Best way to implement a remote-access VPN on enterprise network?

I work at a company with a very small IT department, in which I occupy a sort of help desk type role for the most part. I’ve been tasked with researching the best solution to allow our users to remote into our network and access our ERP software from home.

The users currently work from home by connecting via our citrix access gateway, allowing them to launch the apps remotely through Citrix. However, ideally we want them to have pretty much the same experience they have while at work; being able to open everything directly from their laptop after switching to a VPN connection.

One method we have of doing this is with the VPN feature of our hardware firewall. The problem with this is it only includes 5 licenses, so we would need to purchase additional ones. Before doing that though, I’m trying to find out what the best practice for implementing a remote access VPN is. Whether it’s going directly to the firewall, setting up a windows server for remote access, purchasing additional hardware etc. Whatever is the best way to do this is what I want to explore.

Another thing I should mention is that some of the users that will connect remotely are using Macs. I would greatly appreciate any input I could get on this.

Hard to provide suggestions without knowing your environment.

What’s your current infrastructure like?

-Make/model of current firewall?

-Are you currently running a windows active directory?

-What is your ISP? Is it fiber/cable, what speed do you currently have, and is it dedicated or best effort?

Have you taken a look at your current bandwidth utilization? Are you spiking or near capacity?

How many users do you expect will need this VPN access?

What applications are your remote users going to be using over this vpn?

What kind of bandwidth are you expecting per vpn user to be using?

What’s the budget for this project?

If you have Citrix already, I would put more resources (time) into making it a more usable platform for your remote users. Ultimately, it will require less support than managing a bunch of VPN clients on a mix of computers. With the CAG (and the more modern Netscaler), you have better control over the information the client accesses and what they can do with that info.

I would test with a group of 5 users. VPN licences aren’t that expensive if you want to scale up. You may be able to get away with 10 for 15 users until there is a snowstorm. Users may find the performance lacking though. It’s not going to be the same as in the office. A Remote Desktop server may be more appropriate but will be hard to justify if you already have the netscaler.

Honestly the easiest thing would be to just buy a 20 user license for the sonicwall VPN. You could use something like pfSense/openvpn for free but if you don’t have anyone on your team with those skill sets you may be playing with fire in my opinion.

If you have a windows server you could also do a RRAS for a basic VPN.

Edit: Also if you have a Netscaler you can use that for VPN assuming it is modern.

Juniper MAG is the best way to go for full vpn access. They can integrate with Citrix as well. Yes the product may have been sold off to pulse secure, but it is seriously the best product out on the market.

You can run OpenVPN and forget about purchasing licenses (at least with community edition). How you want to deploy is up to you. Many options.

You can run firewall level with pfsense or similar that support OpenVPN.

That’ll give you some starter points.

As others have stated, build on what you have with the Sonicwall or Citrix. There is no need to add another separate system that will need care and feeding. Just investigate what your options are with what you have and go from there.

I work in a largely-Cisco based managed-service provider which is starting to gear down Fortinet as well, so my answer will be very much biased. I hold an FCNSP and am working on my CCNP. Both of these platforms have great VPN solutions in their firewall offerings (ASA for Cisco and Fortigate for Fortinet).

Depending on how many simultaneous users you will be supporting, you may be able to get by with an ASA 5505 with extra licensing or an ASA 5512-X from Cisco (bonus: 5500-X series ASAs can also function as IPS or context-aware security including application control and web security; takes extra licensing and an SSD drive). An FG-60 or FG-300 may also support a smaller number of users, but on the plus side the Fortigate is very versatile (has many UTM features) and easy to configure.

I say this, because I despise Sonic Wall. It probably suits your needs very well but I’ve always found them to be difficult to work with, their VPN solution feels clunky, and I’ve always had the impression that they target markets other than enterprise.

Both Cisco and Fortigate have great, lightweight SSL VPN clients that function on a lot of platforms and run over 443. Both are “easily” integrated into a domain for AD-based authentication. (Easily being relative, as you’d still have to configure a server with the NPS role and configure RADIUS). Fortigates also have a very easy system for integrating 2FA if you need the added security, and can do it via SMS or Mobile App.

I would advise against using Windows RRAS for VPN. It may be easy to configure and integrate into AD, but I don’t trust RRAS for security, and if the users are on public wi-fi they might not be able to use PPTP due to access rules…but they should be able to use 443 just about anywhere.

My opinion? A pair of Fortigates suitable for your size and a FortiAnalyzer for logging. The Fortigate is a VERY impressive little box and can replace your edge routers (if you have ethernet handoff), firewall, web security, VPN, wireless LAN controllers (with FortiAPs) and do a damn good job of antivirus and data-leak prevention. It can even do web security platforms based off user-data agent with different profiles for Android, iOS, Windows, Mac, etc, making it like NAC-lite. They are easy to configure, support OSPF and BGP, support HA, etc. And if you have multiple sites, you can manage all of them in one interface under FortiManager. Awesome product.

Most implementations I’ve seen in smaller environments run VPN from the firewall (in your case, the Sonicwall). Most of those SSL VPNs are quite good, and support multiple platforms. Just cost out how much the licenses are from your vendor.

If you DON’T want to use that (say, the license costs are too much), you can use the Remote Access server role in Windows Server. That creates IPSec tunnels. However, it’s a bit more work to set up, and it’s another server to configure. Could also be too difficult for your Mac users as they’d have to configure an IPSec client. Might be simpler to keep using your firewall, especially since it sounds like you already have it set up.

The biggest ‘gotcha’ you have to watch out for with VPN is bandwidth. You don’t say what you have, but if you’re securing all traffic, then calculate how much you can use.

Say you have a snow day and a whole bunch of people decide to VPN. Most broadband internet connections are at least 10Mb now. Is your WAN link fast enough to handle that amount of traffic if you’re encrypting everything? If you’re only encrypting corporate traffic, figure out how much bandwidth each application uses (e.g.: Exchange, SQL,…). How many users can your WAN connection support?

Anyway, just a starting point…

I prefer to run VPNs on Windows Server’s RRAS role. SonicWall VPN clients suck in my experience. It doesn’t cost anything extra, as it is built into server OSes. You don’t want to do it on a DC, but if you have a file server this is perfect. Just forward the ports on your firewall, add the VPN role to the server, and for bonus points deploy the VPN connection to traveling company laptops via Group Policy.

The experience is superior for the end user when compared to the SonicWall solution, and it doesn’t cost extra.

That being said, I think it is important to consider doing a Remote Desktop setup for remote users. It limits your security exposure significantly, and can protect against data theft and viruses spreading across VPN tunnels. I personally prefer running my remote users this way.

Use and license the SSL VPN feature on the Sonicwalls. It’s platform agnostic, easy to set up and it keeps an airgap between the user’s computer and your network. All they get are screen scrapes in a web browser window.

Hm… I probably should have posted this while at work so I could get you that info.

What I can tell you:

-We’re running SonicWall firewalls.

-We are using AD.

-Probably around 10-15 remote users, not all active at once, and typically accessing remotely during off-hours where network usage would be low anyway.

-Mostly low-bandwidth applications: IBM iSeries for ERP, MS Office apps, access to network drives (documents, spreadsheets, reports).

There is no budget at this point. Since our users can currently function remotely via our citrix netscaler, it isn’t a high priority project. This is mostly just research for the optimal VPN implementation from a security/reliability/performance standpoint for when we eventually look at moving to one to improve our user experience.

This is exactly the right approach to this question, not the catch-all answer of throwing openvpn/pfsense at the problem.

I feel the opposite with my experience with citrix. My current place of work and the 2 places before that. Citrix needs to burn.

You also need to give your end users local admin rights to run the OpenVPN client. Either that or you have to install it as a service and give them permission to stop and start services, that’s uncool.

Sonicwall VPN is fine and the licenses aren’t expensive; that’s probably the safest answer.

+1 for the MAG. Best SSL VPN platform there is right now.

Is the MAG only for SSL VPN or will it do IPSec VPN as well?

This probably shouldn’t be the top comment. We need to know more information before giving the right advice. OpenVPN and pfsense are great, but there is no way I would deploy them in a corporate environment where I could be fired due to one of them failing.

You can also tie in NPS and health checks for RRAS, and it’s a requirement for Remote Desktop Gateway. That adds a pretty solid set of security features, like… Haven’t run a virus scan in 7 days? Sorry, come back when you have. Oh, you’re on XP? No VPN for you!

You can tie NPS into other solutions if you’re using RADIUS auth, but it is definitely more involved.

RRAS is pretty great for the SMB crowd, and you can simplify things for end users with rasdial scripting if clicking more than once is beyond their scope of comprehension.
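A client-side PowerShell sketch of the two RRAS ideas raised in this thread: deploying the VPN connection to company laptops (the earlier RRAS post) and the rasdial scripting mentioned here. This is an added example, not code from anyone in the thread; it assumes an already-configured RRAS server reachable at the placeholder name vpn.example.com with SSTP enabled, so the tunnel rides on 443 rather than PPTP.

```powershell
# Added example, not from the thread. Provisions the RRAS VPN profile on a
# domain-joined Windows client and connects it with rasdial.
# Assumptions: RRAS server at vpn.example.com (placeholder) with SSTP on 443,
# and MS-CHAPv2 against AD as the authentication method (adjust to match RRAS).

$VpnName   = 'Corp VPN'
$VpnServer = 'vpn.example.com'   # placeholder for your RRAS server's public name

# Create the profile for all users of the machine, which is what a GPO
# startup script would do on each laptop. SSTP passes through most public
# Wi-Fi (it is just TLS on 443), encryption is mandatory, and split tunneling
# is left off so every packet from the laptop goes through the corporate edge.
$existing = Get-VpnConnection -AllUserConnection -Name $VpnName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-VpnConnection -Name $VpnName `
                      -ServerAddress $VpnServer `
                      -TunnelType Sstp `
                      -EncryptionLevel Required `
                      -AuthenticationMethod MSChapv2 `
                      -AllUserConnection `
                      -Force
}

# One-click connect for end users: rasdial with the logged-on domain account.
# The trailing * makes rasdial prompt for the password, so no credential is
# ever written into the script or visible in the process command line.
$user = "$env:USERDOMAIN\$env:USERNAME"
rasdial $VpnName $user *
if ($LASTEXITCODE -ne 0) {
    Write-Error "rasdial failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Confirm the tunnel is actually up before launching ERP shortcuts.
Get-VpnConnection -AllUserConnection -Name $VpnName |
    Select-Object Name, ServerAddress, TunnelType, ConnectionStatus

# To tear the tunnel down from the same script:
#   rasdial $VpnName /disconnect
```

If RRAS is configured for EAP with machine or user certificates instead of MS-CHAPv2, replace -AuthenticationMethod MSChapv2 with -AuthenticationMethod Eap and supply the matching -EapConfigXmlStream.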