Have I told you about my VPN problems? No? Well, sit down a spell and have a listen.
When it comes to my company, we've got two types of VPNs, really. There are the site-to-site VPNs, which connect, well, sites. My office's router (a cluster of Juniper Netscreen 5GTs) have VPNs set up to each of the other sites. It's sort of a mesh configuration, since every site has every other site connected via VPN policy, but with only a few locations, this isn't too unbearable. I'd rather have an MPLS network, but hey, I take what I can get.
The real problem becomes user VPNs. See, we've got a primary site and a secondary site, and something like 15 users who each need to be able to connect to both locations. This means that I've got to maintain 30 accounts on the firewalls, AND 15 user machines which connect up. Neither is fun, but the user machines are the worst part.
We use Juniper Netscreens for the VPNs, and our Mac users typically use VPN Tracker or IPSecuritas. VPN Tracker is easy to set up , and commercial. IPSecuritas is free, but much harder to configure. Both do work, however, which makes them better off than our Windows users. Our Windows users are burdened with Netscreen Remote, and an old version, at that. It's just generally bad. It gets confused a lot, and requires reboots to clear the IP configuration so that traffic actually reaches the VPN. Sometimes it will die a slow death; the other day I had a user who could connect to most of the resources on the VPN...then they could only connect to a couple. By the end, the only thing they could reach was the jabber server, over which they were talking to me. A reboot fixed the problem, of course. Lots of times, we'll have people who can get email, can ping everything, but can't SSH into anything.
To fix these strange, strange issues, I'm trying another solution: an SSL vpn.
You might know that IPSec operates over UDP port 500, and requires installed software to be configured beforehand. Basically, an SSL vpn differs from an IPSec VPN by transmitting the traffic over encrypted web-traffic, to port 443 on the VPN device. This allows the client to connect to the VPN merely by visiting a webpage and authenticating themselves. At that point, a java or activeX program is downloaded and installed which acts as a pre-configured VPN client which transmits internal-destined traffic over the SSL tunnel. Anyone who tells you this is a "clientless" operation is lying. The client is just downloaded on the fly.
Anyway, the device I'm going to be using is the Netgear Dual Wan Gigabit SSL VPN. I honestly have no idea if it will work or not, but I'll be sure to let you know.
I'll probably be testing it later this week, so the update on it should come next week.
skip to main |
skip to sidebar
A blog for IT Admins who do everything by an IT Admin who does everything
Blogs I frequently don't have time to read
Posts
Blog Archive
-
▼
2008
(184)
-
▼
August
(33)
- A look at undersea cables
- Password retention and storage
- When is a sysadmin not a sysadmin?
- Dedicated ESXi: Server or something else?
- BGP Security issue
- New Sysadmin Podcast Series
- NetworkWorld features one of us
- 10 professional skills that no IT administrator sh...
- Discussion of SSL Web Certs
- Display System DNS on OSX
- 5 Ways to improve your network without breaking th...
- Update on the VPN Issue
- VPN Woes
- Burnout and the toll it takes
- Really bad cabling jobs!
- Creative Community Hacking Forum
- Project Management Software
- Wireless Security (of lack thereof)
- Introduction to RAID levels
- OpenOffice trick to auto-increment IP addresses
- Most sought after skills in IT
- Remote Management and its Limits
- Recycling your e-waste
- Email to the position, not the person
- Simple and obvious first
- Disk Quotas
- Sources of wisdom and experience
- Linux authentication against Active Directory
- Just because it's strange
- Desktop Workspaces
- Flash Drives: Archival Media?
- Couple of interesting links for your Sunday Enjoyment
- HOWTO: Punch down blocks for in-building wiring
-
▼
August
(33)
People following this blog
Other affiliations / blog groups
I have a monthly column at
My blog is a part of
I'm a member of
My blog is a part of
I'm a member of
Calling all guest bloggers
Do you have an idea for a blog entry that you want to write? Do you have a blog entry that you've already written, but don't have a place to publish it? I'm definitely interested!
As I don't make any money on this site, I can't offer to pay you for it, but I will happily link to whatever web presence you'd like. My current subscriber count is right around 500 people, so your article would be viewed by a lot of people.
To get in touch, email me at
standalone.sysadmin@gmail.com
As I don't make any money on this site, I can't offer to pay you for it, but I will happily link to whatever web presence you'd like. My current subscriber count is right around 500 people, so your article would be viewed by a lot of people.
To get in touch, email me at
Twitter / standaloneSA
Automatically Generated Amazon Ads
Labels
- security (14)
- networking (13)
- storage (12)
- vacation (9)
- administrivia (8)
- advice (7)
- guest blog (7)
- server room (6)
- virtualization (6)
- backup (5)
- learning (5)
- monitoring (4)
- nagios (4)
- whining (4)
- asking questions (3)
- blog (3)
- cat5 (3)
- fail (3)
- fiber (3)
- physical infrastructure (3)
- remote management (3)
- troubleshooting (3)
- windows (3)
- CLI (2)
- LVM (2)
- archive (2)
- colocation (2)
- debian (2)
- debugging (2)
- dns (2)
- esxi (2)
- giveaway (2)
- hardware (2)
- howto (2)
- laptop (2)
- lisa (2)
- policy (2)
- preblog (2)
- racks (2)
- redundancy (2)
- tech support (2)
- telecom (2)
- training (2)
- vmware (2)
- vpn (2)
- AoE (1)
- IPv6 (1)
- Level3 (1)
- Linux (1)
- NAS (1)
- QA (1)
- QC (1)
- T1 (1)
- active directory (1)
- article (1)
- automation (1)
- bandwidth (1)
- benchmark (1)
- bgp (1)
- blackberry (1)
- blogiversary (1)
- books (1)
- burnout (1)
- business (1)
- centos redhat ldap bugzilla (1)
- checklists (1)
- cisco (1)
- clusters (1)
- competition (1)
- conference (1)
- convention (1)
- cooling (1)
- database (1)
- documentation (1)
- education (1)
- encryption (1)
- ethernet (1)
- ethics (1)
- fibre channel (1)
- filesystems (1)
- fire (1)
- freebies (1)
- heroics (1)
- high availability (1)
- imaging (1)
- incident response (1)
- installation (1)
- international (1)
- iscsi (1)
- kvm (1)
- ldap (1)
- leasing (1)
- licenses (1)
- link (1)
- load balancing (1)
- marketing (1)
- mobile (1)
- money (1)
- openbsd (1)
- oracle (1)
- osx (1)
- passwords (1)
- patching (1)
- project management (1)
- rack unit (1)
- raid (1)
- recycling (1)
- remote desktop (1)
- resources (1)
- routing (1)
- rss (1)
- safari (1)
- sage (1)
- san (1)
- shortcuts (1)
- slashdot (1)
- small infrastructure (1)
- social networking (1)
- soho (1)
- ssl (1)
- stress (1)
- switches (1)
- systems administration (1)
- technology (1)
- terminal server (1)
- time management (1)
- top list (1)
- toplist (1)
- twitter (1)
- uptime (1)
- usenix (1)
- wireless (1)
- xen (1)