In many organizations with several branches there is a need to combine the local area networks of the offices into a single corporate network. Connecting the networks increases business efficiency and reduces the costs that come with the remoteness of the offices. Joining the company's remote offices into one network solves the following tasks:

  • employees of all offices work in a single database (for example, 1C);
  • remote employees get access to the company's shared corporate resources over the Internet (remote network access);
  • fast and convenient data exchange between employees of remote offices.

The networks are connected over the public Internet, so the security of the interconnection and the confidentiality of the transmitted data become pressing issues. VPN (Virtual Private Network) technology is used to connect two networks securely over public communication channels.

Setting up VPN (Virtual Private Networks)

A VPN (Virtual Private Network) set up between company offices (joining their networks) provides encryption and authentication of the transmitted data. Depending on the customer's needs and the existing IT infrastructure, the VPN can be built on a software or a hardware platform. A fairly common approach is a software package which, besides implementing the VPN itself, also acts as a firewall and filters network traffic.

Remote access to a computer

Although the topic is well worn, many people still run into difficulties with it, whether a novice system administrator or just an advanced user whose boss has made him the resident "press-any-key" helpdesk person. Paradoxically, despite the abundance of information on VPN, finding a clear write-up is a real problem. One even gets the impression that one person wrote it and everyone else brazenly copied the text. As a result, search results are literally littered with useless information from which the worthwhile parts can rarely be extracted. So I decided to chew through all the nuances in my own way (maybe it will come in handy for someone).

So what is a VPN? VPN (Virtual Private Network) is a generic name for technologies that allow one or more network connections (a logical network) to be provided on top of another network (including the Internet). Depending on the protocols used and the purpose, a VPN can provide three types of connection: host-to-host, host-to-network and network-to-network. As they say, no comment.

Typical VPN scheme (figure)

A VPN makes it easy to attach a remote host to a company's local network or to another host, and to join networks into one. The benefit is obvious: from a VPN client we get easy access to the enterprise network. In addition, a VPN protects your data through encryption.

I do not pretend to describe all the principles of VPN operation to you, since there is plenty of specialized literature and, to be honest, there is a lot I do not know myself. However, if you have been handed a "Do it!" task, you need to get into the topic urgently.

Let's consider a task from my own practice, when two offices had to be joined via VPN: the head office and a branch. The situation was complicated by a video server at the head office that had to receive video from an IP camera at the branch. That's the task in a nutshell.

There are many ways to solve it. It all depends on what you have at hand. In general, a VPN is easy to build on a hardware solution based on various Zyxel routers. Ideally, it may turn out that the Internet at both offices comes from the same provider, and then you will have no problems at all (just ask the provider). If the firm is rich, it can also afford Cisco. But usually everything is solved in software.

And here the choice is wide: OpenVPN, WinRoute (note that it is paid), operating system tools, programs like Hamachi (to be honest, in rare cases it can help out, but I don't recommend relying on it: the free version is limited to 5 hosts, and another significant drawback is that your whole connection depends on the Hamachi host, which is not always good). In my case the ideal would be OpenVPN, a free program that can easily create a reliable VPN connection. But we, as always, will take the path of least resistance.

In my branch, Internet access is shared through a gateway running a client (desktop) edition of Windows. I agree, not the best solution, but enough for three client machines. I need to turn this gateway into a VPN server. Since you are reading this article, you are probably new to VPN, so I am giving the simplest example, which in principle suits me.

Windows of the NT family already has rudimentary server capabilities built in, and setting up a VPN server on one of the machines is not difficult. I will use Windows 7 screenshots for the server, but the general principles are the same as for old XP.

Please note that in order to connect two networks, they must use different address ranges! For example, the head office can use 192.168.0.x and the branch 192.168.20.x (or any other private range). If both sites sit on the same range, a host will treat the other site's addresses as local and never send the packets into the tunnel. This is very important, so be careful. Now you can start the setup.
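To make the "different ranges" rule something you can check rather than something you have to remember, here is an added example in Python (not from the original article) that validates an addressing plan before you touch any settings. The 192.168.0.x / 192.168.20.x split is the one used above; the site names, the /27 client pool and the `server_site` parameter are assumptions made for the example.

```python
"""Added example (not the article's own code): check that the address ranges
of the sites being joined, plus the pool the VPN server hands to dial-in
clients, do not overlap. Sample data below is constructed."""
import ipaddress
from itertools import combinations


def find_overlaps(sites):
    """Return sorted (name_a, name_b) pairs of site prefixes that overlap.

    `sites` maps a site name to a CIDR string. An overlap between two sites
    means a packet for the other site may be delivered on the local LAN
    instead of being routed into the tunnel.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in sites.items()}
    return sorted(
        (a, b)
        for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2)
        if net_a.overlaps(net_b)
    )


def check_plan(sites, client_pool, server_site):
    """Validate an addressing plan for a site-to-site / dial-in VPN.

    - every pair of sites must be disjoint;
    - the pool the VPN server assigns to connecting clients may be carved out
      of the server's own LAN (`server_site`, an assumed parameter), but must
      not touch any other site.
    Returns the list of clashes (empty when the plan is clean).
    """
    clashes = find_overlaps(sites)
    pool = ipaddress.ip_network(client_pool, strict=True)
    for name, cidr in sorted(sites.items()):
        if name != server_site and pool.overlaps(ipaddress.ip_network(cidr)):
            clashes.append(("client-pool", name))
    return clashes


# Constructed sample data. The two site prefixes follow the article; the
# 32-address client pool inside the branch LAN is an assumption.
SITES = {"head-office": "192.168.0.0/24", "branch": "192.168.20.0/24"}
CLIENT_POOL = "192.168.20.192/27"

# A plan where the branch was left on the same default range as the head office.
BAD_SITES = {"head-office": "192.168.0.0/24", "branch": "192.168.0.0/24"}

if __name__ == "__main__":
    print(check_plan(SITES, CLIENT_POOL, "branch"))       # clean plan: []
    print(check_plan(BAD_SITES, CLIENT_POOL, "branch"))   # [('branch', 'head-office')]
```

Run it before handing out addresses; the same check catches the subtler case where a branch sits on a supernet such as 10.0.0.0/8 that silently swallows another site's 10.20.0.0/16.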

On the VPN server, go to Control Panel -> Network and Sharing Center -> change adapter settings.

Now press the Alt key to bring up the menu bar. In the File menu, select "New Incoming Connection".

Tick the users who are allowed to connect via VPN. I strongly recommend adding a new dedicated user, giving it a recognizable name and assigning it a strong password.

In the next window you choose how users will connect; tick "Through the Internet". All that remains is to assign the virtual network address range, which also determines how many computers can take part in the data exchange. In the next window select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties":

You will see what I have in the screenshot. If you want the client to reach the local network where the server sits, simply tick "Allow callers to access my local area network". Under "IP address assignment" I recommend specifying the addresses manually, following the principle described above. In my example I gave the range only twenty-five addresses, although I could have given just two, or all 255.

After that, click on the "Allow Access" button.

The system creates a VPN server that then sits waiting for someone to connect to it. Note that what Windows creates here is, in practice, a PPTP server: it listens on TCP port 1723 and carries the tunnelled traffic over GRE (IP protocol 47). PPTP with MS-CHAPv2 authentication is cryptographically weak and not suitable where the confidentiality of the traffic actually matters; treat it as the quick option it is.

Now the only thing left is to configure the VPN client. On the client machine, also go to the Network and Sharing Center and select "Set up a new connection or network". Then choose "Connect to a workplace".

Click "Use my Internet connection (VPN)" and you are taken to a window where you enter the address of our Internet gateway at the branch. For me it looks like 95.2.x.x

Now you can name the connection, enter the username and password you created on the server and try to connect. If everything is right, you will be connected. In my case I can already ping any computer in the branch and query the camera. Hooking it up to the video server is now easy. Your case may differ.

Sometimes error 800 pops up on connection, indicating that the connection could not be established. This is a firewall issue on either the client or the server. I can't tell you anything more specific; it is all worked out by experiment. (For PPTP this typically means that TCP port 1723 or the GRE stream, IP protocol 47, is being blocked or not forwarded somewhere on the path, by a firewall or a NAT router that does not pass GRE.)

That's how unpretentiously we created a VPN between two offices. Gamers can be connected in the same way. But don't forget that this is still not a full-fledged server, and it is better to use more advanced tools, which I will cover in the following parts.

In particular, in Part 2 we will look at configuring OpenVPN for Windows and Linux.

The main goal of combining office local area networks is to provide transparent access to the geographically distributed information resources of the organization. Consolidating the office networks solves the following common tasks:

  • use a single numbering plan for the office PBX;
  • authorize users' access to resources (shared folders, intranet site, e-mail, etc.) regardless of their current location;
  • give employees secure access to resources located in different offices (for example, let them work with a 1C:Enterprise server installed in one of the offices);
  • work on a remote computer through terminal access (remote desktop);
  • improve the efficiency and responsiveness of technical support by remotely managing computers, servers and other equipment, and by making effective use of the built-in Windows tool for assisting users, Remote Assistance.

Methods for Implementing Office Network Aggregation

To join the local networks of offices and remote branches, virtual private network (VPN) technology is used. It is designed for the cryptographic protection of data transmitted over computer networks. A virtual private network is a set of network connections between several VPN gateways that encrypt the network traffic passing between them. VPN gateways are also called cryptographic gateways or crypto gateways.

There are two methods for building a single secure corporate network of an organization:

  1. using the equipment and the corresponding set of services of the Internet provider;
  2. using own equipment located at the head office and branches.

VPN and services provided by the ISP

This solution is applicable when the head office and the branches are connected to the Internet through the same ISP. If the company's branches are spread across different cities, let alone different countries, it is unlikely that a single provider can deliver the required level of service, and even less likely at a reasonable price.

If your offices are within the same city, check with your ISP to see if they can connect your office LANs into a single network. Perhaps this solution will be optimal for you in terms of cost.

Consolidation of networks of offices and branches on their own

The method of joining two networks with VPN technology is called "Peer-to-Peer VPN" or, more commonly in the English-language literature, "site-to-site VPN". A "transparent encryption" mode is set up between the two networks: hosts on either side address each other directly, and the gateways encrypt the traffic in transit. IPsec is the most commonly used protocol for encrypting and carrying this traffic over IP networks.

To set up VPN connections (VPN tunnels) between the central office and the branches of small companies, we recommend hardware Internet gateways (firewalls) with built-in VPN support. Examples of such gateways are ZyXEL ZyWALL, Netgear firewalls, Check Point Safe@Office, and so on. This class of product is intended for small companies with roughly 5 to 100 employees. These devices are easy to set up, highly reliable and sufficiently fast.

At the head office, software-based integrated network security solutions are often installed, such as "Microsoft Internet Security and Acceleration Server 2006" (Microsoft ISA 2006), Check Point Express, Check Point VPN-1 Edge, and others. Managing these products requires highly skilled staff, who are usually either on the head-office payroll or hired from an outsourcing company.

Regardless of the equipment used, the general scheme for building a Peer-to-Peer VPN that securely joins the local networks of remote offices into a single network is as follows (see figure):

It should also be noted that there are specialized hardware crypto gateways, such as the Cisco VPN Concentrator, "Continent-K", etc. They are aimed at the networks of medium and large companies where high throughput is needed when encrypting network traffic, or where there are special requirements, for example encryption in accordance with GOST ("Continent-K").

What to look for when choosing equipment

When choosing equipment for building a virtual private network (VPN), pay attention to the following properties:

  1. the number of simultaneously supported VPN tunnels;
  2. performance (encrypted throughput);
  3. the ability to filter network traffic inside the VPN tunnel (not every Internet gateway implements this);
  4. support for QoS (quality of service), which is very useful when carrying voice traffic between the networks;
  5. compatibility with the existing equipment and the technologies already in use.

Hardware solutions

Advantages of solutions built on low-cost hardware Internet gateways

  • low cost;
  • high reliability (no disks to back up, and a power outage does not break anything);
  • ease of administration;
  • low power consumption;
  • small footprint, can be installed anywhere;
  • depending on the chosen platform, additional services can be enabled on the VPN gateway (anti-virus scanning of Internet traffic, attack and intrusion detection, etc.), which significantly raises the overall level of network security and reduces the total cost of a comprehensive network protection solution.

Disadvantages

  • the solution does not scale: more performance means replacing the unit outright;
  • less flexible configuration;
  • integration with Microsoft Active Directory (or LDAP) is generally not supported.

Software solutions

Benefits of software solutions

  • Flexibility;
  • Scalability, i.e. the ability to increase productivity as needed;
  • Tight integration with Microsoft Active Directory (Microsoft ISA 2006, CheckPoint)

Disadvantages

  • High price;
  • Complexity of administration.

Where to begin

Before you start choosing the hardware and software for a project to combine local office networks into a single network via VPN, you need the following information:

  1. The topology:
    • Meshed (fully connected): each site can automatically set up an encrypted connection with any other site;
    • Star: branches establish secure connections only with the central site;
    • Hub and Spoke: branches reach each other through the hub at the central site;
    • Remote Access: users and groups set up secure connections to one or more sites;
    • combinations of the above (for example, Star with Meshed Center: remote branches can exchange data with all members of the central VPN, which itself is fully meshed).
  2. The number of branches (how many simultaneous VPN connections the head-office equipment must support);
  3. The number of users in the central office and in each branch;
  4. What equipment and/or software is already in use in each branch (to take into account the possibility of reusing it);
  5. How each branch connects to the Internet: static or dynamic IP address assignment, channel speed (a branch with a dynamic address can initiate a tunnel but cannot be reliably addressed as a tunnel endpoint without dynamic DNS);
  6. The approach to information security management (network perimeter protection, anti-virus): centralized management of the head office and the branches by one security (system) administrator, or a separate system administrator in each branch.

To minimize the threat of penetration into the head-office network, pay due attention to protecting the branch networks as well. A VPN does not guarantee protection from intrusion if the branch networks are poorly protected: an attacker who gains unauthorized access to a branch network also gains access to the head-office information system, because the tunnel joins the two into a single network. This is exactly why the ability to filter traffic inside the tunnel (listed above among the selection criteria) matters: restrict what crosses the tunnel to the services the branch actually needs, rather than bridging the two LANs wholesale.
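An added example in Python (not the page's own code, and not tied to any particular gateway product) of what such tunnel-internal filtering looks like as a policy: a first-match rule list with default deny, evaluated against constructed sample flows. The 192.168.0.0/24 head office and 192.168.20.0/24 branch follow the page; the host addresses, the rule set and the sample flows are assumptions made for the example.

```python
"""Added example (not from the original page): a minimal first-match policy
evaluator showing what "filtering inside the VPN tunnel" means in practice.
Site prefixes follow the page; hosts, rules and flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src: str                  # source address of the packet opening a session
    dst: str                  # destination address
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR the flow must originate from
    dst: str                  # CIDR the flow must be headed to
    proto: str = ANY          # "tcp", "udp", "icmp" or ANY
    dports: Tuple[Tuple[int, int], ...] = ()   # inclusive (lo, hi) ranges; () = any port

    def matches(self, flow: Flow) -> bool:
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != ANY and self.proto != flow.proto:
            return False
        if self.dports:
            return flow.dport is not None and any(lo <= flow.dport <= hi for lo, hi in self.dports)
        return True


def evaluate(policy, flow):
    """First matching rule wins; with no match the tunnel denies by default.

    Returns (action, index_of_matching_rule); the index is None for the default.
    """
    for i, rule in enumerate(policy):
        if rule.matches(flow):
            return rule.action, i
    return "deny", None


def decisions(policy, flows):
    """Evaluate every flow in order and return just the actions."""
    return [evaluate(policy, f)[0] for f in flows]


HEAD_OFFICE = "192.168.0.0/24"          # from the page
BRANCH = "192.168.20.0/24"              # from the page
TERMINAL_SERVER = "192.168.0.10/32"     # assumed: the Terminal Services host running 1C
FILE_SERVER = "192.168.0.11/32"         # assumed: documents and mail
ADMIN_HOST = "192.168.0.50/32"          # assumed: head-office support workstation

# Least-privilege policy for traffic crossing the tunnel: everything the
# business case needs is listed explicitly, and nothing else may cross.
POLICY = [
    Rule("allow", BRANCH, TERMINAL_SERVER, "tcp", ((3389, 3389),)),         # RDP to the terminal server
    Rule("allow", BRANCH, FILE_SERVER, "tcp", ((445, 445), (993, 993))),    # SMB and IMAPS
    Rule("allow", ADMIN_HOST, BRANCH, "tcp", ((3389, 3389),)),              # support staff managing branch PCs
    Rule("allow", ADMIN_HOST, BRANCH, "icmp"),                               # ping for troubleshooting
]

# Constructed sample flows. The last three are what a compromised branch PC
# would try; none of them is needed for the 1C / documents / mail use case.
SAMPLE_FLOWS = [
    Flow("192.168.20.15", "192.168.0.10", "tcp", 3389),   # user opens an RDP session
    Flow("192.168.20.15", "192.168.0.11", "tcp", 445),    # user opens a shared folder
    Flow("192.168.0.50", "192.168.20.15", "tcp", 3389),   # admin connects to a branch PC
    Flow("192.168.20.15", "192.168.0.20", "tcp", 445),    # lateral move to an unlisted server
    Flow("192.168.20.15", "192.168.0.10", "tcp", 22),     # port not on the allow list
    Flow("192.168.20.15", "192.168.0.50", "tcp", 3389),   # branch -> admin host, wrong direction
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        action, idx = evaluate(POLICY, flow)
        print(f"{action:5} rule={idx} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Real gateways evaluate this statefully (reply packets of an allowed session are admitted automatically); what is modelled here is the decision on the packet that opens a session, which is where least privilege is enforced. The point of the three denied flows is that a compromised branch workstation can still reach the terminal server's RDP port and the file server's SMB port, but nothing else in the head office, which is all the business case requires.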

There are a number of solutions that customers are now asking for in particular. One of them is working remotely in 1C or other applications on the enterprise server. Imagine you have a server, and you need to give a director who is always on the road, or an accountant who works from home, the ability to work with its data and applications.

Below we describe a project we completed for a client with a head office in Moscow and three subdivisions in Yaroslavl (office, production and warehouse). Our task was to join the offices and subdivisions so that staff could work remotely in 1C installed on a server in Moscow, and could also work with documents and an e-mail server located in the central office. We also have to maintain the servers and computers in the remote subdivisions. In other words, we needed a single environment in which users can work with common documents (certificates, orders, invoices), keep the books online and use e-mail.

Work in 1C remotely

Each office and subdivision where more than one person works has a hardware VPN router installed. This is a device that, on the one hand, lets users access the Internet and, on the other, builds VPN channels. A VPN channel is a secure encrypted connection, a tunnel that lets your users exchange data freely while remaining inaccessible from outside. Such channels are built with the IPsec protocol, which provides a high level of cryptographic strength.

The figure shows a diagram of the connection of two offices.

Thus, with the help of two routers, we can provide communication between offices.

It would seem that you could just run 1C remotely and work. Alas! Remember that this channel runs over the Internet and therefore has a number of limitations:

  • you usually have to pay for traffic;
  • the speed of the Internet link, and therefore the bandwidth of the channel, is relatively low.

Running 1C over such a channel as if it were on the LAN gives the familiar "everything hangs" situation.

The problem is solved with terminal access. One of the servers in the central office, with substantial computing resources, is set up as a terminal server using the built-in Windows Terminal Services component. You need to install and configure this component, activate the Terminal Services licensing server and install the licenses. After that, install 1C on that server, and users can then work in 1C remotely inside a terminal session.

The terminal access technology means that all tasks that you run in the terminal are physically executed on a remote server, and only the image on the screen is transmitted to you. A user who launched 1C from Yaroslavl in the terminal may not know that 1C is working remotely on a server in Moscow.

What does this give us? Less traffic. Faster processing in the remote 1C database. The ability for people to work from anywhere on the planet with one 1C database, or with the same files.

But every barrel of honey has its fly in the ointment. Here it is that the quality, and the very possibility, of working in the terminal depends on the reliability of the Internet connection. Often the channel is good enough for browsing, but working in the terminal needs a truly reliable link. By reliability we mean not so much speed as the absence of packet loss. The radio channels used by many providers, for example, often give very high peak rates, but packet loss can reach 10%. In that situation the terminal session keeps dropping, and it is hard to work.

But in most cases we manage to establish working terminal access both to the remote 1C and to other applications. This lets our clients develop dynamically, minimize costs and keep their business processes running reliably.

Note that remote work in 1C has by now become a fairly common and mature technology which, with the right settings, is reasonably safe, and can be successfully performed within the .