

Firewall - Decision Making

Posted on 2013-12-26
Medium Priority
Last Modified: 2014-02-10
I need opinions please.

I have software-based MS TMG 2010 (I know it has been deprecated).

But I am looking for a firewall that will be doing NATing for 10 IPs, external to internal, and handle MS Exchange Server 2013, MS SharePoint Team Server 2013, Lync Server 2013, Web Server 2012 R2 IIS 8.5 and Outlook Anywhere for clients who need to access Exchange remotely as if they were in the office.  VPN of course. Cloud volume tasking. VMWare.

A help desk system and support portal is the gist of everything that will be used in this network.

The size ability:  12 users with the company, working in-house to remotely from anywhere.
The rest of the users, not online at all times, may reach up to 100 users (again, not all concurrent; active users in the beginning will be about 5 users (internal company employees) and the others at about 10 - 20 users connecting in).

Scenario buildings (Exchange, SharePoint Team, Lync 2013 and web intranet for certain clients that will be working at a remote location but acting as if everything is internal).

My choices are as follows, and yes, budget to start with, growth always in mind:

    Barracuda Networks

Cisco RV220W Wireless Network Security Firewall - 4x 10/100/1000 Mbps LAN ports, 1x 10/100/1000 Mbps WAN port, 802.11 b/g/a/n, PPPoE, 2x dBi gain omni-directional antennae
Item#: C50-2194  |  Model#: RV220W-A-K9-NA

Cisco RV110W Wireless-N VPN Firewall - 1x 10/100 Mbps Fast Ethernet WAN port, 4x 10/100 Mbps Fast Ethernet LAN ports, 802.11n, 2x fixed external antennas
Item#: C50-2558  |  Model#: RV110W-A-NA-K9

Barracuda Web Filter 210 with 1yr Energize Updates
Item#: B14-1002  |  Model#: BYF210A1

WatchGuard LH6785 XTM 330 Firewall - 850 Mbps, 2x USB, Serial, 7x 10/100/1000 Interfaces, 3 Year License, LiveSecurity Remote Service
Item#: W120-330003  |  Model#: WG330003

SonicWALL TZ 105 Appliance Only
Item#: YYAR-01-SSC-6942  |  Model#: 01-SSC-6942

Item#: YYT1-10741946  |  Model#: WG017360

Netgear UTM10EW-100NAS ProSecure UTM10 Unified Threat Management Appliance - 4x LAN Ports, 1x WAN Port, 1x USB Port, 2GB, 512MB RAM
Item#: YYD1-UTM10EW100NAS  |  Model#: UTM10EW-100NAS

SonicWALL SonicOS Enhanced for PRO 2040 - Upgrade License and 1 year of 8 x 5 support
Item#: S216-1006  |  Model#: 01-SSC-5705

WatchGuard LH6784 XTM 330 Firewall - 850 Mbps, 2x USB, Serial, 7x 10/100/1000 Interfaces, 1 Year License, LiveSecurity Remote Service
Item#: W120-330001  |  Model#: WG330001

Check Point 1180 Network Security Appliance
Item#: YYT1-11082949  |  Model#: CPAP-SG1180-NGTP
Question by: Clint Jones

Expert Comment

by: Blue Street Tech
ID: 39739838
Hi ClintStephenJones,

I can't say enough good things about SonicWALL, especially NGFWs (Next Generation Firewalls), specifically 5th and 6th gen devices! (The TZ 105 is a 5th gen device.)

What size is your bandwidth?

Regarding growth...from 12 employees to 100 in what time span?

I tend to feel you may be under-gunned here.

Some things to consider...
With a TZ 105:
If you are ramping ridiculously quickly past 20 employees I'd not recommend a TZ 105 but rather consider an NSA 220 or the like.
For VPN, what type of OS are remote users using? If Mac, Linux, etc., consider SSL-VPNs, and that would require something larger than a TZ 105...more like an NSA 220 or the like.
Do they need VPN Access on their smartphones? If so again, consider SSL-VPN
If you are deploying WiFi with SonicWALL, I'd recommend SonicPoints and if you are going to have more than 2 WAPs consider the TZ 215 or NSA 220.
If you need dual band WiFi in the device, again consider a TZ 215 or NSA 220.

Let me know how it goes!

Expert Comment

ID: 39739858
Things to consider are (besides technical aspects and features) support, support and support. That is, who will be able to configure and maintain the firewall? Is it important to have a broad community helping if issues arise, or do you rely on technical support from the manufacturer?

If looking only for support at EE, Cisco is the winner - but real Cisco, not RV* routers. Otherwise WatchGuard, SonicWALL and Juniper (!) are popular and should be able to fit your demands.
Since you are asking for a lot of features and on a bigger scale than SOHO, you'll have to focus on the mid-range devices. Cisco RV* and NetGear aren't in the mix, if you ask me. Can't tell for the other suggestions, but the 10-public-IP requirement is a requirement low-budget devices cannot fulfil.
Juniper SSG are definitely able to manage all tasks you ask for, but support IPSec VPN "only".

