pseudocyber asked:

Alternatives to VPN?

I was just tasked with this project - provide alternatives to VPN.  I asked what this meant and it could be either different platforms than what we use now or totally different technologies.

We have about 1500 employees, 500 of which are field-based/remote.  Of the rest, about 500 connect at night, weekends, holidays, etc.  Max online usage has been around 250 at a time with peaks during the day around 50.  We're using IPSEC with 3DES to connect now.  We're running Nortel Contivitys - a 2600 at the main site, a 1600 at another site, and a 1010 at a Branch Office.  Version is 4.86_160 and 4.65 client.

What's driving this wacky request is the business units suffering intermittent drops in their tunnel.  It's primarily the broadband users and I suspect it's various issues with IPSEC/ISAKMP keepalives not getting through or MTU issues for DSL users.

I would appreciate hearing how you're set up, what issues you have with your VPN, and what you would recommend for me.  I'm also open to other technologies such as RAS and SSL VPN.

I will split points between pertinent contributors.

Thanks
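The MTU concern raised in the question above can be made concrete with a small calculation. This is an added example, not code from the thread or from Nortel: it uses the standard ESP tunnel-mode overhead for 3DES-CBC with a 96-bit HMAC authenticator (the cipher named in the question), optionally with NAT-T UDP encapsulation, and constructed sample path MTUs (1500 for plain Ethernet, 1492 for PPPoE DSL) to show when a full-size 1500-byte inner packet no longer fits and what inner MTU or TCP MSS clamp avoids fragmentation. Vendor implementations may add options not modelled here.

```python
"""Added example (not from the thread): ESP tunnel-mode overhead calculator.

Assumptions: IPv4 outer header, ESP with 3DES-CBC (8-byte block and IV) and a
96-bit HMAC authenticator, optional NAT-T UDP encapsulation. The path MTUs used
in the demo are constructed sample values, not measurements from the poster's network.
"""
from dataclasses import dataclass

IPV4_HEADER = 20        # outer (tunnel) IPv4 header, no options
TCP_HEADER = 20         # inner TCP header, no options
UDP_HEADER = 8          # NAT-T encapsulation (UDP/4500) when in use
ESP_SPI_SEQ = 8         # 4-byte SPI + 4-byte sequence number
ESP_TRAILER = 2         # pad length + next header
ICV_HMAC_96 = 12        # HMAC-SHA1-96 / HMAC-MD5-96 truncated authenticator


@dataclass(frozen=True)
class EspProfile:
    cipher_block: int     # CBC block size: 8 for 3DES, 16 for AES
    iv_len: int           # IV length equals the block size for CBC ciphers
    nat_t: bool = False   # True when the tunnel runs through UDP encapsulation


THREEDES_SHA1 = EspProfile(cipher_block=8, iv_len=8)
THREEDES_SHA1_NAT_T = EspProfile(cipher_block=8, iv_len=8, nat_t=True)


def esp_padding(inner_len: int, block: int) -> int:
    """Bytes of padding so that payload + trailer is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % block


def encapsulated_size(inner_len: int, p: EspProfile) -> int:
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP tunnel mode."""
    padded = inner_len + esp_padding(inner_len, p.cipher_block) + ESP_TRAILER
    size = IPV4_HEADER + ESP_SPI_SEQ + p.iv_len + padded + ICV_HMAC_96
    if p.nat_t:
        size += UDP_HEADER
    return size


def max_inner_packet(path_mtu: int, p: EspProfile) -> int:
    """Largest inner IP packet whose encapsulation still fits path_mtu."""
    # Overhead varies with padding, so walk down from the MTU instead of subtracting a constant.
    for inner in range(path_mtu, 0, -1):
        if encapsulated_size(inner, p) <= path_mtu:
            return inner
    raise ValueError("path MTU too small to carry an ESP packet")


def tcp_mss_clamp(path_mtu: int, p: EspProfile) -> int:
    """TCP MSS to advertise so a full segment never needs fragmentation after ESP."""
    return max_inner_packet(path_mtu, p) - IPV4_HEADER - TCP_HEADER


def fragmentation_report(path_mtu: int, p: EspProfile, inner_len: int = 1500) -> dict:
    """Does an inner packet of inner_len bytes survive path_mtu, and what limits avoid fragmentation?"""
    wire = encapsulated_size(inner_len, p)
    return {
        "path_mtu": path_mtu,
        "inner_len": inner_len,
        "wire_size": wire,
        "fragments": wire > path_mtu,
        "max_inner_packet": max_inner_packet(path_mtu, p),
        "tcp_mss_clamp": tcp_mss_clamp(path_mtu, p),
    }


if __name__ == "__main__":
    # Constructed sample path MTUs: plain Ethernet and PPPoE DSL.
    samples = [("Ethernet", 1500), ("PPPoE DSL", 1492)]
    profiles = [("3DES/SHA1", THREEDES_SHA1), ("3DES/SHA1 + NAT-T", THREEDES_SHA1_NAT_T)]
    for label, mtu in samples:
        for name, prof in profiles:
            r = fragmentation_report(mtu, prof)
            print(f"{label:10} MTU {mtu}  {name:18} 1500-byte inner -> {r['wire_size']} bytes on wire, "
                  f"fragments={r['fragments']}, max inner={r['max_inner_packet']}, "
                  f"MSS clamp={r['tcp_mss_clamp']}")
```

Running it shows that a full 1500-byte inner packet grows to 1552 bytes on the wire (1560 with NAT-T), so it always fragments on a 1500-byte path; on a 1492-byte PPPoE link the inner packet must stay at or below 1438 bytes (TCP MSS 1398, or 1390 with NAT-T). If the outer packets carry DF and ICMP "fragmentation needed" messages are filtered somewhere on the broadband path, oversized packets are silently dropped instead of fragmented, which looks to the user like a stalled or dropped tunnel; lowering the tunnel interface MTU or clamping MSS on the concentrator side is the usual defensive fix.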
SOLUTION
Julian_C
Hi pseudocyber,

You might want to consider MPLS.

This is essentially a private network, provided within an ISP's infrastructure.
The network setup can include different access methods, such as DSL or dial-in.

This basically means that you don't have to use a VPN at all, and users connect directly into your network as if they were dialling into a bank of modems at your site.

Speak to your ISP - they might be able to offer this service.

Does this help?
pseudocyber,
I forgot to ask the basic question - what type of traffic do your users have to/from the network?


pseudocyber

ASKER

We're looking at MPLS for our WAN (migrating from ATM with a Frame backup).  How does MPLS offer a VPN connection to remote-based employees - either dialup or broadband connected?

Traffic is mostly checking email with Outlook & Exchange, with some Windows-based file access to file servers.  Some users are more technical and will be using lower-traffic apps such as SSH to servers, telnet, etc.

PS - very nice to have, almost a requirement - need to log in to the Windows network (currently NT login but AD implementation to be completed shortly), run login scripts and, most importantly, GET PASSWORD EXPIRATION NOTIFICATION.
ASKER CERTIFIED SOLUTION
Sorry, I didn't see "GET PASSWORD EXPIRATION NOTIFICATION" - probably caps blindness :-)

As above, when the machine logs into the domain it will behave as it would do on the LAN.  Any group policies that you have defined will apply to the PC.  You need to test these things as you could accidentally stop them dialling in :)

However, if you mean that the password that they use to dial in with needs to expire, that gets much more complicated.
In the MPLS solution, this depends on how the ISP provides the service.  They might be able to offer authentication based on a RADIUS server on your site.  This could be integrated with your domain.  That might be a bit optimistic though.

pseudocyber
ASKER

We're using two Internet feeds from two large nationwide providers in our city.  We're peering BGP with them.  One of the connections is Ethernet and the other is a partial DS3.  There are no plans to move our Internet connection to MPLS - just our WAN connection.

I don't have a lot of knowledge about MPLS - so remote users could access the MPLS network somewhere out in the cloud, get authenticated, and join the network?

The remote users are using all kinds of different DSL and Cable Internet providers.  The dial-up users use an international company which resells local dial-up ISP access (iPass).  We could go with a RAS and modem bank, but we prefer not to at this point, unless it would represent a significant cost savings (reduce dial-in costs below $20K/mo).

The password expiration notification needs to come from the domain - this is the domain password, and when it expires and the user connects there's a conflict between the cached password and the domain password and the users wind up getting locked out of their laptops.

Yes, all laptops are distributed from Corporate office and need to adhere to corporate image from desktop support team.

Julian_C

Right - you don't need to move your Internet connection to MPLS in order to use it for your remote users.
Your remote users will essentially be part of your WAN.  They won't have direct Internet connectivity themselves under this route.
This is actually a good thing as it means they can't become infected with viruses/spyware from the Internet and then bring it on to your network.

The MPLS plan would work if your home users were being provided their network connections by the MPLS-capable ISP.  It sounds like they're not as they've got a load of different operators.  I've never encountered an inter-ISP MPLS network.

I didn't realise that you had a lot of International users.  That complicates matters further, and perhaps MPLS isn't the solution for you.

The domain login and password expiration stuff stands - as long as the machine is part of the network before the user logs on.

pseudocyber
ASKER

We don't have international users - we have a dial-up provider who is international - so wherever one goes, one should expect to find a local dial-in number instead of long-distance/toll-free.
SOLUTION
Julian_C

Ah - that makes sense then.
I'm not greatly familiar with the telecoms setup in the US, so I'm not going to get into a detailed discussion about it :)

I still suggest that you speak to whoever is doing your MPLS migration and see if they can suggest a solution for you.

pseudocyber
ASKER

What about SSL-based VPN - anyone using it?

What about Cisco & IPSEC encapsulated in TCP?
Thanks for your comments.

Julian_C

Glad I could help :-)