We currently use a TMG server for controlled access to the Internet, and want to replace it. There are no direct openings towards internet with a few exceptions.
Basicly, it has 2 roles -
1. is as an authenticating web proxy. Different Windows groups has different Internet access.
2. With the firewall client, redirects all non-LAN traffic to the TMG, which then, based on credentials, makes decisions to block or allow the traffic. Approx 5000 clients.
Squid can easily handle the web proxy role.
But what can replace the firewall client functionality ? I can not see one single component doing so. I could imagine running lots of split tunnel VPNs, with default route thru the tunnel, and split tunnel to LAN networks. But how would I determine what access the users would get ?
I could likely do something with creating 10 access rule sets, and have each client hit one of those sets. But then I would have to map our existing set of additive groups access to access rule sets, giving some people more access than they have today.
TMG is running on a 4 server cluster, with failover. We would like failover as well (Short lived DNS records and DNS round robin could do as a poor mans failover). Can we run 1500 VPN servers on servers without any issues ? How does VPN solutions scale ? We do not see more than 500Mbit/s bandwidth total among the 5000 clients (after eliminating forbidden traffic).
We also want always-on VPN from home, more or less same functionality. That one gets more difficult. Layering VPN channels is theoretical possible but too complicated. So 2 different always-on VPNs if possible ? Route LAN through one, Internet through another ? or a 3rd solution ?
No comments:
Post a Comment