Solved

Geolocation SSL VPN

Posted on 2013-01-18
Last Modified: 2013-01-21
Hi All,

We have offices in different parts of the world, like the US, France, Malaysia & India, and are looking for an SSLVPN solution for our traveling users. The detailed scenario is given below.

1) If my user is in India then he will get connected to the SSLVPN box of India.
2) If the same user travels anywhere in Europe then he should automatically get connected to my France SSLVPN box, and the same goes for Asia Pacific: if he is in Japan or Singapore then he should be automatically directed to the SSLVPN box of Malaysia.

The whole process should be transparent to the user. Has anyone configured this type of solution?

Thanks and Regards
Darshan
0
Question by:dd2775
6 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 38796816
http://dev.maxmind.com/geoip/mod_geoip2

This is a mod for Apache that allows you to do geolocation services.  You could set up an Apache server (if you don't have one), have your users go to some host name that will determine where they are and redirect them to where you want them to go.

So you could use a host name of, say, sslvpm.yourdomain.yourtld as the URL they initially go to, then if they need to go to the one in France you would redirect them to sslvpnFR.yourdomain.yourtld.

You can search for "free MaxMind GeoIP" and find various links on how to implement it.
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 600 total points
ID: 38796939
Although you could use geo redirection for an HTTP website, for an SSL VPN client such as the Cisco AnyConnect client it will fail; after all, the SSL client is not a browser...

You will need to either run your own geo redirecting DNS servers, or use a geo redirecting DNS service.

The limitation of geo redirecting DNS is that it doesn't work on the client IP, but on the IP address of the client's DNS server, so if for example the client has put the Google or OpenDNS DNS servers into the network config to bypass the local ISP servers, the geo redirect won't work...
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38797326
There is of course another solution, Anycast.

Anycast works by "advertising" (through BGP, the routing protocol of the Internet) the same destination (IP address) from different locations.

To do this you would need to have PI (Provider Independent) IP addresses, and ISPs that will advertise your PI space.

There is however an issue, as you would be using the PI space in multiple RIR (Regional Internet Registry) regions, namely the ones for ARIN, RIPE and APNIC, and with the current exhaustion of IPv4, "proving" your requirement for a /24 (the smallest network most ISPs will advertise for a client) to any of the RIRs might be "interesting" for what they might see as "frivolous".

All of that said, using Anycast does have some other advantages: if Internet connectivity at an office is lost, it would stop being advertised from that location, and new connections would automatically go to one of the other locations.

There is however one overarching issue: having people in geographic regions connect to their "local" VPN is fine for people who work in those regions, but how do you cope with the American-based worker who is in India for x time period, but needs access to data in America? Are you replicating data and systems between the sites?

http://en.wikipedia.org/wiki/BGP
http://en.wikipedia.org/wiki/Provider-independent_address_space
http://en.wikipedia.org/wiki/Anycast
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38800604
average ?
0
 

Author Comment

by:dd2775
ID: 38800935
Appreciate the help on the solution, but there are technologies like F5 that give geo-location SSLVPN; they do it on 2 parameters, one is the DNS and the second is the IP address, so in case the person uses an open DNS server then we can still track using the IP address.
0
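The resolver-versus-client limitation from the accepted solution, and the two-parameter idea raised in the author comment above, as an added example that is not from any poster and is not F5's or any vendor's implementation. The prefix table, host names and fallback region are constructed assumptions; the model picks a gateway by resolver IP first, then re-checks against the real client IP at connect time.

```python
import ipaddress

# Constructed prefix -> region table (RFC 5737 documentation ranges, not real geo data).
PREFIXES = [
    ("198.51.100.0/24", "APAC"),    # constructed: Asia Pacific ISP block
    ("198.51.100.128/25", "IN"),    # constructed: more specific Indian block inside it
    ("203.0.113.0/24", "EU"),       # constructed: European ISP block
    ("192.0.2.0/24", "US"),         # constructed: US block hosting a public resolver
]
# Hypothetical gateway host names, one per office mentioned in the question.
GATEWAYS = {"US": "sslvpn-us.example.net", "EU": "sslvpn-fr.example.net",
            "APAC": "sslvpn-my.example.net", "IN": "sslvpn-in.example.net"}
DEFAULT_REGION = "US"  # assumption: fallback for addresses not in the table

_TABLE = [(ipaddress.ip_network(p), r) for p, r in PREFIXES]

def region_of(ip):
    """Longest-prefix match of an address against the region table."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, region) for net, region in _TABLE if addr in net]
    return max(hits)[1] if hits else DEFAULT_REGION

def geodns_answer(resolver_ip):
    """Geo DNS stage: the DNS server only ever sees the resolver's address."""
    return GATEWAYS[region_of(resolver_ip)]

def gateway_recheck(client_ip, connected_to):
    """Connect-time stage: the gateway sees the real client source IP.
    Returns the gateway the client should use instead, or None if correct."""
    wanted = GATEWAYS[region_of(client_ip)]
    return None if wanted == connected_to else wanted

def connect(client_ip, resolver_ip):
    """Run both stages and report where the client ends up."""
    first = geodns_answer(resolver_ip)
    redirect = gateway_recheck(client_ip, first)
    return {"dns_choice": first, "final": redirect or first,
            "redirected": redirect is not None}

if __name__ == "__main__":
    # Client in India using its ISP resolver: DNS alone picks the right box.
    print(connect("198.51.100.200", "198.51.100.130"))
    # Same client using a public resolver in the US: DNS picks the US box,
    # and only the client-IP check sends it back to India.
    print(connect("198.51.100.200", "192.0.2.53"))
```
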
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38802262
Fair point, have fun implementing it.
0
