5th February 2008 | #1
Trusted User (494) Platinum User
Join Date: Jun 2006
Location: UK
Age: 34
Posts: 485
VPN solutions...
Hi all
Looking at a VPN solution to allow access for around 1500 users (200-500 simultaneous) and was wondering whether ISA/W2K3 is up to that many connections, as compared to a dedicated VPN endpoint?
Any thoughts appreciated.
Lea
__________________
Registered User
5th February 2008 | #2
Join Date: Apr 2005
Posts: 1,296
Don't use ISA unless your hair will NEVER fall out.
__________________
Jon Rohan
Please note: My views are my own and not those of the company I work for.
__________________
Web Host - VIP Member
5th February 2008 | #3
Join Date: Feb 2004
Posts: 467
Is this just for users dialing in? (a.k.a. RAS'ing in)
__________________
Web Host - Certified Member
5th February 2008 | #4
Join Date: Mar 2005
Location: Telford, (data)centre of the known universe
Posts: 913
Hi Lea
We do a useful wires-only VPN product that connects any combination of dial, xDSL and leased line. It runs on a distributed platform, which makes it nicely resilient. Drop me a line if you're interested.
__________________
Jake Perks - Iconnyx Ltd
CONNECTIVITY | IP VPN | SAN | HOSTING
__________________
Web Host - Certified Member
5th February 2008 | #5
Trusted User (494) Platinum User
Join Date: Jun 2006
Location: UK
Age: 34
Posts: 485
Hi all
People always instinctively say 'don't use MS', but really, come on. I understand a hardware solution will handle the connections, BUT why not use MS?
Cost is cut to a minimum and support perhaps increases, but what's the hard line... ISA just can't handle it yet? In terms of what?
Am interested in your thoughts on why, as opposed to just 'don't do it'.
Cheers all
Lea
__________________
Registered User
5th February 2008 | #6
Join Date: Nov 2001
Location: Derbyshire
Posts: 5,965
If it's encrypted, then you're going to need one hell of a box, or a crypto card - in which case, you might as well go for a hardware device that has the crypto built in.
__________________
Web Host - VIP Member
5th February 2008 | #7
Trusted User (494) Platinum User
Join Date: Jun 2006
Location: UK
Age: 34
Posts: 485
Hi Karl
So what we're saying is there are practical limits to the volume of simultaneous encrypted tunnels - yep, I can understand that. But surely all tunnels are encrypted, although I understand there are differing levels (one assumes with differing CPU overhead for encryption) and of course security levels.
So, any thoughts on how many concurrent encrypted connections ISA/W2K3 boxes can handle?
Thanks
Lea
__________________
Registered User
5th February 2008 | #8
Join Date: Nov 2001
Location: Derbyshire
Posts: 5,965
No, not all VPN tunnels are encrypted; some protocols make it optional (L2TP being a prime example, from memory).
__________________
Web Host - VIP Member
5th February 2008 | #9
Join Date: Nov 2001
Location: Derbyshire
Posts: 5,965
(grrr, bloomin' edit buttons won't do anything)
For example, without the crypto card, a Juniper J-4350 is rated to about 30 Mbit/s of 3DES traffic - that's with a moderately fast P4 CPU. I'd imagine that is under ideal conditions as well: minimal number of tunnels, large packets.
__________________
Web Host - VIP Member
5th February 2008 | #10
Join Date: Apr 2005
Posts: 1,296
Quote: Originally Posted by LeaUK2
Hi all
People always instinctively say 'don't use MS', but really, come on. I understand a hardware solution will handle the connections, BUT why not use MS?
I work for a Microsoft Gold partner, we are 98% Microsoft people. We use ISA and for this purpose it wouldn't live.
__________________
Jon Rohan
Please note: My views are my own and not those of the company I work for.
__________________
Web Host - VIP Member
7th February 2008 | #11
Trusted User (494) Platinum User
Join Date: Jun 2006
Location: UK
Age: 34
Posts: 485
Thanks for the confirmation Jon, what about reduced number, say 100 concurrent?
__________________
Registered User
7th February 2008 | #12
Join Date: Mar 2002
Location: London, United Kingdom
Age: 38
Posts: 4,251
Quote: Originally Posted by LeaUK2
Looking at a VPN solution to allow access for around 1500 users (200-500 simultaneous) and was wondering whether ISA/W2K3 is up to that many connections, as compared to a dedicated VPN endpoint?
A software company we handle the colo for used ISA successfully for about 20 users during their beta testing, all fine with their application. They rolled it out live and, AFAIUI, at sub-150 live users there was constant downtime/issues and regular hard reboots, so they went onto a Fortinet 400, which at peak times hits 60 Mb/s (it has never gone past that, but flatlines around 58-60 Mb/s), so that is either a limit in the VPN unit or a limit in the systems they have behind it.
I don't know if there are any issues with the Fortinet or their app, but they seem to regularly post DVDs they want slotted into a machine; presumably it's quicker to copy data from them than to upload over their DSL connection in the office?
__________________
Web Host - VIP Member
8th February 2008 | #13
Join Date: Apr 2005
Posts: 1,296
Quote: Originally Posted by LeaUK2
Thanks for the confirmation Jon, what about reduced number, say 100 concurrent?
I still wouldn't use ISA. ISA is a funny beast and can be a real PITA when it goes wrong. A hardware solution won't require patching every month or antivirus, and will generally require less maintenance.
What kind of redundancy do you require?
I did consider using ISA for a 300 user external proxy, very glad I didn't. Smoothwall took its place and was excellent.
__________________
Jon Rohan
Please note: My views are my own and not those of the company I work for.
__________________
Web Host - VIP Member
9th February 2008 | #14
Trusted User (494) Platinum User
Join Date: Jun 2006
Location: UK
Age: 34
Posts: 485
Cheers guys
On your advice I think it's hardware then....
Many thanks
Lea
__________________
Registered User
9th February 2008 | #15
Join Date: Sep 2005
Location: Leeds
Posts: 395
I'm not quite sure what all the sulking about ISA is, TBH. We have a large corporate that uses it: two boxes, one with RSA on and the other without. Both are PPTP connections, forced 128-bit encryption, nothing lower allowed, MS-CHAP v2. Both run on DL360s, 2.8 GHz, single proc, two gig of mem in one and three gig in the other (the RSA agent runs away with memory and they've never fixed it).
Currently the non-RSA one has 143 users on, has an evening peak of around 300 and has been up since 28 Dec, when it was last rebooted for patching. Prior to that it had been up for months and has, to my knowledge, never crashed. ISA 2004 Standard is in use; they hide behind ASAs (personal paranoia) and they are also used as outbound web proxies for 1200-ish on one and 1400-1500 on the other. The non-RSA one is currently doing between 10 and 20 meg, average about 13 meg, most of which will be remote users as there are few in the office today. Processor running <10%.
Assuming you have a decent domain security policy (i.e. high-strength passwords, changed regularly, etc.) I would have no hesitation in recommending it for 250 concurrent users.
__________________
Web Host - Certified Member
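Two posts above make claims about whether a tunnel is actually encrypted: #8 (L2TP makes encryption optional) and #15 (PPTP with forced 128-bit MPPE). The added example below is editor-supplied illustration, not code from any poster or vendor in this thread. It classifies raw IPv4 packets by the tunnel protocol they carry, using only the facts visible in the IP/UDP/TCP headers: ESP (IP protocol 50) and ESP-in-UDP on 4500 (RFC 3948 NAT-T, where a four-zero-byte marker distinguishes IKE from ESP) are encrypted; L2TP seen directly on UDP 1701 has no IPsec around it and is flagged as cleartext; PPTP data (PPP over GRE, IP protocol 47) is marked "depends", because MPPE is negotiated inside PPP and headers alone cannot prove it was. The sample packets, addresses (RFC 5737 documentation ranges) and payload bytes are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# IP protocol numbers and well-known ports for the tunnel types discussed.
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PORT_IKE, PORT_L2TP, PORT_PPTP, PORT_NATT = 500, 1701, 1723, 4500


def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (IHL 5, no options, checksum left zero) + payload."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, payload):
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window, csum, urgent.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                       8192, 0, 0) + payload


@dataclass
class Finding:
    src: str
    dst: str
    tunnel: str
    encrypted: str  # "yes", "no", "depends" (inner negotiation), "n/a" (control)


def classify(pkt):
    """Classify one raw IPv4 packet by the tunnel protocol it carries."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    l4 = pkt[ihl:]

    if proto == IPPROTO_ESP:
        return Finding(src, dst, "IPsec ESP", "yes")
    if proto == IPPROTO_GRE:
        # PPTP data path: PPP inside GRE. Confidentiality exists only if MPPE
        # was negotiated in the PPP CCP exchange, which headers cannot show.
        return Finding(src, dst, "PPTP data (GRE/PPP)", "depends")
    if proto not in (IPPROTO_UDP, IPPROTO_TCP):
        return Finding(src, dst, "other", "n/a")

    sport, dport = struct.unpack("!HH", l4[:4])
    ports = {sport, dport}
    if proto == IPPROTO_UDP:
        body = l4[8:]
        if PORT_NATT in ports:
            # RFC 3948: a four-zero-byte "non-ESP marker" means IKE, else ESP.
            if body[:4] == b"\x00\x00\x00\x00":
                return Finding(src, dst, "IKE over NAT-T", "n/a")
            return Finding(src, dst, "IPsec ESP over NAT-T", "yes")
        if PORT_IKE in ports:
            return Finding(src, dst, "IKE", "n/a")
        if PORT_L2TP in ports:
            # L2TP seen directly on UDP 1701 is outside IPsec: the PPP frames
            # and any credentials inside them cross the wire in clear.
            return Finding(src, dst, "bare L2TP (no IPsec)", "no")
    elif PORT_PPTP in ports:
        return Finding(src, dst, "PPTP control (TCP 1723)", "n/a")
    return Finding(src, dst, "other", "n/a")


def cleartext_tunnels(packets):
    """Return findings for tunnel traffic that is definitely unencrypted."""
    return [f for f in map(classify, packets) if f.encrypted == "no"]


# Constructed sample traffic (RFC 5737 documentation addresses, dummy payloads).
CLIENT, GW = "203.0.113.10", "198.51.100.1"
SAMPLE_PACKETS = [
    ipv4(IPPROTO_ESP, CLIENT, GW, b"\x00\x00\x10\x01" + b"\x5a" * 40),                 # ESP
    ipv4(IPPROTO_UDP, CLIENT, GW, udp(1701, 1701, b"\xc8\x02" + b"\x00" * 30)),        # bare L2TP
    ipv4(IPPROTO_UDP, CLIENT, GW, udp(4500, 4500, b"\x00\x00\x00\x00" + b"\x11" * 28)),  # IKE NAT-T
    ipv4(IPPROTO_UDP, CLIENT, GW, udp(4500, 4500, b"\x00\x00\x10\x02" + b"\x22" * 28)),  # ESP NAT-T
    ipv4(IPPROTO_TCP, CLIENT, GW, tcp(40000, 1723, b"\x00\x9c\x00\x01" + b"\x00" * 20)),  # PPTP ctl
    ipv4(IPPROTO_GRE, CLIENT, GW, b"\x30\x01\x88\x0b" + b"\x33" * 24),                 # PPTP data
    ipv4(IPPROTO_TCP, CLIENT, GW, tcp(40001, 80, b"GET / HTTP/1.0\r\n\r\n")),          # plain HTTP
]

if __name__ == "__main__":
    for f in map(classify, SAMPLE_PACKETS):
        print(f"{f.src} -> {f.dst}: {f.tunnel:28} encrypted={f.encrypted}")
```

Run against the constructed set, only the bare L2TP flow comes back from `cleartext_tunnels`. The "depends" result for GRE is the honest answer for the #15 setup: whether PPTP actually got 128-bit MPPE lives in the PPP CCP negotiation inside the tunnel, so verifying a "forced 128-bit, MS-CHAP v2" policy means checking the RRAS/ISA profile and a decoded PPP trace, not just port numbers. As a present-day caveat outside the 2008 discussion, PPTP with MS-CHAP v2 is no longer considered adequate; the MS-CHAP v2 exchange can be recovered offline, which is why current guidance is IPsec or TLS-based tunnels with certificate or EAP authentication.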