Ok gentlemen, as the sole IT for a Canadian non profit organization, I’m losing my sanity trying to hash out the pros/cons of this. Looking for some sage wisdom or learned lessons that can be passed along.
We have 90 users across 3 sites with a handful of remote users on top of that. When I started, we had Cisco devices at all 3 remote sites to create the site-to-site VPN, but we had just signed a new 3 year contract for MPLS. I feel that $3500/month for internet at all three sites is insane considering the speeds we are getting (8Mbps at main, 5Mbps at other 2 sites). So I am considering my options.
Requirements:
we have a DFS that syncs to a DC at each site
VoIP server at the main office that is serving all 3 sites
most users RDP to an app server to access a client record system (don’t even get me started on this one…)
That’s pretty much it. Our users and setup are fairly straight forward.
So now, here are the options I am considering:
shop around for more reasonably priced MPLS
get rid of MPLS for lower cost internet and reinstate site-to-site VPN or other tunnelling options
DirectAccess/RRAS to handle the DFS/RDP requirements, and figure something out for the VoIP. DA is something that I am not familiar enough with but I’m fairly certain it can’t route the VoIP traffic.
That’s my sob story in a nutshell. Looking for any stories, advice, tips/tricks, etc., that might help me out.
If you only have a handful of users I think MPLS is not the way to go just because of cost. What are the speeds you could get from the ISPs available to you?
Are the “handful of remote users” at those 3 sites, or are those in addition to the 3 sites? If in addition, how are they setup?
Are you paying $3500/month total for the 3 sites? If so, that’s not bad for an MPLS connection. The majority of that cost is for the MPLS and not the internet connection.
DirectAccess for the 3 sites is probably not a viable solution imo.
How many users total are we talking? How many at each site?
MPLS is generally a more reliable connection with better SLAs from your ISP vs. regular business internet (depending on ISP, of course). It’s often not all that much more expensive than traditional internet either, depending on speed and location.
MPLS gives you QoS capabilities, which could be huge if you ever want to do VoIP or anything along those lines.
MPLS is easier to manage in a lot of cases. My ISP in Canada manages the site router for no extra charge, so I only have to worry about the switches.
I haven’t deployed DirectAccess, for a variety of reasons:
The main draw was ‘always on VPN’, which my new network vendor does with their VPN client (Palo Alto Global Protect). Seems a lot smarter and more configurable.
Very few companies seem to be running DA
It was awfully tricky to set up and diagnose. It seems that if a client doesn’t connect, your only option is a reboot.
I watched a few Microsoft videos that seem to indicate there’s ‘no changes coming’ to DA in 2016/Win10. Rumour seems to have it they might end-of-life DA after 2016.
We have 6 remote sites and use an ISP to provide a point-to-point layer 2 ethernet handoff to connect them all back to the main site. We have 10-20Mbps to the sites and I think we’re paying only $500-$700 per site. It lets us control the QoS for VoIP and it’s low latency, around 2ms.
VPN would be the cheapest option, but there is no way to guarantee the voice quality; still, with all of these hosted VoIP solutions out there it must be a viable option.
What’s the problem with business ISP service and a router at each site with a VPN configuration? I’ve used Cisco, Watchguard, SonicWall, and now I’m running an OPN20322R… I’ve done database replication over all of them with 3+ sites…
We have 3 sites and a datacenter, with site-to-sites from all 3 to the DC using DFS and an app server. All sites have two FTTC connections which cost around £70/m per site and they get around 60/15 on each. I have never seen both go down at once causing a complete outage, and the only downtime I’ve seen is when the site router has died. You could always rack a hot spare and have the EU move the connections if needed. This client is about 70 users and that’s everything but VoIP; however, we get about 8ms ping so I can’t imagine it’s going to be too big of an issue.
I use Sophos REDs at my small satellite offices. Basically they just redirect all the traffic back to my main firewall. Easy way to tie the small offices back to the network (including VoIP, phones and APs).
The managed services only make up $500 of the $3500. I got another quote for VPLS and it was $2800/month but it provided 50Mbps with no managed services.
We have 90 users total, and the remote users are in addition to the 3 sites. These are currently handled with a Cisco VPN client.
Can you provide any sources or links about the rumor of DA possibly being dropped? We are starting to evaluate DA as a replacement for Cisco AnyConnect VPN and I haven’t heard anything like that.
Yea… we’re paying approx $900 per site for the same thing, but the latency and speeds are worse than that. I’m honestly surprised that there haven’t been more issues with the VoIP tbh (knock on wood).
I have a feeling that going back to VPN is going to be my best recourse. I just don’t feel we are getting enough bang for our buck with MPLS.
Problem is QoS for VoIP. With business ISP and VPN you can’t guarantee voice quality when there is a line issue. MPLS will prioritize VoIP and drop data to ensure VoIP is of high quality. The VPN is the data line; if 1s and 0s start dropping there is nothing you can do and call quality will go crazy. With MPLS you can force what few 1s and 0s are available to carry voice and ignore everything else to ensure voice quality stays high.
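To make the queueing argument in that post concrete, here is an added simulation (written for this page, not code from the thread or from any vendor). It feeds the same constructed voice-plus-bulk-data load through a strict-priority scheduler, which is the class-of-service treatment an MPLS provider can honor along the whole path, and through a single tail-drop FIFO, which is how a congested best-effort internet path under a VPN behaves because nothing upstream honors your markings. The packet sizes, link rate, buffer size and burst figures are assumptions chosen to create congestion, not measurements from anyone’s network.

```python
"""Strict-priority (MPLS-style QoS) vs single FIFO (best-effort VPN path) under
the same offered voice + data load. All traffic figures are constructed."""
import random
from collections import deque
from dataclasses import dataclass, field

VOICE_BYTES = 200   # assumed: one G.711 frame plus IP/UDP/RTP headers, per call per 20 ms
TICK_MS = 20        # one scheduler tick = one voice packetisation interval


@dataclass
class ClassQueue:
    """Tail-drop queue with a byte limit (one per traffic class, or one shared)."""
    limit: int
    items: deque = field(default_factory=deque)
    used: int = 0

    def offer(self, pkt):
        """Enqueue (kind, size, arrival_tick); return False when tail-dropped."""
        if self.used + pkt[1] > self.limit:
            return False
        self.items.append(pkt)
        self.used += pkt[1]
        return True

    def drain(self, budget, now, delays):
        """Transmit whole packets while this tick's byte budget allows; record voice delay."""
        while self.items and self.items[0][1] <= budget:
            kind, size, born = self.items.popleft()
            self.used -= size
            budget -= size
            if kind == "voice":
                delays.append((now - born) * TICK_MS)
        return budget


def simulate(scheduler, calls=10, link_bytes_per_tick=6000, buffer_bytes=12000,
             ticks=500, data_burst_mean=7000, seed=1):
    """scheduler is 'fifo' or 'priority'. Returns loss fractions and mean voice delay (ms)."""
    rng = random.Random(seed)
    if scheduler == "priority":
        queues = {"voice": ClassQueue(buffer_bytes), "data": ClassQueue(buffer_bytes)}
        order = [queues["voice"], queues["data"]]   # voice class is always served first
    else:
        shared = ClassQueue(buffer_bytes)            # one queue, no class awareness
        queues = {"voice": shared, "data": shared}
        order = [shared]
    offered = {"voice": 0, "data": 0}
    dropped = {"voice": 0, "data": 0}
    delays = []
    for now in range(ticks):
        arrivals = [("voice", VOICE_BYTES, now)] * calls
        # bulk data (DFS sync, RDP) modelled as an exponential burst cut into MTU-size packets
        burst = int(rng.expovariate(1.0 / data_burst_mean))
        while burst > 0:
            size = min(1500, burst)
            arrivals.append(("data", size, now))
            burst -= size
        rng.shuffle(arrivals)   # voice and data interleave on the wire
        for pkt in arrivals:
            offered[pkt[0]] += pkt[1]
            if not queues[pkt[0]].offer(pkt):
                dropped[pkt[0]] += pkt[1]
        budget = link_bytes_per_tick
        for q in order:
            budget = q.drain(budget, now, delays)
    return {
        "voice_loss": dropped["voice"] / offered["voice"],
        "data_loss": dropped["data"] / offered["data"],
        "mean_voice_delay_ms": sum(delays) / len(delays) if delays else 0.0,
    }


if __name__ == "__main__":
    for mode in ("fifo", "priority"):
        print(mode, simulate(mode))
```

With the link oversubscribed (about 9000 bytes offered per tick against a 6000-byte link), the FIFO case loses a sizeable share of voice packets and adds queueing delay, while the priority case delivers every voice packet in the tick it arrived and pushes all of the loss onto data, which is exactly the trade the post describes. The practical limit for the VPN option is that your own router can run the priority scheduler only on its tunnel egress; the congestion point on an internet path is usually somewhere you do not control.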
Have you looked into SD-WAN? I’m in the process of rolling out a test deployment to connect one of my locations. Everything I’ve seen so far looks good.
Can you provide any sources or links about the rumor of DA possibly being dropped?
Sorry, forgot to reply to this!
I’ve heard a few different things from a few YouTube/TechNet videos around in the past year. I was watching a video on the new VPN functionality in Windows 10, which was at some TechNet conference a few months back. They were mentioning the new auto-login functionality in Windows 10. Someone from the audience asked what new DA functionality would be in Win10, and the MS guy said “none”. He proceeded to ask if DA would still be supported in Win10, and the MS guy said “it will still be supported, but with no major updates/upgrades”. Some other person in the audience asked if DA was going to be dropped, then a couple of MS guys had very dodgy answers (“let’s not talk about that, let’s talk about how cool Windows 10 is!”).
I personally had a huge interest in DA, but there is indeed no new functionality in Win10, plus I’ve heard of no new enhancements in Server 2016.
Combined with the fact it was kind of a dodgy technology to begin with (extremely hard to set up in Win2008R2/Win7, and still not that great in 2012R2/Win10), plus I see virtually no companies running it in production, I just don’t think it has a future, personally. I labbed it up a few times and it didn’t blow my mind. IF it worked it worked well, but that was always a huge IF.
The one big draw is ‘always on VPN’, which, as I said, other vendors like PAN are now offering. Global Protect now does SCEP-based machine sign-on, which is basically what DA was, minus all the IPv6 nonsense. Plus running your corporate firewall vendor’s VPN client usually brings a bunch of other benefits anyway other than just VPN (NAP, HIP, user-id, etc).
I would say unless you have a really, REALLY strong desire for DA, skip it.