VPN Setup Help

Archived from groups: comp.dcom.vpn

Dear All,

Before we start, I would like to establish that I am very new to VPN.

Your help, advice and direction with the following will be greatly
appreciated.

I work for a small but growing company. We have an increasing number
of remote users (currently 5). Our needs have developed so that our
remote users would like to access our LAN at HQ. So I figured a secure
way to do so would be VPN.

Ran the idea by a local IT company and they came back with a
recommendation of Sonicwall + a global VPN client for windows. We were
quoted a cost around $5K.

My question is, what does Sonicwall offer that a much cheaper VPN
solution does not? For example running hardware such as the following:
http://www.alloy.com.au/products/IP505DV.htm and using the VPN client
from Microsoft. Please keep in mind that we are not an enterprise but
only a small to medium size company.

Please feel free to suggest other ways which you may think would
better serve our remote users.

Thank you for your time and help

Yehia
 

Yehia Mogharbel wrote:
> Dear All,
>
> Before we start, I would like to establish that I am very new to VPN.
>
> Your help, advice and direction with the following will be greatly
> appreciated.
>
> I work for a small but growing company. We have an increasing number
> of remote users (currently 5). Our needs have developed so that our
> remote users would like to access our LAN at HQ. So I figured a secure
> way to do so would be VPN.
>
> Ran the idea by a local IT company and they came back with a
> recommendation of Sonicwall + a global VPN client for windows. We were
> quoted a cost around $5K.
>
> My question is, what does Sonicwall offer that a much cheaper VPN
> solution does not? For example running hardware such as the following:
> http://www.alloy.com.au/products/IP505DV.htm and using the VPN client
> from Microsoft. Please keep in mind that we are not an enterprise but
> only a small to medium size company.
>
> Please feel free to suggest other ways which you may think would
> better serve our remote users.
>
> Thank you for your time and help
>
> Yehia

Obviously the local IT company has no idea what your needs are. The
device you referred to seems to be adequate for what you describe.

Personally I have been using Netopia 3386-ENT units for low end VPN
functionality. For something a little more powerful you might want to
look at a Nortel Contivity 1010.

Also remember that a VPN router will not magically make your remote
computer think it is on the office network. Protocols that use
broadcast packets will not work exactly like being on the LAN. For
example, this means that browsing in network neighborhood will not work
exactly the same way. You will require a server running as a domain
controller with WINS enabled to allow Windows network browsing over a
VPN link to work properly.



--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
 

Mike,

Thank you very much for your reply. It has definitely encouraged me to
look further into a cheaper hardware VPN solution.

We are running a domain, and we do indeed have a domain controller
with WINS enabled.

Will the router have to pass the clients to this server or can I set up
a separate machine and redirect the port to it from the router?

You referred to the Nortel Contivity 1010 as more powerful. What
exactly do you mean? What extra benefits does it carry?

Once again thank you for your advice.



 

Yehia Mogharbel wrote:
> Mike,
>
> Thank you very much for your reply. It has definitely encouraged me to
> look further into a cheaper hardware VPN solution.
>
> We are running a domain, and we do indeed have a domain controller
> with WINS enabled.
>
> Will the router have to pass the clients to this server or can I set up
> a separate machine and redirect the port to it from the router?
>
> You referred to the Nortel Contivity 1010 as more powerful. What
> exactly do you mean? What extra benefits does it carry?
>
> Once again thank you for your advice.

The WINS server address will be passed to the client when they connect.
A WINS server alone will not build the required domain master browse
table, it requires an active domain controller. (It's a Microsoft
thing). Your clients do not actually need to connect to the domain
controller in any way. They just need to connect to the WINS server,
the WINS server will interact with the domain controller to keep the
domain browse table up to date. The domain controller must be using the
same WINS server as the VPN clients for this to work efficiently. If
the domain controller is using another WINS server that is replicated to
the WINS server that the VPN clients use then the transmission of a
browse list to the client will take longer and it already takes longer
than you would expect. After connecting to the VPN do not expect to be
able to view any resources in network neighbourhood immediately after
connecting, even when all the voodoo magic of WINS and domain
controllers are set up properly. And voodoo magic is the correct term
for getting network browsing working over a VPN link. (It's equally
hard to do over a WAN link but at least the WAN links on a typical
network don't come up and go down frequently so they are more stable.)
Check this page for some good info on these issues:
http://unknownegg.org/tech/

As for why a Contivity 1010 is more powerful the answer is pretty
simple. It has a faster CPU than the Netopia 3386 example I gave. The
maximum throughput of an encrypted connection will be limited by the
available bandwidth of your internet connections and the CPU speed of
the routers. If your router cannot do the encryption faster than the
maximum throughput of your internet connections then your VPN link will
be slower than you would expect. The predecessor to the Netopia 3386
was the R910. The R910 cannot do 3DES encryption much faster than
10KB/s. Most of the routers on the market will advertise their
performance as a measurement of throughput of a 3DES encrypted tunnel.
So if you have an internet connection that maxes out at 10Mbit you
should get a router that can do more than 10Mbit/s 3DES encrypted
tunnels. (A good rule of thumb is to get about 1.5x your internet
connection throughput in encryption performance to account for some
extra overhead you would experience in a real world situation as
compared to their test environment) So if you were using the example of
a 10Mbit/s internet connection you should get a router that can do at
least 15Mbit/s encrypted. Of course performance is just a single
criterion to use when choosing a router.

The Contivity can also be considered more powerful in features compared
to the Netopia product. It supports about every common VPN protocol in
use. It has a strong web configuration interface. It has a strong
command line configuration interface. It can connect to external
directories for user authentication. It can be configured with digital
certificates for authentication. It can manage user settings in groups
for easier management. It can work with a custom Nortel VPN client or
common standard clients like the built-in Microsoft PPTP client in
Windows. Overall the Nortel Contivity can be described as packed with
features. But not everyone needs these things. There definitely seem
to be two tiers of VPN hardware product that I deal with. On the low
end are items like the Netopia, Netgear, and Linksys products. On the
higher end you have the Nortel Contivity, Watchguard, and Sonicwall type
of products. The low end devices have basic functionality, low prices
and low to medium performance. The high end devices have sophisticated
features, mid to high prices, and medium to high performance. For
Nortel the 1010 is their smallest Contivity product, their high end
products scale up to thousands of concurrent VPN links and gigabit speeds.



--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)