VPN Replacement

Ok, I need to move off Ivanti VPN for obvious reasons. What’s the alternative? I’d love to move away from SSL VPN to ZTNA. Our use case is remote staff accessing on prem file shares and RDP to onsite servers. We have 110 staff.

Things I’m looking at

Tailscale: very useful but I dislike that the nodes are always on and would love to see it integrated with Azure Conditional Access Policies. Also I think everyone can see all the nodes via command prompt even if I hide a lot of the UI on the console.

Zscaler: have a meeting with them. Probably be too expensive.

Microsoft Entra Secure: seems promising for us but still in preview.

Cato Networks: have a demo with them soon

Twingate: very promising too.

Any thoughts on these or other solutions?

I replaced our SSLVPN about two years ago with Windows Always On VPN (RRAS using IKEv2). Though not all users require VPN at my job, since we have almost everything in the cloud when it comes to web apps/files. It’s one of the few really well made products from Microsoft, it just works and requires no manual install on the client or anything. But it requires multiple VMs, CA, DMZ etc. And it’s a bit tricky to get working, especially if you want to use Intune and Group Policy at the same time.

Hard to say what to do, it depends on the organization. I prefer to keep VPN access to a minimum; when it comes to securing access externally to web apps/admin GUIs I prefer to use a reverse proxy instead. The Entra Application Proxy is easy to set up, and you can have Entra login/MFA to all web apps with conditional access etc. I prefer running my own reverse proxy though (Traefik).

If it’s onsite, why don’t you consider WireGuard or OpenVPN as an option?
Both are open source, free (OpenVPN Community Edition), reliable and don’t depend on third party servers that can be compromised.

Netskope is also an option, mostly like Zscaler but a bit cheaper.

Zerotier and Twingate.

I’ve had a good time with Twingate. Had about 30 folks as a trial for almost the past year; when the big Ivanti stuff dropped in Feb, we shut off our Secure Connect one night & had 200 users in Twingate. Using Entra for conditional access/MFA, have various groups with lots of different “resource” controls for access. Have it integrated into our CrowdStrike to identify actual trusted devices. Users have it easy: it’s just connect & reconnect, without having to worry about as many SSLVPN disconnect troubles with spotty connections etc. All in all we’ve been pleased.

Zscaler is brilliant but it’s expensive.

I have heavily used Twingate in our MSP internally as well as for our client base. I really like it in all honesty but have run into a few issues specifically with cached DNS on our work computers. We use Twingate + Conditional Access to only grant access if on Twingate. I also really like the fact that Twingate doesn’t give a crap what your public IPs are.

I have also demoed out Timus and will be working more on it, but from the overview I was presented, there is much more granular control and reporting with Timus. Additionally, their team seems very well versed in MSPs and receptive to their feedback to make the product better.

Azure Global Access is the latest one on my radar. We have tested it with the same scenario as Twingate and it seems to be working. The things I like the most about this are that as of right now it is included in AAD P1 and does not require additional hardware/software to run the connector. Also, being a Microsoft product, I expect there will be more documentation and support in the near future.

Just been doing a small pilot of CF ZTNA, it’s not bad. And completely free for <50 users. It feels like it’s in a public preview.

+1 for Twingate. It’s worked great for us and the support has been solid when we run into any issues.

Tailscale is mostly a homelab product, not sure I’d trust it in production. Has all the weird UI quirks like what you mentioned, which is just another indication it wasn’t designed for company use.

Zscaler is like killing an ant with a bazooka. They will make you jump through tons of hoops and it’s expensive AF, but they do offer a lot of features (which we did not need).

Entra: took a quick look but it’s very raw and probably needs years of seasoning.

Cato: haven’t looked at it for VPN replacement. I think they were primarily SD-WAN, so not sure how mature they are for ZTNA.

Cloudflare: also ok if you’re already using their DNS service, but found it a bit clunky to get going.

Evaluating Zscaler, Cloudflare and Entra. Zscaler is def on the expensive side, but very established. Entra isn’t ready for production, and from what little I tested, it’s a long way from Zscaler. Still waiting for Cloudflare pricing and further demos, but looks promising.

WireGuard, or Tailscale if you need management of a lot of users.

Zscaler is pretty awesome. Set up a 24 hr auth timeout, and have it tied to our AD. It is much more user friendly than the FortiGate SSLVPN our users were using. You just have to set up a CentOS VM and create all the rules. In the next few months they’re going to be migrating to Red Hat and will provide the VM image. We already were using ZIA for content filtering. I think the ZPA for 50 users was $5k a year. We also got the premium edition to get access to PRA to give our contractors a web portal remote access solution. I think the options are RDP, VNC, and SSH. It’s a real good product.

I’m a big fan of Twingate after having tested basically every “next gen VPN” on the market.

Connections are stupidly fast and the admin experience is very solid. Bonus that everything is manageable via API and Terraform so you can do a lot of sophisticated things like JIT access, version control on admin changes, etc.

I feel like it strikes the right balance of simple to get going, but a ton of advanced features for power users.

Also they now offer DNS filtering as well (using the same agent), so I was able to get rid of Cisco Umbrella too.

Twingate is going to change your life. Do it and don’t look back. Tailscale is okay as well.

We replaced Ivanti with Palo Alto GlobalProtect some years ago (before all the current security alerts, which I bet someone in our NetSec team is feeling pleased about). It works well. I have no idea how much it costs - we have a lot of Palo Alto gear for other security functions too, so I’m sure this is a big bundle deal.

Cloudflare’s VPN has been awesome for us. Extremely easy to manage and deploy, and config changes only require the client to disconnect and reconnect.

What kind of Firewall do you have? Is there no built in (Client)-VPN option?

We’ve had good results with SSTP on Windows Server using AOVPN.

Having asked at least one product question myself, I find it so odd that they disabled polls for this sub. It seems like a natural feature to have for things just such as this where there are like 157 options to accomplish the same thing.

I’m in the WireGuard/Tailscale camp, but I’ve never seen it used in production. Just us basement 72U crowd.