Solved

Geolocation SSL VPN

Posted on 2013-01-18
6
898 Views
Last Modified: 2013-01-21
Hi All,

We have offices in different part of World, like US, France, Malaysia & India and looking for a SSLVPN solution for our traveling users. The details scenario have been given below.

1) If my user is in India than he will get connected to the SSLVPN box of India.
2) If the same user travels to anywhere in Eurpore than he should be automatically getting connected to my France SSLVPN box and the same goes for Asia Pacfic that means if he is in Japan or Singapore than he should be automatically directed to the SSLVPN box of Malaysia.

The whole process should be transparent to the user. Has anyone configured this type of solution

Thanks and Regards
Darshan
0
Comment
Question by:dd2775
  • 4
6 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 38796816
http://dev.maxmind.com/geoip/mod_geoip2

This is a mod to Apache that allows you to do Geo location services.  You could setup an Apache server (if you don't have one), have your users go to some host name that will determine where they are and redirect to where you want them to go.

So you could do a host name of say, sslvpm.yourdomain.yourtld as the URL they initially go to, then if they need to go to the one in France you would redirect them to sslvpnFR.yourdomain.yourtld.

You can search on Free Maxmind geoip and find various links of how to implement.
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 300 total points
ID: 38796939
Although you could use geo redirection for a http website, for an SSL VPN client such as the Cisco AnyConnect client it will fail, after all, the SSL client is not a browser...

You will need to either run your own geo redirecting DNS servers, or use a geo redirecting DNS service.

The limitation of geo redirecting DNS, is that it doesn't work on the client IP, but on the IP address of the client DNS server, so if for example the client has put the Google or Opendns DNS servers into the network config to bypass the local ISP servers, the Geo redirect won't work...
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38797326
There is of course another solution, Anycast.

Any cast works by "advertisig" (through BGP, the routing protocol of the Internet) the same the same desitination (IP Address) from different locations.

To do this you would need to have PI (Provider Indepandant) IP addresses, and ISPs that will advertise your PI space.

There is however an issue, as you would be using the PI space in multiple RIR (Regional Internet Registry) regions, namely the ones for ARIN, RIPE and APNIC, and with the current exhaustion of IPv4, "proving" your requirement for a /24 (the smallest network most ISPs will advertise for a client) to any of the RIRs might be "interesting" for what they might see as "frivolous".

All of that said, using Anycoast does have some other advantages, if Internet connectivity at office is lost, it would stop being advertised from that location, and new connections would automatically go to one of the other locations.

There is however one overarching issue, having people in geographic regions connect to their "local" VPN is fine for people who work in those regions, how do you cope with the American based worker who is in India for x time period, but needs access to data in America ? Are you replicating data and systems between the sites ?

http://en.wikipedia.org/wiki/BGP
http://en.wikipedia.org/wiki/Provider-independent_address_space
http://en.wikipedia.org/wiki/Anycast
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 
LVL 37

Expert Comment

by:ArneLovius
ID: 38800604
average ?
0
 

Author Comment

by:dd2775
ID: 38800935
Appreciate for help on the solution, but there are technologies like F5 that give  geo-location  SSLVPN they do it on 2 parameters one is the DNS and second through IP address so incase the person uses open DNS server than we can still track using IP address.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38802262
fair point, have fun implementing it
0

Featured Post

Register Today - IoT Current and Future Threats

Are you prepared to protect your organization from current and future IoT Threats?  Join our Wi-Fi expert in episode three of our webinar series for a look at the current state of Wi-Fi IoT and what may lie ahead. Register for our live webinar on April 20th at 9 am PDT!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question