Solved

Firewall - Decision Making

Posted on 2013-12-26
10
750 Views
Last Modified: 2014-02-10
I need opinions please.

I have software-based MS TMG 2010 (I know it has been deprecated)

But looking for a firewall that will be doing NAT'ing for 10 IPs external to internal and handle MS Exchange Server 2013, MS SharePoint Team Server 2013, Lync Server 2013, Web Server 2012 R2 IIS 8.5 and Outlook Anywhere for clients who need to access Exchange remotely as if they were in the office. VPN of course. Cloud volume tasking. VMware.

Help desk system and support portal is the gist of everything that will be used in this network.

The size ability: 12 users with the company working in-house to remotely from anywhere.
The rest of the users, not online at all times, may reach up to 100 users. (Again, not all concurrent: active users in the beginning will be about 5 users (internal company employees) and the others at about 10 - 20 users connecting in.)

Scenario buildings (Exchange, Shareteam, Lync 2013 and web intranet for certain clients that will be working at a remote location but acting as if everything is internal)

My choices are as follows, and yes, budget to start with growth always in mind:


    Barracuda Networks
    CHECK POINT SOFTWARE TECH INC
    Cisco
    NetGear
    Sonicwall
    WatchGuard
   


Cisco RV220W Wireless Network Security Firewall - 4x 10/100/1000 Mbps LAN ports, 1x 10/100/1000 Mbps WAN port, 802.11 b/g/a/n, PPPoE, 2x dBi gain omni-directional antennae
Item#: C50-2194  |  Model#: RV220W-A-K9-NA


Cisco RV110W Wireless-N VPN Firewall - 1x 10/100 Mbps Fast Ethernet WAN port, 4x 10/100 Mbps Fast Ethernet LAN ports, 802.11n, 2x Fixed external antennas
Item#: C50-2558  |  Model#: RV110W-A-NA-K9


Barracuda Web Filter 210 with 1yr Energize Updates
Item#: B14-1002  |  Model#: BYF210A1


WatchGuard LH6785 XTM 330 Firewall - 850 Mbps, 2x USB, Serial, 7x 10/100/1000 Interfaces, 3 Year License, LiveSecurity Remote Service
Item#: W120-330003  |  Model#: WG330003


SonicWALL TZ 105 Appliance Only
Item#: YYAR-01-SSC-6942  |  Model#: 01-SSC-6942


X20E 1YR WEBBLOCKER LIC
Item#: YYT1-10741946  |  Model#: WG017360


Netgear UTM10EW-100NAS ProSecure UTM10 Unified Threat Management Appliance - 4x LAN Ports, 1x WAN Port, 1x USB Port, 2GB, 512MB RAM
Item#: YYD1-UTM10EW100NAS  |  Model#: UTM10EW-100NAS


SonicWALL SonicOS Enhanced for PRO 2040 - Upgrade License and 1 year of 8 x 5 support
Item#: S216-1006  |  Model#: 01-SSC-5705


WatchGuard LH6784 XTM 330 Firewall - 850 Mbps, 2x USB, Serial, 7x 10/100/1000 Interfaces, 1 Year License, LiveSecurity Remote Service
Item#: W120-330001  |  Model#: WG330001


Check Point 1180 Network Security Appliance
Item#: YYT1-11082949  |  Model#: CPAP-SG1180-NGTP
Question by:Clint Jones
10 Comments
 
LVL 24

Expert Comment

by:diverseit
Hi ClintStephenJones,

I can't say enough good things about SonicWALL, especially NGFWs (Next Generation Firewalls), specifically 5th and 6th gen devices! (TZ 105 is a 5th gen device.)

What size is your bandwidth?

Regarding growth...from 12 employees to 100 in what time span?

I tend to feel you may be under-gunned here.

Some things to consider...
With a TZ 105:
If you are ramping ridiculously quickly past 20 employees I'd not recommend a TZ 105 but rather consider an NSA 220 or the like.
For VPN what type of OS are remote users using? If Mac, Linux, etc consider SSL-VPNs and that would require something larger than a TZ105...more like a NSA 220 or the like.
Do they need VPN Access on their smartphones? If so again, consider SSL-VPN
If you are deploying WiFi with SonicWALL, I'd recommend SonicPoints and if you are going to have more than 2 WAPs consider the TZ 215 or NSA 220.
If you need dual band WiFi in the device, again consider a TZ 215 or NSA 220.

Let me know how it goes!
 
LVL 68

Expert Comment

by:Qlemo
Things to consider are (besides technical aspects and features) support, support and support. That is, who will be able to configure and maintain the firewall? Is it important to have a broad community helping if issues arise, or do you rely on technical support from the manufacturer?

If looking only for support at EE, Cisco is the winner - but real Cisco, no RV* routers. Otherwise WatchGuard, SonicWALL and Juniper (!) are popular and should be able to fit into your demands.
Since you are asking for a lot of features and at a bigger scale than SOHO, you'll have to focus on the mid-range devices. Cisco RV* and NetGear aren't in the mix, if you ask me. Can't tell for the other suggestions, but the 10-public-IP requirement is a requirement low-budget devices cannot fulfil.
Juniper SSG are definitely able to manage all tasks you ask for, but support IPSec VPN "only".

