Friday, December 12, 2008

Connecting remote network locations

One of the requirements of an IT Manager working for an organization with remote locations is knowing how to connect the networks from each site. It’s really not a big deal. You just put a VPN between them. It’s very simple as long as you have sufficient bandwidth and know how to secure the connections with a good firewall. Everyone knows how to program firewalls, right?

My first experience in connecting two sites was back in the old Novell days. You remember Novell, don’t you? They made one of the first server operating systems designed for PC-based networks, called NetWare. There are still a lot of long-running Novell servers in small businesses out there even though Novell lost the majority of the market share to Microsoft back in the 90’s.

We used Arcnet back in the day – a coax-based network running at 2.5 Mbps with active hubs every 2,000 feet. That’s why we used Arcnet instead of early Ethernet – which was limited to about 600 feet per segment. We had multiple warehouses in a small business complex that needed every bit of the distance Arcnet provided. It’s hard to believe that we built that over twenty years ago.

Connecting international sites

Almost every company I’ve worked for since then has had multiple locations, both in their local campus and with locations in distant cities, some international. For the companies that had sites within a metropolitan area we used Frame Relay, an inexpensive way of sharing the public phone network to provide PVCs – permanent virtual circuits – to each of our offices in the city.

For the international sites, we used 56K dial-up. Yep, you could network two Novell LANs via dial-up for the purpose of exchanging files and email on a demand basis. This was before the days when there was an ISP in every city to provide the connection. The demand became so constant that the long-distance calls from our Mexico plants were sometimes twelve hours a day.

Once Internet Service Providers finally came to the Mexican cities where we had our plants, we dumped the expensive long-distance calls and began setting up point-to-point VPNs. They were still over the 56K dial-up modems, so they always seemed to be dropping the connection. I am sure it had something to do with the quality of the wiring infrastructure in Nogales and Mexicali.

From dial-up to DSL

When DSL finally came to Mexico, we at last had a halfway reliable method of connecting our two networks. You may wonder why we didn’t do leased 56K lines or T1’s. Remember, this is small business we’re talking about. International leased lines back in the 90’s were thousands of dollars a month. This was also right about the time we were dumping Novell for Microsoft NT.

Connecting remote sites these days is a piece of cake. As long as each location has a high speed connection to the internet, you can share files on servers and send email back and forth all day and night without it costing an arm and a leg. The only real concern is security in connecting your private business locations to the public internet. That’s why you need a good firewall.

We used to use Cisco PIX firewalls but we have switched to Juniper NetScreens, mainly because they are easier to program and support more features for less money. Cisco to me is like the way IBM was just before they finally got out of the PC business. They have a huge support structure in place and have to charge more for the same features, giving smaller competitors an advantage.

Bandwidth and sharing data

Bandwidth is a critical part of a good VPN connection. It’s not so much the downlink speed as it is the uplink speed: whatever the other site pulls from your servers is limited by your uplink, not your downlink. Many people don’t realize that and try to go with a cheap DSL at 768 Kbps down and 128 Kbps up. Don’t do that. Get the 3 Mbps down with at least 512 Kbps up. Get more if they offer it. We pay $65 a month for our 3 Mbps DSL line as a backup to our symmetrical T1.

Working at the airport is kind of like being on a campus. Although we have fiber between most of our hangars, some are just too far away or across a runway. We couldn’t very well dig up the runway to lay fiber so we opted to use the public network. Connecting a hangar 4,200 feet away is no different than connecting a remote office across the county or on the far side of the world.

As long as both locations have a good Internet connection you can make it look like a server at the other location is in a closet down the hall. This is especially true if you implement DFS – Distributed File System – whose replication keeps a local copy of shared files on each server in a Microsoft network. The replication is fault tolerant, fast and reliable even over slow WAN connections.

The VPN makes it happen

DFS is not intended to be used in a collaborative environment where multiple users might have the same file open, making changes at the same time. Just like you would not have two people working on the same spreadsheet on a local network, don’t expect DFS to provide file or record locking capabilities. For that, you need a true shared database application like MS SQL server.

For our new hangar we simply created the VPN between our two firewalls, joined the servers at the remote location to the domain and began the replication process. Our remote employees are able to log in to a local server and have access to shared files at local speeds. We also employ Cached Exchange Mode on their Outlook client to create the local copy of their company email.

The VPN – Virtual Private Network – allows the administrator to perform maintenance on the remote servers and workstations as if they were onsite, because they are inside our network. We use Remote Desktop extensively to provide that support. The sensitive data that flows between our corporate office and our remote locations is secure in transit because the tunnel between the two firewalls encrypts it. The tunnel protects the data only while it crosses the Internet; once a remote host is inside the network it is trusted like any other, so it needs the same patching and access controls as the servers at headquarters.

Microsoft technology employed

Where remote employees need to run client-server applications that don’t perform well over WAN distances, we use Microsoft Terminal Services. Our Flight Operations software and our accounting software both use this technology. Employees run their client on a server at the corporate office that is on the local LAN. It uses the same technology as Remote Desktop.

Our new hangar is 110% energy efficient meaning that the electricity it produces from the solar panels is more than sufficient to meet the needs of the electrical systems we have there. We are able to return 10% of the electricity to the city grid. The cameras on the security system are also available to our local authorized network users and are shared for executive home viewing.

Ordinarily I would not mention details like this from our new hangar but the company has gone public with it so if you would like to know more, you can read about it and view it online. We are very proud of the fact that it is the first platinum LEED certified aircraft hangar in the world. My part in the construction was minimal. I just made sure we are well connected and secure.

Friday, January 11, 2008

VPNs and Remote Desktop from home to office

More and more employees are working from home these days. That means they use Remote Desktop and need a VPN. Oh there are other ways, but I'm not going to allow employees to use GoToMyPC.com or logmein.com on my network. Sorry, I'm responsible for security so I'll control that access myself, thank you very much.

I don't even like to use pcAnywhere. I mean, why should you pay for something that is built in to Windows - Remote Desktop? The thing that makes it all work is the VPN. A virtual private network is just a secure method of getting through the company firewall. It's not a big deal to set up a VPN and Remote Desktop. I've done it dozens of times.
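Saying that GoToMyPC and LogMeIn are not allowed on the network is one thing; knowing whether anyone is using them anyway is another. The check a practitioner would want is a scan of the egress log (proxy or firewall) for connections to those services. The script below is an added example, not code from the original post. It parses a handful of constructed Squid-style access-log lines (not a real log), pulls the destination host out of each request, and matches it against the two domains the post names. The log format, the client addresses and the hit list are all assumptions for the example; the matching rule is deliberately exact-or-subdomain so that a lookalike such as notlogmein.com does not trigger a false alarm.

```python
from urllib.parse import urlsplit

# Services the post names as not allowed; extend as local policy requires.
UNSANCTIONED = ("gotomypc.com", "logmein.com")

# Constructed Squid-style access.log lines (not a real log). Fields:
# timestamp elapsed client action/code bytes method url user hierarchy type
SAMPLE_LOG = """\
1229076000.101 120 192.168.1.42 TCP_TUNNEL/200 5120 CONNECT secure.logmein.com:443 - HIER_DIRECT/10.0.0.1 -
1229076001.220 35 192.168.1.17 TCP_MISS/200 8211 GET http://www.example.com/index.html - HIER_DIRECT/10.0.0.2 text/html
1229076002.410 90 192.168.1.42 TCP_TUNNEL/200 2300 CONNECT www.gotomypc.com:443 - HIER_DIRECT/10.0.0.3 -
1229076003.005 40 192.168.1.60 TCP_MISS/200 1024 GET http://notlogmein.com/ - HIER_DIRECT/10.0.0.4 text/html
1229076004.900 60 192.168.1.60 TCP_TUNNEL/200 4096 CONNECT GoToMyPC.com:443 - HIER_DIRECT/10.0.0.5 -
"""


def hostname_from(url):
    """Extract the lower-cased host from a GET URL or a CONNECT 'host:port'."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def matches_domain(host, domain):
    """Exact or subdomain match only: 'notlogmein.com' must not match 'logmein.com'."""
    return host == domain or host.endswith("." + domain)


def find_unsanctioned(log_text):
    """Return (client, host, matched_domain) for every request to a banned service."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than guess
        client, url = fields[2], fields[6]
        host = hostname_from(url)
        for domain in UNSANCTIONED:
            if matches_domain(host, domain):
                hits.append((client, host, domain))
                break
    return hits


def offenders(log_text):
    """Map each client IP to the sorted list of banned hosts it reached."""
    by_client = {}
    for client, host, _ in find_unsanctioned(log_text):
        by_client.setdefault(client, set()).add(host)
    return {client: sorted(hosts) for client, hosts in by_client.items()}


if __name__ == "__main__":
    for client, hosts in offenders(SAMPLE_LOG).items():
        print(client, "->", ", ".join(hosts))
```

Run it against a real access log by reading the file into find_unsanctioned; the per-client summary from offenders is what you would actually follow up on, since one CONNECT to a remote-access service is usually a person, not a stray packet.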

That's why I was really frustrated when our HR manager could not get it set up following the standard instructions that have worked for every other employee that has needed it. Now I don't give remote access to just anybody. They have to have a job that requires it or just can't get enough of work so they take it home with them.

I must have spent four or five hours working on this issue over several months. We tried everything. Sometimes the VPN would connect but the majority of the time it wouldn't. We could never get Remote Desktop to work when the VPN said it was working. So I did something I rarely do - I offered to make an on-site visit to her home to get it working.

Of course the HR Manager was overjoyed. She had shared her frustration with her husband, who happens to have his own business and his own computer guy. She suggested that the other computer guy meet us there. All we needed to have a full complement of tech guys was to invite a tech from AT&T to join us. It turns out we didn't need him.

The router was set up to get its IP address using DHCP. That's not a problem - either DHCP or static works fine and has worked for lots of other employees. The only problem was the gateway it was getting - 192.168.0.1. I would have expected an outside address from the ISP. So we got into the SpeedStream modem at that address. Ah ha! It was running PPPoE.

I've noticed this on a few modems set up by SBC (now AT&T) here in Southern California. My first thought was to change the IP address of the modem to 192.168.1.1. The DHCP on the router was handing out addresses in that range so it only made sense to make the modem the first address in that subnet. We decided to try something else instead.

The modem can run PPPoE, pass-through PPPoE or can be put into a complete bridge mode. We used the second option because the WRT54G router can also be programmed for PPPoE. It worked! The funny thing is that the modem reports that it has no connectivity. I suppose that's because its PPPoE circuitry has been bypassed. Whatever - it works.
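The tell in this story is the private gateway address on the router's WAN port: a modem handing out 192.168.0.1 is routing and NATing in front of the router, so the VPN and Remote Desktop traffic gets translated twice. That is a check you can script instead of rediscovering it at someone's kitchen table. The code below is an added example, not from the original post. Given what DHCP handed the router's WAN port and the router's own LAN subnet (the WAN address 192.168.0.2 and the LAN 192.168.1.0/24 are assumptions; the post only gives the gateway), it flags the double NAT and also the subnet-overlap trap you would fall into by renumbering the modem to 192.168.1.1 while the router's LAN is 192.168.1.0/24.

```python
import ipaddress

# RFC 1918 private ranges. A router whose WAN side lands in one of these is
# sitting behind another NAT device, i.e. the modem is routing too.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def diagnose_wan(wan_ip, wan_gateway, lan_network):
    """Classify a home router's upstream path from what DHCP gave its WAN port.

    Returns a list of finding codes:
      DOUBLE_NAT     - WAN address or gateway is private, so the modem is
                       NATing in front of the router.
      SUBNET_OVERLAP - WAN side sits inside the router's own LAN subnet, so
                       the router cannot tell LAN from WAN traffic.
      OK             - nothing suspicious on the WAN side.
    """
    wan = ipaddress.ip_address(wan_ip)
    gw = ipaddress.ip_address(wan_gateway)
    lan = ipaddress.ip_network(lan_network, strict=False)
    findings = []
    if is_rfc1918(wan) or is_rfc1918(gw):
        findings.append("DOUBLE_NAT")
    if wan in lan or gw in lan:
        findings.append("SUBNET_OVERLAP")
    return findings or ["OK"]


# What to do about each finding (the fixes the post ended up using).
ADVICE = {
    "DOUBLE_NAT": "Put the modem in bridge or PPPoE pass-through mode and run "
                  "PPPoE on the router so the router holds the public address.",
    "SUBNET_OVERLAP": "Renumber so the modem's LAN and the router's LAN are "
                      "different subnets; do not make the modem the .1 of the "
                      "router's own subnet.",
    "OK": "Router holds a public address; look elsewhere (firewall rules, "
          "VPN client settings).",
}


def recommend(wan_ip, wan_gateway, lan_network):
    """Advice strings for every finding, in the order found."""
    return [ADVICE[f] for f in diagnose_wan(wan_ip, wan_gateway, lan_network)]


if __name__ == "__main__":
    # Constructed case from the post: router WAN got 192.168.0.x from the
    # modem (WAN address assumed), router LAN is 192.168.1.0/24 (assumed).
    for finding in diagnose_wan("192.168.0.2", "192.168.0.1", "192.168.1.0/24"):
        print(finding, "-", ADVICE[finding])
```

The WAN address and gateway come straight off the router's status page (or ipconfig on a PC plugged directly into the modem), so this takes a minute before anyone drives anywhere.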

Conclusion: Sometimes it just takes an on-site visit to make things work. I confess I've been spoiled over the past few years because I've been able to support all our remote locations via Remote Desktop without having to physically go there. I like that. Remote Desktop is the greatest single thing on Windows for an IT Manager with multiple locations to support.