Solved

Remote Access to a Restricted Network through VPN

Posted on 2014-01-09
10
611 Views
Last Modified: 2014-01-27
Our mid-sized organization has an air gapped restricted network. It is not directly connected to the Internet. Right now, there is a kind of urgent requirement for our staff to connect to the organization network (with their company provided laptops) remotely while on business travel. That's why we are thinking to design and implement a VPN solution and  looking for an architectural design for this purpose including the generic hardware types and graphical overview. When I search the web there are thousands of links to be investigated but our schedule is tight. That's why I decided to ask EE experts. Any ideas highly appreciated. Thanks.
0
Comment
Question by:PEITO
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
10 Comments
 
LVL 9

Expert Comment

by:activematx
ID: 39769741
What is your budget?  
How many users will be connecting at a time?  
What type of resources will they be using once connected to the VPN?
How fast is/will be you internet WAN connections uplink?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 39770440
For most kind of access the best way to do that is to supply a Terminal Server. VPNs might be a solution if they need access to files or multiple machines, but if it for viewing purposes, or filling out forms or such, and in particular if there is a need to run database aware software, Terminal Server will be the way to go.
0
 

Author Comment

by:PEITO
ID: 39772415
All network resources to max extend will be used ( email, web services, data processing, printer etc.) Since the concept is to let users have desktop environment remotely VPN will be the best alternative.
Regarding the budget as long as it is reasonable and affordable there will not be a limitation.
Max 50 concurrent users connect at the same time and our current internet bandwidth is 100 Mbps
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39773215
Again, I recommend to use Terminal Server sessions. What you enlist causes a lot of traffic, and that should remain local. That can be combined with a VPN to have the best of both.
Email requires neither Remote Sessions nor a VPN, if you allow remote access (with Exchange there is OWA and Outlook Anywhere available).

With 50 concurrent users you will need something reliable and easy to manage, and it should be effective and performant. You'll need a hardware VPN in the mid-range of business class routers. There are many devices out there which would apply, with different techniques for the client like
SSL based with a Web Login and self-installing Java applet
SSL based with OpenVPN and certificates
IPSec based with a pre-installed client (free like ShrewSoft VPN or licensed like NCP)
and some more. Common brands are SonicWALL, Juniper, CheckPoint, Cisco, and many more, so the choice is overwhelming. It's difficult to give valuable advise here, you might want to find someone at your area analyzing your exact needs. In particular as you seem to have not much experience with that kind of connection.

On the other hand, setting it up with almost any business-class device isn't that difficult, if you have managed to do it once.
You could also consider to start with Windows Server and RRAS, but I can't tell how that will perform with 50 users.
0
 

Author Comment

by:PEITO
ID: 39775829
Dear Qlemo, thank you for your guidance I think it will help me alot. In the meantime if you can provide me a basic architectural schema (diagram) of your solution I will close my question and give the whole points to you.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 39775989
There isn't much to paint a schematic for, with all those options. A client connects to a server, and is then part of the remote network (with some exceptions).
0
 

Author Comment

by:PEITO
ID: 39798579
I've requested that this question be closed as follows:

Accepted answer: 0 points for PEITO's comment #a39775829

for the following reason:

I was also expecting to get a architectural design graphics to understand it better. But anyhow I have the basic idea about VPN solution that will guide me through my deep search...
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 39798580
You've now tried to accept your own comment thanking me for the input ( http:#a39775829 ). Please try again - you should accept *only* my comment(s). I recommend http:#a39773215 with a grade of "B".
0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question