What to do when your customer’s WAN is actually firewall to firewall VPN’s

Recently I began planning for a centralized deployment of OCS that would sit in one of 6 offices for a client we’ll call Acme Accounts.  Acme will start out using OCS for IM, P2P audio/video and Live Meeting; eventually OCS will grow into a full blown enterprise voice solution.  The first big hurdle for us when designing Acme’s OCS implementation was their “WAN”, instead of typical MPLS or point to point connections, Acme uses its internet connections and ASA firewalls in each location to create VPNs that allow traffic to route between sites.  The latency created by this solution has never been an issue, but voice and video were never running over this connection either.  Here’s a look at a diagram of the environment:

To make things a little more complicated, the internal domain name (acmeaccounts.com) matched the external name and all DNS in each site is active directory integrated (ADI) as it should be.  With ADI zones, all DNS servers share the same zones, so we can’t have different records in each site to use public IP’s for OCS instead of private IPs to bypass the VPN.

Since the VPN between sites introduces extra latency we wanted to route the traffic for OCS straight through the internet and not through the site to site tunnels.  This would mean users in each office would have the same experience as users on the internet.  Not a perfect scenario, but with 10 to 20 mb connections in each location and not a ton of use, this is the best solution until the WAN is put in place.

On to the details… Since the edge server sits out in a DMZ that has a 100 MB connection to the HQ ASA (but isn’t behind it) I felt comfortable that letting the HQ users connect through the firewall to the edge, instead of straight to the front end was an acceptable solution.  The big benefit here is that all 5 other sites (most with as many or more users than HQ) can now use the public IP to connect and not have their traffic enter the VPN.

Here’s a look at the original DNS records:

Pool FQDD = Pool.acmeaccounts.com > 192.168.1.100
Autoconfig-SRV = _sipinternaltls._tcp.acmeaccounts.com > Pool.acmeaccounts.com

Here’s a look at how I configured the DNS records to send all the traffic to public IPs instead of private:

Audio/Video = av.acmeaccounts.com > 1.2.3.136

Access Edge = sip. acmeaccounts.com > 1.2.3.137

Meeting = meet. acmeaccounts.com > 1.2.3.138

Public Farm FQDN = abs. acmeaccounts.com > 1.2.3.139

Autoconfig-SRV = _sip._tls. acmeaccounts.com > sip.acmeaccounts.com
Here’s a diagram of what the environment looks like with OCS, now the clients in HQ actually go out the main firewall and over to the edge to get to the Front End server (follow the arrows from the MOC symbol to the OCSEdge):

Although it’s not a perfect solution it allows the client to have better performance for Live Meetings/conferences.   Peer to Peer traffic may still make its way over the VPNs depending on the connectivity checks, but from our testing, usually it didn’t. Once the WAN is in place and we’re ready to start rolling out voice, we’ll shift the records back to going straight to the front end server.

 

Advertisements

About Kevin Peters

My name is Kevin Peters.
This entry was posted in Uncategorized and tagged , , , , , . Bookmark the permalink.

2 Responses to What to do when your customer’s WAN is actually firewall to firewall VPN’s

  1. Steven Ryerse says:

    Just wondering if you in real life have actually tried to run across a WAN which is really two ASA’s with a Site to Site VPN between them. While there would be some overhead, I’m guessing the communication Line between them would be the bottleneck and not the ASA’s. Since you bypassed the VPN between the ASA’s for this organization you saved whatever overhead they might interject – but of course the communication line speed would still have been the same. (If the communication line is slow – then it is slow.)

    I ask this because site to site VPN’s using ASA’s are multiplying like rabbits, and I will face this exact scenario very soon. I have one customer with 25 remote sites – all with site to site VPN’s to a single Large ASA in a data center – and they want to run Lync soon. They want the Lync & Edge server to reside in the same data center. Of course of of the communication lines they use are relatively slow.

    Your blogs have helped me a great deal and I really appreciate your time putting them together!! 🙂
    P.S. I didn’t see an index of all of your aticles on the web site. Maybe I missed it. I did figure out if you add the year after your domain name you can get to some.

    • Kevin Peters says:

      Hi Steven,

      This article was written about an actual customer scenario I worked on. We deployed exactly as descripbed in the article (other than changing names and IPs for privacy). We found the solution to be much more acceptable than having the audio for the conferences going through the tunnel. In some cases peer to peer audio/video would still go direct via a VPN tunnel (because the other IPs in the candidate list were reachable as well), but it was less impactful than conferences going through the VPN. This was a stop gap measure until the actual WAN was put in place which was done early this year. The client does have a better experience now that they are using a WAN with QoS instead of internet, but the internet connections were pretty well sized so they never created a bottleneck. If you do this you definitely have to make sure the internet connections are strong enough.
      The main take away from the article should be, encrypting real time traffic with a VPN is usually a worse idea than just letting it go over the internet (since it is all ready secured anyway).

      I’ll check into the listing of articles, I think you can view an auther page which will show all the articles by clicking on my name at the top of the article.

      Hope this helps!
      -kp

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s