Client VPN for 1000s of users, options?

I’m not in the US but I get your point. One way you could simplify the switchover for your users would be to change the A/CNAME record of state.vpn.company.com and direct it to the working one.

Redundancy is an apparent requirement, I tried to keep it short, but thanks for the feedback!

AD on Windows, .mobileconfig for iOS/iPadOS and a simple mail with the .conf for Android users. BYOD also just the simple .conf file.

It’s a normal ZTN overlay, but not using any commercial solutions; it’s all free and all open source. Saves you a ton of money, very easy to use for the users, works on any device and is on par in terms of security with any big vendor’s solution, without the headaches of licensing and limits.

You need a service portal to create the configurations for your users, where they can download the config and the apps so they don’t have to rely on a search engine for that, or if it’s on controlled devices, deploy it with the methods mentioned above. On the control panel you have your edge VPN WireGuard clusters that are connected to a ZTN overlay network for role-based ACL. By default, all roles are revoked upon access: the client can connect, gets its IP and is happy, but no data is routed or allowed until the challenge is solved. Redirect any web request to the challenge. If the challenge is solved, grant access with the desired roles. The client can do all of this in their self-service portal too; they see their currently connected devices and they can solve the challenge there too for a new connecting device. Pretty easy for the end user to use, and works with BYOD too, since they can simply download and install the software themselves. This is all custom, but very easy to set up for devops.

Just throw a 403 error instead of redirect with the portal served via the 403 error page. Works on any TLS connection.
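To make the gating logic from the two posts above concrete, here is an added toy model (not code from any poster or product) of a control-plane policy: a WireGuard peer, identified by its public key, gets a tunnel IP on connect but is default-deny until the challenge is solved, web traffic is steered to the portal either by redirect or by a 403 whose error page is the portal, an authorised device can approve a new one, and revocation drops the peer back to default deny. The portal address, the role-to-network ACL and the key names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
PORTAL_IP = "10.99.0.1"  # constructed: self-service portal inside the overlay
# Constructed role-based ACL: role -> allowed (destination network, port) pairs.
ACL = {
    "finance": {("10.10.0.0/16", 443)},
    "devops": {("10.20.0.0/16", 22), ("10.20.0.0/16", 443)},
}

@dataclass
class Device:
    pubkey: str               # WireGuard public key identifies the peer
    tunnel_ip: str            # assigned on connect, before any challenge
    roles: set = field(default_factory=set)
    challenged: bool = False  # default deny: nothing routed until solved

def decide(dev, dst_ip, dst_port, mode="redirect"):
    """Data-plane verdict for one flow from a connected peer."""
    if dst_ip == PORTAL_IP and dst_port == 443:
        return "allow"        # the portal itself is always reachable
    if not dev.challenged:
        # Web traffic is steered to the challenge; everything else is dropped.
        if dst_port in (80, 443):
            return "redirect:portal" if mode == "redirect" else "403:portal"
        return "drop"
    for role in dev.roles:
        for net, port in ACL.get(role, ()):
            if port == dst_port and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net):
                return "allow"
    return "drop"

def solve_challenge(registry, pubkey, granted_roles):
    """Challenge solved (portal or 403 page): grant only known, requested roles."""
    dev = registry[pubkey]
    dev.challenged = True
    dev.roles = set(granted_roles) & set(ACL)
    return dev

def approve_new_device(registry, approver_key, new_key):
    """An already-authorised device may solve the challenge for a new one."""
    approver = registry[approver_key]
    if not approver.challenged:
        raise PermissionError("approver has not solved the challenge itself")
    return solve_challenge(registry, new_key, approver.roles)

def revoke(registry, pubkey):
    """Drop all roles: the peer stays connected but is back to default deny."""
    dev = registry[pubkey]
    dev.challenged, dev.roles = False, set()
    return dev
```

In a real deployment the verdicts map onto firewall rules keyed by the peer's tunnel IP; the model only shows the ordering of the checks.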

We have less than that, though I would assume more instances with fewer users each via the traffic manager would address it.

I think the limitation is throughput? For our v50s (ESX) 3200-3500 daily (full tunnel) with no issues… Looking at Azure as well for a third (cloud) site…

Yeah, we use Meraki for our on-site firewalls. We build tunnels back to VMXs (I would recommend nobody use the native Azure VPN) and the VPN traffic from the ASAs can pass over that on approved ports to approved IPs.

ZPA doesn’t really provide advanced threat protection services so if you need good lateral protection you’ll have to keep your edge firewalls and make sure you inspect ingress traffic from your ZPA users. Alternatively, you can look at solutions that do provide those protections, e.g. Cato Networks, Palo Alto Networks, etc.

If you are using SaaS services such as Okta and Google to authenticate, I don’t think you’ll find much issue with the cloud-based services for remote access. Most have some sort of resilient option in case of failure.

Prisma Access is not really ZTNA in my view. It’s cloud hosted firewalls, remote access VPN, and private network. The product is okay if that’s what you’re looking for.

Netskope performance is ok. Not as good as Cato Networks, though. Private Access is still based on a reverse proxy architecture, too. Cato is based on a full inline/transparent proxy just like an NGFW, so you get the best of both worlds - zero trust access and full enterprise security inspection with Cato Networks.

Same. Had hiccups with a few things like SAML having issues with how many AD groups a user was in, Macs not playing nice, and other miscellany. All in all though it was easy enough to administer, and they adopted a number of features that we requested directly as well as acknowledged and then resolved a number of bugs we encountered.

How do you know that about AppGate? Maybe they are worth acquiring.

We have > 15k concurrent at peak hours on weekdays. We do it with physical firewalls, so there is no per-user licensing. Size the box, and the subscriptions are priced based on the size. I am not sure of the details of Prisma licensing.

OpenVPN and SoftEther are completely different things

About 60 users, but hundreds of AWS instances and a few dozen on-prem VMs. Like Tailscale, it’s designed as a full mesh p2p overlay, but you can use network gateways as well. Currently evaluating it in an on-prem VM. It’s a dockerfile and a config file to set it up, so it’s easily portable.

EDIT: Since the tunnels are p2p and the only central part is the management server, it should scale to thousands of users/devices.

You should check out OpenZiti/CloudZiti too (the former is open source, the latter is Cloud SaaS with a free tier). It has similarities to Zscaler, e.g., outbound only connections, micro-segmented, least privilege, device posture checks, but also many improvements incl:

  • (a) built on open source under Apache 2.0
  • (b) richer set of endpoints for more use cases, incl. app-embedded, IoT, and clientless
  • (c) usable for any use case from remote access, to multi-cloud, to DevOps, to IoT, to VoIP
  • (d) has embedded identity with the ability to cooperate with external IdP
  • (f) can be hosted in any location rather than just Zscaler PoPs
  • (g) has a full suite of APIs and declarative functions.

Because it’s contractually obligated, supported, and audited. This is why most open source vendors have an enterprise side; there is nothing wrong with OSS. Ever heard of Red Hat?

It depends largely on which VPN protocol you’ll be using. PPTP is impossible to secure properly but L2TP and SSTP use modern encryption.