Which versions of 7 for this network setup

[wcsjohn]

I run a small business with multiple locations. I need the following setup.

Main office: Quickbooks server and LAN (3 computers total)
2 remote offices: VPN to the Quickbooks server

Right now I have everything working with Vista Home Premium on all PC's, but am limited by the 1 active VPN connection to the server. I want to update all PC's to 7 but am unsure which versions I need. I have 2 copies of 7 Home Premium already from free upgrades, but I'm not sure if they network support is sufficient. Do I need Business for all PC's and 2008 for the server? And if 2008, which version? Thanks for the help.

 

[Jonathan_King]

Welcome!

Try this great tutorial for the differences between versions: http://www.sevenforums.com/tutorials/14422-compare-windows-7-editions.html

Hope this helps,
~JK

 

[ultraplanet]

It's been awhile but I didn't think Quickbooks server actually needed to be on a server.

Yea it doesn't look like a server is required according to this link....
System Requirements for QuickBooks 2010 and Enterprise Solutions 10

The only version of QuickBooks that is compatible with Windows 7 is QuickBooks 2010 (Pro, Premier, and Enterprise Solutions). Although QuickBooks 2009 and earlier versions will install successfully on Windows 7, Intuit's technical support for Windows 7 is limited to QuickBooks 2010 products only.

 

[chev65]

From what I have read about this, Windows Server 2003 web edition only allows one incoming VPN connection. The same for Win 7 VPN unless you use third party software like Cisco VPN or shrew.

The solution is to upgrade to Standard edition of Windows Server 2003 which has a limit of 1000 connections. Server 08 standard will do it also.

You can see it on the chart here if you scroll down to networking features.
http://www.winsupersite.com/showcase...3_editions.asp

Shrew just came out with a beta VPN client that might be worth trying. It will allow for multiple VPN connections when using Win 7 as the VPN server. Still in beta though and not completely stable from what I have read about it.
Shrew Soft Inc : Home

You can also use the Cisco VPN client on a Win 7 VPN but it needs to run in XP mode.

 

[zzz2496]

I personally suggest you use a different hardware for VPN access, leave the server for it's serving job alone...

VPN gateway is the front door of your network, if you put your server at your front door, either you're just plain mad or you don't know what you're doing...

I personally use Mikrotik routers as VPN gateways, it's small, light, very reliable, tons of features, and most of all, if you think that your network is compromised, just pull the router off the wall... You'd be isolated, but safe...

zzz2496

 

[wcsjohn]

It's been awhile but I didn't think Quickbooks server actually needed to be on a server.

Yea it doesn't look like a server is required according to this link....
System Requirements for QuickBooks 2010 and Enterprise Solutions 10

No, server is not required for QuickBooks, but I believe it is for the multiple VPNs, right?

I personally suggest you use a different hardware for VPN access, leave the server for it's serving job alone...

VPN gateway is the front door of your network, if you put your server at your front door, either you're just plain mad or you don't know what you're doing...

I personally use Mikrotik routers as VPN gateways, it's small, light, very reliable, tons of features, and most of all, if you think that your network is compromised, just pull the router off the wall... You'd be isolated, but safe...

zzz2496

The server is behind a gateway w/ firewall that passes through the VPN traffic. Is this not the safest way to do it? Would letting the gateway handle the VPN be a better option? If so, would I still need 7 Server for multiple VPNs?

And what about on the client side. Microsoft makes me think I need 7 Business to connect to any VPN server. True? Or is 7 Home Premium, which I already own for two of the PC's good enough?

 

[zzz2496]

Here's what I meant:

Server || Router/Gateway/Security Appliance <===> Internet

In this case, everything is fine, good, secure, BUT ONLY for those who tries to "test" your "Router/Gateway/Security Appliance". If you have a Web server behind the "Router/Gateway/Security Appliance", then everything that's connecting to your Web server will be filtered by the "Router/Gateway/Security Appliance".

