Easy but robust VPN office to office solution for less than 25 users

I have a client that we support that just purchased a 10 person office across town and needs them to connect to our office. The 10 users will be connecting to our applications via Remote Desktop Services (RDS, Server 2012 R2) at the main office. I am looking for a router / firewall appliance that offers both site-to-site VPN and client-to-site VPN. My goal is to use a robust solution that offers support, that I can easily set up and understand. Some have recommended SonicWall and WatchGuard, but their business strategy requires that I go through one of their partners - who may be in direct competition with what we do, providing IT support. We simply want a solution that is under $1000 per appliance, easy to set up and logical, and someone to help should we have questions. We have also looked at Barracuda Networks as well. But with any of these appliances, I need specific models to go with.

We will need the VPN both for the branch office we are connecting to and to allow users from our current office to connect remotely from their homes. So the total number of VPN users could be 20. Any guidance would be appreciated.
Don't get me wrong, I have 20 years of IT experience, can configure most routers easily and have used most in the past. I just don't know the current offerings with subscription-based / more robust VPN solutions.
Asked by: HarleyWilly

7 Solutions

Tom Cieslik (IT Engineer) commented:
SonicWall is the best solution for you, since you can create 2 separate VPN connections: one site-to-site, the second public for users from home.
You don't need to purchase new equipment with all the licenses for spam blocking and antivirus. If you will close the network and open only VPN, then you can buy used ones, let's say a TZ 215 for $400 apiece.
 
HarleyWilly (Author) commented:
Many thanks for the advice.  I will check it out.
 
8046586 commented:
There are various hardware options, but also it depends on your ISP connection. In general, you need 2 modems with VPN ability for minimum 16 channels, ideal 32 channels. The connection between the offices will be LAN-LAN IPSec passive, and then you will need PPTP connections for users dialling from home. The best choice should come from your IT support because everyone has personal choice and opinion. You need something that your IT is familiar with. Routers I know I can configure them in 15 min, and someone else who is even better at networking than me will spend hours or days to find ideal configuration.
 
John (Business Consultant, Owner) commented:
You can also use Cisco RVxx VPN routers for both site-to-site and client-to-site. Easy to use and I do both. You can set up multiple tunnels in each device.  

Juniper VPN boxes are excellent but a little more pricey and more complicated to set up.
 
masnrock commented:
Sonicwall or Watchguard would work perfectly fine. Of the two, I would go the Sonicwall route. What do you have at the existing office? I noticed you made no mention of that (the hardware doesn't have to be exactly the same, but keeps things simpler for you in terms of maintenance). Even a Netgear would work. The question comes down to whether you have any other requirements. Is it solely the ability for VPNs, or do you want devices that also do some sort of web filtering, etc?
 
8046586 commented:
My preference is the Draytek 2860AC; it can compete with Cisco and Juniper equivalent models in features and reliability. Having it behind a proper surge protector or UPS is a lifetime investment. As I mentioned in the previous comment, I stick to this brand because I understand Draytek config in depth.
https://www.amazon.com/Draytek-v2860ac-B-DrayTek-Vigor-2860ac/dp/B00WUD0QZ4/ref=sr_1_1?ie=UTF8&qid=1514415927&sr=8-1&keywords=draytek+2860ac

I am writing again because I forgot to say that best practice for LAN to LAN connection is having the same brand, same model devices on the same firmware version. Do not improvise because I've seen issues even with the same brand, but different models. Whichever brand or model you will decide to buy, give priority to the local support or reliable first contact skilled reseller.
 
Myles Capen (Network Administrator) commented:
I would take a look at pfSense. They have their Netgate pfSense Security Gateway Appliances which are very simple to use and very robust. You could use the OpenVPN capabilities of the pfSense software.  www.netgate.com
 
Blue Street Tech (Last Knight) commented:
Hi Harley,

I'm curious why the heavy use (relatively speaking) of IPSec client VPNs when you have an RDS implementation? Does RDS not include everything (all apps users need remotely)?

I'd recommend SonicWALL - it's the best bang for your buck IMO and has some of the most comprehensive security features on the market. I would need to know more details about each site location before providing specifically accurate models. For example:
• How many total users are located in the HQ. I understand the remote site has 10. You mentioned you will have a total of 20 VPN clients but that assumes all employees at the HQ require VPN access and I don't like making assumptions if I can avoid it.
• What are the WAN configurations for each location, e.g. Static IPs, 100x100 Cable at HQ, etc.
• Are you running in a Windows domain configuration?

