Appliance-based, reliable, cost-effective VPN solution for small business (up to 30 concurrent connections)

LICOMPGUY
Looking for a cost-effective, appliance-based VPN solution (preferably clientless) for small business.
Thoughts/ideas/recommendations?

We have a number of small clients that we have been using the Netgear FVS336s with a lot of success, but Netgear no longer supports it.
Some users remain on as much as 8-10 hours per day.

Thanks!
Blue Street Tech (Last Knight), Distinguished Expert 2018

Commented:
Hi LICOMPGUY,

By the phrase "clientless," I'm assuming you are wanting a C2S (Client-to-Site) VPN, correct?

I'd recommend SonicWALL. It is not just about providing good VPNs but also about providing great security. The only truly clientless option is an SSL-VPN (the clientless version; there are three flavors of SSL-VPN), though they are limited and are typically used to provide access to an application. If you are worried about management, SSL-VPN clients are easy to deploy in SonicWALL. You can centrally deploy them by Group Policy or, better yet, through a Virtual Office space (https://<firewall_public_ip>:4433), basically a site hosted on the security appliance where a VPN user logs in and automatically gets the client downloaded; no configuration is needed except for the user's credentials, domain, and 2FA if enabled (which I'd recommend).

Now in terms of your requirement of 30 concurrent IPsec tunnels: you could get a SonicWALL TZ300, which would provide the ability to have 50 SSL-VPN tunnels.

Are you positive on that number (30)? The NETGEAR FVS336s that your customers use maxes out at 25 IPsec tunnels, not to mention those devices are superannuated and impotent at stopping today's threat landscape. It was running on 1996 technology (Stateful Packet Inspection), which is why they have discontinued their entire business segment: they can't keep up. A security baseline is to inspect every packet (unencrypted & encrypted) that comes through the network. NETGEAR currently can't, even with their latest products, and most other providers either can't or fail open for the ones they cannot inspect. SonicWALL is one of the few vendors that can inspect all traffic & is currently the only vendor that is capable of running RTDMI (Real-Time Deep Memory Inspection), which can stop Spectre & Meltdown exploits before reaching the vulnerable hardware in question. Ransomware & zero-day attacks can also be stopped at the gateway. It is definitely time to upgrade to protect your clients from today's threats.

Let me know if you have any other questions!

Author

Commented:
Thanks so much for the detailed response. I was very impressed with what we saw from SonicWALL, but was a little concerned since they parted ways with Dell. But I guess they aren't going anywhere.

Definitely not sufficient protection with the FVS any longer with everything that is going on, with ransomware especially.

What more can you tell me about the Virtual Office space set up - it would be awesome if we don't have to deal with client configs.
Is it pretty seamless with Windows 7, 10 even Mac - would you know?

What we're doing is the users establish the tunnel, then execute a login script so they get their drive mappings and can access network shares. Do you think we can still accomplish this?

Can't thank you enough for your answer.  As for the 30 concurrent, I did go a bit high, just to allow room.

Thanks so much
Blue Street Tech (Last Knight), Distinguished Expert 2018
Commented:
Don't worry about the DELL deal; it was good for both parties. DELL was forced to liquidate most of their previously larger acquisitions in order to form one of the biggest acquisitions in tech history...with EMC.

What more can you tell me about the Virtual Office space set up - it would be awesome if we don't have to deal with client configs.
The Virtual Office portal is the website that users log in to in order to launch NetExtender & bookmarks. It can be customized to match any existing company website or design style, and it is also a launching point for other services, aka bookmarks. You can run the following in bookmarks:
• RDP (HTML5-RDP)
• SSHv2 (HTML5-SSHv2)
• TELNET (HTML5-TELNET)
• VNC (HTML5-VNC)

Users are not able to delete or modify bookmarks created by the admin. Bookmarks launch virtualized services from the appliance that connect to servers/workstations on the LAN through the SSL-VPN tunnel (application mode) separate from NetExtender.

Is it pretty seamless with Windows 7, 10 even Mac - would you know?
I'm assuming you are talking about the SSL-VPN and not the Virtual Office, but either way both are compatible with Windows, Mac OS X, Android, iOS & Linux.

What were doing is the users would establish the tunnel, then execute a login script so they would get their drive mappings and be able to access network shares.  Do you think we can still accomplish this?
Most definitely! In fact, NetExtender has this capability built in, called Connection Scripts. It provides the ability to run batch file scripts when NetExtender connects & disconnects. The scripts can be used to map or disconnect network drives & printers, launch applications, or open files or websites. NetExtender Connection Scripts can support any valid batch file commands. This would require touching machines, though, since the Connection Scripts reside locally on the machine, but it is a one-time configuration. If you have Group Policy, it would be preferred in terms of centralized management.

Author

Commented:
So if you were to implement this, needing only to establish the tunnel (preferably clientless), meaning we don't have to install a client on every user's laptop or home PC, and once the tunnel is open they can execute a login batch file to access files on servers in the office: which way would you go?
Thanks again!
Definitely going to go this route.

Author

Commented:
Thanks so much for your help!
Blue Street Tech (Last Knight), Distinguished Expert 2018

Commented:
Let me help clarify. Bookmarks through the Virtual Office are clientless. For user-based device access like desktops/laptops, smartphones, etc., they would use a client such as NetExtender and/or Mobile Connect; however, both are self-service, so no admin management or configuration is required. Here is how it would play out.

If a user requires remote access to the network you'd simply tell them to go to https://firewall_ip:4433, and once they get there they will be prompted to enter their credentials. Once they do, NetExtender will automatically download and install onto their machine. Then they connect to your network and access whatever resources you want them to have access to.

Now in terms of login scripts you can handle it a few different ways depending on your resources. If you are in a domain environment and have access to Group Policy I'd map them that way. Otherwise, you would have to touch each client machine once. For example, you would create a batch file that would have to be manually entered into the Connection String within each NetExtender client.
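As an added illustration of the Connection Scripts approach described in the two answers above (a batch file that NetExtender runs when the tunnel connects and disconnects), here is the kind of script an integrator would drop onto each machine once. This is example code written for this page, not code from the thread or from SonicWALL. The file names NxConnect.bat / NxDisconnect.bat and their location in the NetExtender install folder are assumptions to verify against your client version; fileserver.corp.example and the share names are hypothetical.

```batch
@echo off
REM NxDrives.bat -- added example of a NetExtender Connection Script. It is not
REM code from the original thread or from SonicWALL. NetExtender runs locally
REM stored batch files when the tunnel comes up and goes down; the file names
REM NxConnect.bat / NxDisconnect.bat and their location in the NetExtender
REM install folder are assumptions to verify against your client version.
REM Both point at this one file:
REM   NxConnect.bat:     call "%~dp0NxDrives.bat" connect
REM   NxDisconnect.bat:  call "%~dp0NxDrives.bat" disconnect
REM Hypothetical names: fileserver.corp.example is the LAN file server reached
REM through the tunnel, and the share names are made up for the example.
setlocal EnableDelayedExpansion

set "FS=fileserver.corp.example"
set "LOG=%TEMP%\NxDrives.log"
REM Drive letter -> UNC path table; add a letter and a SHARE_<letter> line per mapping.
set "LETTERS=S H"
set "SHARE_S=\\%FS%\shared"
set "SHARE_H=\\%FS%\home\%USERNAME%"

if /i "%~1"=="disconnect" goto disconnect
if /i "%~1"=="connect"    goto connect
echo usage: %~nx0 connect^|disconnect
exit /b 2

:connect
echo [%date% %time%] connect >> "%LOG%"
REM The client can report "connected" before the route to the LAN is usable,
REM so poll the server briefly instead of mapping blindly. ping sets a
REM non-zero errorlevel when it gets no reply.
set /a tries=0
:wait
ping -n 1 -w 1000 %FS% >nul 2>&1
if not errorlevel 1 goto map_all
set /a tries+=1
if !tries! geq 10 (
    echo [%date% %time%] %FS% unreachable after !tries! tries, no drives mapped >> "%LOG%"
    exit /b 1
)
REM ~2 second pause; ping is used instead of timeout because timeout fails
REM when stdin is redirected, which is common when a launcher runs the script.
ping -n 3 127.0.0.1 >nul
goto wait

:map_all
for %%L in (%LETTERS%) do call :map %%L
exit /b 0

:disconnect
echo [%date% %time%] disconnect >> "%LOG%"
for %%L in (%LETTERS%) do (
    net use %%L: /delete /y >nul 2>&1
    echo [%date% %time%] removed %%L: >> "%LOG%"
)
exit /b 0

:map
REM %1 = drive letter. No username/password on the command line: the mapping
REM reuses the user's existing Windows/domain logon across the tunnel, so no
REM credential sits in a file that any local user could read.
REM /persistent:no keeps the mapping out of the profile, so it does not try to
REM reconnect (or prompt) at the next logon while the tunnel is down.
set "UNC=!SHARE_%1!"
net use %1: /delete /y >nul 2>&1
net use %1: "!UNC!" /persistent:no >nul 2>&1
if errorlevel 1 (
    echo [%date% %time%] FAILED %1: -^> !UNC! >> "%LOG%"
) else (
    echo [%date% %time%] mapped %1: -^> !UNC! >> "%LOG%"
)
exit /b 0
```

Two practical points follow from the design. The script runs automatically, under the user's account, every time the tunnel comes up, so the folder it lives in must be writable only by administrators; otherwise any unprivileged process on the laptop could edit it and get code executed on the next VPN connect. And because it maps drives with the user's existing logon rather than a stored password, the same file can be copied to every machine unchanged, which is what makes the "touch each machine once" step from the answer above tolerable when Group Policy is not available.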
Blue Street Tech (Last Knight), Distinguished Expert 2018

Commented:
Glad I could help...and thanks for the points!
