This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 50%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Hello,
Due to concerns surrounding client security, I am being asked to provide feedback on how best to implement the following:
• A new “private” network is to be created on which to host servers with client data and virtual machines that select staff would use to work on this data.
• The new network should only be accessible from the LAN on the primary domain and only after logging into a VPN to access it.
• The new network would be accessed by select staff but should require different credentials than that of the primary company domain.
• We already use a VPN application when staff work from home but management doesn’t want the new “private” network accessible directly from the existing VPN application. They want staff to be required to access the regular VPN to access their office PCs first and only then access a separate VPN with different credentials for the private network to access the client data from their virtual machines.
• On the private network we would still need to:
o regularly patch the endpoints
o transfer programming code from the primary domain when necessary to run on a SQL server that contains client data
o perform regular backups
I know I can create a new forest in our existing domain and a new domain controller to create a new security boundary. I understand in this scenario this is no trust by default between the new forest and the forest that contains the primary company domain. However, I am unclear on how to implement the rest of the request and\or if this is the best option.
How would I:
• configure a separate VPN connection using Cisco AnyConnect or similar VPN client to be used to access the new network? Can this be configured in the existing firewall for the separate VPN access or would this require a separate firewall?
• I understand that zones can be used within the firewall and access rules can be used to block or allow access between zones but management is concerned if this path is followed and their PC on the primary domain is compromised and they then access the private network in the new forest that the virtual machine in that forest would also be compromised. This is why management wants staff to have to access a separate VPN with different domain credentials to access the private network.
Does anyone have recommendations for best practices on making this work?
Thanks,
Roger
**5/18/21- I updated the question as it really pertains to creating a private network on the LAN.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 73%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESQ%3C/text%3E%3C/svg%3E)
This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.
Thank you.
Hello Sunny,
Have you been able to get guidance on best practices on how to do this?
Thank you.