In regard to the VPN, IPSec is the better one unless you have roadwarrior scenarios - people having to get access from anywhere they are, without installation requirements. SSL-VPNs are clumsy, uncomfortable to use, and cannot be automated (not to mention you cannot use them for full remote login into a domain).

Maybe it is better to plan to use more than one device. That way you get the best out of two worlds, e.g. a very good firewall plus a VPN device capable of IPSec and/or SSL VPNs.
 
LVL 24

Expert Comment

by:Mohammed Khawaja
I suggest you stick to Microsoft UAG (replacement for TMG).  You could purchase an appliance from a vendor such as Celestix.
 

Author Comment

by:Clint Jones
This is a small company. I do know some of this myself. I would rather play "Say it to me like I am a 3rd grader so I don't forget to ask something you know immediately" - I need smarter-than-me second opinions.

Also it is imperative that it work with Sharepoint Team Server and can publish sites accordingly and work with OWA (Exchange).

We won't be going through super rapid growth. If we did we would have to upgrade.

Cost is a large part, so we need protection and functionality but not at a cost that is not doable. Connection is Comcast Business class with 10 static IP addresses.

So you know everything is Microsoft. People in the internal network to outside the network. Permanent in house people will be about 6.

However, we have a few people who will be accessing the SharePoint Team System, will be using not only the IMAP and SMTP of the Exchange server but some will be using Exchange Anytime Direct Access, and Lync is more for in-house use than outside of the network use, and of course web site access for help desk and informational sites.

Answering the questions to everyone. Getting yours answered:

diverseit and Qlemo, sending answers to yours next... Thank you to everyone for helping.

To mnkhawaja - We already have purchased and have MS TMG 2010 and do not want to upgrade because of the cost involved.

Thanks, Clint
 
LVL 24

Expert Comment

by:diverseit
A SonicWALL TZ 105 would do everything that you are requiring. Keep in mind that it will give you multiple ways to connect via VPN: SSL-VPN, Site-to-Site VPN & GVC clients but with each it maxes out at 5 simultaneous VPN licenses/method.

Let me know if you have any more questions!
 

Author Comment

by:Clint Jones
I need the ability, but I really won't be using VPN that often. I am worried whether, if 10 people are on Share Team, checking email and working on documents in Share Team at the same time, it can handle the stress etc... Again, we're small to medium size... How many users will it take before it slows to the point where it is a problem? Speed of course is a big deal and I want it not to become the bottleneck.

At some point we will get another carrier for dual WANs and do load balancing, but we are not there yet....

Microsoft and all its different protocols and ports that it requires: wanting to ensure the SonicWALL can handle it. Reading about it as we speak... Thank you for being patient with me.

Clint
 
LVL 24

Accepted Solution

by:
diverseit earned 500 total points
"I am worried if 10 people are on share team, checking email and working on documents in share team at the same time it can handle the stress etc... Again were small to medium size... How many users will it take before it slows to the point where it is a problem."

This is more of a question for SharePoint, and I know it's not an issue for them. I say that because a TZ 105 has a max of 8,000 connections with 200 Mbps of Stateful Inspection throughput and 25 Mbps of UTM throughput. That also means it's not going to be a bottleneck unless you are approaching an ISP speed of 25 Mbps or more, in which case I'd recommend the TZ 215 (500 Mbps Stateful/60 Mbps UTM) so you will have room to grow.

"At some point will get another carrier for dual WAN's and do load balancing but we are not there yet...."

Every UTM device SonicWALL makes now comes with multi-WAN load balancing & fail-over, etc.


"Microsoft and all its different protocols and ports that it requires wanting insure the sonic wall can handle it."

We do this all day long...no issues whatsoever! All SonicWALLs now come standard with the Enhanced SonicOS firmware, allowing you to do practically anything you want...define custom services...multiple custom NAT policies, etc.

You can read more here: http://www.sonicwall.com/us/en/products/TZ-105.html

Additionally, I'd also recommend purchasing CGSS (Comprehensive Gateway Security Suite) with any SonicWALL device - it gives you 24/7 support plus all the gateway security that is required in today's threat landscape.

"Thank you for being patient with me."

That is why we're here!

Any other questions?
 
LVL 23

Expert Comment

by:Mohammed Hamada
TMG doesn't support static NATing (1:1), which will not work well for you for the Lync Edge server and specifically for the RTP port range (application sharing and voice calls).

For SharePoint and Exchange I think it's ok; I have tried it with Exchange and know it works well.

For Lync you can use a different firewall, e.g. Untangle or pfSense, or any other firewall that supports static NAT.
 

Author Closing Comment

by:Clint Jones
Thank You
 
LVL 24

Expert Comment

by:diverseit
You're welcome! Thanks for the points.