
Remote VPN access - SSL L2TP or L2TP IPsec? Best practice for an increased number of remote staff accessing HQ network shares and services

Good Morning,

A newbie question - in these days of increased remote access to HQ, what is the best VPN service (or combination of) protocol for staff remote access back to the office from their business laptops? I appreciate it's very much an 'it depends' question, but I'm trying to understand whether SSL L2TP or L2TP IPsec or something else is a better combination than their current SSL L2TP. Or is this the best/most efficient?

I've been experimenting with different combinations and believe the Sophos IPsec client seems to present the most user-friendly endpoint solution for (staff) connecting back to HQ (using macOS 10.15 and 10.15; Windows 10 Pro).

In total, there are now about 30 staff currently connecting back to HQ via SSL L2TP using their PCs' built-in VPN client. The XG firewall is running v18 MR3. There is a mix of VPN demands - designers mainly access large 3D CAD files or RDP to their desktops and work with large 3D CAD files (about 5-30 GB); managers access Excel spreadsheets; the accountant accesses MYOB on the server; management accesses mainly documents and customer database stuff. There are no web-based portal services hosted within the environment; all web-present solutions are cloud hosted. The business has a 100/100 internet service. All staff are on O365 accounts.

From my investigation, I believe it is possible to have split tunnel so only RDP or SMB or similar traffic is directed into HQ and everything else (including cloud services like Dropbox, SAP, etc.) is directed by the Sophos IPsec client straight out via (individual) home internet connections. Is this a good idea or does it add too much overhead? Has anyone undertaken similar investigations and found a magic combination of security, performance, etc.? (And yes, there is always a compromise.)

I've got a few conflicting opinions on this topic - and very little clarity because 'it depends' - and would appreciate additional comment (from a more specialised community) for a better understanding of where to go.

Thank you - in advance for your insight.

Have a great day,

Fred



  • I think it is a good approach to do split VPN - so only tunnel what is needed to access the company LAN and route internet traffic out to the internet at the home office sites.

    You fancy IPsec - which is usually faster than SSL VPN and also has less impact on the performance of the firewall. Unfortunately, IPsec requires ports open on the end users' firewalls (if they exist) or when they are in other networks like hotels or trade fairs. IPsec also has some issues with some DS-Lite internet connections on the remote users' side.

    Your CAD developers need RDP connections to machines in your HQ - it will not work to access such large files remotely. Also you may have some database-dependent application which needs RDP machines in the company, because with databases you often have very many small packets that suffer from the delay of a WAN connection (<1 ms in LAN, 15-30 ms in WAN, so roughly 30 times slower).

  • Morning LHerzog,

     Thank you for the insight. I appreciate the time taken to address my scenario. I had been seconded to another project and am only just returning to this task. The customer has advised to delay any changes to their VPN services until Jan as the business cannot have remote outages at this time of the year (busiest period before Xmas).

    I see now why IPsec is used for site-to-site connectivity - having control over both sites ensures all the correct ports are opened with associated firewall rules in place. Because of the nature of remote working (with no control over the remote location), it looks like I have to return to L2TP but possibly deploy the Sophos Connect client to all (required) users. Currently, the business uses the native Windows/mac client and there are usually a few remote access complaints every week - likely due to staff messing around with their computers and undertaking DIY IT support; perhaps the Connect client might alleviate this problem?

    With split tunnel, I'd like to split personal home network traffic away from corporate network traffic. Currently the XG firewall weekly report flags staff who may be viewing Netflix, porn sites, gambling, alcohol, social media, YouTube, etc. - in my view a false positive. If staff are at home, using their personal home network for work, there is no need for reporting on their personal internet choices. I'm looking for a better - and more efficient - approach to have only work-related traffic traverse back to HQ. This may be helpful with controlling bandwidth on the corporate firewall but will also help with more accurate reporting so there is a better understanding of the network demands; I am hoping split tunnel might address the problem?

    Thoughts ?

    Thank you,
    Fred
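The split-tunnel routing that both LHerzog's reply and the follow-up describe, as an added worked example that is not part of this thread and not Sophos's own client or firewall code. All prefixes, hostnames and addresses are constructed (RFC 1918 private ranges and an RFC 5737 documentation address), not the poster's network. It models what the client's routing table does once the gateway pushes only corporate prefixes: those go into the tunnel, everything else takes the home default route and is never seen by the XG (which is why the web reports stop showing Netflix and friends). It also performs the two checks a practitioner wants before rollout: every HQ service the staff need must fall inside a pushed prefix, and no pushed prefix may overlap the user's home LAN, otherwise that traffic leaves via the home router and fails silently, or the user's own printer and NAS disappear.

```python
"""Split-tunnel route planning for a remote-access VPN client (added example).

Constructed data: 10.10.0.0/16 and 192.168.1.0/24 stand in for HQ subnets,
192.168.1.0/24 is also the (very common) home router range, and
203.0.113.10 (RFC 5737) stands in for a cloud service. None of these are
from the original thread.
"""
import ipaddress

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # user's home router range (assumed)
CORP_PREFIXES = [
    "10.10.0.0/16",      # HQ server and desktop VLANs (assumed)
    "192.168.1.0/24",    # legacy HQ LAN, deliberately overlapping HOME_LAN (assumed)
]
SERVICES = {             # HQ services staff need through the tunnel (assumed)
    "fileserver (SMB)": "10.10.5.20",
    "myob-server": "10.10.5.30",
    "design-rdp-01": "10.10.40.11",
    "legacy-db": "192.168.1.200",
}


def plan_split_tunnel(corp_prefixes, home_lan):
    """Split pushed corporate prefixes into routes that are safe to tunnel and
    prefixes that collide with the user's home LAN.

    A colliding prefix cannot be routed correctly by the client: either the
    directly connected home LAN wins and HQ hosts in that range are unreachable,
    or the tunnel wins and the user's local devices vanish. Flag it, don't guess.
    """
    tunnel, conflicts = [], []
    for prefix in corp_prefixes:
        net = ipaddress.ip_network(prefix)
        (conflicts if net.overlaps(home_lan) else tunnel).append(net)
    return tunnel, conflicts


def classify(dst, tunnel_routes, home_lan):
    """Decide where a destination goes by longest-prefix match, the way the
    client's routing table does: 'tunnel', 'home-lan', or 'direct' (home
    default route; this traffic never reaches the HQ firewall or its reports)."""
    ip = ipaddress.ip_address(dst)
    candidates = [(net, "tunnel") for net in tunnel_routes] + [(home_lan, "home-lan")]
    best = None
    for net, label in candidates:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else "direct"


def unreachable_services(services, tunnel_routes, home_lan):
    """Names of HQ services that would NOT be sent into the tunnel. With split
    tunnel such traffic leaves via the home router and fails silently, so run
    this against the pushed prefixes before the rollout."""
    return sorted(
        name for name, ip in services.items()
        if classify(ip, tunnel_routes, home_lan) != "tunnel"
    )


if __name__ == "__main__":
    tunnel, conflicts = plan_split_tunnel(CORP_PREFIXES, HOME_LAN)
    print("tunnel routes :", [str(n) for n in tunnel])
    print("home-LAN clash:", [str(n) for n in conflicts])
    for dst in ("10.10.5.20", "192.168.1.50", "203.0.113.10"):
        print(f"{dst:>14} -> {classify(dst, tunnel, HOME_LAN)}")
    print("not reachable :", unreachable_services(SERVICES, tunnel, HOME_LAN))
```

Running it with the constructed data flags the legacy HQ subnet as a clash with the home LAN and reports legacy-db as unreachable over the tunnel; the fix on the HQ side is to renumber (or push a more specific host route), not to widen the pushed prefixes, since every extra prefix pulls more of the user's personal traffic back through the firewall and its reports.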

