Connecting New Site to Head Office - RED or Another SG?

Hi Guys,

I have an SG230 at Head Office on which I have 'hand crafted' all the rules, NAT, forwarding, SPAM filtering etc. over the past few years, and it is working fine. On my local domain I run a number of vLANs and have about 100 users here and a vmWare server infrastructure etc. I run a bunch of Ubiquiti switches but still have a Dell 6248 Layer 3 switch as my 'core' switch, so to speak. Hoping to replace this with another Ubiquiti ES-48. All vLANs, Trunks, LAGs, routing etc. are working fine.

I have one small remote site connection to Head Office with a Red15wi - this is working as intended.

That's the current working environment.

Now, I want to add a Branch Office that will sit about 20 staff, an RODC and 20 VOIP phones that will connect back to our PABX at Head Office. I'll be setting them up as a separate vLAN as there will be Ubiquiti security cameras set up at that site on their own vLAN as well.

So, my question is - should I be looking at a RED device or another SG Firewall to make the connection between the two sites? 

I don't know much about the XG series and am far more comfortable with the SGs :)

Any tips or advice is appreciated :)


  • I'd go with a RED device, unless you're also looking for internet access for the 20 remote staff without backhauling. It'll add up to the resources already in use on the SG.

  • In reply to j0hnV:

    Yeah, ideally we'd only want traffic back to head office going down the pipe, all other internet traffic, Office 365 etc go straight out their connection. 

  • In reply to Dread:

    In that case I'd go for an SG or XG. The latter has, by the way, my preference nowadays. I have some XGs running site-to-site tunnels to SGs at head offices, albeit using IPsec. Haven't tried a RED type connection between them, honestly.

  • In reply to j0hnV:

    XG RED to SG RED is also easy to set up (just tried).

  • In reply to j0hnV:

    Cheers John. I might go down the XG path as I s'pose it's time I started wrapping my head around 'the Future' of Sophos's Enterprise firewall products ...

  • In reply to Dread:

    My preferences, in order, for your situation are:

    1. XG 86(i) with a Support subscription.
    2. SG 115(i) with a Network Protection Subscription.
    3. RED 50 with Warranty Extension.

    If you want to use FullGuard at the new remote site, I would choose the XG 106.  The SG 115 should support FullGuard for 20 people unless there's very heavy Internet use.  If that site has a WAN connection over 150 Mbps down, my first choice would be a 25- or 50-IP UTM subscription running on a workstation with a quad-core CPU at 3+GHz and 8GB RAM or more.  Your reseller should give you a recommendation.

    Cheers - Bob

  • In reply to BAlfson:

    Cheers Bob!

    I have FullGuard on the SG230 here at HO, but all of the users at the site are on Office 365 (we are currently running Exchange 2016 Hybrid Mode) so we won't need FullGuard for that Office/Device. I'll be slowly transitioning HO from Exchange to O365 as well over the coming months. Once that's completed I'll likely drop FullGuard on the SG230 as well.

    I was a little hesitant to go RED, with the issues the RED devices have been having with the Unified firmware of late; a RED 15 of ours was affected.

    So it seems unanimous - XG is the way forward here! 

  • In reply to Dread:

    I can see dropping Mail Protection, but what about Intrusion Protection, Web Protection, Wireless Protection and Webserver Protection?  If you use any three of those, FullGuard is cheaper.

    Cheers - Bob

  • In reply to BAlfson:

    Apologies for the delayed reply - busy as always as 'other' things crop up! I'm back on it today and getting some quotes together.

    The new site (let's call it 'Branch Office') is all Office 365 (and our Hybrid 2016 Exchange Server at Head Office via the SG230 with FullGuard), so I won't need mail protection there, and I'll be deploying Ubiquiti inside the network up there for switching/routing (vLANs etc.) and WiFi. I'm a bit of a fan of Ubiquiti gear internally (and their security cameras). I won't need any Webserver Protection or Wireless Protection, but Web Protection would be handy, so, based on what I am seeing at my supplier, Enterprise Protect is the best fit for our needs.

    Based on that, I am looking at deploying the XG210 with Enterprise Protect at that site ... it's the smallest 1RU device and gives a bit more room for expansion, including those 1GbE ports and SFP+ options. I'll drop an RODC onsite, set them up as their own vLAN and connect via the site-to-site IPsec tunnel between there and Head Office. Copy data from their old servers onto the new RODC and then turn them off. Remove PCs from the old domain and join the new one, our one ... and then spend hours reconfiguring everyone's desktops, profiles, printing, email etc.

    On reflection, the small 4 person office they have nearby that currently has a VPN back to that Branch Office: I was going to put a RED 15 there and connect it to our Head Office as well, but I may have to instead connect the RED there to that Branch Office's XG as that is where their data is kept (they have mapped file shares, i.e. W drive etc.) ... I totally forgot about that. And I don't want them accessing all of their file shares via Head Office, even with 30mb upload out of Head Office now (HFC 100/40, currently getting about 85/31 ish).

  • In reply to Dread:

    A smaller XG would be fine instead of the 210.  A rackmount kit for the smaller devices only costs US$80.

    Cheers - Bob