Dude is out of their depth. Probably kept after the rest of their team was laid off
We use Palo Alto GlobalProtect and use both computer (pre-login) and user (post-login) certs to authenticate the VPN. Certs are autoenrolled, the GlobalProtect portal host is pushed in a GPO, and GlobalProtect is installed by our software deployment tool on all portables automatically.
It was some effort getting it all configured and working, but now it’s almost zero effort, it’s great.
That’s not what our QSA told us we could get away with: about a half dozen VPN tunnels gated to various environments, some of which have to drop routes for UCM apps out of security concerns…
It can be as simple as you say, but it can also get really, really complex once you start throwing regulatory compliance into the mix.
The past few years have shown traditional SSL VPN like a Fortigate is not an easy way to secure remote access to a network, given the number of vulnerabilities that continually arise in edge-facing devices like them.
Identity-aware proxies for cloud along with ZTNA services are picking up steam precisely because of the exploitation against traditional VPN, coupled with demands for remote work which put a strain on network bandwidth with full-tunnel VPN.
Yeah many companies, even including ours, indeed implement controls for limited access to specific IPs and protocols. We’re just looking to further narrow down access points to reduce any potential risks if possible.
Also, VPNs grant users access to the entire network,
I wish someone had told me that before we implemented our Palo Alto this month; it would have saved me hours of work setting it up.
I’m not sure how you manage
Not necessarily, our users only have access to the local IPs/protocols they need. And every company does the same.
For example, we have a pjsip app that requires opening a huge number of UDP ports (by design of the protocol), and in the firewall/VPN you need to create rules to distinguish SIP traffic from the rest of the traffic, and the IPs are not static - a bit of a challenge.
It was the standard; now smart companies are moving to zero trust networking like Twingate, Tailscale, etc.
This. I really don’t understand the whole mentality of the ZTNA mindset and VPNs being mutually exclusive. Design your policies properly, it really doesn’t take much effort.
Thanks mate. I’ll dig into AVD and see if it aligns with our budget.
Hairpinning is one of the arguments against using VPNs with cloud environments. Microsoft doesn’t recommend:
Yeah the user role switch seems like a good practice.
I haven’t used ZTNA before, so I am intrigued by what you just said. Specifically, how does a server inside my network with an agent installed know about a user on a laptop in some random coffee shop that needs a secure connection?
How?
SD-WAN is traffic shaping and routing… Not auth and access.
And usually outbound…
This is a fine solution if OP wants to be a beta tester for a relatively unproven MS product. There are other better, more established solutions out there that are doing far more with SSE (including SSL inspection for internet-bound traffic), albeit at a very different price point.
Yet another argument for a solid RBAC framework.
We have our VPN profiles assigned by RBAC and tied to the appropriate address pool/VLANs with ACLs to control the segmentation of traffic.
Access to the “entire network” indeed… Not on my watch.
The use of certs is another step in the right direction.
But we better not stress the guy with certs who already has a hard time setting up basic VPN access. hehe
Do the users do any interactive login or MFA at all? I can see a case where they don’t need to; if you have good endpoint management practices, why not rely 100% on the certificates?
We have 5 tunnels with other offices around the country and 4 tunnels with clients
I implement everything (our side). Every tunnel/resource is limited. I can’t say it was complex.
edit: Well, except perhaps one of our clients for which I had to configure access to more than 10 networks and monitor some app/port usage to open ports because they had no idea; it was a bit annoying.
As someone who used to sell all major NGFW vendors, you can absolutely lock your VPN down but most companies weren’t.