Mobile Staff Using VPN

Discussion in 'Networks' started by nXPLOSi, Jan 19, 2011.

  1. nXPLOSi

    nXPLOSi Terabyte Poster

    Hi All,

    I'm hoping someone can help me with a little issue I've got here at the moment.

    We're in the process of creating an ASP.NET application that our field staff will need to access through a VPN on their mobile devices. So far I've got the plan of putting the server that's hosting this in a DMZ behind a Watchguard firewall. The problem I have (and it's probably a silly one) is that I have very little experience with VPNs. Our field staff are going to be using mobile broadband to connect into the server, but I'm wondering what options I have when allowing this access through the firewall?

    The first thing I thought was static IP broadband that is then allowed through the firewall via the VPN, but looking at a few providers, they don't seem to be able to supply static IP mobile broadband. I'm sure there is an obvious answer out there that I'm missing, but working 8 til 8 on this application is frying my brain! Help! :blink
     
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
  2. danielno8

    danielno8 Gigabyte Poster

    If I understand correctly, they will be using a VPN to get onto the corporate network. From there, they will have an IP address assigned to them from the VPN pool. It will be this address you want to allow through the firewall to the DMZ.

    But then if your VPN takes them into the corporate network, it seems silly to me to then put the server they will be accessing in a DMZ (if your only reason for doing so was for VPN users to access it).
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  3. dales

    dales Terabyte Poster

    Depending on the model, the Watchguard should be configurable for VPN, so you won't need a specific VPN server. The next thing is the mobile users will not need a static IP as they can just authenticate against AD. Are these mobile devices their own or company owned and controlled? VPN access introduces many many many issues in regards to security threats (virus on a home laptop, for instance: VPN = straight-through access to the corporate network), and VPN settings can be easily replicated onto non-company-owned devices too, even by the most novice of users.

    I would look into a Citrix XenApp product if I were you; then at least you would be reasonably reassured that your internal network is protected (you just have to worry about key loggers then).
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  4. nXPLOSi

    nXPLOSi Terabyte Poster

    Thanks for the replies guys, I think there is more to this than I first imagined.

    I've had a look at the Watchguard and it does support VPN setup. The idea is that these remote workers will VPN into an intranet site that's hosted solely on a server. The devices they will be using are company owned and will be locked down as much as possible to stop misuse or security issues.

    I thought we would need a DMZ where this server would reside and the remote users could only access this intranet and nothing else, but in all honesty I haven't done anything like this before. I know a lot of the theory behind it, but without any real-world experience I'm having a hard time being sure I'm doing it the best/correct way. :(
     
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
  5. Theprof

    Theprof Petabyte Poster

    Here's how we set up our VPN; maybe it will shed some light. Although we don't use many Watchguard firewalls, we do use Juniper as our main firewall for VPN. You will probably want to configure an IPsec VPN connection to begin with for security. Our firewall/router sits between the DMZ and our LAN. We have trust and untrust ports that are connected to the DMZ and to our local network.

    Keep in mind that I do create VPN policies within the firewall and import the policy onto the users' workstations.

    As for the users, they don't need to have a static connection; just a regular internet connection will do.
     
    Last edited: Jan 20, 2011
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
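The design the replies converge on (danielno8: allow only the VPN pool address through to the DMZ; nXPLOSi: remote users reach the intranet server and nothing else; Theprof: trust/untrust zones either side of the firewall) can be checked as a policy before it is typed into a real firewall. The following is an added example, not code from the thread or from Watchguard or Juniper: a small first-match, zone-based policy evaluator in Python. All zones, addresses, ports and rule names are constructed for the example; the sample flows include the case dales warns about, a VPN-connected device trying to reach the internal LAN.

```python
"""Zone-based firewall policy model for the VPN-to-DMZ design discussed above.

Added example (not from the thread). Every address, zone and rule here is
constructed; substitute your own VPN pool, DMZ and LAN ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zones. Anything outside these ranges is treated as "untrust"
# (the Internet side of the firewall). The VPN pool is the range the
# firewall hands out to remote staff once they have authenticated.
ZONES = {
    "vpn": ip_network("10.99.0.0/24"),
    "dmz": ip_network("192.168.50.0/24"),
    "lan": ip_network("192.168.10.0/24"),
}
INTRANET_SERVER = ip_network("192.168.50.10/32")   # the ASP.NET host in the DMZ


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                 # "vpn", "dmz", "lan" or "untrust"
    dst: Optional[IPv4Network]    # None = any destination
    dport: Optional[int]          # None = any destination port
    action: str                   # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Map a source address to the zone it arrives from."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "untrust"


# First match wins; anything that matches no rule is denied.
POLICY: List[Rule] = [
    # Remote staff may reach the intranet web server over HTTPS only.
    Rule("vpn-to-intranet", "vpn", INTRANET_SERVER, 443, "allow"),
    # Everything else from the VPN pool (LAN, other DMZ hosts, other ports) is blocked.
    Rule("vpn-default-deny", "vpn", None, None, "deny"),
    # The Internet gets nothing without first coming through the VPN.
    Rule("untrust-default-deny", "untrust", None, None, "deny"),
    # Internal admins may manage the DMZ host.
    Rule("lan-to-dmz", "lan", ZONES["dmz"], None, "allow"),
]


def evaluate(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, matching rule name) for one flow, first match wins."""
    src_zone = zone_of(src)
    d = ip_address(dst)
    for r in POLICY:
        if r.src_zone != src_zone:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.name
    return "deny", "implicit-deny"


# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.99.0.7", "192.168.50.10", 443),        # field worker -> intranet over HTTPS
    ("10.99.0.7", "192.168.50.10", 3389),       # same worker -> RDP on the same server
    ("10.99.0.7", "192.168.10.20", 445),        # same worker -> file server on the LAN
    ("203.0.113.5", "192.168.50.10", 443),      # Internet host that never joined the VPN
    ("192.168.10.20", "192.168.50.10", 3389),   # admin workstation on the LAN
]


def run_samples():
    """Evaluate every sample flow and return the decisions."""
    return [(flow, evaluate(*flow)) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for (src, dst, port), (action, rule) in run_samples():
        print(f"{src:>15} -> {dst}:{port:<5} {action:5} ({rule})")
```

The order of the rules is the point: the single HTTPS allow sits above a deny that covers the whole VPN zone, so a compromised or cloned VPN client still cannot reach the LAN or any other port on the server, which is the "straight-through access" risk raised earlier in the thread. A real firewall should also log the hits on the two default-deny rules, since traffic from the VPN pool towards the LAN is exactly the event worth alerting on.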
  6. danielno8

    danielno8 Gigabyte Poster

    Out of interest, what Junipers do you use? We just rolled out SRX-650 and SRX-240 as our global WAN routers.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  7. Theprof

    Theprof Petabyte Poster

    We have 2 x NS25 in an active/passive config in the main office and the SSG5 in one or two offices... the rest of the offices are on an MPLS.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA