LICOMPGUY

asked on

Appliance based reliable cost-effective VPN solution for small business (up to 30 concurrent connections)

Looking for a cost-effective, appliance-based VPN solution (preferably clientless) for small business.
Thoughts/ideas/recommendations?

We have a number of small clients with whom we have been using the Netgear FVS-336s with a lot of success, but they are no longer supporting it.
Some users remain on as much as 8-10 hours per day.

Thanks!
Blue Street Tech

Hi LICOMPGUY,

By the phrase "clientless," I'm assuming you are wanting a C2S (Client-to-Site) VPN, correct?

I'd recommend SonicWALL. It is not just about providing good VPNs but also providing great security. The only truly clientless option is an SSL-VPN (clientless version - there are three flavors of SSL-VPNs), though they are limited and are typically done to provide access to an application. If you are worried about management, SSL-VPN clients are easy to deploy in SonicWALL. You can centrally deploy them by Group Policy or, better yet, a Virtual Office space (https://<firewall_public_ip>:4433), basically a site hosted on the security appliance where a VPN user logs in and automatically gets the client downloaded - no configuration needed except for the user's credentials, domain, and 2FA if enabled (which I'd recommend).

Now in terms of your requirement of 30 concurrent IPsec tunnels...you could get a SonicWALL TZ300, which would provide the ability to have 50 SSL-VPN tunnels.

Are you positive on that number (30)? Because the NETGEAR FVS336s that your customers use maxes out at 25 IPsec tunnels, not to mention those devices are superannuated and impotent at stopping today's threat landscape. It was running on 1996 technology (Stateful Packet Inspection), which is why they have discontinued their entire business segment - they can't keep up. A security baseline is to inspect every packet (unencrypted & encrypted) that comes through the network. NETGEAR currently can't, even with their latest products, and most other providers either can't or fail open for the ones they cannot inspect. SonicWALL is one of the few vendors that can inspect all traffic & is currently the only vendor that is capable of running RTDMI (Real-Time Deep Memory Inspection), which can stop Spectre & Meltdown exploits before reaching the vulnerable hardware in question. Ransomware & zero-day attacks can also be stopped at the gateway. It is definitely time to upgrade to protect your clients from today's threats.

Let me know if you have any other questions!
LICOMPGUY

ASKER

Thanks so much for the detailed response. I was very impressed with what we saw with SonicWALL, but was a little concerned since they parted ways with Dell. But I guess they aren't going anywhere.

Definitely not sufficient protection with the FVS any longer, with everything that is going on with ransomware especially.

What more can you tell me about the Virtual Office space set up - it would be awesome if we don't have to deal with client configs.
Is it pretty seamless with Windows 7, 10 even Mac - would you know?

What we're doing is the users would establish the tunnel, then execute a login script so they would get their drive mappings and be able to access network shares. Do you think we can still accomplish this?

Can't thank you enough for your answer. As for the 30 concurrent, I did go a bit high, just to allow room.

Thanks so much
LICOMPGUY

ASKER

So if you were to implement this, only needing to establish the tunnel (preferably clientless), meaning we don't have to install a client on every user's laptop or home PC, and once the tunnel is open, they can execute a login batch file to access files on servers in the office. Which way would you go?
Thanks again!
ASKER CERTIFIED SOLUTION
Blue Street Tech

Let me help clarify. Bookmarks through the Virtual Office are clientless. For user-based device access like desktops/laptops, smartphones, etc., they would use a client such as NetExtender and/or Mobile Connect; however, both are self-service - no admin management or configuration is required. Here is how it would play out.

If a user requires remote access to the network you'd simply tell them to go to https://firewall_ip:4433 and once they get there they will be prompted to enter their credentials. Once they do, NetExtender will automatically download and install onto their machine. Then they connect to your network and access whatever resources you want them to have access to.

Now in terms of login scripts you can handle it a few different ways depending on your resources. If you are in a domain environment and have access to Group Policy I'd map them that way. Otherwise, you would have to touch each client machine once. For example, you would create a batch file that would have to be manually entered into the Connection String within each NetExtender client.
LICOMPGUY

ASKER

Definitely going to go this route.
Thanks so much for your help!
Blue Street Tech

Glad I could help...and thanks for the points!
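A login batch file of the kind the accepted answer describes, run after the NetExtender tunnel is up, as an added example (not code from the thread or from SonicWALL): it waits until the office file server is reachable through the tunnel before mapping drives, so the mappings do not fail on a half-established connection. The server address 10.0.10.5 and the share names "Shared" and "Users" are assumed placeholders.

```batch
@echo off
setlocal
REM Added example (not from the thread or SonicWALL): post-connect login script
REM that maps drives once the VPN tunnel is up, as the answer describes.
REM Assumed placeholders: office file server 10.0.10.5, shares "Shared" and "Users".
set "FILESERVER=10.0.10.5"
set "MAXTRIES=12"
set /a TRY=0

REM The IP is used instead of a hostname so the mapping does not depend on
REM internal DNS being pushed to the client by the VPN.
REM "TTL=" is checked because ping returns 0 even for "Destination host unreachable".
:waitloop
ping -n 1 -w 1000 %FILESERVER% | find "TTL=" >nul
if not errorlevel 1 goto mapdrives
set /a TRY+=1
if %TRY% geq %MAXTRIES% (
    echo File server %FILESERVER% not reachable through the tunnel after %MAXTRIES% attempts.
    exit /b 1
)
timeout /t 5 /nobreak >nul
goto waitloop

:mapdrives
REM Clear stale mappings from a previous session so a reconnect does not fail
REM with "the local device name is already in use".
net use S: /delete /y >nul 2>&1
net use U: /delete /y >nul 2>&1

REM /persistent:no ties the mapping to this VPN session; Windows prompts for
REM domain credentials if the cached ones do not match the server.
net use S: \\%FILESERVER%\Shared /persistent:no
if errorlevel 1 (
    echo Failed to map S: to \\%FILESERVER%\Shared
    exit /b 1
)
net use U: \\%FILESERVER%\Users\%USERNAME% /persistent:no
if errorlevel 1 (
    echo Failed to map U: to \\%FILESERVER%\Users\%USERNAME%
    exit /b 1
)
echo Drives mapped over the VPN tunnel.
endlocal
exit /b 0
```

In a domain environment the same mappings are better delivered by Group Policy drive maps, as the answer notes; this file is for the per-client case where it is entered into each NetExtender Connection String.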