Now the case changes IF you add VPN to the mix as such

The topology as seen from Internet:
Server/VPN Server || Router/Gateway/Security Appliance <===> Internet

The topology as seen from a VPN client
Server/VPN Server <==> Internet

Where is your firewall...? Firewalls doesn't block VPN connection attempt, you MUST allow it to go through the firewall so that VPN clients can connect to your Network. Let's say one of your user's password has been compromised, the "attacker" will directly connect to your "SERVER", your super precious "SERVER", where you keep ALL OF YOUR DATA. This fact alone is disturbing...

See what I mean?

I have this in my setup:

Server || Router/Gateway/Security Appliance/VPN Server <===> Internet

Now for whatever reason if I see a user, connected over VPN, but I see the person in front of me with his/her laptop turned off, all I need to do is turn off the router, it is the VPN server, so if it's off, I can still check my Server, is it compromised, check for anything missing, etc...

zzz2496

Edit: If you have a head office and a branch office, both should be connected to each other, I think you need a VPN tunnel, it's way simpler and way better. I have several tunnels setup for several clients of mine, connecting several branch offices to regional head offices. I use Mikrotik Router to connect each sites, including from my home to the head office (the head of regional head offices). Here's what my network looks like:

Home <====VPN Tunnel====> Head office <==== VPN Tunnel ===> Regional Head Office(s) <====VPN Tunnel ===> Branch Office(s)

I can access every client/server in this network as if I'm in my own WAN (not internet).
Everything is routed and filtered properly in every checkpoint by Mikrotik routers.

 

[ickymay]

The server is behind a gateway w/ firewall that passes through the VPN traffic. Is this not the safest way to do it? Would letting the gateway handle the VPN be a better option? If so, would I still need 7 Server for multiple VPNs?

And what about on the client side. Microsoft makes me think I need 7 Business to connect to any VPN server. True? Or is 7 Home Premium, which I already own for two of the PC's good enough?

you will need professional or ultimate if you wish to join a domain , home is very cut back and doesn't include gpedit which is where i would be setting all my policies

 

[RedBirdDad]

I agree with zzz2496. Use a router/gateway with a built in VPN server. The router is better equipped to handle it. IPSec VPN's will be the most secure. IPSec VPN's are very robust but aren't lightweight and it's processing overhead that you really don't want on the server.

 

[zzz2496]

I agree with zzz2496. Use a router/gateway with a built in VPN server. The router is better equipped to handle it. IPSec VPN's will be the most secure. IPSec VPN's are very robust but aren't lightweight and it's processing overhead that you really don't want on the server.

Or create a special "VPN Gateway/Server" appliance...

 

[RedBirdDad]

Yup.

 

[wcsjohn]

Edit: If you have a head office and a branch office, both should be connected to each other, I think you need a VPN tunnel, it's way simpler and way better. I have several tunnels setup for several clients of mine, connecting several branch offices to regional head offices. I use Mikrotik Router to connect each sites, including from my home to the head office (the head of regional head offices). Here's what my network looks like:

Home <====VPN Tunnel====> Head office <==== VPN Tunnel ===> Regional Head Office(s) <====VPN Tunnel ===> Branch Office(s)

I can access every client/server in this network as if I'm in my own WAN (not internet).
Everything is routed and filtered properly in every checkpoint by Mikrotik routers.

Yes, this is the case. I have a head office and two branch offices. Both branch offices need to access the head office. They really only need to be able to map one network drive.

Right now the main office is behind a D-Link router w/firewall, which is behind a 2Wire U-verse router in DMZplus mode. The D-Link is passing only PPTP through to the main PC. I'm guessing using a router with VPN server is the safer option?

I'm a bit confused as to the difference between this and a VPN tunnel. I thought that's what I had set up.

If the VPN server is in the gateway/router, do I still need Server 2008 for the head office? I'm assuming I do for more than one active VPN connection.

