN tunnel back to the main office. If configured correctly this should get you what you need. I personally have not done it this way, but I think it can work. If you want a definite, then get a 3002 VPN Hardware Client behind that router, and if you can establish a tunnel using Network Extension Mode then you are golden. All PCs behind the 3002 will actually be logging on to the Windows domain at the central site, and all of your scripts will work.

I just read the part about needing 1000 of these units. If the telco gives you some sort of device that you can terminate your ADSL connection on an Ethernet port, then bring the ADSL into the remote site with Ethernet, hook up a 3002 hardware VPN client and get a 5000 series concentrator at the central site. That would be the cheapest way, I think. You could do this with a firewall as well, but I like the concentrator for this type of application. If budget permits, you could put a small PIX in front of the VPN client at each location as well for added security.

aforjeh
Level 1

Sounds more like the problem is with name resolution than blocked ports etc. You mention you can ping IPs or use LMHOSTS to resolve names; however, are you adding PDC records to LMHOSTS? If not, you may have logon issues like this...

Try setting up WINS at your primary site and making sure the remote hosts are set up to use it for name resolution (that's if you're using NT4; Win2K just uses DNS). Once this is up and working you don't need to edit LMHOSTS, and it should prevent any problems like those you mentioned.

You also want to use a VPN between your sites; computers on an NT domain will be unhappy if they have limited access to each other (i.e. file shares won't work properly, hence no access to SYSVOL where logon scripts are held).
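As an added illustration of the PDC-record point above (this is not from the original thread or from the poster), here is what a branch PC's LMHOSTS file (%SystemRoot%\System32\drivers\etc\lmhosts on NT4) would need to carry so that the NetLogon client can locate the domain controllers across a routed link rather than by local broadcast. The addresses, host names and the domain name CORP are made up for the example.

```text
# Constructed example LMHOSTS for a branch-office NT4 workstation.
# All addresses, machine names and the domain name are assumed values.

# A plain name-to-address entry is enough to map drives by name
# (net use X: \\FILESRV01\share) but says nothing about the domain,
# so the logon request still goes out as a subnet broadcast and never
# reaches a DC on the other side of the router.
192.0.2.20    FILESRV01

# #DOM:<domain> is the piece that is usually missing: it registers the
# host as a domain controller for CORP in the client's domain name cache,
# so NetLogon sends its logon datagram (UDP 138) directly to these
# addresses instead of broadcasting. #PRE preloads the entry into the
# NetBIOS name cache at startup. Both keywords are case-sensitive.
192.0.2.10    PDC01         #PRE  #DOM:CORP
192.0.2.11    BDC01         #PRE  #DOM:CORP

# #PRE entries belong at the end of the file: they are read once at
# startup, while non-cached lookups parse the file top to bottom, so the
# ordinary entries should come first.
```

After saving the file, `nbtstat -R` purges and reloads the name cache from LMHOSTS and `nbtstat -c` should then list PDC01 and BDC01 as preloaded; if `net use \\PDC01\netlogon` works from the branch PC but the logon script still does not run, check that the router passes NetBIOS over TCP/IP in both directions (UDP 137 and 138, TCP 139), since #DOM only fixes where the request is sent, not whether it gets there. With WINS in place as the post suggests, the DCs register their domain entries themselves and the #DOM lines become unnecessary.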

ncorder
Level 1

Use a PIX 501 for a VPN endpoint. The standard license is 10 users, but you can expand that to 50 or unlimited depending on the size of your remote sites.