In the meantime, without knowing the details requested, I'd generally say: architecturally, I'd have the HQ firewall handle the client VPNs and route to the S2S tunnel if they were in need of resources in the remote location, but whether that would be feasible depends on your ISP speeds at each location.

Assumptions
HQ - running Edge services like RDS (assuming 20 users) & assuming 10 users;
Remote Office has 10 users

Recommendation
Considering your budget you could get a SonicWALL TZ300-400 w/AGSS or CGSS (minimum). This will afford you 10-25 client IPsec VPNs and 10-20 S2S VPNs and with full DPI throughput of 100Mbps (750Mbps max). This would retail, which I'm sure you can get cheaper, for $645 for the TZ300, $965 for the TZ300 plus CGSS (1YR), and $1,214 for the TZ300 plus AGSS (1YR).

CGSS (Comprehensive Gateway Security Suite) and AGSS (Advanced Gateway Security Suite) are both security service bundled subscriptions for 1 year and are critical IMO. CGSS is the minimum and AGSS (an upgrade from CGSS) is the best security you can get because it provides advanced security features like CAPTURE, which is a multi-engine sandbox that runs & inspects suspicious files/code in an isolated cloud-based environment. CAPTURE will single-handedly thwart zero-day attacks, ransomware and other unknown attacks. Since AGSS is an upgrade from CGSS, it includes all the gateway services that CGSS comes with, which are:
  • Anti-Virus
  • Anti-Spyware
  • Intrusion Prevention Service
  • Application Control
  • Content Filtering Service
  • Botnet Filtering
  • GeoIP Filtering
  • 24x7 Support

Let me know if you have any other questions. I'll wait for your reply.
 
HarleyWilly (Author) commented:
Thanks for the help.  I will try and answer your questions.
• How many total users are located in the HQ. HQ has 15 stations now and 10 are connecting into their desktop PCs using remote desktop (via port forwarding) and a client-to-site VPN - Cisco RV042G. We want to remove the Cisco and use the same make / model of VPN router at both the HQ and remote office.
• What are the WAN configurations for each location, e.g. Static IPs, 100x100 Cable at HQ, etc. Comcast Business 100 at both locations - static IP's.
• Are you running in a Windows domain configuration? Yes

The new remote location has 10 stations that will need to connect to HQ solely (meaning all apps they will be using are at HQ).  Since we don't have desktops for them to connect to (like at HQ), we are going to setup an RDS server for them.  Eventually we will be requiring the 10 users who currently connect to their desktops (at HQ) when out of the office, to connect to the same RDS server as the remote office. Easier management.

Only the HQ will be sharing resources - no need for anybody at HQ or the remote to get to any resources at the remote location - there won't be any apps running there.

We looked into SonicWall, but have heard horror stories of recent support and licensing issues - because of the Dell acquisition of SonicWall, then more recently Dell selling SonicWall off to another company. But if that is untrue, we are still open to using SonicWall.
 
John (Business Consultant, Owner) commented:
Cisco RV345 will work great for you in this situation
 
Blue Street Tech (Last Knight) commented:
Thanks for your reply!

HQ has 15 stations now and 10 are connecting into their desktop PC's using remote desktop (via port forwarding) and a client to site VPN - Cisco RV042G.  We want to remove the Cisco and use the same make / model of VPN router at both the HQ and remote office.
Yes, and with an S2S (Site-to-Site) VPN you can remove the security vulnerabilities of port forwarding RDP, which is a security Bad Practice. With the S2S VPN in place the remote office will just connect via RDP to any workstation within the VPN tunnel. Still not sure why this would be needed, but nonetheless it's a more secure way of achieving what you have now. I thought you were running an RDS server - far different from RDP, as you don't port forward using 3389 but rather encrypted traffic on 443. RDS has multiple servers involved too - as a base setup there are: RD Gateway, RD Connection Broker, RD Licensing, and RD Session Host servers. It is the secure way to perform Remote Desktop Services, Virtualized App Sessions, Full Desktops, etc. But from what you described you are not doing this, correct?

EDIT: I answered your first question and realized ultimately after reading past it that you are planning on rolling out RDS as I described! OK we are on the same page!

We looked into SonicWall, but have heard horror stories of recent support and licensing issues - because of the Dell acquisition of Sonic, then more recently Dell selling Sonic Wall off to another company.  But if that is untrue, we are still open to using them SonicWall.
From our perspective that would be untrue. We support a whole fleet of them and have had zero issue with the transition from SonicWALL (privately held) to DELL back to SonicWALL (privately held again). No issues with Support nor with Licensing. If anything they have gotten better with the cash infusions from DELL for further development into newer technologies.

Maybe a TZ400 at your HQ then for further growth/expansion.
 
