# Good mid size company router/gateway ideas? VPN solutions (Ssl)? Current choices ...



## markm75 (Jan 26, 2007)

We are researching replacing our existing (and frequently locking up) Symantec Gateway 460 gateway (was a $650 device). Currently it has the firewall and vpn built in (ipsec). This unit requires that end users use proprietary vpn software, rather than just creating a windows vpn connection.. this software doesnt work in x64 Vista (or Vista period). We also have installed pptp vpn on a backend server and use this as an alternate for now.

We have a 15 mbit Comcast cable connection (1mbit upload) and a 3mbit verizon connection (1mbit upload max).. We have about 10 users at the moment (out of 42) who use VPN, usually only about 3-4 at a time though.

I'd really like an all in one solution that was VPN SSL capable (i'm assuming this means the end user wouldnt need proprietary software, just an SSL certificate and a connection in most cases?).. but it seems most are breaking the two apart these days?

Here are my current choices.. any thoughts on these or perhaps others out there i haven't thought of? (perhaps cheaper ones that are just as good)? We need to have dual wan ability in either case though.. 

Gateways:

Sonicwall Pro 2040 Internet Security Appliance: (dual wan able) 01-SSC-5700 $1339.88 (24x7 support option 01-SSC-5707 = $350.97)
**No SSL vpn ability need separate unit, see below (has standard 10 license, ipsec vpn ability); 200mbps on firewall and 50mps on vpn

Juniper SSG-140-SH $2569
** 350mbps on firewall; 100 mbps on vpn



Secondary vpn device:
SonicWall SSL-VPN 2000 01-SSC-5952 $1691 (unlimited users)
*Nice interface via the web, does require a small app installed via the web to directly connect though.


Any thoughts?


----------



## Cellus (Aug 31, 2006)

SonicWALL makes some pretty decent firewalls and VPN products. Considering your current Internet throughput you don't really need the extra throughput capability of the Juniper gateway. It does admittedly come out as more expensive, but you certainly get your money's worth with their bigger 1U appliances. Just note that the documentation can bit slightly lacking at times, so you may need to fish around a bit if something isn't clearly explained in the manual.


----------



## wiccaman (Oct 25, 2007)

markm75 said:


> We are researching replacing our existing (and frequently locking up) Symantec Gateway 460 gateway (was a $650 device). Currently it has the firewall and vpn built in (ipsec). This unit requires that end users use proprietary vpn software, rather than just creating a windows vpn connection.. this software doesnt work in x64 Vista (or Vista period). We also have installed pptp vpn on a backend server and use this as an alternate for now.
> 
> We have a 15 mbit Comcast cable connection (1mbit upload) and a 3mbit verizon connection (1mbit upload max).. We have about 10 users at the moment (out of 42) who use VPN, usually only about 3-4 at a time though.
> 
> ...



Okay - SSL-VPN depending on your company security requirements & or complexity. I would advise against having your Firewall terminate your VPN sessions. instead deploy a SSL-VPN capable appliance. like a entry level F5 Firepass. Why? - hardware seperation will reduce the amount configuration required on your boundry firewall & simplify your rules... i.e bolting on a SSL-VPN service to the side in say a VPN Zone will allow you to create seperation from your Public or private DMZ area's. The will also allow to you to allow Frag IP to that Zone only. (assuming you choose the juniper the screening rules will need to be setup correctly) 

Dependng also on your budget the Juniper looks like the best option, make sure you you get the latest ScreenOS installed.
Please note Juniper's can be tricky to configure & understand.

Indeed SSL-VPN can use HTTPS via Web browser - as well as a VPN Client.


----------



## markm75 (Jan 26, 2007)

wiccaman said:


> Okay - SSL-VPN depending on your company security requirements & or complexity. I would advise against having your Firewall terminate your VPN sessions. instead deploy a SSL-VPN capable appliance. like a entry level F5 Firepass. Why? - hardware seperation will reduce the amount configuration required on your boundry firewall & simplify your rules... i.e bolting on a SSL-VPN service to the side in say a VPN Zone will allow you to create seperation from your Public or private DMZ area's. The will also allow to you to allow Frag IP to that Zone only. (assuming you choose the juniper the screening rules will need to be setup correctly)
> 
> Dependng also on your budget the Juniper looks like the best option, make sure you you get the latest ScreenOS installed.
> Please note Juniper's can be tricky to configure & understand.
> ...



I've been leaning more towards the Sonic wall model for the gateway.. and the 2000 series for VPN.. what do you think of these options? I figure the extra bandwidth of the juniper really doesnt help us much with our existing internet.. the 2000 for vpn makes more sense as it has many more features over the 200, including the netextender and java based rdp..


----------

