Question : Bypass VPN on Demand-dial tunnel

Hello,

I have a small issue with a site-to-site tunnel using Microsoft demand-dial on Windows 2008. My company now has three sites with an Exchange server in one site (Site A). To establish an inexpensive VPN infrastructure, two persistent tunnels were established from Site B to Site A and from Site C to Site A (no direct communication is necessary between Site B and Site C at this point) using the Routing and Remote Access Demand-dial function. To learn more about that tunnel, just look at:

http://blogs.technet.com/networking/archive/2008/11/07/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras.aspx

All is working well except for one thing: every PC on Site B and Site C will use the Internet gateway on Site A by default for browsing and this slows down browsing a lot (since the tunnels are built with DSL lines). As of now, all PCs are configured to have their default gateway set to the Windows RAS server in each site.

To have the PCs connecting directly to the Internet from the local site, I would have to set their gateway at the local routers. However, this causes other problems like accessing servers in the main site (unless a static persistent route is created in each PC).

Is there a native way of fixing HTTP and FTP browsing to the default Internet connection rather than from Site A? I am thinking of a proxy-server-type solution at this point but I have no clue if I can fix this with no other tool than Windows. Can someone recommend a good and inexpensive solution?

Thanks.

Answer : Bypass VPN on Demand-dial tunnel

Windows is a very poor router, and an even worse VPN solution. Dropping it is the best thing that you can do. To use Windows 2008 you would have to route all traffic through that server, so that the server sorts out what goes over the VPN and what goes straight out the door. That would mean changing all of the default gateways. I have seen it done and it has always sucked. I now always buy routers for clients that can also do VPN so that if/when they grow to multiple sites, the technology is already there.

Simon.