 

[wcsjohn]

you will need professional or ultimate if you wish to join a domain , home is very cut back and doesn't include gpedit which is where i would be setting all my policies

Is this new with 7? All my Vista Home Premium systems seem to talk to each other fine.

 

[zzz2496]

wcsjohn,

In my setup I have this:


[at Home] Mikrotik router A <====VPN tunnel=====> Mikrotik router B [at Head Office]

My computer only knows that it has Mikrotik router A as it's "Default Gateway". My Mikrotik router then have a VPN client embedded in it, and it connects to VPN server in Mikrotik Router B, so my router is a client to another router. I don't set anything about VPN on any of the PCs in any office/home. The routers is the one that will create the Tunnel by them selves. If the VPN tunnel for some reason got disconnected, it will act as if a cable got unplugged from it (the interface went down), and when the connection restored, it will redial by it self, everything automatic (and it has a very complete log for every kind of event, dial, redial, disconnected, etc). No VPN client, no nothing, you only know that Branch office is connected to Head office, period. This is a router to router comm link. How cool is that for an office

zzz2496

Edit: My routers costs around 150 USD, 2 sites = 300 USD, each site has 1 router, that's way cheaper than to buy and maintain individual VPN connections per computer per branch.

 

[zzz2496]

Edit: If you have a head office and a branch office, both should be connected to each other, I think you need a VPN tunnel, it's way simpler and way better. I have several tunnels setup for several clients of mine, connecting several branch offices to regional head offices. I use Mikrotik Router to connect each sites, including from my home to the head office (the head of regional head offices). Here's what my network looks like:

Home <====VPN Tunnel====> Head office <==== VPN Tunnel ===> Regional Head Office(s) <====VPN Tunnel ===> Branch Office(s)

I can access every client/server in this network as if I'm in my own WAN (not internet).
Everything is routed and filtered properly in every checkpoint by Mikrotik routers.

Yes, this is the case. I have a head office and two branch offices. Both branch offices need to access the head office. They really only need to be able to map one network drive.

Right now the main office is behind a D-Link router w/firewall, which is behind a 2Wire U-verse router in DMZplus mode. The D-Link is passing only PPTP through to the main PC. I'm guessing using a router with VPN server is the safer option?

I'm a bit confused as to the difference between this and a VPN tunnel. I thought that's what I had set up.

If the VPN server is in the gateway/router, do I still need Server 2008 for the head office? I'm assuming I do for more than one active VPN connection.

By the way, don't use "consumer" class network equipment for office use, especially when you have "special needs" like VPN.

zzz2496

 

[wcsjohn]

wcsjohn,

In my setup I have this:


[at Home] Mikrotik router A <====VPN tunnel=====> Mikrotik router B [at Head Office]

My computer only knows that it has Mikrotik router A as it's "Default Gateway". My Mikrotik router then have a VPN client embedded in it, and it connects to VPN server in Mikrotik Router B, so my router is a client to another router. I don't set anything about VPN on any of the PCs in any office/home. The routers is the one that will create the Tunnel by them selves. If the VPN tunnel for some reason got disconnected, it will act as if a cable got unplugged from it (the interface went down), and when the connection restored, it will redial by it self, everything automatic (and it has a very complete log for every kind of event, dial, redial, disconnected, etc). No VPN client, no nothing, you only know that Branch office is connected to Head office, period. This is a router to router comm link. How cool is that for an office

zzz2496

Edit: My routers costs around 150 USD, 2 sites = 300 USD, each site has 1 router, that's way cheaper than to buy and maintain individual VPN connections per computer per branch.

That is cool. So if I understand you correctly, the remote branch office and head office both think they're on the same LAN and know nothing of the VPN connection, right?

Two questions about this method.

First, can the head office router maintain multiple VPN connections, or do you need a new router for each? I'm pretty sure you're going to say yes, but want to make sure.