In regard to the VPN, IPSec is the better one unless you have road-warrior scenarios - people having to get access from anywhere they are, without installation requirements. SSL-VPNs are clumsy, uncomfortable to use, and cannot be automated (not to mention you cannot use them for full remote login into a domain).

Maybe it is better to plan to use more than one device. That way you get the best out of two worlds, e.g. a very good firewall plus a VPN device capable of IPSec and/or SSL VPNs.

Expert Comment

by: Mohammed Khawaja
ID: 39739936
I suggest you stick to Microsoft UAG (replacement for TMG).  You could purchase an appliance from a vendor such as Celestix.

Author Comment

by: Clint Jones
ID: 39740642
This is a small company. I do know some of this myself. I would rather play "Say it to me like I am a 3rd grader so I don't forget to ask something you know immediately" - I need smarter-than-me second opinions.

Also it is imperative that it work with Sharepoint Team Server and can publish sites accordingly and work with OWA (Exchange).

We won't be going through super rapid growth. If we did, we would have to upgrade.

Cost is a large part, so we need protection and functionality but not at a cost that is not doable.  The connection is Comcast Business class with 10 static IP addresses.

So you know, everything is Microsoft. People in the internal network to outside the network. Permanent in-house people will be about 6.

However, we have a few people who will be accessing the SharePoint Team System, will be using not only the IMAP and SMTP of the Exchange server but some will be using Exchange Anytime Direct Access, and Lync is more for in-house use than outside-of-the-network use, and of course web site access for help desk and informational sites.

Answering  the questions to everyone.  Getting yours answered:

diverseit and Qlemo, sending answers to yours next...  Thank you to everyone for helping.

To mnkhawaja - We already have purchased and have MS TMG 2010 and do not want to upgrade because of the cost involved.

Thanks, Clint

Expert Comment

by: Blue Street Tech
ID: 39740737
A SonicWALL TZ 105 would do everything that you are requiring. Keep in mind that it will give you multiple ways to connect via VPN: SSL-VPN, Site-to-Site VPN & GVC clients but with each it maxes out at 5 simultaneous VPN licenses/method.

Let me know if you have any more questions!

Author Comment

by: Clint Jones
ID: 39740771
I need the ability, but I really won't be using VPN that often.  I am worried whether, if 10 people are on SharePoint Team, checking email and working on documents in SharePoint Team at the same time, it can handle the stress etc... Again, we're small to medium size... How many users will it take before it slows to the point where it is a problem?  Speed of course is a big deal and I want it not to become the bottleneck.

At some point we will get another carrier for dual WANs and do load balancing, but we are not there yet....

Microsoft and all the different protocols and ports that it requires - I want to ensure the SonicWALL can handle it.  Reading about it as we speak... Thank you for being patient with me.


Accepted Solution

Blue Street Tech earned 2000 total points
ID: 39740966
I am worried whether, if 10 people are on SharePoint Team, checking email and working on documents in SharePoint Team at the same time, it can handle the stress etc... Again, we're small to medium size... How many users will it take before it slows to the point where it is a problem?
This is more of a question for SharePoint and I know it's not an issue for them. I say that because a TZ 105 has a max of 8,000 connections with 200 Mbps of Stateful Inspection throughput and 25 Mbps of UTM throughput. That also means it's not going to be a bottleneck unless you are approaching ISP speed of 25 Mbps or more, in which case I'd recommend the TZ 215 (500 Mbps Stateful/60 Mbps UTM) so you will have room to grow.

At some point will get another carrier for dual WAN's and do load balancing but we are not there yet....
Every UTM device SonicWALL makes now comes with multi-WAN load balancing & fail-over, etc.

Microsoft and all the different protocols and ports that it requires - I want to ensure the SonicWALL can handle it.
We do this all day long...no issues whatsoever! All SonicWALLs now come standard with the Enhanced SonicOS firmware, allowing you to do practically anything you want...define custom services...multiple custom NAT policies, etc.

You can read more here: http://www.sonicwall.com/us/en/products/TZ-105.html

Additionally, I'd also recommend purchasing CGSS (Comprehensive Gateway Security Suite) with any SonicWALL device - it gives you 24/7 support plus all the gateway security that is required in today's threat landscape.

Thank you for being patient with me.
That is why we're here!

Any other questions?

Expert Comment

by: Mohammed Hamada
ID: 39760330
TMG doesn't support static NATing (1:1), which will not work well for you for the Lync Edge server and specifically for the RTP port range (application sharing and voice calls).

For SharePoint and Exchange I think it's OK; I have tried it with Exchange and know it works well.

For Lync you can use a different firewall, e.g. Untangle or pfSense, or any other firewall that supports static NAT.

Author Closing Comment

by: Clint Jones
ID: 39848003
Thank You

Expert Comment

by: Blue Street Tech
ID: 39848251
You're welcome! Thanks for the points.
