Creating a brand new VPN environment

I need to create a VPN environment for my company. Employees want to access the network from home. I don't know where to start or what I need.
Please give me some hints on how to do this.

What type of firewall do you have for your company? Will you be looking to utilize server VPN or firewall VPN?

For basic client-based VPN, SonicWall firewalls have the Global VPN Client or the NetExtender option, which is SSL-based. You can use LDAP authentication with them as well.
John, Business Consultant (Owner), commented:
Is this a large or small business? How many users?

I always recommend hardware VPN as it is less hassle in the long run.

I use Juniper Netscreen (very good) and Cisco Linksys (lower cost) for my clients. Juniper Netscreen are very good for small businesses and work reliably for years.

With any of these and newer Windows 7 64-bit, NCP Secure Entry is an excellent client application. Shrew Soft is free, but has a few limitations. You have a choice here.

.... Thinkpads_User
dongocdung (Author) commented:
I will create two different VPNs. One for production and one for the test environment. The production one uses Juniper and the test environment uses an ASA 5520. My company is small. It has around 50-60 people.
Juniper has the market leading product for SSL VPN, which is the most flexible type of VPN.

You would be looking at adding the Junos Pulse Gateway base system (MAG2600), whose hardware is about $1,000.

Then you need licenses for the number of concurrent users that will be logged in. With about 50 employees, I suspect not more than 10 will be using it at the same time. Total cost about $2,000.

Generally, it is probably a good idea to have the same type of solution for both production and testing... simplifies support, etc.

The solution above will preferably use the Junos Pulse software on the laptops, phones, iPads, etc. that will use the VPN. With that you will be able to deny them access in case their antivirus is not up to date, etc., etc.
dongocdung (Author) commented:
Thanks for your input. I have two firewalls. Do I need to create two VPNs on these firewalls (Juniper and ASA)?
John, Business Consultant (Owner), commented:
You need a tunnel at each firewall if a remote site or client wishes to access that firewall. At one location it is sometimes useful to have just one active firewall.
dongocdung (Author) commented:
The firewall we have at the lab is used for developers only and the firewall at production is used for everyone in my office. This is the first time I am doing this, so I don't have any idea. However, there should be two different VPNs.
John, Business Consultant (Owner), commented:
If you have a separate IP address for the developers, with a separate firewall, that is, all separate from the production end which has a different IP address, then there should be two different VPNs because each IP goes to a different end.

If you want all the traffic coming into one IP and distributed after (LAN segments) then you only need one VPN.

... Thinkpads_User
With your Juniper boxes, the firewall has nothing to do with the SSL VPN itself.

You place the MAG device in a DMZ/zone of the firewall, and create a firewall rule/policy that allows SSL traffic from the Internet to the MAG. Then you have another rule/policy that allows traffic from the "inside" of the MAG to whatever internal zones you want to give each user access to.

If you have an SRX, then you can also implement automatic updates of the firewall rules based on the remote user's identity and status (like antivirus status). However, I believe you need to get someone in to set that up; it is a bit complicated.
Without knowing your complete network topology, it is not necessary to have two MAG devices, but you need to connect the two firewalls and do some routing somewhere.
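The two-policy layout described above (Internet to the MAG on HTTPS only, then the MAG's inside leg to just the internal subnets users are allowed to reach), written as Junos set commands for an SRX. This is an added illustration, not configuration from this thread; the zone names, the MAG addresses, the internal subnet and the policy names are assumed.

```junos
## Added illustration, not from the thread. Assumed: zones untrust/dmz/trust,
## MAG external interface 192.0.2.10, MAG internal interface 10.10.10.10,
## internal application subnet 10.20.0.0/24 (all constructed values).

## Address-book entries referenced by the policies below
set security zones security-zone dmz address-book address mag-external 192.0.2.10/32
set security zones security-zone dmz address-book address mag-internal 10.10.10.10/32
set security zones security-zone trust address-book address app-servers 10.20.0.0/24

## Policy 1: Internet -> MAG, HTTPS only (the SSL VPN listener), logged
set security policies from-zone untrust to-zone dmz policy allow-sslvpn match source-address any
set security policies from-zone untrust to-zone dmz policy allow-sslvpn match destination-address mag-external
set security policies from-zone untrust to-zone dmz policy allow-sslvpn match application junos-https
set security policies from-zone untrust to-zone dmz policy allow-sslvpn then permit
set security policies from-zone untrust to-zone dmz policy allow-sslvpn then log session-init
set security policies from-zone untrust to-zone dmz policy allow-sslvpn then log session-close

## Policy 2: MAG "inside" -> trust, only from the MAG's own internal address
## and only to the subnet the VPN users are meant to reach
set security policies from-zone dmz to-zone trust policy mag-to-apps match source-address mag-internal
set security policies from-zone dmz to-zone trust policy mag-to-apps match destination-address app-servers
set security policies from-zone dmz to-zone trust policy mag-to-apps match application any
set security policies from-zone dmz to-zone trust policy mag-to-apps then permit
set security policies from-zone dmz to-zone trust policy mag-to-apps then log session-init
set security policies from-zone dmz to-zone trust policy mag-to-apps then log session-close

## Explicit, logged deny as the last dmz->trust policy so that anything else
## in the DMZ (or a misconfigured MAG) cannot reach the inside unnoticed
set security policies from-zone dmz to-zone trust policy deny-rest match source-address any
set security policies from-zone dmz to-zone trust policy deny-rest match destination-address any
set security policies from-zone dmz to-zone trust policy deny-rest match application any
set security policies from-zone dmz to-zone trust policy deny-rest then deny
set security policies from-zone dmz to-zone trust policy deny-rest then log session-init
```

Per-user or per-group access (the "each user" part of the comment) is normally enforced on the MAG's own resource policies, with the firewall only bounding what the MAG as a whole may reach.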
dongocdung (Author) commented:
We will replace the Juniper with a Cisco ASA 5520. Is it still a good idea to have two different VPNs?
If you have two firewalls of the same type, it should make sense to create a cluster and get redundancy. You could still make a virtual firewall for the test environment, in case it is necessary to separate more.

For VPN, if you have a single device, you can create a policy per user; maybe some should have access to both environments in one connection.

The Cisco cluster can perhaps handle a few SSL connections by itself.
dongocdung (Author) commented:
Now, I am setting up the firewall in the test environment first and implementing the VPN. What do I need to do first? What are the requirements?
First you need to make sure the Cisco has the AnyConnect license.
dongocdung (Author) commented:
I just checked it. We have such license.
Then just follow the manual (config guide) and set it up...

dongocdung (Author) commented:
I found this article for Cisco. Is it useful for me to start?