• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 416
  • Last Modified:

Creating a brand new VPN environment

Hello,
I need to create a VPN environment for my company. Employees want to access the network from home. I don't know where to start or what I need.
Please give me some hints on how to do this.
Thanks,
0
dongocdung
Asked:
dongocdung
9 Solutions
 
jacobstewart commented:
What type of firewall do you have for your company?  Will you be looking to utilize server VPN or firewall VPN?

For basic client-based VPN, SonicWall firewalls have the Global VPN Client or the NetExtender option, which is SSL based.  You can use LDAP authentication with them as well.
0
 
John Hurst, Business Consultant (Owner), commented:
Is this a large or small business? How many users?

I always recommend hardware VPN as it is less hassle in the long run.

I use Juniper Netscreen (very good) and Cisco Linksys (lower cost) for my clients. Juniper Netscreen are very good for small businesses and work reliably for years.

With any of these and newer Windows 7 64-bit, NCP Secure Entry (ncp-e.com) is an excellent client application. Shrew Soft is free, but has a few limitations. You have choice here.

.... Thinkpads_User
0
 
dongocdung (Author) commented:
I will create two different VPNs: one for production and one for the test environment. The production environment uses Juniper and the test environment uses an ASA 5520. My company is small. It has around 50-60 people.
0
 
pergr commented:
Juniper has the market leading product for SSL VPN, which is the most flexible type of VPN.

You would be looking at adding the Junos Pulse Gateway base system (MAG2600), whose hardware is about $1,000.

Then you need licenses for the number of concurrent users that will be logged in. With about 50 employees, I suspect not more than 10 will be using it at the same time. Total cost about $2,000.

Generally, it is probably a good idea to have the same type of solution for both production and testing... simplifies support, etc.

The solution above will preferably use the Junos Pulse software on the laptops, phones, iPads, etc. that will use the VPN. With that you will be able to deny them access in case their antivirus is not up to date, etc.
0
 
dongocdung (Author) commented:
Thanks for your input. I have two firewalls. Do I need to create two VPNs on these firewalls (Juniper and ASA)?
0
 
John Hurst, Business Consultant (Owner), commented:
You need a tunnel at each firewall if a remote site or client wishes to access that firewall. At one location it is sometimes useful to have just one active firewall.
0
 
dongocdung (Author) commented:
The firewall we have at the lab is used for developers only, and the firewall at production is used for everyone in my office. This is the first time I am doing this, so I don't have any idea. However, there should be two different VPNs.
0
 
John Hurst, Business Consultant (Owner), commented:
If you have a separate IP address for the developers, with a separate firewall, that is, all separate from the production end which has a different IP address, then there should be two different VPNs because each IP goes to a different end.

If you want all the traffic coming into one IP and distributed after (LAN segments) then you only need one VPN.

... Thinkpads_User
0
 
pergr commented:
With your Juniper boxes, the firewall has nothing to do with the SSL VPN itself.

You place the MAG device in a DMZ/zone of the firewall, and create a firewall rule/policy that allows SSL traffic from the Internet to the MAG. Then you have another rule/policy that allows traffic from the "inside" of the MAG to whatever internal zones you want to give each user access to.

If you have an SRX, then you can also implement automatic updates of the firewall rules based on the remote user's identity and status (like antivirus status). However, I believe you need to get someone in to set that up; it is a bit complicated.
0
 
pergr commented:
Without knowing your complete network topology, it is not necessary to have two MAG devices, but you need to connect the two firewalls and do some routing somewhere.
0
 
dongocdung (Author) commented:
We will replace the Juniper with a Cisco ASA 5520. Is it still a good idea to have two different VPNs?
0
 
pergr commented:
If you have two firewalls of the same type, it should make sense to create a cluster and get redundancy. You could still make a virtual firewall for the test environment, in case it is necessary to separate more.

For VPN, if you have a single device, you can create a policy per user; maybe some should have access to both environments in one connection.

The Cisco cluster can perhaps handle a few SSL connections by itself.
0
 
dongocdung (Author) commented:
Now I am setting up the firewall in the test environment first and then implementing the VPN. What do I need to do first? What are the requirements?
Thanks,
0
 
pergr commented:
First you need to make sure the Cisco has the AnyConnect license.
0
 
dongocdung (Author) commented:
I just checked it. We have such a license.
0
 
pergr commented:
Then just follow the manual (config guide) and set it up...
0
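As an added example (not posted by anyone in this thread, and not taken from the Cisco configuration guide), here is the shape a minimal AnyConnect SSL VPN setup takes on an ASA 5520 running 8.3-or-later syntax, for the lab firewall discussed above: LDAP authentication against the lab directory, split tunnelling limited to the lab subnet, and a per-group vpn-filter that narrows what the developers' tunnel can reach. Every address, object name, LDAP DN, hostname and the AnyConnect package filename is a constructed placeholder and would have to be replaced with the real values.

```cisco
! ---- Placeholders (constructed for this example) ----
! 10.20.0.0/24   lab (inside) network, LDAP server at 10.20.0.5
! 10.99.0.0/24   address pool handed to AnyConnect clients
! 198.51.100.2   the ASA's outside address (documentation range)

! Address pool for remote clients; 50 addresses covers the expected
! concurrency comfortably (the thread expects ~10 at a time).
ip local pool ANYCONNECT-POOL 10.99.0.10-10.99.0.59 mask 255.255.255.0

object network LAB-NET
 subnet 10.20.0.0 255.255.255.0
object network VPN-POOL-NET
 subnet 10.99.0.0 255.255.255.0

! Identity (no-op) NAT so lab-to-VPN traffic is not translated by any
! outbound PAT rule that may exist for normal Internet access.
nat (inside,outside) source static LAB-NET LAB-NET destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup

! LDAP (Active Directory style) authentication for VPN users.
! The bind account should be a read-only directory user.
aaa-server LAB-LDAP protocol ldap
aaa-server LAB-LDAP (inside) host 10.20.0.5
 ldap-base-dn dc=lab,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=lab,dc=example,dc=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 server-type microsoft

! Only the lab subnet goes through the tunnel; everything else stays local.
access-list SPLIT-LAB standard permit 10.20.0.0 255.255.255.0

! vpn-filter: applied to traffic arriving from the VPN client. Because
! "sysopt connection permit-vpn" is on by default, decrypted VPN traffic
! bypasses the outside interface ACL, so this filter is where least
! privilege for the developer group is actually enforced.
access-list VPN-DEV-FILTER extended permit tcp any 10.20.0.0 255.255.255.0 eq 22
access-list VPN-DEV-FILTER extended permit tcp any 10.20.0.0 255.255.255.0 eq 443
access-list VPN-DEV-FILTER extended permit udp any host 10.20.0.5 eq 53
access-list VPN-DEV-FILTER extended deny ip any any log

! Enable the SSL VPN listener and the AnyConnect client image.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-VERSION-PLACEHOLDER-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

! Group policy = what a connected developer gets.
group-policy GP-DEV internal
group-policy GP-DEV attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-LAB
 vpn-filter value VPN-DEV-FILTER
 dns-server value 10.20.0.5
 vpn-idle-timeout 30
 vpn-session-timeout 480

! Tunnel group = how a developer connects and authenticates.
tunnel-group TG-DEV type remote-access
tunnel-group TG-DEV general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group LAB-LDAP
 default-group-policy GP-DEV
tunnel-group TG-DEV webvpn-attributes
 group-alias developers enable
```

After applying this, `show vpn-sessiondb anyconnect` lists connected users and the group policy each one landed in, and `show run webvpn` confirms the listener and image. A second group policy and tunnel group with its own vpn-filter is how the per-user (really per-group) access pergr mentions is expressed when production and lab are later served from one ASA cluster.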
 
dongocdung (Author) commented:
I found this article for Cisco. Is it useful for me as a starting point?
https://learningnetwork.cisco.com/docs/DOC-8414
0
