Remote Access VPN Suggestions

After more than a year of WFH it’s looking like my 80-person company is going to continue allowing people to work remotely for the foreseeable future, and I’m trying to get a budget approved for upgrading our VPN. Currently we’re using Pritunl (software-based VPN server using OpenVPN), which is inexpensive and easy to manage but hasn’t had great performance even with multiple servers.

Currently considering hardware solutions and curious to hear others’ experiences. Options I’ve considered:

• UniFi - We already use a USG Pro 4 for our office network’s gateway, but I haven’t seen anything too positive about them for VPN for a team of our size. Not seriously considering this an option without more positive information.

• Sophos - I haven’t personally used their hardware but the XGS 126 or 136 seems to fit our use case well. We already use them for Endpoint Protection, which is a plus.

• SonicWALL - I’ve used them for site-to-site before but not remote access. Price point for the NSa’s is higher than XGS for the specs, but I’m interested in hearing any real-world performance differences.

Any options I’ve missed? I’m really hoping to future-proof as much as possible - the device we choose should ideally support 100 concurrent users - but (of course) I’m also prepared to have to fight for a budget.

If you just wanted a VPN concentrator, and keep your current firewall, and are ok with IPsec only - the very cheap FortiGate 40F can do the throughput and support up to 250 users.

The unit would struggle as soon as you did anything but IPsec, but if all you want is a concentrator it’s possible.

OpenVPN would be my suggestion. Powerful enough for a team your size.

ASA with AnyConnect can be done fairly cheaply. Palo Alto GlobalProtect is great but might be costly.

I love Palo Alto; also, you could do pfSense.

Bang for the buck. Meraki… MX-67 or MX-84. Can be had for pretty cheap and the performance is pretty good. MX-67 could be had for about 2500 with licensing for 3 to 5 years…

We used SonicWall in the past and it was…ok. The client wasn’t perfect, but all in all it worked. We have since migrated to Fortinet and it also has its share of issues (I suspect that’s gonna be a common thread no matter what you look at.) But all in all once we were able to get it properly configured and up and running, it’s been pretty rock solid. It seems to perform a lot better than the SonicWall, but it’s got a lot more configuration options, so it was a bigger pain to get set up. I would definitely recommend having someone familiar with specifically Fortinet assist in the setup.

First thing you have to decide is if you want a software client, or if you want to have something run through Windows directly. I personally recommend a client. I’ve heard too many issues of Windows built-in configurations going bad and needing to be constantly maintained.

Second thing, is are you ready for a replacement firewall, or are you really just looking at a VPN to tack on to your current network. If you are just tacking onto your existing setup, make sure you aren’t bottlenecked at the firewall level.

Third thing, is of course budget. Palo Altos are fantastic, but super expensive. SonicWall is a good middle of the road, where FortiGates are cheaper, but require a lot more configuration.

One other option to look at is Barracuda. I’m not sure how good or bad they are, but we use their Spam Appliance and really love it.

Sophos is easy. You can download their firewall to either a bare metal box or VM and play with it for free (Sophos XG Home). Or, you can pick up a cheap XG106 to try it out. I was running a $50 Dell desktop with an i3 and a 4 port NIC as a lab firewall for a while with no issues.

When COVID-19 first hit, we sent 20 employees home with full VPN capabilities. We dropped a guide on each laptop that walked them through initiating a VPN connection via the client (they were responsible for their credentials). No one had an issue with speed or usability.

If you are looking to replace your firewalls the WatchGuard Firebox line has some great models at reasonable prices. Their SSL VPN is simple to set up and works well for WFH.

The new PA-440 looks a winner, $1k and can do that sort of workload.

Check the licensing costs though.

Yeah Palo Alto licensing is more than my company’s going to want to spend.

I’ve used Cisco a lot in the past but never loved their VPN, but it sounds like I should give it another look. Thanks!

I’d go with a cheaper ASA and 100 AnyConnect licenses ALTHOUGH the Smartnet will not be cheap.