Branch Office Access to Headquarters' Services

  • Question

  • We have a Headquarters with 6 Branch Offices.

    We have services, such as Exchange and VMWare View, that live on servers hosted at Headquarters.  These services are made available to the public Internet.

    While we do have an MPLS connecting all the sites, its bandwidth is small and expensive.  Meanwhile, each Branch Office has cheap, high bandwidth Internet connections.

    We are looking for a way to have all our Branch Offices' clients to reach these services via their Internet Connection rather than the MPLS.

    We use Active Directory Integrated DNS.  Subnet Mask Ordering will not fulfill our needs.  I know BIND has "views" that would fulfill our needs, but I'm hesitant to leave ADI DNS.

    Any solutions? 

    Tuesday, October 1, 2013 4:49 PM

All replies

  • Hi,

    If your branch office has internet connections to your Headquarters, then we could open those ports needed by those services. And then branch office users should be able to connect to those services.

    In addition, hope the below thread could be helpful:



    Yan Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Cataleya Li
    TechNet Community Support

    Wednesday, October 2, 2013 9:29 AM
  • To further clarify, the challenge stems from name resolution.  All of our Sites' DNS-clients use internal DNS Servers that share ADI Zones.  We have split-DNS for all our DNS Zones.

    Given that all our servers live at Headquarters, our goal is to have only Headquarters' computers use internal network routes to communicate to those servers, everyone else (including Branch Offices) should use the public Internet and connect through our DMZ servers (reverse-proxies, etc.).

    I know that if we were using BIND DNS servers, we could use "views".  Views do not exist in Windows Server DNS.

    I'm searching for someone in the community with a clever idea to handle this.

    Wednesday, October 2, 2013 1:17 PM
  • A bit extreme, but you could keep your MPLS as a failover only, and run everything through the Internet with a secure VPN between each branch office and the main office?

    If Internet fails, you switch everything to MPLS. If Internet works, why use the MPLS link?

    I do not know if this is a clever idea or not... ;-)

    Understanding XP Mode, the key to success

    Wednesday, October 9, 2013 10:00 PM
  • Thanks for the reply, Konnan.

    Yes, using our VPN tunnels as our primary site-to-site links was an option.  I neglected to mention another piece to our puzzle is that we want certain critical traffic (VoIP traffic, for example) to remain flowing over the MPLS, which makes this option a real challenge.

    I really wish Microsoft Windows Server DNS had the equivalent of BIND "views", rather than just netmask-ordering.  That would solve our problem.  We even considered implementing BIND servers to supplement our Windows DNS servers.

    The solution we ultimately have decided on is to use "split-DNS" on our Cisco routers at each branch office.

    Thursday, October 10, 2013 1:15 PM
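As an added illustration (not part of the thread, and not the poster's Cisco configuration), this is what the BIND "views" approach mentioned above looks like: Headquarters clients get the internal address of a server, while branch-office clients get the DMZ reverse-proxy address for the same name. The zone name, subnets and addresses are constructed placeholders.

```conf
// named.conf excerpt (constructed example). Placeholders:
//   10.0.0.0/16      Headquarters LAN
//   10.1.0.0/16 .. 10.6.0.0/16  the six branch-office LANs
//   10.0.5.20        internal Exchange server
//   203.0.113.10     DMZ reverse proxy reachable from the Internet
acl "hq-internal"     { 10.0.0.0/16; 127.0.0.1; };
acl "branch-offices"  { 10.1.0.0/16; 10.2.0.0/16; 10.3.0.0/16;
                        10.4.0.0/16; 10.5.0.0/16; 10.6.0.0/16; };

// Views are evaluated top to bottom; the first match-clients hit wins,
// so the most specific (Headquarters) view must come first.
view "internal" {
    match-clients   { "hq-internal"; };
    allow-recursion { "hq-internal"; };
    zone "example.com" {
        type master;
        file "zones/example.com.internal";
    };
};

view "branch" {
    match-clients   { "branch-offices"; };
    // Recursion is limited to known subnets so the server is never an
    // open resolver if an interface is ever exposed to the Internet.
    allow-recursion { "branch-offices"; };
    zone "example.com" {
        type master;
        file "zones/example.com.external";
    };
};

// ---- zones/example.com.internal (served only to Headquarters) ----
// $TTL 300
// @     IN SOA ns1.example.com. hostmaster.example.com. ( 2013100101 3600 900 604800 300 )
// @     IN NS  ns1.example.com.
// mail  IN A   10.0.5.20        ; direct internal route to Exchange

// ---- zones/example.com.external (served to branch offices) ----
// $TTL 300
// @     IN SOA ns1.example.com. hostmaster.example.com. ( 2013100101 3600 900 604800 300 )
// @     IN NS  ns1.example.com.
// mail  IN A   203.0.113.10     ; DMZ reverse proxy, reached over the Internet
```

Because the two zone files carry the same origin but different data, every record that differs between sites must be maintained in both, and serial numbers must be bumped independently; that maintenance burden is the usual reason to prefer router-side split-DNS, as the poster did, when the only goal is steering a handful of names.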
  • Hello again,

    I may be missing something, I'm no network expert, but what's preventing you from using a completely different VLAN for your VoIP with independent DNS servers if needed (that could be virtual)? That way you could route the VoIP VLAN through MPLS?

    Understanding XP Mode, the key to success

    Thursday, October 10, 2013 9:05 PM