1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Mobile Staff Using VPN

Discussion in 'Networks' started by nXPLOSi, Jan 19, 2011.

  1. nXPLOSi

    nXPLOSi Terabyte Poster

    2,874
    30
    151
    Hi All,

    Im hoping someone can help me with a little issue i've got here at the moment.

    We're in the process of creating a ASP.NET Application that our field staff will need to access through a VPN on their mobile devices. So far i've got the plan of putting the server thats hosting this in a DMZ behind a Watchguard firewall. The problem I have (and its probably a silly one) is that I have very little experience with VPN's. Our field staff are going to be using mobile broadband to connect into the server, but im wondering what options I have when allowing this access through the firewall?

    The first thing I thought was a Static IP boardband that is then allowed through the firewall via the VPN, but looking at a few providers that don't seem to be able to supply Static IP mobile broadband. Im sure there is an obvious answer out there that im missing but working 8 til 8 on this application is frying my brain! Help! :blink
     
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
  2. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    If i understand correct, they will be using a VPN to get onto the corporate network. From here, they will have an IP Address assigned to them from VPN pool. It will be this address you want to allow through the firewall to the DMZ.

    But then if your VPN takes them into the corporate network, it seems silly to me to then put the server they will be accessing in a DMZ (if your only reason for doing so was for VPN users to access it).
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  3. dales

    dales Gigabyte Poster

    1,998
    46
    97
    Depending on the model the watchguard should be configurable for VPN so you wont need a specific vpn server, the next thing is the mobile users will not need a static ip as they can just authenticate against AD. Are these mobiles devices their own or company owned and controlled, vpn access introduces many many many issues in regards to security threats (virus on a home laptop for instance vpn= staight through access to corporate network), VPN settings can be easily replicated onto non company owned devices too even by the most novice of user.

    I would look into a citrix xenapp product if I were you then at least you would be reasonably reassured that you internal network is protected (you just have to worry about key loggers then).
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  4. nXPLOSi

    nXPLOSi Terabyte Poster

    2,874
    30
    151
    Thanks for the replies guys, I think there is more to this when I first imagined.

    I've had a look at the Watchguard and it does support VPN setup. The idea is that these remote workers will VPN into an Intranet site thats hosted solely on a server. The devices they will be using are company owned and will be locked down as much as possible to stop misuse or security issues.

    I thought we would need a DMZ where this server would reside and the remote users could only access this Intranet and nothing else, but in all honestly I havent done anything like this before, I know alot of the theory behind it but without no real world experience im having a hard time being sure im doing it the best/correct way. :(
     
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
  5. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    Here's how we set up our VPN, maybe it will shed some light. Although we don't use many watch-guard firewalls, we do use Juniper as our main firewall for VPN. You will probably want to configure an IP Sec VPN connection to begin with for security. Our firewall/router sits between the DMZ and our LAN. we have trust and untrust ports that are connect to the DMZ and to our local network.

    Keep in mind that I do create VPN Policies within the firewall and import the policy into the users workstations.

    As for the users, they don't require to have a static connection, just a regular internet connection will do.
     
    Last edited: Jan 20, 2011
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  6. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    Out of interest, what Junipers do you use? We just rolled out SRX-650 and SRX-240 as our global WAN routers.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  7. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    We have the 2 x NS25 with an active passive config in the main office and the SSG5 in one or two offices... the rest of the offices are on an MPLS.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA

Share This Page

Loading...