Solved

Geolocation SSL VPN

Posted on 2013-01-18
Last Modified: 2013-01-21
Hi All,

We have offices in different parts of the world, like the US, France, Malaysia & India, and are looking for an SSLVPN solution for our traveling users. The detailed scenario is given below.

1) If my user is in India then he will get connected to the SSLVPN box of India.
2) If the same user travels anywhere in Europe then he should automatically get connected to my France SSLVPN box, and the same goes for Asia Pacific: if he is in Japan or Singapore then he should be automatically directed to the SSLVPN box of Malaysia.

The whole process should be transparent to the user. Has anyone configured this type of solution?

Thanks and Regards
Darshan
0
Comment
Question by:dd2775
  • 4
6 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 38796816
http://dev.maxmind.com/geoip/mod_geoip2

This is a mod to Apache that allows you to do geolocation services. You could set up an Apache server (if you don't have one), and have your users go to some host name that will determine where they are and redirect them to where you want them to go.

So you could do a host name of say, sslvpm.yourdomain.yourtld as the URL they initially go to, then if they need to go to the one in France you would redirect them to sslvpnFR.yourdomain.yourtld.

You can search on Free Maxmind geoip and find various links on how to implement it.
0
 
LVL 36

Accepted Solution

by:
ArneLovius earned 300 total points
ID: 38796939
Although you could use geo redirection for an HTTP website, for an SSL VPN client such as the Cisco AnyConnect client it will fail; after all, the SSL client is not a browser...

You will need to either run your own geo redirecting DNS servers, or use a geo redirecting DNS service.

The limitation of geo redirecting DNS is that it doesn't work on the client IP, but on the IP address of the client's DNS server, so if for example the client has put the Google or OpenDNS DNS servers into the network config to bypass the local ISP servers, the geo redirect won't work...
0
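The resolver-versus-client limitation described in the answer above, as an added example that is not part of the original thread: a geo-redirecting DNS decision keyed on the resolver's address, compared with the choice the client's own source IP would imply. The prefix table, gateway host names and fallback region are constructed assumptions, not real geo data.

```python
import ipaddress

# Constructed prefix-to-region table using documentation ranges; a real
# deployment would load a GeoIP database instead.
GEO_TABLE = {
    "192.0.2.0/24": "IN",       # pretend: Indian ISP (clients and resolver)
    "198.51.100.0/24": "FR",    # pretend: French ISP (clients and resolver)
    "203.0.113.0/24": "US",     # pretend: public resolver, located as US
    "203.0.113.128/25": "MY",   # pretend: that resolver's Asia Pacific node
}
# Hypothetical gateway host names, one per SSL VPN box.
GATEWAYS = {r: f"vpn-{r.lower()}.example.com" for r in ("IN", "FR", "MY", "US")}
DEFAULT_REGION = "US"  # assumed fallback when an address is not in the table


def region_for(ip: str) -> str:
    """Longest-prefix match of an address against GEO_TABLE."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, region in GEO_TABLE.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region)
    return best[1] if best else DEFAULT_REGION


def geo_dns_answer(resolver_ip: str) -> str:
    """A geo-redirecting DNS server only sees the resolver's source address."""
    return GATEWAYS[region_for(resolver_ip)]


def steering_report(client_ip: str, resolver_ip: str) -> dict:
    """Compare the DNS-based choice with the one the client's own IP implies."""
    by_dns = geo_dns_answer(resolver_ip)
    by_client = GATEWAYS[region_for(client_ip)]
    return {"dns_answer": by_dns, "client_ip_choice": by_client,
            "mismatch": by_dns != by_client}


if __name__ == "__main__":
    # Constructed cases: (client source IP, resolver the client is configured with)
    for client, resolver in [("198.51.100.25", "198.51.100.53"),
                             ("198.51.100.25", "203.0.113.8"),
                             ("192.0.2.10", "203.0.113.200")]:
        print(client, resolver, steering_report(client, resolver))
```

Running the same comparison over gateway connection logs (gateway reached versus region of the client's source IP) shows how many users are being steered to the wrong box by their resolver choice.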
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38797326
There is of course another solution, Anycast.

Anycast works by "advertising" (through BGP, the routing protocol of the Internet) the same destination (IP address) from different locations.

To do this you would need to have PI (Provider Independent) IP addresses, and ISPs that will advertise your PI space.

There is however an issue, as you would be using the PI space in multiple RIR (Regional Internet Registry) regions, namely the ones for ARIN, RIPE and APNIC, and with the current exhaustion of IPv4, "proving" your requirement for a /24 (the smallest network most ISPs will advertise for a client) to any of the RIRs might be "interesting" for what they might see as "frivolous".

All of that said, using Anycast does have some other advantages: if Internet connectivity at an office is lost, it would stop being advertised from that location, and new connections would automatically go to one of the other locations.

There is however one overarching issue: having people in geographic regions connect to their "local" VPN is fine for people who work in those regions, but how do you cope with the American-based worker who is in India for x time period, but needs access to data in America? Are you replicating data and systems between the sites?

http://en.wikipedia.org/wiki/BGP
http://en.wikipedia.org/wiki/Provider-independent_address_space
http://en.wikipedia.org/wiki/Anycast
0

 
LVL 36

Expert Comment

by:ArneLovius
ID: 38800604
average ?
0
 

Author Comment

by:dd2775
ID: 38800935
I appreciate the help on the solution, but there are technologies like F5 that give geo-location SSLVPN. They do it on 2 parameters: one is the DNS and the second is the IP address, so in case the person uses an open DNS server then we can still track using the IP address.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38802262
fair point, have fun implementing it
0
