Thanks, good input! Cisco is not a likely contender with so many other vendors with a better (recent) track record. I’ll definitely look into the others!
I deployed Appgate and would highly recommend it. The flexibility and granularity is truly awesome.
F5 with Cisco Firepower is our setup.
Seems to work well.
Check App Gate’s financials before you buy. They likely need to be acquired to continue operating. They pushed out their debt repayment but have had exceptions from their debt owners the last two quarters to not have a default event.
We also use Palo Alto Virtual firewalls on VMware with GlobalProtect clients. Rock solid VPN connections and no buggy client issues like we had with Fortinet and Cisco before.
We have the Palo Alto authenticating clients with certificates from our CA and Biometrics on their devices.
On iOS devices, the vpn on demand feature works seamlessly with our home grown apps.
Open source is not on the “wish list”, but an option to evaluate, just as commercial solutions are. The goal is to choose the overall most cost effective solution that gives us good security and an easy and good enough user experience. I’m leaning towards a commercial solution, but also want to understand costs, benefits and drawbacks for “free” solutions.
Do you have 15-20k simultaneous users or is that a total number of potential users? PA has a licensing that is less favourable where your user count is the number of users that have connected anytime for a given 30-day(?) period. If all your users connect once a month, they will all count, isn’t that right? Prisma access is a very nice solution indeed, so it is on the “short list” already
Dunno, I wouldn’t do THOUSANDS of users on OpenVPN.
To add to this, OpenVPN uses SoftEther as its backend.
SoftEther is also open source; it was made by the University of Tsukuba in Japan.
This looks interesting. How big is your user base, how are you hosting, and what are your client types?
Impressive. We’re hiring people with deep knowledge of ZTA architecture and development.
That’s an interesting approach! I’ll read up on it and see if it fits our needs.
The requirement (well, sort of) is to not load the firewalls with more stuff. Other boxes from the same vendor as the FW have been used for client VPN but that proved unsuccessful (not sure about the exact details). The current firewalls will be replaced as the manufacturer cannot keep up with firmware, bug fixes and functionality at a decent pace. As those will be replaced and the consensus is to have a separate client VPN solution in place before they can be replaced, we’re looking for a separate solution.
In general, your advice is good and makes sense, just not for this customer and where they are and possibly because of the scale of it all.
Yes, the bug issue is one thing to consider with open source. On the other hand, sometimes(!), the open source community is quicker to understand and fix issues.
Ivanti/Pulse is something I’ve worked with in the past so it fails from previous experience. Really! It is amazingly competent but also wildly infuriating to configure. The purchase and licensing cost along with the consultancy fees to keep it going is most likely prohibitive! It is a contender still, but I fail to see that it will be a finalist.
You can also be built on open source while having a support contract or even SaaS product.
But with OSS at least if a bug is found, it can’t really be buried and ignored. Why would a proprietary system not have a critical bug? In that case it’s more likely they’d ignore reports to save face in the interim (or even try to silence the bug reporter!). With OSS it’s not going to get a grey hat into legal hot water just for reporting, it’s already out in the open, and you can bet a GitHub issue will be raised within minutes after a vuln goes into the wild.
Apache and nginx are both OSS and people depend on them for more than a few thousand connections per site/service. Not many people running IIS these days…
I tried to read up on RRAS but I can’t seem to find any specs in terms of cryptos and such. Being launched for NT 4.0, the development team would have to have refreshed the code many times over in order to meet today’s security standards.
I found one article stating that the default in RRAS for client connections is DH2/SHA-1/3DES… Needless to say, if this is the level RRAS is on, it is not an option for us (shouldn’t be for anyone), especially considering the past security reputation Microsoft has.
Those “great firewalls” may be a concern for some of the staff travelling, but not in a significant way. Those users could probably be handled separately if needed.
I think few users have DS-Lite here, but that may be a thing for some staff and travellers. Thanks for the tip!
Do you have experience with this scale in Fortinet products? Been there, tried that…
Add OpenZiti/CloudZiti to that list of zero trust overlays.