Solved

Geolocation SSL VPN

Posted on 2013-01-18
835 Views
Last Modified: 2013-01-21
Hi All,

We have offices in different parts of the world, like the US, France, Malaysia & India, and are looking for an SSLVPN solution for our traveling users. The detailed scenario is given below.

1) If my user is in India, then he will get connected to the SSLVPN box in India.
2) If the same user travels anywhere in Europe, then he should automatically get connected to my France SSLVPN box, and the same goes for Asia Pacific: if he is in Japan or Singapore, then he should automatically be directed to the SSLVPN box in Malaysia.

The whole process should be transparent to the user. Has anyone configured this type of solution?

Thanks and Regards
Darshan
Question by:dd2775
6 Comments
LVL 57

Expert Comment

by:giltjr
ID: 38796816
http://dev.maxmind.com/geoip/mod_geoip2

This is a mod to Apache that allows you to do geolocation services. You could set up an Apache server (if you don't have one), have your users go to some host name that will determine where they are, and redirect them to where you want them to go.

So you could use a host name of, say, sslvpn.yourdomain.yourtld as the URL they initially go to, then if they need to go to the one in France you would redirect them to sslvpnFR.yourdomain.yourtld.

You can search on "free MaxMind GeoIP" and find various links on how to implement it.
LVL 36

Accepted Solution

by:
ArneLovius earned 300 total points
ID: 38796939
Although you could use geo redirection for an HTTP website, for an SSL VPN client such as the Cisco AnyConnect client it will fail; after all, the SSL client is not a browser...

You will need to either run your own geo redirecting DNS servers, or use a geo redirecting DNS service.

The limitation of geo redirecting DNS is that it doesn't work on the client IP, but on the IP address of the client's DNS server, so if for example the client has put the Google or OpenDNS DNS servers into the network config to bypass the local ISP servers, the geo redirect won't work...
LVL 36

Expert Comment

by:ArneLovius
ID: 38797326
There is of course another solution, Anycast.

Anycast works by "advertising" (through BGP, the routing protocol of the Internet) the same destination (IP address) from different locations.

To do this you would need to have PI (Provider Independent) IP addresses, and ISPs that will advertise your PI space.

There is however an issue, as you would be using the PI space in multiple RIR (Regional Internet Registry) regions, namely the ones for ARIN, RIPE and APNIC, and with the current exhaustion of IPv4, "proving" your requirement for a /24 (the smallest network most ISPs will advertise for a client) to any of the RIRs might be "interesting" for what they might see as "frivolous".

All of that said, using Anycast does have some other advantages: if Internet connectivity at an office is lost, the prefix would stop being advertised from that location, and new connections would automatically go to one of the other locations.

There is however one overarching issue: having people in geographic regions connect to their "local" VPN is fine for people who work in those regions, but how do you cope with the America-based worker who is in India for x time period, but needs access to data in America? Are you replicating data and systems between the sites?

http://en.wikipedia.org/wiki/BGP
http://en.wikipedia.org/wiki/Provider-independent_address_space
http://en.wikipedia.org/wiki/Anycast
LVL 36

Expert Comment

by:ArneLovius
ID: 38800604
average?
Author Comment

by:dd2775
ID: 38800935
Appreciate the help on the solution, but there are technologies like F5 that give geo-location SSLVPN; they do it on 2 parameters, one is the DNS and the second is through the IP address, so in case the person uses the OpenDNS server then we can still track using the IP address.
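An added example (not code from this thread, from F5, or from any vendor) that models the two selection methods discussed in the accepted answer and the author's comment: a geo-aware DNS server can only decide on the address of the resolver that queried it, whereas a gateway that inspects the peer address at connect time can decide on the client's real address. The region prefixes (RFC 5737 documentation ranges) and gateway hostnames are constructed placeholders.

```python
import ipaddress

# Constructed mapping of address blocks to the nearest SSL VPN gateway.
# The prefixes are documentation ranges standing in for real regional space.
REGION_PREFIXES = {
    "192.0.2.0/24":    "sslvpnUS.example.com",  # stands in for US space
    "198.51.100.0/24": "sslvpnFR.example.com",  # stands in for European space
    "203.0.113.0/24":  "sslvpnMY.example.com",  # stands in for Asia-Pacific space
}
DEFAULT_GATEWAY = "sslvpnUS.example.com"  # fallback for unknown address space

_TABLE = [(ipaddress.ip_network(p), gw) for p, gw in REGION_PREFIXES.items()]


def gateway_for_ip(addr):
    """Longest-prefix match of an address against the region table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw in _TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else DEFAULT_GATEWAY


def geo_dns_answer(resolver_ip, client_ip):
    """What a geo-redirecting DNS server can do: it sees only the recursive
    resolver's source address, so client_ip is deliberately ignored here.
    (Ignoring it is the point: the authoritative server never learns it.)"""
    return gateway_for_ip(resolver_ip)


def connect_time_redirect(client_ip):
    """What a gateway can do once the VPN client actually connects: inspect
    the TCP peer address and pick the gateway for the client's real location."""
    return gateway_for_ip(client_ip)


def resolve_gateway(resolver_ip, client_ip):
    """Combined policy: DNS gives the first hop; the gateway the client lands on
    re-points it if the DNS answer was wrong for the client's real address.
    Returns (dns_answer, corrected_gateway)."""
    first_hop = geo_dns_answer(resolver_ip, client_ip)
    corrected = connect_time_redirect(client_ip)
    return first_hop, corrected
```

A traveller in the "European" block who has hard-coded a resolver in the "US" block is sent to the US gateway by DNS alone, and only the connect-time check brings them to the French gateway.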
LVL 36

Expert Comment

by:ArneLovius
ID: 38802262
fair point, have fun implementing it