
We are in the early stages of evaluating VPN appliances.  At this time, our requirements are as follows (subject to change):

 

Support for Windows, OSX, Android, iOS, Linux

Multi-group (varying privilege) support

IPSec and/or SSL

Ability to map drives (Windows, OSX); “dropbox” type support for all platforms

AD/AD-LDAP authentication

Ability to provide encrypted configuration (i.e., either cert or ability to push a PSK rather than tell people what it is)

Decent reporting features

Support for approximately 200 concurrent users

REASONABLY PRICED

 

If there are other features your VPN has that you utilize frequently, adding to my list is welcomed and encouraged!

 

VENDORS:  If you have a product that meets my criteria, feel free to send me a link (no files!) and I’ll take a look.  If you’ll be at the EDUCAUSE Annual Conference in a few weeks, please let me know.  MANUFACTURERS ONLY, NO VAR’S please.

 

Thanks,

Brian

____________________________________
Brian Helman, M.Ed | Director, ITS/Networking Services | Phone: 978.542.7272

Salem State University, 352 Lafayette St., Salem Massachusetts 01970

GPS: 42.502129, -70.894779

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Message from ahockett@warnerpacific.edu

Brian,

 

We’ve been using the MAG 2600 VPN from Juniper for almost a year and a half and had no issues with a mixed client base, and it’s been a piece of cake to deploy.  It meets all of the requirements listed except for concurrent users, as you’d have to jump up an appliance level.

 

If you have any questions, feel free to e-mail me off list.

 

-Aaron Hockett

Network Engineer

Warner Pacific College

 

Message from fkass@mtholyoke.edu

We use a Juniper SA4500 which checks all the boxes you list except the last one (IMHO). -Fred
The Juniper SA2500 should be cheaper than the 4500 and still do all that.

On Fri, Oct 19, 2012 at 07:07:41PM -0400, Fred Kass wrote:
> We use a Juniper SA4500 which checks all the boxes you list except the
> last one (IMHO).
>
> -Fred
We're not a Cisco shop but this is one area where I've stuck with Cisco over the years.

Take a look at the pricing on a pair of Cisco ASA 5520 Appliances with AnyConnect & Mobile licenses.  I'm using a 5510 and I just ordered a second unit for redundancy.  You can set them up as an active/passive pair and share one license, or as a load balanced pair, where they both need licenses.

I am using RADIUS authentication with an LDAP backend.  When I first upgraded to the ASA I had trouble with LDAP group authorization, but that may have gotten better over the years.  Otherwise I think it will meet your requirements.

At first glance, I think the pricing with licensing looks better than the Juniper solutions, but I might be missing something.

Best,
Matt

OpenVPN running on a Linux VM in VMware.  It’s been working great; reliable, very low cost, and very low management overhead.

 

Fyi,

Brian

 

On Wed, Nov 07, 2012 at 12:05:05PM -0500, Kellogg, Brian D. wrote:
> OpenVPN running on a Linux VM in VMware. It's been working great;
> reliable, very low cost, and very low management overhead.

Yes! Officially we have moved to Junipers but we still maintain an OpenVPN instance that authenticates against AD. It works on Windows, Mac OS, every distribution of Linux (even Gentoo and LFS) and I can run it on my FreeBSD-based laptop. No GUI, web browser or Java necessary, it Just Works, there are no licensing issues for number of concurrent users and a single VM can handle as many users as we have licenses for our Junipers. Need to handle a couple hundred more users? Load-balance that IP with a small server running pf or iptables, push out a new VM and away you go.

No host checking (but you can do that with OSSEC) and no iPhone/iPad version but I can live with either of those in the right circumstances.

kmw
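The setup Kevin describes (community OpenVPN authenticating against AD) also covers Brian's multi-group and AD-authentication requirements when the LDAP plugin is told to require group membership. The two config excerpts below are an added illustration, not configuration posted by anyone in the thread; they assume the community openvpn-auth-ldap plugin, and ad.example.edu, the DNs and the group names are placeholders.

```ini
# /etc/openvpn/server.conf (excerpt; added example, not from the thread)
port 1194
proto udp
dev tun
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
server 10.8.0.0 255.255.255.0
# Clients present a certificate AND their AD password: two factors,
# and no shared PSK that has to be handed out to users.
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
# Per-user/per-group overrides (routes, static addresses) keyed by cert CN,
# which is how "varying privilege" groups get different access.
client-config-dir /etc/openvpn/ccd
# Connect/disconnect records with usernames, for basic reporting.
status /var/log/openvpn/status.log 60
verb 3

# /etc/openvpn/auth-ldap.conf (placeholder server, DNs and groups)
<LDAP>
    # LDAPS to a domain controller; TLSEnable is StartTLS, so it stays off here
    URL             ldaps://ad.example.edu
    BindDN          CN=vpn-bind,OU=Service Accounts,DC=example,DC=edu
    Password        CHANGE-ME-bind-password
    Timeout         15
    TLSEnable       no
    FollowReferrals no
    TLSCACertFile   /etc/ssl/certs/campus-ca.pem
</LDAP>
<Authorization>
    BaseDN          "OU=People,DC=example,DC=edu"
    # Match on sAMAccountName and reject disabled accounts (UAC bit 2)
    SearchFilter    "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    # Password alone is not enough: the user must be in one of the VPN groups
    RequireGroup    true
    <Group>
        BaseDN          "OU=Groups,DC=example,DC=edu"
        SearchFilter    "(|(cn=vpn-staff)(cn=vpn-students))"
        MemberAttribute member
    </Group>
</Authorization>
```

The plugin only checks the password and group; the client certificate is still required by the server, so a compromised AD password by itself does not admit a client.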
Will OpenVPN provide site-to-site VPN tunnel function? All I am looking for is to build a site-to-site VPN tunnel over WAN and no other requirements. Thanks in advance.

On Wed, 2012-11-07 at 13:25 -0500, Kevin Wilcox wrote:
> On Wed, Nov 07, 2012 at 12:05:05PM -0500, Kellogg, Brian D. wrote:
>
> > OpenVPN running on a Linux VM in VMware. It's been working great;
> > reliable, very low cost, and very low management overhead.
>
> Yes! Officially we have moved to Junipers but we still maintain an
> OpenVPN instance that authenticates against AD. It works on Windows, Mac
> OS, every distribution of Linux (even Gentoo and LFS) and I can run it
> on my FreeBSD-based laptop. No GUI, web browser or Java necessary, it
> Just Works, there are no licensing issues for number of concurrent users
> and a single VM can handle as many users as we have licenses for our
> Junipers. Need to handle a couple hundred more users? Load-balance that
> IP with a small server running pf or iptables, push out a new VM and
> away you go.
>
> No host checking (but you can do that with OSSEC) and no iPhone/iPad
> version but I can live with either of those in the right circumstances.
>
> kmw
Yep, I've never used it though. We do our StoS tunnels with pfSense. http://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/site-to...
On Wed, Nov 07, 2012 at 03:19:59PM -0500, Kellogg, Brian D. wrote:
> Yep, I've never used it though. We do our StoS tunnels with pfSense.
>
> http://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/site-to...

A few years ago, at the UNC-CAUSE conference, our folks used a Soekris running OpenVPN to setup a site-to-site, attach a switch and have it automatically configure using our in-house switch registration system in real-time during a demo. That was before they offered their AS (I've never used AS, I still run community edition where I need VPNs).

kmw
Great, thanks. Head for reading.

Leo Song, Senior Analyst & Cluster Lead
Computing and Communication Services - Networking and Security
University of Guelph
(519) 824-4120 x 53181

From: "Brian D. Kellogg" <bkellogg@SBU.EDU>
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, November 7, 2012 3:19:59 PM
Subject: Re: [NETMAN] VPN recommendations

Yep, I've never used it though.  We do our StoS tunnels with pfSense.

http://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/site-to...


In my previous job we were a Cisco shop and used a pair (Active/Passive) of Cisco ASA 5520s performing RADIUS authentication through Cisco ACS to Active Directory for IPSEC and SSL VPNs.

It was easy to manage for Cisco firewall knowledgeable personnel and we were able to manage access and ACLs based on AD group membership.  We had no issues with Windows, OSX, iOS or our Linux versions (Red Hat and CentOS).

We didn't have concurrent user issues because our WAN bandwidth was more of a constraint than the number of users.  (We had a couple hundred users and many S2S connections.)

The firewalls have minimal real time reporting via a GUI.  I think that you would need a third party application for detailed reporting depending on your requirements.

Best Regards,

Antonio Crespo
Director, IT Security
Barnard College
3009 Broadway
New York, NY 10027



Message from mark.duling@biola.edu

For reporting, it might be that Cisco's NSEL (NetFlow Secure Event Logging, essentially NetFlow for ASA) might do it for you, though you'd need a collector.  Turning it on is very easy.  I am only beginning to investigate NSEL now for different purposes, but I can see that Cisco is putting a good bit of effort into it.  If memory serves, the release notes for the just-released versions of the ASA code have added some enhancements to it.  Just food for thought.

