I only have one public IP at each site, so having all internal services (and I have a lot of them) communicating over the internet to that single IP (on each side) would get pretty complex with a lot of rules and a lot of interesting port remapping and additional firewall rule complexity. That additional complexity also involves more chances to make mistakes that introduce security problems. So in general, I'm eager to keep things going directly to the proper service internally. Obviously I can work around that when it's necessary, but going outside the VPN is the last option I'm entertaining.
Regards,
Joseph Ward
On 12/20/2017 20:24, Andrew Sullivan wrote:
I guess what I don't understand is why the IP address approach is more attractive to you, and why you think the "public Internet" path is less good.
Best regards,
A