Blue Street Tech (Last Knight) commented:
Furthermore, it is a good idea to remove your existing Cisco RV042G...it's only an SPI (Stateful Packet Inspector); this is a very deprecated technology that won't protect your network from today's highly sophisticated threats. SPI is a product of 1994 and has since been vulnerable to adversaries actually being able to take control over the firewall. You need an NGFW (Next Generation Firewall), all of which should have DPI (Deep Packet Inspection). SonicWALL provides you with RFDPI (Reassembly-Free Deep Packet Inspection) technology with all their security appliances, including SSL-DPI so you can actually inspect encrypted traffic (where the majority of today's traffic is trending).
 
John (Business Consultant, Owner) commented:
RV345 has newer technology than the 042 (old machine) and is very comparable to SonicWALL.
 
HarleyWilly (Author) commented:
Thanks for the information.  On the port forwarding for RDP, we don't use 3389 and block it.  We use custom port #'s for each workstation inside the VPN client to site session.

We will look into SonicWall.  But specifically - are you recommending the S2S at both locations?  And how do I purchase without going to a vendor that also provides IT services that may compete with us.  
-------
On the Cisco 325 - we looked at those.  I have Cisco routers at several of my clients.  I just have had some quality issues with some of them and the steps required to do some more advanced things can be cumbersome.  Trying to find help is a bit challenging.  But we will give them another look.  Thanks for the info.
 
John (Business Consultant, Owner) commented:
I have both 325 / 345 and find the quality to be fine and both to be durable in service. By all means pick what you think best. We are just offering our experiences here and they will differ from one another.
 
Blue Street Tech (Last Knight) commented:
Actually, the Cisco RV345 is not even close to comparable...maybe to a 2001 SonicWALL Gen2 (they are currently on Gen6 pushing into 7). It is still an SPI firewall; moreover, not a UTM (Unified Threat Management) security device. No manufacturer can put out a decent UTM with all the basics: DPI and SSL-DPI, let alone Intrusion Prevention Services, multi-engine, real-time sand-boxing, for so cheap...it's like residential grade pricing...$179.00. You get what you pay for.

That is like saying a Ford Pinto is the same as a Ferrari...they both have four tires and can drive down the street and turn a corner!
 
John (Business Consultant, Owner) commented:
Bye All
 
HarleyWilly (Author) commented:
Well, that is just it - I am welcoming your input. Thanks for all your insights and I welcome ideas. Sometimes I fear using Experts Exchange because I often get 'trashed' on not using something others feel are stupid practices. So I have to be careful on how I ask my questions :). I own a small IT company (15 clients) and they all are very small businesses that don't have the big budgets. So protecting them can be a challenge. We often get trapped in our own bubble and when we have to venture out to a more advanced situation, it can be a challenge finding solutions.
 
Blue Street Tech (Last Knight) commented:
On the port forwarding for RDP, we don't use 3389 and block it.  We use custom port #'s for each workstation inside the VPN client to site session.
OK, great! The VPN is key. Port obfuscation, or obfuscation for that matter, is not security. An adversary can run a port scan and find anything listening/open. So even if someone thinks they are more secure by opening up RDP on port, say, 33848...it makes no difference; it will be found!

We will look into SonicWall.  But specifically - are you recommending the S2S at both locations?
S2S VPN makes the most sense; that way the users in the physical remote office now have access to any or all resources that the users sitting in the HQ do, without interruption or having to connect/disconnect. Then for any users traveling or at home, they can just use RDS or client VPN via GVC (Global VPN Client) or SSL-VPN, whichever you prefer. Does that make sense?
 
HarleyWilly (Author) commented:
Yes - thanks. For the people connecting from home or from a hotel - how does it handle this? Can we use a client app and/or is there a way to easily deploy via a website to a remote client (like what was demonstrated to us last week by a Barracuda sales rep)?
Also do you recommend a particular SonicWall vendor?
 
Blue Street Tech (Last Knight) commented:
For the people connecting from home or from a hotel - how does it handle this?
I added it as a late modification to my post above. Then for any users traveling or at home they can just use RDS or client VPN via GVC (Global VPN Client) or SSL-VPN, whichever you prefer.

Can we use a client app and/or is there a way to easily deploy via a website to a remote client (like what was demonstrated to us last week by a Barracuda sales rep)?
Yes, the easiest management for client VPN is going to be SSL-VPN. The user goes to their website, e.g. https://connnect.domain.com or whatever you want and there they enter their username/password; once accepted, it automatically downloads the client. All management is run from the SonicWALL appliance. There is no remoting in to setup access, etc.