Firewall - Decision Making

Posted on 2013-12-26
Last Modified: 2014-02-10
I need opinions please.

I have software-based MS TMG 2010 (I know it has been deprecated).

But I am looking for a firewall that will be doing NAT'ing for 10 IPs external to internal and handle MS Exchange Server 2013, MS SharePoint Team Server 2013, Lync Server 2013, Web Server 2012 R2 IIS 8.5 and Outlook Anywhere for clients who need to access Exchange remotely as if they were in the office. VPN of course. Cloud volume tasking. VMware.

Help desk system and support portal is the gist of everything that will be used in this network.

The size ability: 12 users with the company working in-house to remotely from anywhere.
The rest of the users, not online at all times, may reach up to 100 users (again, not all concurrent; active users in the beginning will be about 5 users (internal company employees) and the others at about 10 - 20 users connecting in).

Scenario buildings (Exchange, SharePoint Team, Lync 2013 and web intranet for certain clients that will be doing work at remote locations but acting as if everything is internal).

My choices are as follows, and yes, budget to start with, growth always in mind:

Barracuda Networks

Cisco RV220W Wireless Network Security Firewall - 4x 10/100/1000 Mbps LAN ports, 1x 10/100/1000 Mbps WAN port, 802.11 b/g/a/n, PPPoE, 2x dBi gain omni-directional antennae
Item#: C50-2194  |  Model#: RV220W-A-K9-NA

Cisco RV110W Wireless-N VPN Firewall - 1 10/100 Mbps Fast Ethernet WAN port, 4x 10/100 Mbps Fast Ethernet LAN ports, 802.11n, 2x Fixed external antennas
Item#: C50-2558  |  Model#: RV110W-A-NA-K9

Barracuda Web Filter 210 with 1yr Energize Updates
Item#: B14-1002  |  Model#: BYF210A1

WatchGuard LH6785 XTM 330 Firewall - 850 Mbps, 2x USB, Serial, 7x 10/100/1000 Interfaces, 3 Year License, LiveSecurity Remote Service
Item#: W120-330003  |  Model#: WG330003

SonicWALL TZ 105 Appliance Only
Item#: YYAR-01-SSC-6942  |  Model#: 01-SSC-6942

Item#: YYT1-10741946  |  Model#: WG017360

Netgear UTM10EW-100NAS ProSecure UTM10 Unified Threat Management Appliance - 4x LAN Ports, 1x WAN Port, 1x USB Port, 2GB, 512MB RAM
Item#: YYD1-UTM10EW100NAS  |  Model#: UTM10EW-100NAS

SonicWALL SonicOS Enhanced for PRO 2040 - Upgrade License and 1 year of 8 x 5 support
Item#: S216-1006  |  Model#: 01-SSC-5705

WatchGuard LH6784 XTM 330 Firewall - 850 Mbps, 2x USB, Serial, 7x 10/100/1000 Interfaces, 1 Year License, LiveSecurity Remote Service
Item#: W120-330001  |  Model#: WG330001

Check Point 1180 Network Security Appliance
Item#: YYT1-11082949  |  Model#: CPAP-SG1180-NGTP
Question by:Clint Jones
LVL 30

Expert Comment

by:Blue Street Tech
ID: 39739838
Hi ClintStephenJones,

I can't say enough good things about SonicWALL, especially NGFWs (Next Generation Firewalls), specifically 5th and 6th gen devices! (TZ 105 is a 5th gen device.)

What size is your bandwidth?

Regarding growth...from 12 employees to 100 in what time span?

I tend to feel you may be under-gunned here.

Some things to consider...
With a TZ 105:
If you are ramping ridiculously quickly past 20 employees I'd not recommend a TZ 105 but rather consider an NSA 220 or the like.
For VPN what type of OS are remote users using? If Mac, Linux, etc consider SSL-VPNs and that would require something larger than a TZ105...more like a NSA 220 or the like.
Do they need VPN Access on their smartphones? If so again, consider SSL-VPN
If you are deploying WiFi with SonicWALL, I'd recommend SonicPoints and if you are going to have more than 2 WAPs consider the TZ 215 or NSA 220.
If you need dual band WiFi in the device, again consider a TZ 215 or NSA 220.

Let me know how it goes!
LVL 72

Expert Comment

ID: 39739858
Things to consider are (besides technical aspects and features) support, support and support. That is, who will be able to configure and maintain the firewall? Is it important to have a broad community helping if issues arise, or do you rely on technical support from the manufacturer?

If looking only for support at EE, Cisco is the winner - but real Cisco, not RV* routers. Otherwise WatchGuard, SonicWALL and Juniper (!) are popular and should be able to fit your demands.
Since you are asking for a lot of features and on a bigger scale than SOHO, you'll have to focus on the mid-range devices. Cisco RV* and NetGear aren't in the mix, if you ask me. Can't tell for the other suggestions, but the 10-public-IP requirement is a requirement low-budget devices cannot fulfil.
Juniper SSG are definitely able to manage all tasks you ask for, but support IPSec VPN "only".

In regard of the VPN, IPSec is the better one unless you have roadwarrior scenarios - people having to get access from anywhere they are, without installation requirements. SSL-VPNs are clumsy, uncomfortable to use, and cannot be automated (not to mention you cannot use them for full remote login into a domain).

Maybe it is better to plan to use more than one device. That way you get the best out of two worlds, e.g. a very good firewall plus a VPN device capable of IPSec and/or SSL VPNs.
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 39739936
I suggest you stick to Microsoft UAG (replacement for TMG).  You could purchase an appliance from a vendor such as Celestix.

Author Comment

by:Clint Jones
ID: 39740642
This is a small company. I do know some of this myself. I would rather play "Say it to me like I am a 3rd grader so I don't forget to ask something you know immediately" - I need smarter-than-me second opinions.

Also, it is imperative that it work with SharePoint Team Server and can publish sites accordingly and work with OWA (Exchange).

We won't be going through super rapid growth. If we did, we would have to upgrade.

Cost is a large part, so we need protection and functionality but not at a cost that is not doable. Connection is Comcast Business class with 10 static IP addresses.

So you know, everything is Microsoft. People in the internal network to outside the network. Permanent in-house people will be about 6.

However, we have a few people who will be accessing the SharePoint Team System, who will be using not only the IMAP and SMTP of the Exchange server, but some will be using Exchange Anytime Direct Access; Lync is more for in-house use than outside-the-network use, and of course web site access for help desk and informational sites.

Answering the questions to everyone. Getting yours answered:

diverseit and Qlemo: sending answers to yours next... Thank you to everyone for helping.

To mnkhawaja - We already have purchased and have MS TMG 2010 and do not want to upgrade because of the cost involved.

Thanks, Clint
LVL 30

Expert Comment

by:Blue Street Tech
ID: 39740737
A SonicWALL TZ 105 would do everything that you are requiring. Keep in mind that it will give you multiple ways to connect via VPN: SSL-VPN, Site-to-Site VPN & GVC clients but with each it maxes out at 5 simultaneous VPN licenses/method.

Let me know if you have any more questions!

Author Comment

by:Clint Jones
ID: 39740771
I need the ability, but I really won't be using VPN that often. I am worried whether, if 10 people are on SharePoint Team, checking email and working on documents in SharePoint Team at the same time, it can handle the stress etc... Again, we're small to medium size... How many users will it take before it slows to the point where it is a problem? Speed of course is a big deal and I want it not to become the bottleneck.

At some point we will get another carrier for dual WANs and do load balancing, but we are not there yet....

Microsoft and all its different protocols and ports that it requires: I want to ensure the SonicWALL can handle it. Reading about it as we speak... Thank you for being patient with me.

LVL 30

Accepted Solution

Blue Street Tech earned 2000 total points
ID: 39740966
I am worried if 10 people are on share team, checking email and working on documents in share team at the same time it can handle the stress etc... Again were small to medium size... How many users will it take before it slows to the point where it is a problem.
This is more of a question for SharePoint and I know it's not an issue for them. I say that because a TZ 105 has a max of 8,000 connections with 200 Mbps of Stateful Inspection throughput and 25 Mbps of UTM throughput. That also means it's not going to be a bottleneck unless you are approaching ISP speed of 25 Mbps or more, in which case I'd recommend the TZ 215 (500 Mbps Stateful/60 Mbps UTM) so you will have room to grow.

At some point will get another carrier for dual WAN's and do load balancing but we are not there yet....
Every UTM device SonicWALL makes now comes with multi-WAN load balancing & fail-over, etc.

Microsoft and all its different protocols and ports that it requires wanting insure the sonic wall can handle it.
We do this all day long...no issues whatsoever! All SonicWALLs now come standard with the Enhanced SonicOS firmware allowing you to do practically anything you want...define custom services...multiple custom NAT policies, etc.

You can read more here: http://www.sonicwall.com/us/en/products/TZ-105.html

Additionally, I'd also recommend purchasing CGSS (Comprehensive Gateway Security Suite) with any SonicWALL device - it gives you 24/7 support plus all the gateway security that is required in today's threat landscape.

Thank you for being patient with me.
That is why we're here!

Any other questions?
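The sizing argument in the accepted answer (the device is only a bottleneck when the ISP link approaches the UTM inspection throughput, and the connection table has to hold everyone's concurrent sessions) is easy to get wrong by comparing against the headline stateful number instead of the UTM number. The following is an added example, not code from the thread or from SonicWALL; it encodes the throughput and connection figures quoted above for the TZ 105 and TZ 215 and checks a load profile against them. The TZ 215 connection limit, the per-user connection count and the link speeds used in the calls are assumptions, not values from the thread.

```python
"""Capacity check for a UTM firewall against an expected load profile.

Added example for the sizing discussion in the thread; the model figures
below are the ones quoted in the accepted answer (TZ 105: 8,000
connections, 200 Mbps stateful, 25 Mbps UTM; TZ 215: 500 Mbps stateful,
60 Mbps UTM). The TZ 215 connection limit is NOT given in the thread and
is left unknown (None) so the check skips it rather than inventing it.
"""

MODELS = {
    "TZ 105": {"max_connections": 8000, "stateful_mbps": 200, "utm_mbps": 25},
    "TZ 215": {"max_connections": None, "stateful_mbps": 500, "utm_mbps": 60},
}


def size_firewall(model_name, isp_mbps, users, conns_per_user, utm_enabled=True):
    """Check one model against a load profile.

    Returns (ok, findings, headroom) where headroom is the fraction of the
    relevant throughput figure left unused by the ISP link (negative when
    the link is faster than the box can inspect). When UTM services (gateway
    AV/IPS, the CGSS features mentioned above) are enabled, the UTM figure is
    the one that matters; the stateful figure only applies with DPI off.
    """
    model = MODELS[model_name]
    findings = []

    limit = model["utm_mbps"] if utm_enabled else model["stateful_mbps"]
    label = "UTM" if utm_enabled else "stateful"
    headroom = (limit - isp_mbps) / limit
    if isp_mbps > limit:
        findings.append(
            f"{model_name}: {isp_mbps} Mbps link exceeds {limit} Mbps {label} throughput"
        )

    # Connection-table check: assumed per-user concurrent session count.
    expected_conns = users * conns_per_user
    max_conns = model["max_connections"]
    if max_conns is not None and expected_conns > max_conns:
        findings.append(
            f"{model_name}: {expected_conns} expected connections exceed {max_conns} max"
        )

    return (not findings, findings, round(headroom, 3))


def recommend(isp_mbps, users, conns_per_user, utm_enabled=True):
    """Return the first model in MODELS (cheapest first) that passes all checks,
    or None if nothing listed fits."""
    for name in MODELS:
        ok, _, _ = size_firewall(name, isp_mbps, users, conns_per_user, utm_enabled)
        if ok:
            return name
    return None


if __name__ == "__main__":
    # Assumed profile: 20 Mbps link, 30 concurrent users, 50 sessions each.
    print(size_firewall("TZ 105", 20, 30, 50))
    # Same users on an assumed 50 Mbps link: the TZ 105 no longer fits with UTM on.
    print(size_firewall("TZ 105", 50, 30, 50))
    print(recommend(50, 30, 50))
```

The point the check makes explicit: turning on the gateway security services drops the usable ceiling from 200 Mbps to 25 Mbps on the TZ 105, so the decision to buy CGSS and the decision about which box to buy are the same decision.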
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 39760330
TMG doesn't support static NATing (1:1), which will not work well for you for the Lync Edge server and specifically for the RTP port range (application sharing and voice calls).

For SharePoint and Exchange I think it's OK; I have tried it with Exchange and know it works well.

For Lync you can use a different firewall, e.g. Untangle or pfSense, or any other firewall that supports static NAT.

Author Closing Comment

by:Clint Jones
ID: 39848003
Thank You
LVL 30

Expert Comment

by:Blue Street Tech
ID: 39848251
You're welcome! Thanks for the points.
