Hi @Nifty -
Welcome and thanks for posting! Glad to hear you are enjoying the community so far. I'm afraid I don't have a technical answer for you, I just wanted to say hello and welcome you to the community. If you have any questions or feedback, please don't hesitate to reach out to me via PM.
Typically you configure the DHCP DNS servers for the remote branch to point to your AD controllers at DC/HQ. Then clients can use AD as normal, logging in, accessing shares, etc.
Thank you for the reply.
We have a remote branch with 3 staff they have no internal DNS servers. Think Home Office with ISP supplied Router with external DNS provided. As I mentioned normally I would configure internal DNS (a DC) on site however this is a tiny operation and I'm seeking a solution within the MX appliances over the established VPN.
I'm surprised that the MX devices does not offer a simple rule sets to overcome this like: Windows File Shares = Send traffic over VPN. Http requests send out via local internet breakout.
There must be huge requirements like this where SOHO's need to connect to HQ for SMB File sharing but not the internet.
oke and what if you would run a intranet webportal at hq, it would never be reachable. ?
you can ofc use split tunnel, if your want some kind of private name resolving you need something additional.
i think lots of people using cloud file scharing/drives like dropbox of onedrive nowadays.
You may find it helpful to investigate what can be done with JumpCloud, which provides Active Directory as a Service. It is right at the top of my list as Azure makes too many assumptions about what hardware branch offices may have. There is information about using JumpCloud with Meraki.
I'm still struggling to understand why this isn't achievable with Auto-VPN between the MX's in split tunnel mode? Proxy all DHCP to your DHCP server at HQ and DNS requests to your DNS servers. All internet traffic will breakout via the local internet at the site.
The way we've set it up on our remote sites is that all MPLS traffic is on one VLAN and Breakout on another.
If your request is(resolved) to an MPLS IP, it's routed to there. If it resolved to a Public IP, it's routed to the breakout.
Thank you for your reply and suggestion, we do not have the luxury of an MPLS, it is not cost effective enough for us to have a dedicated connection to such a small site hence the reason for 2 x MX's and the set up of a VPN.
This sounds like a positive solution to our problem, I will change some settings on the MX devices to match your suggestion and feedback the result.