Mid-size company, 100-150 employees with VPN access spread across two sites.
VPN mostly used by road warriors to access files stored on network shares, as well as our Oracle ERP system.
Our company seems to like “Appliances” for things like this.
We currently have a Barracuda SSLVPN 480 appliance in each site. Barracuda has EOL’d this product and their support blows chunks. It is also extremely unreliable and relies a lot on Java and ancient drivers.
What are your suggestions for replacement? Ideally, we’d like to make things as easy as possible on our users, so anything with complicated client config can be ruled out. We’d also like something with a proper support channel that can be relied on, ruling out an OpenVPN solution. Finally, a Cisco solution is highly likely to be out of the budget.
You have two options based on what you stated. Cisco AnyConnect on an ASA, or OpenVPN. One is with the support of thousands around the world and tons of support sites. The other is going to cost you an employee's yearly salary. Decide from there.
We’re a Fortinet shop but I’m lucky enough to have no clue what they cost at this point. Might be worth looking into the cost because the feature set is great.
Pulse Secure’s Connect Secure is the best dedicated VPN solution on the market, and hits the “appliance” model. Problem is, it’s also the most expensive solution, but if you have a desire for the best, this is the best.
After this, I would be looking at AnyConnect on an ASA, which can be extremely affordable if you just need the basic VPN connection and no endpoint inspection or other advanced features. This allows you to get a very cheap AnyConnect Plus license, available as perpetual or subscription. If you need more advanced features, you need Apex, which is subscription only, but it’s actually pretty darn affordable. These licenses are not tied to a piece of hardware, so if you get new hardware in the future, then the licenses are portable. There’s also a VPN-only license that is locked to an ASA but is the lowest cost of all three options.
Outside of these two options for appliances, there is SonicWALL SRA (blech) or another firewall used for VPN only. Palo Alto with GlobalProtect is the next best option after Pulse Secure or AnyConnect on an ASA IMO. Some people think it’s better, but AnyConnect still offers more features (with the Apex license) if those are needed.
If none of these will fit your budget, then I’d be looking at an appropriately sized FortiGate to meet your concurrent user count needs. There is no “VPN license” for these, just the cost of the firewall itself. Their SSL VPN client is pretty good, but has had its issues.
Then you’ve got the OpenVPN route as mentioned by many. No physical appliance you can buy, but there is support available. Gets the basic job done and pretty foolproof as well.
Lastly, if this is only for Windows devices you could just do it all via the Windows VPN client and RRAS for a very basic deployment, or use DirectAccess/Always On VPN (Always On VPN is Windows 10 only and works with Pro; DirectAccess works on Windows 7 but requires Enterprise).
We’re a Palo Alto shop, and GlobalProtect has been great. They released a Linux client recently so we’ve got feature parity for Mac, Windows and Linux clients, which is awesome.
If the PA cost gives you conniptions (quite understandable), Pulse Secure is a decent “appliancey” option. Virtual or physical options, configuration isn’t too difficult, plenty of support for 2FA and security things you should be configuring these days.
Also has a reasonably functional SSL reverse proxy so you can have web apps hosted without deploying a full VPN for everyone, if that fits your model.
Do you have any existing appliances that have VPN server capability that just isn’t turned on? We were already using Citrix NetScaler VPX for our external access/content switching for everything else, so I turned on a separate SSL VPN as well. Very expensive, so likely out of your budget here, but otherwise, as others have already suggested, if you want decent security you’ll have to use something like Cisco Meraki, Juniper, etc. You don’t wanna skimp on a server that gives external access to your business network.
I had a tech recently set up an OpenVPN box and it has been working flawlessly. I was sceptical at first because I haven’t ever used OpenVPN. I have to say though… seems great.
I think I would go with Fortinet. For two admins we use an SSH server with sshuttle for remote working, which is super slick because no other tools than sshuttle are needed, but there are obviously security considerations. I am thinking about how to set up the SSH server just for this scenario, though, reducing the risk that the SSH server can be taken over in any way. The server should be in a DMZ with a firewall in front of it and between it and the intranet.
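As an added example (not the poster's own setup, and not from any product mentioned in the thread), here is one way to lock down an sshd that exists only to be an sshuttle jump host for a couple of admins: key-only login, an explicit user allowlist, and every forwarding feature switched off. The account names alice and bob, the host name jump.example.com and the internal range 10.0.0.0/8 are assumptions; the check function and the sample drop-in are constructed for illustration. sshuttle tunnels traffic over the SSH session's stdin/stdout by running a small Python helper on the server, so it does not need TCP forwarding, agent forwarding or tunnel devices, and all of those can stay disabled.

```shell
#!/bin/sh
# Added example: hardened sshd drop-in for a DMZ jump host used only via sshuttle.
# Assumed names (not from the thread): admins alice/bob, jump.example.com, 10.0.0.0/8.
set -eu

# Write the drop-in to the path given as $1 (default: a temp file, so this runs
# without root). On the real host use /etc/ssh/sshd_config.d/50-jump.conf and
# validate with `sshd -t` before restarting. Prints the path it wrote.
write_sshd_cfg() {
    out="${1:-$(mktemp)}"
    cat > "$out" <<'EOF'
# Only the two admin accounts may log in at all (assumed names).
AllowUsers alice bob
# Keys only: no passwords, no root, few retries, short grace period.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
MaxSessions 4
# sshuttle does not use SSH port forwarding: it runs a Python helper on the
# server over the session's stdin/stdout, so every forwarding feature stays off.
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
EOF
    printf '%s\n' "$out"
}

# Verify that a config file carries each directive we rely on with the expected
# value. Like sshd, the first uncommented occurrence of a keyword wins.
# Returns 1 (and names the offender on stderr) on any mismatch.
check_sshd_cfg() {
    cfg="$1"
    rc=0
    for want in "PasswordAuthentication no" "PermitRootLogin no" \
                "AuthenticationMethods publickey" "AllowTcpForwarding no" \
                "AllowAgentForwarding no" "PermitTunnel no"; do
        key="${want%% *}"
        got="$(awk -v k="$key" '$1==k {print $2; exit}' "$cfg")"
        if [ "$got" != "${want#* }" ]; then
            printf 'weak or missing: %s (got "%s")\n' "$want" "$got" >&2
            rc=1
        fi
    done
    return $rc
}

# Client side: route the (assumed) internal range through the jump host.
# The server needs Python for sshuttle's helper; the client needs only sshuttle.
sshuttle_cmd() {
    printf 'sshuttle -r %s@%s %s\n' "$1" "jump.example.com" "10.0.0.0/8"
}

cfg="$(write_sshd_cfg)"
check_sshd_cfg "$cfg" && echo "drop-in at $cfg passes the checks"
sshuttle_cmd alice
```

The same checker can be pointed at the live config of an existing box (`check_sshd_cfg /etc/ssh/sshd_config`) to catch a password login or port-forwarding setting that was left enabled by default; the DMZ firewall rules the poster describes (only 22/tcp in from the Internet, only the needed internal ranges out to the intranet) still belong on the firewall, not on this host.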