
Suggestions - VPN

I seem to be hitting a hurdle with Sophos & Microsoft with regard to VPN, so I'm looking for some suggestions.

Requirements are:

1. Easy to deploy, e.g. to 200 clients
2. Transparent to the end user, i.e. no manually connecting. It has to be auto.

Now straight away, we would go Microsoft DirectAccess (DA). That worked until M$ broke it with Windows 10 build 1903. It's also end of life and has been replaced with Always On VPN (AOVPN).

So, let's replace DA with AOVPN, which uses a more traditional VPN (IPSec IKEv2) and allows it to be used with third-party firewalls etc.

Issues we encountered:

1. We can't have DNAT'd Microsoft AOVPN servers behind the UTM due to the UTM already using IPSec. There's no way to use additional IPs here.

2. I know.... let's use the UTM as the IPSec endpoint. Uh uh.... UTM doesn't support IKEv2

3. OpenVPN? Would be ideal but it doesn't deal with trusted networks and doesn't auto start if outside of a corporate network (unless somebody knows how?)

4. 3rd Party VPN client? Sophos IPsec client, NCP Entry client will work but look expensive. Cisco AnyConnect looks good too but there are licensing implications too.

5. L2TP/IPSec with RADIUS on the UTM and M$ built-in client (with PowerShell) will work, but I can't seem to get computer authentication to work with it, which leaves it open to potential abuse. User certs are a bit of a step too far for our IT Department. Be great if the M$ client could pass the computer name etc. but it doesn't seem to do this.

 

So... looking for any ideas or suggestions here. Cheers.


