Saturday, May 25, 2019

[Advice] Best VPN Appliance for Small Business with AD Login & 2FA Support

Hi all,

I do IT work for a small business in London, UK and we have a really terrible 8-ish-year-old DrayTek router. I made another post in another sub a while back about trying to get 2FA working via TOTP with it, and honestly the amount of faff I have been through to get a Duo solution that works for a few days at a time and then just cuts out (on the router's part) means that it is time for it to go.

I have been looking at the SSL VPNs on the market. We want something that has good bang for the buck and shouldn't need too much looking after (aside from regular security patching, etc.) since I only work with the company ad hoc and I'm not there full time to look after it 24/7.

Our types of users are very mixed:

  • BYOD workers (e.g. myself as an admin, and a couple of other employees that have their own laptops). They should have VPN access on demand, ideally via Duo since it works well for us and they are not very technical so Duo provides the easiest bang-for-buck security I've found for VPNs.
  • MSP: we have an MSP that can't use Duo due to their company policies. I currently generate them time-limited one-time access codes via the Duo control panel as and when access to the network is needed. TOTP with a HW token would be ideal for them, though, for long-term access when needed.
  • Company provisioned machines: we have a number of machines on AD (a couple of desktops in the office permanently connected to the corp network, and a couple of laptops so far that should be usable from home) that are fully under Group Policy. The laptops at the moment connect to the dodgy VPN we have via a rasphone profile that allows logging in from the login screen. It's a nasty setup, and I'd much rather provision those machines with access certificates (they are encrypted) to get as far as the corp network from the Windows login screen, and then use standard PIN/Password/Windows Hello as if the workers were in the office. This should allow any password resets to be reflected across the Internet immediately, so long as the laptops have Internet access. The VPN should be disabled, however, if the users are in the office, as the corporate network will be available via Wi-Fi and Ethernet.

All users who are out of the office use split tunnelling.

It looks like Cisco ASA, Fortinet and Palo Alto Networks all have good support for most of these options, but I'm not sure about the following:

  • Pricing: do we need to pay annually for licensing all the various components, or are licences just for updates? Who tends to have the lowest annual fees?
  • Multiple profiles: is it possible to have one VPN appliance and endpoint but with certificate-based and 2FA credential-based logins? Bonus points if we can assign policies to users based on AD groups, and if the certs can be managed by our pre-existing AD CA.
  • Compatibility with Windows 10 Always On VPN: it looks like VPN providers with UWP apps are compatible with this, but we don't want to have to provision an MDM to generate these profiles. Ideally I'd like to just be able to deploy cert-based VPN to laptops based on an AD group.
  • Ease of configuration: I should be able to quickly administer the appliance remotely. I work for the company on a freelance basis, often on evenings/weekends, so I don't want to need to keep calling up vendors to get custom patches and custom licences to make things work. Once procured, I want to be able to monitor and look after it with as few office visits as possible.

We have no real affiliation with any particular vendor. We use Windows Server 2016 on-prem, and currently have a Dell sales rep available, but I've not heard great things about SonicWall so we're ignoring those for now...

It's a pretty small company with a relatively flat network comprising around ten machines including a server. We also have a site-to-site setup in place to connect two offices together, but the amount of traffic going over that site-to-site setup is very low. I want to future-proof this with support for at least 10 parallel VPN connections open at once with reasonable throughput.

Thanks so much in advance for any tips or pointers anyone can provide!

Chris
