
Need help setting up a VPN solution for small office

HKSturboKID

Golden Member
My friend and I just took on a small project.

The office consists of fewer than 10 people. The majority of them are on-the-road salesmen. I will need to set up a server for customer info, and the salesmen use laptops to VPN into the main office where they can check mail, upload and download files, use applications, etc. I was thinking about the Citrix solution but think it might be kind of expensive. Of course Linux is free, but the people at the office are only familiar with Windows and don't want to change. Can you guys make any suggestions? I believe WinXP Pro has VPN built in, correct? Please let me know what choices are out on the market.

Thanks.
 
If you have a Windows XP Pro machine, that can be set up very easily for VPN, but you do have to add the users to the computer that you want to connect to, and try to make the machine as secure as possible.
 
Before you can really go too far with this discussion, you REALLY need to understand the behavior of your applications and what your users want. Unfortunately, there isn't a single perfect solution.


If you have big, fat applications that need to transfer a huge amount of data, VPN isn't the whole solution. Most of these kinds of apps just don't work well on VPNs.

Remote control apps (Citrix, Windows Term Server) work well, but are expensive (Citrix) or don't offer good encryption (Windows term server). Plus, they don't give the user access to the application when they aren't connected (like at a customer site).

In some cases, you can combine things: run a VPN connection for encryption, then use Windows Terminal Services for remote control of the fat, bandwidth-intensive applications. Work with the others as you can to find a way to synchronize data (i.e. Outlook offline mode, etc.) so users can have something on their desktop. Look at read-only data pushes to their laptops, then force them to make any updates via the VPN/Term server combo.

(In case you can't guess, I did several consulting gigs a few years ago to design and deploy this solution. We ended up using Citrix for most of it, before security was such a big deal).

- G
 
We use our SSL proxy for a couple different things. Through it we allow read-only access to network shares. What the user sees is controlled via their login which is authenticated against AD. Whatever shares they have per AD get passed down through the SSL proxy. Browsing NTFS shares through our Netscreen SSL device is incredibly fast, even faster than browsing a share through Windows Explorer.

Network and server admins use it to allow access to their remote management apps.

Anyone that needs to do anything besides read-only browsing can connect to their desktop at work via Windows Remote Desktop, which we've tunneled through the SSL proxy. Eventually that'll go away to Citrix. Running Citrix Web Access (formerly nFuse) over the SSL proxy is a very easy and secure way of doing things. We're pushing it out as soon as we get the funding for TS licenses.

Like Garion said, I wouldn't use VPN to push bandwidth-intensive apps. Use Citrix, or even Remote Desktop or VNC over the SSL proxy if you want to do that stuff. That way all you're seeing on your screen is a "screenshot" of the remote machine, you're not actually pushing/pulling all that data from the app.

All of this can be accomplished using an IPSec VPN as well, but from a user standpoint we've found that an SSL proxy is much easier for the user to use.
 
Thank you for everyone's suggestions.

I will be meeting with the company this weekend to see what they really need.

From the brief discussion, it seems that they will have the apps reside on their laptops and they want a server where they can access their email, share files and home directories. I am thinking about win2k3, providing that it has a built-in mail server. Also, since the server has critical data, it will need to be behind a firewall and pretty much locked down. As for VPN, do I use the built-in VPN server from the win2k3 OS or should I recommend a VPN appliance? Since they won't have any desktops at work, and only the server, I don't know if VNC, Rdesktop, pcAnywhere will work at all.

Lastly, if I do set up the built-in VPN, once they connect and authenticate to the server, do they get their home directories mapped through the login script?

Thanks again.
 
HKSturboKID, consider using a Cisco PIX 501 and the Cisco Windows VPN client. It'll run you ca. $500, but is easy to manage, secure, and the Windows client is well done.
 