Second, is there any need for Server 2003/8 using this method? Again, I'm pretty sure you're going to say no and the only OS requirements are 7 Business. Please say yes.

By the way, don't use "consumer" class network equipment for office use, especially when you have "special needs" like VPN.

zzz2496

I know. We're a "small company" moving to the realm of "not so small" and going through some growing pains. The move from consumer grade equipment to professional is happening, but taking time.

 

[wcsjohn]

Also, with these routers, is there a way to direct only the VPN traffic through the VPN connection, and allow general internet traffic through the regular ISP connection?

One more thing. Would you mind giving a sugestion for those Mikrotik routers? Their site looks to be a bit of a DIY sort of thing.

 

[zzz2496]

That is cool. So if I understand you correctly, the remote branch office and head office both think they're on the same LAN and know nothing of the VPN connection, right?

Yup, all they know that they are connected to each other.

Two questions about this method.

First, can the head office router maintain multiple VPN connections, or do you need a new router for each? I'm pretty sure you're going to say yes, but want to make sure.

Second, is there any need for Server 2003/8 using this method? Again, I'm pretty sure you're going to say no and the only OS requirements are 7 Business. Please say yes.

1. The Mikrotik Router I use (RB450) can maintain as much as 2000 VPN connection at a time, so that's way overkill for my purposes. Each branch needs to have a similar Mikrotik router (that is in my case, I think you can use other routers that have VPN client embedded in them, but I use Mikrotik routers for compatibility and manageability).
2. For creating and maintaining VPN connection, no server OS needed, everything is handled by the routers. So the answer is NO, no need 2k8/7 pro.

I know. We're a "small company" moving to the realm of "not so small" and going through some growing pains. The move from consumer grade equipment to professional is happening, but taking time.

You remind me of my current client

Also, with these routers, is there a way to direct only the VPN traffic through the VPN connection, and allow general internet traffic through the regular ISP connection?

One more thing. Would you mind giving a sugestion for those Mikrotik routers? Their site looks to be a bit of a DIY sort of thing.

1. The routers will know when you requested for "www.yahoo.com" and will direct your traffic to the "internet" interface accordingly. It will know which to use.

2. In my setup, I use many RB450/RB450G, google that...

 

[ultraplanet]

I have deployed these routers in the fashion being described here if you are looking for an alternative for Mikrotik. 3 branch offices connecting back to the main office....

Cisco RVS4000 4-port Gigabit Security Router - VPN - Cisco Systems

 

[wcsjohn]

1. The Mikrotik Router I use (RB450) can maintain as much as 2000 VPN connection at a time, so that's way overkill for my purposes. Each branch needs to have a similar Mikrotik router (that is in my case, I think you can use other routers that have VPN client embedded in them, but I use Mikrotik routers for compatibility and manageability).
2. For creating and maintaining VPN connection, no server OS needed, everything is handled by the routers. So the answer is NO, no need 2k8/7 pro.

I understand not needing server, but wouldn't I still need Pro?

You remind me of my current client

I should have said thanks for all the help earlier. Check your PMs.

1. The routers will know when you requested for "www.yahoo.com" and will direct your traffic to the "internet" interface accordingly. It will know which to use.

Thanks for using the technical terms. I ask because when using the built-in VPN server with Vista, ALL traffic from the branch office is routed through the main office. Not exactly speedy.

2. In my setup, I use many RB450/RB450G, google that...

Thanks. I'll take a look. They seem to have a lot of options. Not knowing anything about them, it's nice to have a place to start. We do have a pretty hefty QB datafile that needs to be read remotely, so speed is a concern. Although, I'm sure any of these routers is faster than our service speed (just Verizon fios at the head office).

I have deployed these routers in the fashion being described here if you are looking for an alternative for Mikrotik. 3 branch offices connecting back to the main office....

Cisco RVS4000 4-port Gigabit Security Router - VPN - Cisco Systems

Thanks for the optional suggestion. This forum is great.