Or you can wait till Windows Server 2003 which purportedly can create VPN's
using IPSEC/L2TP that can traverse NAT. Or did I not read the MS sales
literature closely enough.

Tom Sutherland
silver-lake resources

-----Original Message-----
From: Chris Weiscopf [mailto:chrisbamcom.net]
Sent: Monday, January 13, 2003 12:06 PM
To: 'Valentine M. Smith'; focus-mssecurityfocus.com
Subject: RE: AD replication over WAN

At the very least you can deploy a site to site VPN using Windows 2000
Routing and Remote Access Service. Open you LAN routers to pass the VPN
traffic, set up the site-to-site VPN in RRAS and set a static route in your
router pointing back to the server to reach the remote network. VPN
benefits with no additional hardware costs.

Chris Weiscopf
MCSE 2000, CCNA, Network+, A+
Uni-Point, LLC

-----Original Message-----
From: Valentine M. Smith [mailto:vmsmithgrokking.org]
Sent: Thursday, January 09, 2003 6:21 AM
To: focus-mssecurityfocus.com
Subject: AD replication over WAN

Hi,

I'm looking for some feedback from the community regarding the transfer of
AD
traffic over a public WAN.

The basic plan is this:

Single Win 2000 domain spread over two sites in different cities. Each site
has perimeter NAT device and are obscuring internal subnets with IP
addresses
provided by a single ISP. No internetwork VPN planned. DNS is AD-integrated
at both sites. Both DCs are patched to SP3.

The MS documentation I've consulted indicates that AD replication, and by
extension, DNS zone information that is AD-integrated is automatically
encrypted.

My question: if the data is already encrypted and is passing only across a
single ISP's network, should one be bothering with a router-router VPN
tunnel
for this traffic? IOW, would setting up such a tunnel for this data be
redundant/unnecessary or am I missing something important here? Would anyone

care to comment on the relative safety of AD encryption out-of-the-box?

Thanks in advance for any feedback,

VS

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]