How to make an internal SMB share available outside of the firewall using an intermediate server



  • Windows 2008 Server at Data Center 1 – call it Server A

  • Another Windows 2008 Server at DC 2, call it Server B

  • Fiber link dynamic IP client, connected via VPN to Server B, call it Client A

Client A wants to see shared drives from Server A. Server A can't allow everyone through the firewall, so it is configured for Server B to access it's shared folders, via firewall hole. Idea is to map Server As drives on Server B, then re-share them for Client A.

We know that this is not possible per se. So, I tried junction points, they don't work with shared drives. I tried DFS, and found out that:

When browsing a folder in the namespace, users are not aware that the folder is hosted by multiple servers. When a user opens the folder, the client computer is automatically referred to a server on its site. If no same-site servers are available, you can configure the namespace to refer the client to a server that has the lowest connection cost as defined in AD DS.

Is there any way to get DFS to re-share a network drive?

I am grasping at straws here, and am referring to the last part of above quoted paragraph, how should I configure the DFS mount point so that it doesn't REDIRECT, but RE-SHARE?


Server B can't store complete copy of the data from Server A, since server a is collecting data at a rate of 100GB/day.

Best Answer

In light of your most recent update and comments, I think that your best bet is to allow connections to Server A via VPN access directly. It doesn't make a lot of sense to involve Server B in the mix at all.

There are packages in the Samba 4 release that can potentially do SMB proxing, but I haven't heard of anyone using them with any level of success. You certainly can't do this with any native Windows tool.

In light of your updates, this isn't an answer to your question, but it's still good knowledge nonetheless, so I'll leave it.

There are two different DFS technologies: Namespaces and Replication.


A DFS Namespace allows for multiple file-servers to have the same UNC. For example \\domain\share could be backed by \\server1\share and \\server2\share. The users have no idea, they just connect to \\domain\share and are transparently redirected to one of the backing file servers.

You can define what server users are connected to by a number of ways. One of the most common is by what AD Site they are in. If you want your users to access the share on either server transparently by \\domain\share, then you want to use DFS Namespaces, but this isn't a complete answer to your problem.


DFS-R allows for files to replicated (go figure) across multiple servers. If you had \\server1\share and \\server2\share in a 2-way replication group, then any changes to either share will propagate to the other. If you want your two servers to have the same contents, then you will use this. It can be used independently of a DFS Namespace, but many times it is used in conjunction with it for seamless access to resources based on AD Site or for redundancy/loadbalancing in general.

You're not "resharing" like your question asks how to do, but rather you're keeping an actual copy of everything in both places, including permissions. This is, at a minimum, what you need to accomplish what you're asking.

If you choose to use DFS Namespaces in addition to DFR-R, then that's up to you and is a design decision. It will certainly simplify access from your users, but is not completely necessary.

tl;dr Use DFS-R and maybe DFS Namespaces, but definitely DFS-R.

Edit: Since it seems that my text wasn't understood clearly, here's a nice picture


Related Topic