Consolidation of offices into a single VPN network. Consolidation of remote offices. Network Aggregation Devices

There are a number of solutions that are now particularly in demand by clients. One of them is working in 1C or other applications remotely on an enterprise server. Let's imagine you have a server, and you need to provide the ability to work with data and applications to a director who is always traveling, or an accountant who works from home.

Below we describe a project we completed for a client with a head office in Moscow and three divisions in Yaroslavl (office, production and warehouse). We were tasked with connecting the offices and departments so that staff could work remotely in 1C installed on a server in Moscow, and could also work with the documents and the e-mail server located in the central office. We also had to maintain the servers and computers at the remote sites. In other words, we needed to create a unified environment in which users can work with shared documents (certificates, orders, invoices), keep records online and work with e-mail.

Working in 1C remotely

A hardware VPN router is installed in every office and department where more than one person works. This device lets users access the Internet and, at the same time, builds VPN channels. A VPN channel is a secure encrypted connection, a tunnel through which your users can freely exchange data while it remains inaccessible from the outside. Such channels are built with the IPsec protocol, which provides a high level of cryptographic strength.

The figure shows a diagram of the connection of two offices.

Thus, with the help of two routers we can provide communication between offices.

It would seem that you can now launch 1C remotely and work. Alas! Remember that this channel runs over the Internet and therefore has a number of limitations:

  • As a rule, you have to pay for traffic;
  • the Internet speed, and therefore the throughput of such a channel, is relatively low.

Launching 1C over such a channel gives us an “everything hangs” situation.

The problem is solved with terminal access. We configure one of the servers in the central office, one with substantial computing capacity, as a terminal server. The Terminal Services built into Windows are used for this. You must install and configure this component, activate the Terminal Services licensing server and install licenses. After that, install 1C on this server, and you can then work in 1C remotely in a terminal session.

Terminal access works as follows: all tasks that you run in the terminal are physically executed on the remote server, and only the screen image is transmitted to you. A user who launched 1C in a terminal session from Yaroslavl may not even know that 1C is running remotely on a server in Moscow.

What does this give? Reduced traffic. Faster processing in the remote 1C database. The ability for people to work from anywhere on the planet with one 1C database, or with the same files.

But every barrel of honey has its fly in the ointment. In this case, it is that the quality, and the very possibility, of working in the terminal depend on the reliability of the Internet connection. Often a channel is good enough for browsing the Internet, but working in the terminal needs a truly reliable connection. By reliability we mean not so much speed as the absence of packet loss. For example, the radio channels used by many providers often deliver very high peak speeds, but the packet loss rate can reach 10%. In this situation the terminal connection will be interrupted all the time and it will be difficult to work.

But in most cases we manage to set up terminal work with both remote 1C and other applications. This allows our clients to develop dynamically, minimize costs and ensure sustainable operation of business processes.

Note that remote work in 1C has now become a fairly widespread technology, sufficiently proven and, if properly configured, quite safe, and can be successfully implemented within the framework.

Although the topic is hackneyed, many people nevertheless have difficulties with it, be it a novice system administrator or simply an advanced user whose superiors forced him to act as the “any-key” helpdesk specialist. Paradoxically, despite the abundance of information on VPNs, finding a clear guide is a real problem. Moreover, one gets the impression that one person wrote it and the others brazenly copied the text. As a result, search results are literally cluttered with unnecessary information, from which something worthwhile can rarely be extracted. Therefore, I decided to chew through all the nuances in my own way (maybe it will be useful to someone).

So what is a VPN? VPN (Virtual Private Network) is a generic name for technologies that allow one or more network connections (a logical network) to be provided over another network (including the Internet). Depending on the protocols and purposes used, a VPN can provide three types of connections: host-to-host, host-to-network and network-to-network. As they say, no comments.

Stereotypical VPN scheme

VPN allows you to easily combine a remote host with the local network of a company or another host, as well as combine networks into one. The benefit is quite obvious - we can easily access the enterprise network from the VPN client. In addition, VPN also protects your data through encryption.

I don’t pretend to describe to you all the principles of VPN operation, since there is a lot of specialized literature, and to be honest, I don’t know a lot of things myself. However, if your task is “Do it!”, you urgently need to get involved in the topic.

Let's look at a problem from my personal practice, when I needed to connect two offices via VPN - a head office and a branch office. The situation was further complicated by the fact that there was a video server at the head office, which was supposed to receive video from the branch’s IP camera. Here's the task in brief.

There are many solutions. It all depends on what you have on hand. In general, a VPN is easy to build using a hardware solution based on various Zyxel routers. Ideally, it may also happen that the Internet is delivered to both offices by one provider, and then you will have no problems at all (you just need to contact the provider). If the company is rich, it can afford Cisco. But usually everything is solved with software.

And here the choice is wide - OpenVPN, WinRoute (note that it is paid), operating system tools, programs like Hamachi (honestly, in rare cases it can help out, but I don’t recommend relying on it - the free version has a limit of 5 hosts, and another significant disadvantage is that your entire connection depends on the Hamachi host, which is not always good). In my case, it would be ideal to use OpenVPN - a free program that can easily create a reliable VPN connection. But, as always, we will follow the path of least resistance.

In my branch, the Internet is distributed by a gateway running a client edition of Windows. I agree, not the best solution, but for three client computers it is enough. I need to make a VPN server out of this gateway. Since you are reading this article, you are probably new to VPN. Therefore, I give the simplest example, which, in principle, suits me.

The Windows NT family already has rudimentary server capabilities built in. Setting up a VPN server on one of the machines is not difficult. For the server, I will give examples with Windows 7 screenshots, but the general principles are the same as for old XP.

Please note that to connect two networks, their address ranges must be different! For example, at the head office the range could be 192.168.0.x, and at the branch 192.168.20.x (or any private IP range). This is very important, so be careful. Now you can start setting up.

On the VPN server, go to Control Panel -> Network and Sharing Center -> Change adapter settings.

Now press the Alt key to bring up the menu. There, in the File item, you need to select “New incoming connection”.

Check the boxes for the users who may log in via VPN. I highly recommend adding a new user, giving it a friendly name and assigning a password.

After you have done this, in the next window you need to select how users will connect. Check the box “Via the Internet”. Now you just need to assign a range of virtual network addresses; here you also choose how many computers can participate in data exchange. In the next window, select Internet Protocol Version 4 (TCP/IPv4) and click “Properties”:

You will see what I have in the screenshot. If you want the client to gain access to the local network in which the server is located, simply check the “Allow callers access to the local network” checkbox. In the “IP address assignment” section, I recommend specifying addresses manually according to the principle I described above. In my example, I gave the range only twenty-five addresses, although I could have specified two or 255.
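A small planning check for the two rules above (the two LANs must use different address ranges, and the pool handed to callers must not collide with either of them). This is an added example and not part of the article; it assumes the server sits in the branch LAN 192.168.20.0/24, the client in the head-office LAN 192.168.0.0/24, and a 25-address pool, all taken from the article's figures, and it uses only Python's standard ipaddress module:

```python
# Added example (not from the original article): sanity-check the address plan
# before building the tunnel. The two LANs must not overlap, everything must be
# RFC 1918 private space, and the caller pool must not collide with the LAN on
# the client side. The ranges are the article's examples; the 25-address pool
# is an assumption matching the author's "twenty-five addresses".
import ipaddress

# RFC 1918 private ranges ("gray" addresses in the article's terms).
PRIVATE_RANGES = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_net(net: ipaddress.IPv4Network) -> bool:
    """True if the whole network lies inside one RFC 1918 block."""
    return any(net.subnet_of(p) for p in PRIVATE_RANGES)


def check_plan(server_lan: str, client_lan: str, pool_start: str, pool_count: int) -> list:
    """Return a list of problems; an empty list means the plan is usable.

    server_lan / client_lan are CIDR strings. The VPN pool is pool_count
    consecutive addresses starting at pool_start (what the Windows wizard
    calls the address range for incoming connections).
    """
    problems = []
    server = ipaddress.ip_network(server_lan, strict=False)
    client = ipaddress.ip_network(client_lan, strict=False)
    pool = [ipaddress.ip_address(pool_start) + i for i in range(pool_count)]

    # Rule from the article: the two sites must not share an address range.
    if server.overlaps(client):
        problems.append(f"server LAN {server} and client LAN {client} overlap; "
                        "pick different ranges")
    for label, net in (("server LAN", server), ("client LAN", client)):
        if not is_private_net(net):
            problems.append(f"{label} {net} is not an RFC 1918 private range")
    if not all(a.is_private for a in pool):
        problems.append("VPN pool contains non-private addresses")
    # A pool inside the client's own LAN would be shadowed by the client's
    # directly connected route, so traffic never enters the tunnel.
    if any(a in client for a in pool):
        problems.append("VPN pool overlaps the client LAN; the client's own LAN "
                        "route would shadow the tunnel")
    # Callers are normally given addresses from the server-side LAN.
    if not all(a in server for a in pool):
        problems.append(f"VPN pool is not inside server LAN {server}; LAN hosts "
                        "will need a route back to the pool")
    return problems


if __name__ == "__main__":
    # Server at the branch (192.168.20.x), client at head office (192.168.0.x).
    print(check_plan("192.168.20.0/24", "192.168.0.0/24", "192.168.20.100", 25))
    # Both sites on the same range: the mistake the article warns about.
    print(check_plan("192.168.0.0/24", "192.168.0.0/24", "192.168.0.100", 25))
```

The last check matters for Windows incoming connections: when the pool is carved out of the server's own LAN, the server answers on behalf of the callers and LAN hosts reach them without extra routes; a pool from a different range works only if every LAN host, or the LAN's gateway, knows how to route back to it.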

After that, click on the “Allow access” button.

The system will automatically create a VPN server, which will sit and wait for someone to connect to it.

Now all that's left is to set up the VPN client. On the client machine, also go to the Network and Sharing Center and select “Set up a new connection or network”. Then select “Connect to a workplace”.

Click “Use my Internet connection (VPN)”, and a window appears where you need to enter the address of our Internet gateway at the branch. For me it looks like 95.2.x.x

Now you can name the connection, enter the username and password that you created on the server and try to connect. If everything is correct, you will be connected. In my case, I can already ping any branch computer and reach the camera. Now it is easy to connect it to the video server. Your setup may differ.

Alternatively, error 800 may pop up when connecting, indicating that something is wrong with the connection. This is a firewall issue on either the client or the server. I can’t tell you specifically - everything is determined experimentally.

This is how we simply created a VPN between two offices. Gamers can be connected in the same way. However, do not forget that this will still not be a full-fledged server, and it is better to use more advanced tools, which I will talk about in the following parts.

In particular, in Part 2 we will look at setting up OpenVPN for Windows and Linux.

Data exchange between remote departments of one organization always requires time and sometimes complex technical manipulations. Today, such inconveniences are quite easy to eliminate, which means you can increase the productivity of the enterprise as a whole by combining its branches and remote offices into a single infrastructure. This can be done realistically by combining offices into a common corporate network.

The Bit and Byte company offers setup of a single VPN network to all organizations with representative offices, including in other cities. After all, most often the specifics of their activities are such that branches have to exchange information every day and look into each other’s databases. Common software for all local networks is the most practical and rational way to organize the rapid exchange of information and the ability to remotely manage an enterprise.

What will you get by combining offices into a single network?

The service of combining offices into a single network involves the creation of a full-fledged network between two or more divisions (branches, offices) of one enterprise, which is created for the rapid exchange of protected information based on VPN protocols. In the current conditions of business development, such corporate networks are especially relevant, as they provide an opportunity to improve the management of an enterprise and its territorial branches.

By uniting all branches of your enterprise into a single network, you will be able to:

  1. manage a network of offices remote from each other via the Internet, gaining access to the equipment of each branch;
  2. create a central database and use it, which is very convenient for managing a network of offices;
  3. provide access to all departments to the internal resources of the enterprise without the risk of information losses.

Consolidating offices by creating a single network is not an expensive service. It can be configured at the main server level by purchasing additional VPN access points. Before the office networks are merged, you will be asked to check and process all information. This makes it possible to classify all data from the branches in order to protect it from hacking.

Consolidation of offices into a single network is beneficial

Today, more and more enterprises are resorting to combining office networks, and not only because it is convenient and safe. The purpose and objective of such an association is also the benefit received from such a service:

  • costs are noticeably reduced, because the need to maintain each office disappears, and the resources of the central server become available to each branch;
  • when obtaining a software license, the benefits are also noticeable;
  • all offices use each other’s information resources, regardless of where a particular branch is located;
  • there is no need for a large staff of technical specialists, because the vast majority of problems are solved remotely;
  • you will be able to conduct video conferences, seminars and meetings with all departments at the same time, and this is a significant time saving.

In addition, document flow between branches is as secure as possible, thanks to special data processing.

How to combine office networks

The main goal of combining local office networks is to provide transparent access to the organization's geographically distributed information resources. Consolidating office networks allows you to solve the following most common problems:

  • use a single numbering plan on an office PBX;
  • authorize users for access to resources (shared folders, intranet site, e-mail, etc.) regardless of their current location;
  • provide the organization's employees with secure access to resources located in different offices (for example, let employees work with a 1C Enterprise server installed in one of the offices);
  • work on a remote computer using terminal access (remote desktop control);
  • increase the efficiency and responsiveness of technical support thanks to remote management of computers, servers and other equipment, and effective use of the built-in Windows tool for providing assistance, Remote Assistance.

Methods for implementing the integration of office networks

In order to unite local networks of offices and remote branches, virtual private network technology is used - VPN (Virtual Private Network). This technology is intended for cryptographic protection of data transmitted over computer networks. A virtual private network is a collection of network connections between several VPN gateways that encrypt network traffic. VPN gateways are also called cryptographic gateways or crypto-gateways.

There are two methods for building a single secure corporate network of an organization:

  1. using equipment and the corresponding range of services of an Internet provider;
  2. using your own equipment located in the head office and branches.

VPN and services are provided by the Internet provider

This solution is applicable if the head office and branches are connected to the Internet through the same Internet provider. If the company's branches are scattered across cities, and even in different countries, there is hardly a provider who can provide you with the required level of service, and even at an affordable price.

If your offices are located within the same city, check with your Internet provider to see if they can combine the local networks of your offices into a single network. Perhaps this solution will be optimal for you in terms of cost.

Consolidation of networks of offices and branches on your own

The method of combining two networks using VPN technology is called “Peer-to-Peer VPN” or “site-to-site VPN” in English-language literature. A "transparent encryption" mode is established between the two networks. The IPSec protocol is most often used to encrypt and transmit traffic in IP networks.

To organize VPN connections (VPN tunnels) between the central office and branches of small companies, we recommend using hardware Internet gateways (firewalls) with built-in VPN support. An example of such gateways could be ZyXEL ZyWALL, Netgear Firewall, Check Point Safe@Office, etc. This class of products is designed for use in small companies with an average number of staff from 5 to 100 people. These devices are easy to configure, highly reliable and have sufficient performance.
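As an illustration of what such a site-to-site (Peer-to-Peer) IPsec tunnel looks like in configuration terms, here is an added example that is not from the article and not from any of the gateway vendors named above: a strongSwan swanctl.conf joining a head-office LAN 192.168.0.0/24 to a branch LAN 192.168.20.0/24 (the article's example ranges). The public addresses, the identities and the pre-shared key are placeholders; the hardware gateways above expose the same parameters (peer address, local and remote subnets, proposals, PSK) through their web interfaces.

```conf
# Added example: strongSwan swanctl.conf for a site-to-site IPsec tunnel.
# Public addresses below are documentation-range placeholders; replace them
# with the real WAN addresses of the two gateways.
connections {
    head-to-branch {
        version = 2                          # IKEv2
        local_addrs  = 203.0.113.10          # head office WAN (placeholder)
        remote_addrs = 198.51.100.20         # branch WAN (placeholder)
        proposals = aes256-sha256-ecp256     # IKE: AES-256, SHA-256, ECDH P-256

        local {
            auth = psk
            id = head.example.com            # placeholder identity
        }
        remote {
            auth = psk
            id = branch.example.com          # placeholder identity
        }

        children {
            lan-to-lan {
                # Only these two subnets are carried; anything else is dropped.
                local_ts  = 192.168.0.0/24
                remote_ts = 192.168.20.0/24
                esp_proposals = aes256gcm16-ecp256   # AES-GCM with PFS
                start_action = start         # bring the tunnel up at daemon start
                dpd_action = restart         # re-establish if the peer stops answering
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-branch {
        id = branch.example.com
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"   # placeholder; never reuse across sites
    }
}
```

The branch gateway gets the mirror image (swapped addresses, identities and traffic selectors). Note that the traffic selectors only decide which subnets enter the tunnel; filtering what crosses it by port or host is the job of the firewall rules on each gateway, which is the capability the equipment checklist below calls filtering inside the VPN tunnel.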

At the head office of an organization, software integrated network security solutions are often installed, such as Microsoft Internet Security and Acceleration Server 2006 (Microsoft ISA 2006), CheckPoint Express, CheckPoint VPN-1 Edge and others. To manage these protections, highly qualified personnel are required, which, as a rule, is either available at the head office or borrowed from an outsourcing company.

Regardless of the equipment used, the general scheme for building a Peer-to-Peer VPN that securely combines the local networks of remote offices into a single network is as follows:

It should also be noted that there are specialized hardware crypto gateways, such as Cisco VPN Concentrator, "Continent-K", etc. Their scope is the networks of medium and large companies, where high performance when encrypting network traffic is required, as well as special capabilities, for example data encryption in accordance with GOST ("Continent-K").

What you need to pay attention to when choosing equipment

When choosing equipment for organizing a virtual private network (VPN), you need to pay attention to the following properties:

  1. number of simultaneously supported VPN tunnels;
  2. performance;
  3. the ability to filter network traffic inside a VPN tunnel (this function is not implemented in all Internet gateways);
  4. support for QoS (quality of service), very useful when transmitting voice traffic between networks;
  5. compatibility with existing equipment and applied technologies.

Hardware solutions

Advantages of solutions built on inexpensive hardware Internet gateways

  • Low cost;
  • High reliability (no backups needed, nothing breaks when the power is cut);
  • Ease of administration;
  • Low power consumption;
  • Takes up little space, can be installed anywhere;
  • depending on the chosen platform for building a VPN, it is possible to install additional services on the VPN gateway: anti-virus scanning of Internet traffic, detection of attacks and intrusions, etc., which significantly increases the overall level of network security and reduces the overall cost of a comprehensive network protection solution.

Flaws

  • The solution is not scalable; higher performance is achieved only by completely replacing the equipment;
  • Less flexible in settings;
  • Integration with Microsoft Active Directory (or LDAP) is generally not supported.

Software solutions

Benefits of software solutions

  • Flexibility;
  • Scalability, i.e. the ability to increase performance as needed;
  • Tight integration with Microsoft Active Directory (Microsoft ISA 2006, CheckPoint)

Flaws

  • High price;
  • Complexity of administration.

Where to begin

Before you start choosing equipment and software (hereinafter, software) to implement a project to combine local office networks into a single network via VPN, you must have the following information:

  1. Define topology:
    • Meshed (fully connected) - each site can automatically organize an encrypted connection with any other site;
    • Star - branches can organize secure connections with the central site;
    • Hub and Spoke (connection through a hub) - branches can connect to each other through the hub of the central site;
    • Remote Access - users and groups can establish secure connections to one or more sites;
    • Combinations of the above methods (for example, a Star with Meshed Center topology, in which remote branches can exchange information with all members of the central VPN, which has a mesh topology).
  2. Number of branches (how many simultaneous VPN connections must be supported by the head office equipment);
  3. Number of users in the central office and in each branch;
  4. What equipment and/or software is used in each branch (data is necessary to take into account the possibilities for using existing equipment and/or software);
  5. Data on connecting branches to the Internet: IP address assignment - dynamic or static, communication channel speed;
  6. What approach to information security management (network perimeter protection, anti-virus protection) will be applied: centralized management, where the head office and branches have one security administrator (system administrator), or each branch has its own system administrator.

To minimize the threat of penetration into the central office network, it is necessary to pay due attention to protecting the networks of the organization's branches. Using a VPN does not guarantee reliable protection against intrusion unless branch networks are also securely protected. If an attacker can gain unauthorized access to the branch network, he will also be able to gain access to the head office information system, since the head office and branch networks are combined into a single network via VPN.

How to create a single private network for all mobile employees and remote branches

What is a VPN?

Let's assume that we have two offices in different parts of the city, or in different cities or countries, and each of them is connected to the Internet. To work in, say, 1C as a single corporate system, we need to integrate them into a single local network. (Even though we offer solutions for 1C in the form of distributed databases, sometimes it is easier to create a single network and connect directly to the 1C server as if the server were located in your premises.)

You can, of course, buy a leased line between two cities, but this will most likely be extremely expensive.
The virtual private network (VPN - Virtual Private Network) approach offers to build this dedicated line by creating an encrypted tunnel over the Internet. The main advantage of a VPN over dedicated communication lines is that it saves the company money while the channel remains completely closed.
From the consumer's point of view, a VPN is a technology that provides secure remote access through open Internet channels to servers, databases and any resources of your corporate network. Say, an accountant in city A can easily print an invoice on the printer of a secretary in city B whom the client has come to see. Remote employees connecting via VPN from their laptops will also be able to work on the network as if they were in the physical network of their offices.

Very often clients, faced with slow cash registers when using Remote Desktop, come to the need to install a VPN. This eliminates sending cash-register data back and forth to the server over a virtual COM port across the Internet, and allows a thin client to be installed at any location that communicates with the cash register directly, sending only the necessary information to the server over a closed channel. And exposing the RDP interface directly to the Internet puts your company at very great risk.

Connection methods

It is most appropriate to distinguish the following two main methods of organizing a VPN:

  • (Client - Network) Remote access of individual employees to the organization’s corporate network via a modem or public network.
  • (Network - Network) Uniting two or more offices into a single secure virtual network via the Internet.

Most manuals, especially for Windows, describe the connection according to the first scheme. At the same time, you need to understand that this connection is not a tunnel between networks, but only connects a single host to a VPN network. To organize these tunnels we need only one public (“white”) IP address, not one per remote office, as many mistakenly believe.

The figure shows both options for connecting to main office A.

A channel has been established between offices A and B to integrate the offices into a single network. This makes both offices transparent to any devices located in either of them, which solves many problems, for example a single numbering plan within one PBX with IP phones.

All services of office A are available to mobile clients, and if office B is located in a single virtual network, its services are also available.

In this case, mobile clients are usually connected with the PPTP protocol (Point-to-Point Tunneling Protocol), and the second method is usually implemented with IPsec or OpenVPN.

PPTP

PPTP (Point-to-Point Tunneling Protocol) is a point-to-point tunneling protocol, the brainchild of Microsoft, and an extension of PPP (Point-to-Point Protocol); it therefore uses PPP's authentication, compression and encryption mechanisms. PPTP is built into the Windows XP remote access client. When this protocol is chosen by default, Microsoft suggests the MPPE (Microsoft Point-to-Point Encryption) encryption method. Data can also be transferred without encryption, in the clear. Encapsulation with PPTP adds a GRE (Generic Routing Encapsulation) header and an IP header to the data processed by PPP.

Due to significant security concerns, there is no reason to choose PPTP over other protocols unless the device is incompatible with the other VPN protocols. If your device supports L2TP/IPsec or OpenVPN, it is better to choose one of those.

It should be noted that almost all devices, including mobile ones, have a client built into the OS (Windows, iOS, Android) that allows you to instantly set up a connection.

L2TP

L2TP (Layer Two Tunneling Protocol) is a more advanced protocol, born from combining PPTP (from Microsoft) and L2F (from Cisco) and incorporating the best of both. It provides a more secure connection than the first option; encryption is done with the IPsec protocol (IP security). L2TP is also built into the Windows XP remote access client; moreover, when the connection type is detected automatically, the client first tries to connect to the server with this protocol, as it is preferable in terms of security.

At the same time, IPsec has the problem of negotiating the necessary parameters. Since many manufacturers set their own default parameters without the possibility of configuration, hardware using this protocol may turn out to be incompatible.

OpenVPN

OpenVPN is an advanced open VPN solution created by OpenVPN Technologies, which is now the de facto standard in VPN technologies. It uses the SSL/TLS protocols and the OpenSSL library for encryption. OpenSSL supports a large number of cryptographic algorithms such as 3DES, AES, RC5 and Blowfish. As with IPsec, CheapVPN includes an extremely high level of encryption - the AES algorithm with a 256-bit key.
OpenVPN is the only solution that allows you to get past providers who block or charge for opening protocols other than the web. This makes it possible to organize channels that are, in principle, impossible to track. And we have such solutions.
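Finding where PPTP is still in use is the first step of the migration the PPTP section above recommends, and the same signatures distinguish the three protocol families just described. The following added example (not from the original article) classifies IPv4 packets by transport signature: PPTP (TCP 1723 control connection, GRE with protocol type 0x880B for data), L2TP (UDP 1701), IPsec (IKE on UDP 500/4500, ESP as IP protocol 50) and OpenVPN on its default port 1194. The sample packets are constructed inline; the hosts and addresses in them are chosen for illustration and match nothing real:

```python
# Added example (not from the original article): classify IPv4 packets by VPN
# protocol so that hosts still using PPTP can be found and migrated. Protocol
# numbers and ports come from the protocols' specifications; the packets at the
# bottom are constructed here and are not real captures.
import socket
import struct
from collections import Counter

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PPTP_CONTROL_PORT = 1723     # PPTP control connection (TCP)
GRE_PROTO_PPP = 0x880B       # GRE protocol type for PPTP data (PPP in GRE v1)
L2TP_PORT = 1701             # L2TP over UDP
IKE_PORTS = {500, 4500}      # IKE and IPsec NAT traversal
OPENVPN_PORT = 1194          # OpenVPN default port (UDP or TCP)


def classify(packet: bytes) -> str:
    """Return a label for one IPv4 packet based on its transport header only."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4        # IPv4 header length in bytes
    proto = packet[9]                   # protocol field
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        return "ipsec-esp"
    if proto == IPPROTO_GRE:
        # GRE header: 2 bytes flags/version, then 2 bytes protocol type.
        if len(payload) >= 4 and struct.unpack("!H", payload[2:4])[0] == GRE_PROTO_PPP:
            return "pptp-data"
        return "gre-other"
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        ports = set(struct.unpack("!HH", payload[:4]))   # source and destination
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in ports:
            return "pptp-control"
        if proto == IPPROTO_UDP and L2TP_PORT in ports:
            return "l2tp"
        if proto == IPPROTO_UDP and ports & IKE_PORTS:
            return "ipsec-ike"
        if OPENVPN_PORT in ports:
            return "openvpn"
    return "other"


def inventory(packets):
    """Count labels and list the source hosts still talking PPTP."""
    counts = Counter()
    pptp_hosts = set()
    for pkt in packets:
        label = classify(pkt)
        counts[label] += 1
        if label.startswith("pptp"):
            pptp_hosts.add(socket.inet_ntoa(pkt[12:16]))   # IPv4 source address
    return dict(counts), sorted(pptp_hosts)


# --- constructed sample packets (not real traffic) --------------------------
def _ipv4(proto, payload, src, dst="203.0.113.1"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def _tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def _udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLE_PACKETS = [
    _ipv4(IPPROTO_TCP, _tcp(51000, PPTP_CONTROL_PORT), "192.168.0.15"),      # PPTP control
    _ipv4(IPPROTO_GRE, struct.pack("!HHHH", 0x3001, GRE_PROTO_PPP, 0, 7),
          "192.168.0.15"),                                                   # PPTP data
    _ipv4(IPPROTO_UDP, _udp(L2TP_PORT, L2TP_PORT), "192.168.0.22"),          # L2TP
    _ipv4(IPPROTO_UDP, _udp(500, 500), "192.168.0.22"),                      # IKE
    _ipv4(IPPROTO_ESP, b"\x00\x00\x00\x01" * 4, "192.168.0.22"),             # ESP
    _ipv4(IPPROTO_UDP, _udp(40000, OPENVPN_PORT), "192.168.0.31"),           # OpenVPN
    _ipv4(IPPROTO_TCP, _tcp(40001, 443), "192.168.0.31"),                    # ordinary HTTPS
]

if __name__ == "__main__":
    counts, hosts = inventory(SAMPLE_PACKETS)
    print(counts)
    print("hosts still using PPTP:", hosts)
```

The port-based matches are heuristics: OpenVPN on a non-default port or L2TP inside NAT-T look like plain UDP, while the GRE protocol type and the ESP protocol number are unambiguous. In practice the packet bytes would come from a capture file rather than the constructed list above.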

Now you have some idea of what a VPN is and how it works. If you are a manager, think about it; maybe this is exactly what you were looking for.

An example of setting up an OpenVPN server on the pfSense platform

Creating a server

  • Interface: WAN (the server network interface connected to the Internet)
  • Protocol: UDP
  • Local Port: 1194
  • Description: pfSenseOVPN (any convenient name)
  • Tunnel Network: 10.0.1.0/24
  • Redirect Gateway: enabled (disable this option if you do not want all of the client's Internet traffic to be routed through the VPN server)
  • Local Network: leave blank (if you want the local network behind the pfSense server to be reachable by remote VPN clients, enter that network's address space here, for example 192.168.1.0/24)
  • Concurrent Connections: 2 (if you purchased an additional OpenVPN Remote Access Server license, enter the number of licenses purchased)
  • Inter-Client Communications: enabled (disable this option if you do not want VPN clients to see each other)
  • DNS Server 1 (2, etc.): the DNS servers of the pfSense host (their addresses are listed under System > General Setup > DNS Servers)
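For readers who run OpenVPN outside pfSense, the form fields above map onto plain server directives. The following is an added example, a stand-alone OpenVPN 2.x server.conf, and not the file pfSense generates; the certificate and key paths, the LAN route and the DNS address are assumptions, and the cipher, TLS and privilege settings at the end are added hardening that the form above does not show:

```conf
# Added example: OpenVPN server.conf equivalent of the pfSense form above.
# Paths and the DNS address are assumptions; adjust to your host.

# Interface / Protocol / Local Port
port 1194
proto udp
dev tun
topology subnet

# Tunnel Network: 10.0.1.0/24 (server takes the first usable address)
server 10.0.1.0 255.255.255.0

# Redirect Gateway: enabled. Delete this line if clients should keep
# their own default route and send only VPN-bound traffic through the tunnel.
push "redirect-gateway def1"

# Local Network: left blank in the form. Uncomment to expose the LAN behind
# the server (address space assumed from the form's example).
# push "route 192.168.1.0 255.255.255.0"

# DNS Server 1: address is an assumption; use the pfSense host's resolvers.
push "dhcp-option DNS 192.0.2.53"

# Concurrent Connections
max-clients 2

# Inter-Client Communications: enabled. Delete this line to isolate clients.
client-to-client

# PKI material (paths assumed). The pfSense export utility bundles the
# matching client-side files.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
# Authenticate and encrypt the control channel with a pre-shared key so that
# unauthenticated packets are dropped before the TLS handshake starts.
tls-crypt /etc/openvpn/tls-crypt.key
# Only certificates issued with the client role may connect.
remote-cert-tls client

# Added hardening: AES-256 as the article recommends, SHA-256 HMAC, TLS 1.2+.
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2

# Drop privileges after start-up (group name varies by distribution).
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
status /var/log/openvpn-status.log
verb 3
```

The two lines marked as deletable correspond to the two form options the text says to disable in some deployments: without `push "redirect-gateway def1"` only traffic for the tunnel and any pushed routes enters the VPN, and without `client-to-client` remote clients cannot reach each other through the server.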

Next we create the clients. To simplify configuring the client programs, pfSense provides an additional tool, “OpenVPN Client Export Utility”. It automatically prepares installation packages and files for the clients, which avoids manual configuration of the OpenVPN client.

VPN connections between offices cover such business security requirements as:

  • Possibility of centralized access to information from offices, as well as from the main office
  • Unified corporate information system
  • Enterprise databases with a single point of entry
  • Business email with single sign-on
  • Confidentiality of information transferred between offices

If you have any difficulties setting up or have not yet decided on VPN technology, call us!