I'm setting up a new UTM for a branch office, and I need some advice on the best way to configure it to handle not only our PCs but also our shared VOIP Phone system.
Our main office configuration is as follows:
Static IP #1 --> Sophos UTM --> Unmanaged Switches --> Office LAN for PCs
Static IP #2 --> Netgear VPN Router --> Office LAN for VOIP
The remote branch office is configured as follows:
Static IP #3 --> Netgear VPN Router --> Unmanaged Switch --> Office LAN for PCs and VOIP
As you can see, in our main office, the Netgear router is outside our Sophos UTM and they have different static IPs. The phone system and the office LAN are completely separate, with no communication between them (and none required). At the branch office, phones and PCs are intermingled on a single LAN, but again, no communication between phones and PCs is required. The two Netgear VPN Routers maintain a site-to-site VPN connection that carries only the phone traffic. When the remote office PCs need to connect to our main office server, they initiate individual Remote Access (SSL VPN) connections to our UTM.
Our main office UTM is a SG 310. The new branch office UTM is a SG 125.
My job is to configure the SG 125, and make whatever changes are necessary to the SG 310. I have two main goals:
1. Completely eliminate both of the Netgear VPN/Firewalls, by moving the VOIP site-to-site VPN traffic to the UTMs. As part of this, I would like to implement QOS to prioritize the VOIP traffic. With the current implementation, when the branch office PCs use too much of their bandwidth, the phone system starts dropping calls at the branch office, or the connection quality goes way down. (I should note that I have very little experience yet with configuring/using QOS on the UTMs. Thus I'm not sure how some of my configuration options might affect the ability of QOS to prioritize traffic.)
2. Establish a site-to-site VPN connection for the PCs in both offices, which would eliminate the need for the branch office PCs to run individual Remote Access VPN connections.
My questions:
1. With regard to best use of QOS, is it better to (a) get a second static IP for the branch office, and keep the Internet connection for phone traffic at the branch office completely separate (the way we do at the main office), or (b) drop one of the static IPs at the main office, and share the remaining static IP with both the phones and PCs (the way they do at the branch office), or (c) leave the static IPs at both offices the way they are now, or (d) does it really matter?
2. Would it be better to set up two separate LANs at the branch office (one for phones, one for PCs), or combine both into a single LAN at the main office?
3. Should I set up two separate site-to-site VPN connections between the two offices (one for phones and one for PCs), or is it better to combine everything into a single site-to-site VPN connection? Is CPU usage on the UTMs a factor?
4. Is there anything else I need to know to best accomplish this task?
Thanks in advance for any advice you can offer.
This thread was automatically locked due to age.