Thanks for the response. I actually have a couple of scenarios to address:
- company employees using company owned laptops that connect via a normal VPN
- offshore development teams that connect via a site to site VPN
For my purposes I think I will focus on the first item now as the second item involves employees from another organization connecting from a non trusted domain. This is an entire different scenario.
Now, with our employees, we have two domains, trusted with one another. They may connect to either domain based on which servers they need to access (they have other needs besides the database servers). It sounds like we should be able to setup these users to use domain authentication regardless of (a) which domain the database server resides on and (b) which domain they connect to. Sounds like the work is on our network guys, sound about right?
If there is a two way trust, you are correct, it should be fine to use Windows authentication to servers in either domain. And therefore the bulk of the work is on the network guys, as well as the AD guys, who will need to add a physical site in AD which comprise the IP address range the VPN is using.
In the second scenario, probably better would be to use a portal such as Citrix or Terminal Services and provide desktops to them. Citrix is normally used to publish specific apps, but in this case, since we're talking development teams, publishing the desktop may be necessary.
K. Brian Kelley