Solved

Geolocation SSL VPN

Posted on 2013-01-18
Last Modified: 2013-01-21
Hi All,

We have offices in different parts of the world, like US, France, Malaysia & India, and are looking for an SSLVPN solution for our traveling users. The detailed scenario is given below.

1) If my user is in India then he will get connected to the SSLVPN box of India.
2) If the same user travels to anywhere in Europe then he should automatically get connected to my France SSLVPN box, and the same goes for Asia Pacific: that means if he is in Japan or Singapore then he should be automatically directed to the SSLVPN box of Malaysia.

The whole process should be transparent to the user. Has anyone configured this type of solution?

Thanks and Regards
Darshan
Question by:dd2775
6 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 38796816
http://dev.maxmind.com/geoip/mod_geoip2

This is a mod to Apache that allows you to do geolocation services. You could set up an Apache server (if you don't have one), and have your users go to some host name that will determine where they are and redirect them to where you want them to go.

So you could use a host name of, say, sslvpn.yourdomain.yourtld as the URL they initially go to, then if they need to go to the one in France you would redirect them to sslvpnFR.yourdomain.yourtld.

You can search on Free Maxmind geoip and find various links of how to implement.
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 600 total points
ID: 38796939
Although you could use geo redirection for an HTTP website, for an SSL VPN client such as the Cisco AnyConnect client it will fail; after all, the SSL client is not a browser...

You will need to either run your own geo redirecting DNS servers, or use a geo redirecting DNS service.

The limitation of geo redirecting DNS is that it doesn't work on the client IP, but on the IP address of the client DNS server, so if for example the client has put the Google or OpenDNS DNS servers into the network config to bypass the local ISP servers, the geo redirect won't work...
0
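The resolver-versus-client limitation described in the accepted answer above, as an added example that is not part of the original post: a small audit that compares the gateway a geo-redirecting DNS would hand out (chosen from the resolver's address) with the gateway nearest the client's own address. The prefixes, gateway host names and sessions are constructed for illustration, and the default region is an assumption.

```python
import ipaddress

# Constructed data: documentation prefixes standing in for a GeoIP database.
GEO_DB = [
    ("192.0.2.0/25", "IN"),       # Indian ISP: clients and the ISP's resolver
    ("192.0.2.128/25", "EU"),     # European ISP
    ("198.51.100.0/24", "APAC"),  # Singapore hotel network
    ("203.0.113.0/24", "US"),     # public resolver hosted in the US
]
# Hypothetical gateway names, one per office named in the question.
GATEWAYS = {"IN": "sslvpn-in.example.com", "EU": "sslvpn-fr.example.com",
            "APAC": "sslvpn-my.example.com", "US": "sslvpn-us.example.com"}
DEFAULT_REGION = "US"  # assumption: fallback when an address is not in the database

NETS = sorted(((ipaddress.ip_network(p), r) for p, r in GEO_DB),
              key=lambda x: x[0].prefixlen, reverse=True)

def region_of(ip):
    """Longest-prefix match of an address against the geo database."""
    addr = ipaddress.ip_address(ip)
    for net, region in NETS:
        if addr in net:
            return region
    return DEFAULT_REGION

def geo_dns_answer(resolver_ip):
    """What the authoritative geo DNS returns: it only sees the resolver."""
    return GATEWAYS[region_of(resolver_ip)]

def nearest_gateway(client_ip):
    """What the user should get, judged by the client's own address."""
    return GATEWAYS[region_of(client_ip)]

def misrouted(sessions):
    """Return (user, got, expected) for sessions where DNS steering was wrong."""
    out = []
    for user, client_ip, resolver_ip in sessions:
        got, want = geo_dns_answer(resolver_ip), nearest_gateway(client_ip)
        if got != want:
            out.append((user, got, want))
    return out

# Constructed sessions: (user, client address, resolver the client queried).
SESSIONS = [
    ("alice", "192.0.2.10", "192.0.2.53"),      # India, ISP resolver
    ("bob", "192.0.2.200", "203.0.113.8"),      # Europe, public resolver
    ("carol", "198.51.100.7", "198.51.100.1"),  # Singapore, local resolver
]

if __name__ == "__main__":
    for row in misrouted(SESSIONS):
        print(row)
```

Run against VPN session logs that record both the client address and the gateway reached, the same comparison shows how many users a DNS-only scheme sends to the wrong box.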
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38797326
There is of course another solution, Anycast.

Anycast works by "advertising" (through BGP, the routing protocol of the Internet) the same destination (IP address) from different locations.

To do this you would need to have PI (Provider Independent) IP addresses, and ISPs that will advertise your PI space.

There is however an issue, as you would be using the PI space in multiple RIR (Regional Internet Registry) regions, namely the ones for ARIN, RIPE and APNIC, and with the current exhaustion of IPv4, "proving" your requirement for a /24 (the smallest network most ISPs will advertise for a client) to any of the RIRs might be "interesting" for what they might see as "frivolous".

All of that said, using Anycast does have some other advantages: if Internet connectivity at an office is lost, it would stop being advertised from that location, and new connections would automatically go to one of the other locations.

There is however one overarching issue: having people in geographic regions connect to their "local" VPN is fine for people who work in those regions, but how do you cope with the American-based worker who is in India for x time period, but needs access to data in America? Are you replicating data and systems between the sites?

http://en.wikipedia.org/wiki/BGP
http://en.wikipedia.org/wiki/Provider-independent_address_space
http://en.wikipedia.org/wiki/Anycast
0

 
LVL 37

Expert Comment

by:ArneLovius
ID: 38800604
average ?
0
 

Author Comment

by:dd2775
ID: 38800935
Appreciate the help on the solution, but there are technologies like F5 that give geo-location SSLVPN. They do it on 2 parameters: one is the DNS and the second is through the IP address, so in case the person uses an open DNS server then we can still track using the IP address.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38802262
fair point, have fun implementing it
0

Question has a verified solution.