Solved

Creating a brand new VPN environment

Posted on 2012-04-09
Last Modified: 2012-05-01
Hello,
I need to create a VPN environment for my company. Employees want to access the network from home. I don't know where to start and what I need for.
Please give me some hints how to do this.
Thanks,
Question by:dongocdung
17 Comments
 
LVL 6

Assisted Solution

by:jacobstewart
jacobstewart earned 56 total points
ID: 37823716
What type of firewall do you have for your company? Will you be looking to utilize server VPN or firewall VPN?

For basic client-based VPN, SonicWall firewalls have the Global VPN Client or the NetExtender option, which is SSL-based. You can use LDAP authentication with them as well.
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 37823827
Is this a large or small business? How many users?

I always recommend hardware VPN as it is less hassle in the long run.

I use Juniper Netscreen (very good) and Cisco Linksys (lower cost) for my clients. Juniper Netscreen are very good for small businesses and work reliably for years.

With any of these and newer Windows 7 64-bit, NCP Secure Entry (ncp-e.com) is an excellent client application. Shrew Soft is free, but has a few limitations. You have choice here.

.... Thinkpads_User
 

Author Comment

by:dongocdung
ID: 37823935
I will create two different VPNs. One for production and one for the test environment. Production uses Juniper and the test environment uses an ASA 5520. My company is small. It has around 50-60 people.
 
LVL 17

Assisted Solution

by:pergr
pergr earned 277 total points
ID: 37826536
Juniper has the market leading product for SSL VPN, which is the most flexible type of VPN.

You would be looking at adding the Junos Pulse Gateway base system (MAG2600), whose hardware is about $1,000.

Then you need licenses for the number of concurrent users that will be logged in. With about 50 employees, I suspect not more than 10 will be using it at the same time. Total cost about $2,000.

Generally, it is probably a good idea to have the same type of solution for both production and testing... simplifies support, etc.

The solution above will preferably use the Junos Pulse software on the laptops, phones, iPads, etc., that will use the VPN. With that you will be able to deny them access in case their antivirus is not up to date, etc.
 

Author Comment

by:dongocdung
ID: 37828260
Thanks for your input. I have two firewalls. Do I need to create two VPNs on these firewalls (Juniper and ASA)?
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 37828299
You need a tunnel at each firewall if a remote site or client wishes to access that firewall. At one location it is sometimes useful to have just one active firewall.
 

Author Comment

by:dongocdung
ID: 37828609
The firewall we have at the lab is used for developers only and the firewall at production is used for everyone in my office. This is the first time I am doing this, so I don't have any idea. However, there should be two different VPNs.
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 37828625
If you have a separate IP address for the developers, with a separate firewall, that is, all separate from the production end which has a different IP address, then there should be two different VPNs because each IP goes to a different end.

If you want all the traffic coming into one IP and distributed after (LAN segments) then you only need one VPN.

... Thinkpads_User
 
LVL 17

Assisted Solution

by:pergr
pergr earned 277 total points
ID: 37828983
With your Juniper boxes, the firewall has nothing to do with the SSL VPN itself.

You place the MAG device in a DMZ/zone of the firewall, and create a firewall rule/policy that allows SSL traffic from the Internet to the MAG. Then you have another rule/policy that allows traffic from the "inside" of the MAG to what ever internal zones you want to give each user access to.

If you have an SRX, then you can also implement automatic updates of the firewall rules based on the remote users identity and status (like antivirus status). However, I believe you need to get someone in to set that up - it is a bit complicated.
 
LVL 17

Expert Comment

by:pergr
ID: 37828990
Without knowing your complete network topology, it is not necessary to have two MAG devices, but you need to connect the two firewalls and do some routing somewhere.
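The two-policy pattern pergr describes above (SSL VPN gateway in a DMZ zone, one rule from the Internet to the gateway on 443, one rule from the gateway to the internal zones) written out as an added example. It is not configuration from the thread or from Juniper; it is in Cisco ASA syntax (8.3+ NAT and ACL conventions) because the asker's lab firewall is an ASA 5520, and the interface names, the gateway address 10.50.0.10, the public address 203.0.113.10 and the internal subnet are assumptions.

```cisco
! Added example, not from the thread. Addresses, interface and ACL names are assumptions.
! The SSL VPN gateway sits in the DMZ; the firewall exposes only TCP/443 to it from the
! Internet and lets it reach only the inside subnets remote users actually need.

interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.50.0.1 255.255.255.0

! Publish the gateway on one public address (8.3+ object NAT).
object network MAG_DMZ
 host 10.50.0.10
 nat (dmz,outside) static 203.0.113.10

! Rule 1: Internet -> gateway, SSL only. Nothing else in the DMZ is reachable.
! With 8.3+ the ACL references the real (pre-NAT) address of the gateway.
access-list OUTSIDE_IN extended permit tcp any host 10.50.0.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Rule 2: gateway -> inside, scoped to the gateway's own address and the named subnet.
! Keep this narrow: "permit ip any any" here turns a compromised gateway into a pivot
! into every LAN segment behind the firewall.
access-list DMZ_IN extended permit ip host 10.50.0.10 10.1.0.0 255.255.0.0
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

The `deny ip any any log` lines are there so that anything the gateway or the Internet tries beyond the two permitted flows shows up in the syslog, which is the cheapest detection you get from this design.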
 

Author Comment

by:dongocdung
ID: 37838031
We will replace the Juniper with a Cisco ASA 5520. Is it still a good idea to have two different VPNs?
 
LVL 17

Assisted Solution

by:pergr
pergr earned 277 total points
ID: 37841248
If you have two firewalls of the same type, it should make sense to create a cluster and get redundancy. You could still make a virtual firewall for the test environment, in case it is necessary to separate more.

For VPN, if you have a single device, you can create a policy per user; maybe some should have access to both environments in one connection.

The Cisco cluster can perhaps handle a few SSL connections by itself.
 

Author Comment

by:dongocdung
ID: 37856104
Now, I am setting up the firewall in the test environment first and implementing the VPN. What do I need to do first? What are the requirements?
Thanks,
 
LVL 17

Assisted Solution

by:pergr
pergr earned 277 total points
ID: 37860143
First you need to make sure the Cisco has the AnyConnect license.
 

Author Comment

by:dongocdung
ID: 37867812
I just checked it. We have such license.
 
LVL 17

Accepted Solution

by:pergr
pergr earned 277 total points
ID: 37869199
Then just follow the manual (config guide) and set it up...
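A minimal AnyConnect remote-access setup on the ASA 5520 for the two environments the thread settles on (production for everyone, lab for developers), as an added example and not configuration from the thread or from Cisco's config guide. It assumes ASA 8.4 command syntax (on 8.2 the older spellings are `svc image`, `svc enable` and `vpn-tunnel-protocol svc`), an already-defined AAA server group named LDAP_SRV, and made-up pools, subnets, user name and package file name. It also shows the per-user policy pergr mentions, pinning a developer to the lab profile.

```cisco
! Added example, not from the thread. Names, addresses, the user and the package file
! are assumptions; LDAP_SRV is assumed to exist as an aaa-server group.

! Prerequisite the thread calls out: confirm the license before anything else.
! show version | include AnyConnect
! show activation-key

! One client pool per environment, so remote users are distinguishable by address.
ip local pool POOL_PROD 10.200.1.1-10.200.1.62 mask 255.255.255.192
ip local pool POOL_LAB  10.200.2.1-10.200.2.30 mask 255.255.255.224

! vpn-filter ACLs: what each group may reach through the tunnel, written with the
! client pool as the source; the ASA matches them in both directions.
! They matter because "sysopt connection permit-vpn" (on by default) lets decrypted
! VPN traffic bypass the outside interface ACL, so this is the only control on it.
access-list VPN_PROD_FILTER extended permit ip 10.200.1.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list VPN_LAB_FILTER  extended permit ip 10.200.2.0 255.255.255.224 10.9.0.0 255.255.255.0

! Split tunnel: only corporate prefixes go through the tunnel. Drop the
! split-tunnel lines below for a full tunnel if the company wants all traffic inspected.
access-list SPLIT_PROD standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_LAB  standard permit 10.9.0.0 255.255.255.0

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.08057-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

group-policy GP_PROD internal
group-policy GP_PROD attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_PROD
 vpn-filter value VPN_PROD_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_PROD
 vpn-idle-timeout 30

group-policy GP_LAB internal
group-policy GP_LAB attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_LAB
 vpn-filter value VPN_LAB_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_LAB
 vpn-idle-timeout 30

! Two connection profiles; users choose one by alias in the AnyConnect client.
tunnel-group TG_PROD type remote-access
tunnel-group TG_PROD general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy GP_PROD
tunnel-group TG_PROD webvpn-attributes
 group-alias production enable

tunnel-group TG_LAB type remote-access
tunnel-group TG_LAB general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy GP_LAB
tunnel-group TG_LAB webvpn-attributes
 group-alias lab enable

! Per-user policy: a developer is locked to the lab profile, so selecting
! "production" in the client fails. Shown with a local account (placeholder password);
! with LDAP the same mapping is done from a directory attribute to the group policy.
username devtest password ChangeMe-Placeholder privilege 0
username devtest attributes
 vpn-group-policy GP_LAB
 group-lock value TG_LAB
```

Two checks worth running once it is up: `show vpn-sessiondb anyconnect` to confirm the assigned address comes from the expected pool and the right group policy was applied, and a connection attempt from a lab user to a production address, which should be dropped by the vpn-filter rather than reach the inside.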
 

Author Comment

by:dongocdung
ID: 37887083
I found this article for Cisco. Is it useful for me to start?
https://learningnetwork.cisco.com/docs/DOC-8414
