Creating a brand new VPN environment

Hello,
I need to create a VPN environment for my company. Employees want to access the network from home. I don't know where to start and what I need for.
Please give me some hints how to do this.
Thanks,
dongocdung asked:
pergr commented:
Then just follow the manual (config guide) and set it up...
jacobstewart commented:
What type of firewall do you have for your company? Will you be looking to utilize server VPN or firewall VPN?

For basic client-based VPN, SonicWall firewalls have the Global VPN Client or the NetExtender option, which is SSL based. You can use LDAP authentication with them as well.
John (Business Consultant, Owner) commented:
Is this a large or small business? How many users?

I always recommend hardware VPN as it is less hassle in the long run.

I use Juniper Netscreen (very good) and Cisco Linksys (lower cost) for my clients. Juniper Netscreen are very good for small businesses and work reliably for years.

With any of these and newer Windows 7 64-bit, NCP Secure Entry (ncp-e.com) is an excellent client application. Shrew Soft is free, but has a few limitations. You have choice here.

.... Thinkpads_User
dongocdung (Author) commented:
I will create two different VPNs: one for production and one for the test environment. The production environment uses Juniper and the test environment uses an ASA 5520. My company is small; it has around 50-60 people.
pergr commented:
Juniper has the market leading product for SSL VPN, which is the most flexible type of VPN.

You would be looking at adding the Junos Pulse Gateway base system (MAG2600), whose hardware is about $1,000.

Then you need licenses for the number of concurrent users that will be logged in. With about 50 employees, I suspect not more than 10 will be using it at the same time. Total cost about $2,000.

Generally, it is probably a good idea to have the same type of solution for both production and testing... simplifies support, etc.

The solution above will preferably use the Junos Pulse software on the laptops, phones, iPads, etc., that will use the VPN. With that you will be able to deny them access in case their antivirus is not up to date, etc.
dongocdung (Author) commented:
Thanks for your input. I have two firewalls. Do I need to create two VPNs on these firewalls (Juniper and ASA)?
John (Business Consultant, Owner) commented:
You need a tunnel at each firewall if a remote site or client wishes to access that firewall. At one location it is sometimes useful to have just one active firewall.
dongocdung (Author) commented:
The firewall we have at the lab is used for developers only, and the firewall at production is used for everyone in my office. This is the first time I am doing this, so I don't have any idea. However, there should be two different VPNs.
John (Business Consultant, Owner) commented:
If you have a separate IP address for the developers, with a separate firewall, that is, all separate from the production end which has a different IP address, then there should be two different VPNs because each IP goes to a different end.

If you want all the traffic coming into one IP and distributed after (LAN segments) then you only need one VPN.

... Thinkpads_User
pergr commented:
With your Juniper boxes, the firewall has nothing to do with the SSL VPN itself.

You place the MAG device in a DMZ/zone of the firewall, and create a firewall rule/policy that allows SSL traffic from the Internet to the MAG. Then you have another rule/policy that allows traffic from the "inside" of the MAG to whatever internal zones you want to give each user access to.

If you have an SRX, then you can also implement automatic updates of the firewall rules based on the remote users identity and status (like antivirus status). However, I believe you need to get someone in to set that up - it is a bit complicated.
pergr commented:
Without knowing your complete network topology, it is not necessary to have two MAG devices, but you need to connect the two firewalls and do some routing somewhere.
dongocdung (Author) commented:
We will replace the Juniper with a Cisco ASA 5520. Is it still a good idea to have two different VPNs?
pergr commented:
If you have two firewalls of the same type, it should make sense to create a cluster and get redundancy. You could still make a virtual firewall for the test environment, in case it is necessary to separate more.

For VPN, if you have a single device, you can create a policy per user; maybe some should have access to both environments in one connection.

The Cisco cluster can perhaps handle a few SSL connections by itself.
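As an added illustration of the single-device, policy-per-user approach described above (not configuration from the thread or from any participant): two AnyConnect group policies on one ASA 5520, where staff reach only the production network and developers reach both environments in one connection. The network ranges, pool addresses, object names, package filename and password are placeholders chosen for this example.

```cisco
! Constructed example: one ASA 5520 terminates AnyConnect SSL VPN for both
! environments. Placeholders: 10.10.0.0/24 = production LAN, 10.20.0.0/24 = test LAN.
ip local pool POOL_STAFF 192.168.100.1-192.168.100.50 mask 255.255.255.0
ip local pool POOL_DEVS 192.168.101.1-192.168.101.20 mask 255.255.255.0
! Per-session filters, written with the VPN client as the source ("any" covers
! the pool). Staff reach production only; developers reach both networks.
access-list VPNFILTER_STAFF extended permit ip any 10.10.0.0 255.255.255.0
access-list VPNFILTER_DEVS extended permit ip any 10.10.0.0 255.255.255.0
access-list VPNFILTER_DEVS extended permit ip any 10.20.0.0 255.255.255.0
! Split tunnel: only the listed networks are sent through the tunnel.
access-list SPLIT_STAFF standard permit 10.10.0.0 255.255.255.0
access-list SPLIT_DEVS standard permit 10.10.0.0 255.255.255.0
access-list SPLIT_DEVS standard permit 10.20.0.0 255.255.255.0
group-policy GP_STAFF internal
group-policy GP_STAFF attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_STAFF
 vpn-filter value VPNFILTER_STAFF
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_STAFF
group-policy GP_DEVS internal
group-policy GP_DEVS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_DEVS
 vpn-filter value VPNFILTER_DEVS
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_DEVS
tunnel-group TG_STAFF type remote-access
tunnel-group TG_STAFF general-attributes
 default-group-policy GP_STAFF
tunnel-group TG_STAFF webvpn-attributes
 group-alias staff enable
tunnel-group TG_DEVS type remote-access
tunnel-group TG_DEVS general-attributes
 default-group-policy GP_DEVS
tunnel-group TG_DEVS webvpn-attributes
 group-alias developers enable
! Pin a developer account to its own profile so it cannot pick the staff alias
! (local user with a placeholder password; LDAP could replace this).
username dev1 password CHANGE_ME_PLACEHOLDER
username dev1 attributes
 vpn-group-policy GP_DEVS
 group-lock value TG_DEVS
webvpn
 enable outside
 anyconnect image disk0:/ANYCONNECT_PACKAGE_PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
```

With this layout the two environments stay separated by the vpn-filter on each session even though a single device terminates all tunnels.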
dongocdung (Author) commented:
Now I am setting up the firewall in the test environment first and will implement the VPN. What do I need to do first? What are the requirements?
Thanks,
pergr commented:
First you need to make sure the Cisco has the AnyConnect license.
dongocdung (Author) commented:
I just checked it. We have such a license.
dongocdung (Author) commented:
I found this article for Cisco. Is it useful for me to start?
https://learningnetwork.cisco.com/docs/DOC-8414