RED-60 Branch to SG230 Head Office Deployment

Hi Guys,

Setting up a new Branch Office location that will seat about 25 Staff. I have about 100 Staff at Head Office and have had an SG230 onsite for a number of years. I have a couple of smaller remote offices with 2-4 staff with a couple of RED 15s deployed - all working fine. Head Office runs a number of vLANs internally, all routing through the Layer 3 switch onsite - everyone is happy.

  • Server vLAN: 10.0.10.x
  • VOIP vLAN: 10.0.30.x
  • Management vLAN: 10.0.100.x

(plus a couple more internal ones that aren't relevant to the discussion)

The new Site office will have a DC deployed out there due to the number of Staff onsite, and I'll have a local file share out there plus all the regular stuff AD DCs have, i.e. DNS, DHCP, Group Policy etc. I have already set up the new subnet 10.0.60.x, a new Site in AD Sites (NewSitename), associated that subnet with that site as per normal, given the new server the IP address 10.0.60.10 and done the DC Promo. DNS and DHCP replication are all set up and I created a new 10.0.60.0/24 DHCP scope in DHCP. I have bound vLAN 60 to the subnet on the switch going out onsite, set up trunk ports to pass vLANs 10, 60 and 100 on Port 1, and configured some untagged vLAN 60 ports on the site switch; the site switch is also set up as 10.0.60.253.

So far, so good. 

My stumbling block here is the best way to set up this RED 60 device to provide the link between the site and Head Office, which will need to provide or allow for:

  • DC at Remote Site to do DNS and DHCP for the local network - but connect to Head Office DCs for AD Replication etc. via RED
  • Pass traffic to Head Office Servers on vLAN 10 (10.0.10.x network) via RED
  • Pass traffic to VOIP PABX on vLAN 30 (10.0.30.x network) via RED
  • Pass traffic to Management vLAN 100 (10.0.100.x network) via RED
  • Allow vLAN 60 on the remote (site) network to get to Servers at Head Office via RED
  • All Remote Site Internet traffic to go out the local Internet

I've set up more than a few Unified and also Split networks with no dramas - but I'm looking at Transparent here for what I want to do and I'm having a bit of trouble wrapping my head around it.

The guides I am finding online aren't showing the setup I am looking for and are more standard type setups without a remote DC in the mix doing DHCP and DNS or AD Replication. Does anyone have some hints/tips/advice or pointers to a good primer for a setup like this? I've done plenty of Site-to-Site VPNs before with other brand hardware, but I was hoping to keep this all Sophos and that the RED 60 will work for what I am trying to do.

Cheers!



  • No one has set up a RED Device with an AD server at the Remote Site?

  • Hello Dread,

    I do have setups at customers' sites like this, but they use the older RED boxes. I have not had an SD-RED yet.

    But from the setup menu possibilities in the UTM RED-Helper dialogue, I guess the SD-RED behaves very similarly.

    Now to your topology: there is nothing special about having an AD Controller in a subsidiary site.

    The RED-Box simply has to be told, which network(s) have to be contacted through the tunnel, and which not.

    So the magic is outside the RED-configuration: your DHCP-Server at that site has to supply the "right" configuration to your clients.

    That is, the AD-Controller at this site is the primary DNS and forwards its DNS-requests to the ISP. Then, the Sophos should be the default gateway for all clients AND the AD controller, so that the RED box can decide, which IP packets have to be sent through the tunnel and which not.

    And all the VLAN decisions / routes are done at the main site, so the remote RED has nothing to do with this. You simply define the "local networks". Transparent mode adds the ability to have the IPs assigned by the remote DHCP server. Either you make the RED box the default gateway, or you have to use a routing table that points your hosts to the networks of the main site.

    Maybe this is not as complicated as you think.

    If you have further questions, please ask again. Or come back with your findings.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Cheers for replying Philipp! ;)

    I was out onsite Friday and finally ended up deploying a Standard/Split connection. Not overly happy with the current setup - but it is working. To get it working what I have had to do is:

    1. FTTN Modem 10.0.59.1 with DHCP turned ON. This will give a 10.0.59.x IP to the RED Device.

    2. Standard/Split setup on SG230 at Head Office with 10.0.60.251 assigned to the RED Interface, DHCP Scope set up on the UTM allocating IPs to the remote network, Head Office Subnets set as split networks.

    3. Turned off the UTM's DHCP Scope.

    4. Re-enabled the DHCP scope for the 10.0.60.x subnet on the site AD Controller, gateway set to 10.0.60.251, DNS set to the site AD Server.

    Tested VOIP phone connecting to internal vLAN 30 address - all good
    Tested AD replication - seems to be all good so far *fingers crossed*
    Tested local PC login, using local AD Controller as login server - tested OK


    So it seems like we are good to go BUT ... if the RED connection drops they will have no internet or phones, which is a concern. I'd still like to get Transparent/Split up and running. I may have a play around with it during the week as the site goes live next Monday, but still unsure as to some of the settings needed for Transparent :(
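As an added example (not code from the thread or from Sophos), the following PowerShell scripts steps 3-4 of the post on the site DC and re-runs the three checks listed above, using the addresses given in the thread; the AD domain name, the ISP forwarders and the head-office host addresses are not on the page and are angle-bracket placeholders to fill in.

```powershell
# Added example, not from the thread: configure DHCP/DNS on the site DC (10.0.60.10)
# behind the RED, then verify replication, tunnel reachability and the logon site.
# Run on the site DC as a domain admin. Angle-bracket values are placeholders.
param(
    [string]   $Domain        = '<ad.domain.local>',             # AD domain name (not given in thread)
    [string[]] $IspForwarders = @('<ISP_DNS_1>', '<ISP_DNS_2>'), # ISP resolvers the site DC forwards to
    [string[]] $HqHosts       = @('<HQ_DC_IP>', '<PABX_IP>')     # a vLAN 10 server and the vLAN 30 PABX
)
Import-Module DhcpServer, DnsServer

$ScopeId = '10.0.60.0'
$RedGw   = '10.0.60.251'   # RED interface on the SG230 side (step 2 in the post)
$SiteDc  = '10.0.60.10'    # site AD controller = primary DNS for the site

# Step 4: scope on the site DC. The pool .20-.200 keeps the DC (.10), the RED
# interface (.251) and the site switch (.253) out of the dynamic range.
if (-not (Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'NewSite vLAN 60' -StartRange '10.0.60.20' -EndRange '10.0.60.200' `
        -SubnetMask '255.255.255.0' -State Active
}
# Default gateway = RED interface, DNS = site DC, as the post describes.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $RedGw -DnsServer $SiteDc -DnsDomain $Domain

# Site DC resolves AD names itself and forwards everything else to the ISP (as in the reply).
Set-DnsServerForwarder -IPAddress $IspForwarders -UseRootHint $false

# Checks mirroring the post's tests.
Write-Host '--- DHCP options handed to clients'
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value -AutoSize

Write-Host '--- AD replication over the RED tunnel'
repadmin /replsummary
repadmin /showrepl /errorsonly

Write-Host '--- Head-office hosts reachable through the tunnel (ICMP)'
foreach ($h in $HqHosts) {
    $ok = Test-NetConnection -ComputerName $h -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-16} {1}' -f $h, $(if ($ok) { 'reachable' } else { 'UNREACHABLE' })
}

Write-Host '--- Logon path: this host should map to the new AD site and find the local DC'
nltest /dsgetsite
nltest /dsgetdc:$Domain /site:NewSitename
```

If `nltest /dsgetsite` does not return NewSitename, the 10.0.60.0/24 subnet-to-site mapping in AD Sites is the first thing to recheck before blaming the RED.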