I'm looking for some thoughts on a particular way of setting up a estate of machines.
We have a requirement to install machines into unmanned, remote locations. These machines will auto login and perform tasks controlled from a central server. In order to manage patching, AV, updates etc I want these machines to be joined to a dedicated domain for this estate.
Some of the locations will only have 3G connectivity (via other hardware), others will be located on customer premises in internal networks.
The central server (of ours) and the Domain Controller will be on a public WAN.
I see two ways of facilitating this.
Install a router at each location and have a site to site VPN between the remove device and the data centre where the servers are location
Have the remote machine dial up and authenticate via a Windows VPN connection to the DC via RAS
Option one is more costly to setup and has a higher operational cost. It also offers better diagnostics if the remote PC goes down.
Option two works well but is solely dependent on the VPN connection been made before any communication can be made to the remote machine.
In a simple test, I can got a Windows 7 machine to dial a VPN prior to authentication to a domain, then automatically login to the machine using domain credentials.
If the VPN connection drops, it redials.
I can also create a timed task to auto connect every hour in case of other issues.
I'd like to know, why (if at all) is operating a remote network of devices which are located in various out of band locations in this way a bad idea?
Consider 300-400 remote machines all at different sites.
I'd rather have 400 VPN connections to a 2008 server than 400 routers, however I'd like to know other opinions on this.
