Hi
We are running a 50-employee company and want a VPN solution for travel, allowing for better security on public and hotel Wi-Fi.
- Computers: all Win10 22H2, soon starting W11 upgrade
- On-prem: an office network only, which is barely used (employees are rarely working from the office)
- No datacenter or servers
- Microsoft 365 with email, sharepoint, onedrive and the usual
- Some other cloud services too, such as invoicing and time tracking
Would configuring a point-to-site VPN in Azure be overkill and more expensive than necessary?
If possible, I’d like to avoid purchasing 50 [insert (shady) VENDORNAME] VPN solution licences and deploying those manually.
Right now, we are instructing our employees to use 4G/5G mobile data and not connect to those public and hotel Wi-Fi networks. This works fine in Europe, but for travel outside the EU, the economics break the solution.
Since you don’t have a corporate vpn to the office already set up, I have to ask…
What “better security” do you think you’re going to get from a VPN that a standard HTTPS connection (99% of user traffic) doesn’t already provide?
Rather than a VPN you may find a CASB/SWG style solution to work a bit better for you. This way you can consume it as a service and not necessarily worry about maintaining infrastructure.
Some players in this space that I would look at are Skyhigh Security, Netskope, Cloudflare, and Microsoft has a brand new offering, Entra, but it’s likely a bit rough around the edges.
Don’t do a VPN. Doesn’t make sense for your use case. Look into a CASB like others have said.
Either look at Zscaler ZPA or Axis SSE. I agree with others that you need a CASB or a SASE offering.
I’d focus on identity-first security measures and then check out Cloudflare Zero Trust (formerly known as Teams). Duo is pretty good too.
Prisma Access or similar service is likely what you want.
Why not just make it a corp VPN? At some point they might need access to internal resources.
Just use a self-hosted OpenVPN instance on something like a dedicated Ubuntu server, or preferably a pfSense box. Note: pfSense wouldn’t need to replace your primary firewall in this case.
It can be configured to sync with Active Directory via RADIUS or LDAP, and even supports TOTP if needed.
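The comment above mentions that a self-hosted OpenVPN instance can authenticate against AD via RADIUS or LDAP and add TOTP. As an added illustration (not pfSense’s or OpenVPN’s own code, and not anything from the thread), the following script shows the shape of a second-factor check an OpenVPN `auth-user-pass-verify ... via-file` script would perform: it reads the two-line username/password file OpenVPN writes, splits an appended 6-digit RFC 6238 TOTP code off the password, and exits 0 (allow) or 1 (deny). Assumptions, labelled in the code: user records sit in a constructed `USERS` dict instead of AD/LDAP/RADIUS, the client types `<password><6-digit code>` into the password field, and the TOTP secret is the public RFC 6238 test-vector secret.

```python
"""
Hypothetical OpenVPN `auth-user-pass-verify` helper (via-file mode).
Added example only; not pfSense's or OpenVPN's own code.

Assumptions: user records live in the constructed USERS dict below (a real
deployment would look them up in AD/LDAP or via RADIUS), and the VPN client
sends "<static password><6-digit TOTP>" in the password field.
"""
import base64
import hashlib
import hmac
import struct
import sys
import time

DIGITS = 6        # TOTP code length
STEP = 30         # TOTP time step in seconds (RFC 6238 default)
WINDOW = 1        # accept one step before/after "now" to tolerate clock skew
PBKDF2_ROUNDS = 100_000

# Constructed sample directory. The TOTP secret is the RFC 6238 test-vector
# secret ("12345678901234567890" in base32) and must never be reused for real.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse", b"constructed-salt", PBKDF2_ROUNDS),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    },
}


def totp(secret_b32, for_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)          # 8-byte big-endian
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, code, now, window=WINDOW):
    """Accept the code if it matches any step within +/- window of now."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + k * STEP), code):
            return True
    return False


def check_credentials(username, combined_password, now):
    """Return True only if both the static password and the TOTP code match."""
    rec = USERS.get(username)
    if rec is None or len(combined_password) <= DIGITS:
        # Unknown user: deny. (A production script would still run the
        # PBKDF2 step here so timing does not reveal which usernames exist.)
        return False
    static_pw, code = combined_password[:-DIGITS], combined_password[-DIGITS:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", static_pw.encode("utf-8"), rec["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, rec["pw_hash"])
    otp_ok = code.isdigit() and verify_totp(rec["totp_secret"], code, now)
    return pw_ok and otp_ok


def verify_openvpn_login(via_file_path, now=None):
    """Read the file OpenVPN writes for via-file mode: line 1 username, line 2 password."""
    with open(via_file_path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    if len(lines) < 2:
        return False
    now = int(time.time()) if now is None else now
    return check_credentials(lines[0], lines[1], now)


if __name__ == "__main__":
    # OpenVPN passes the temp file path as argv[1]; exit 0 allows, non-zero denies.
    ok = len(sys.argv) > 1 and verify_openvpn_login(sys.argv[1])
    sys.exit(0 if ok else 1)
```

In a real deployment the password check would be delegated to AD (LDAP bind or RADIUS), and only the TOTP half would be handled locally or by the RADIUS server; the script also needs `script-security 2` in the OpenVPN server config and should be kept readable only by the OpenVPN user.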
Microsoft Entra Public / Private Access might be worth looking into. It’s due to go GA in October and looks really good. It will allow you to protect your connectivity into O365 better (conditional access, posture check) and also gives other options for user access that could make other options obsolete for customers that are heavily in the Azure / O365 ecosystem.
Fortinet ZTNA might be an option to look at. Not sure how well it works at this scale, but I think it can do everything you require without the need for the VPN.
Right, and I think Zscaler is one of the companies that has been doing it for a long time. OP, just be aware, as in my other comments, that there are often two offers, internet filtering and private access: internet filtering works more like UTM/IPS/IDS, and private access can be a substitute for a VPN.
Why ZPA? If they have everything in the cloud, why use ZPA (unless OP wants to restrict access)? ZIA should be enough for now (let’s say for OP it works kind of like a cloud firewall/UTM, so you can filter traffic and block categories (porn, gambling, etc.)).
Just be aware this works like a proxy, so without your own hardware you are limited to the countries in which Zscaler or another vendor have their gateways. I had some issues when users in the Middle East or Israel had problems with their domestic websites because their traffic was coming from a European gateway. You can make exceptions so that some internet traffic doesn’t go through it (whitelist), but then you lose the protection features.
ZTNA from Axis is very good value. Client VPNs are on the way out; I would not invest in one.
Possibly, but then we’d have to purchase the server and start putting physical assets in our office. Currently, we only have wifi, a switch and our ISP router. It could be done, but I’d prefer a cloud based VPN termination point instead.