Saturday, March 7, 2020

Anyone doing always on VPN for employees?

Wondering if anyone is doing "always on VPN" for employees, even when they are in the office? I would need to configure only 'visitor network' in every office and then allow access to DC from VPN subnet. Adding a new office would be easy as the users would terminate to the same subnet from everywhere and managing fw rules would be easier. Might even switch to role based fw rules instead of just using IP subnets.

On the downside, I would still need to configure networks for printers etc. In the future we'll probably replace the switches with models that support Aruba's Dynamic Segmentation, so in the distant future we would have only visitor + dynamic segmentation networks everywhere.

Started wondering this as it seems FortiClient doesn't have any sophisticated way to know if it's in an office network or not, you just need to enter IP networks manually for it to figure out whether it should connect via VPN or not.

So the option is either to get other VPN client software, or just use VPN everywhere. We have FortiGate firewalls in the DC; they have more IPsec performance than we would ever need for users.

Any thoughts? Thanks!
