Remote VPN access - best practice for an increased number of remote staff accessing HQ network shares and services

Good Morning,

A newbie question - in these days of increased remote access to HQ, what is the best VPN service (or combination of) protocol for staff remote access back to the office from their business laptops? I appreciate it's very much an 'it depends' question, but I'm trying to understand whether SSL L2TP or L2TP IPsec or what is a better combination than their current SSL L2TP. Or is this the best/most efficient?

I've been experimenting with different combinations and believe the Sophos IPsec client seems to present the most user-friendly endpoint solution for (staff) connecting back to HQ (using macOS 10.15 and 10.15; Windows 10 Pro).

In total, there are now about 30 staff currently connecting back to HQ via SSL L2TP using their PCs' built-in VPN client. The XG firewall is running V18 MR3. There is a mix of VPN demands - designers mainly access large 3D CAD files or RDP to their desktops and work with large 30 CAD files (about 5-30GB); managers are accessing Excel spreadsheets; the accountant accesses MYOB on the server; management is accessing mainly documents and customer database stuff. There are no web-based portal services hosted within the environment; all web-present solutions are cloud hosted. The business has a 100/100 internet service. All staff are on O365 accounts.

With my investigation, I believe it is possible to have a split tunnel so only RDP or SMB or similar traffic is directed into HQ and everything else (including cloud services like Dropbox, SAP, etc.) gets directed by the Sophos IPsec client straight out via (individual) home internet connections. Is this a good idea or does it add too much overhead? Has anyone undertaken similar investigations and found a magic combination of security, performance, etc.? (And yes, there is always a compromise.)

I've got a few conflicting opinions on this topic - and very little clarity, because 'it depends' - and would appreciate additional comment (from a more specialised community) for a better understanding of where to go.

Thank you - in advance for your insight.

Have a great day,

Fred

  • Hello

    We use the SophosConnect Client from the XG with the option "TunnelAll".

    We don't allow traffic directly to the local Internet.

    It's a security point for us.

    Regards

    Roland

  • Hi Roland,

    Yes, I understand the security posture. This is what is currently set up, but as this new 'remote-working-from-home' becomes 'the-new-standard-of-working', I can see a business requirement to support more staff on the VPN service. All business project files are hosted on an on-prem server and staff will need remote connections to HQ to access these files. If so, one option may be to split traffic with only on-prem services presented via the VPN service and all other cloud or internet services (O365, iCloud, Dropbox, SAP, etc.) available directly from the internet. Each cloud service presents its own authentication and authorisation process - which is fine. Although sending all the traffic through the firewall is likely to be more secure (plus allow reporting, monitoring, etc.), I am taking this opportunity to investigate whether there are other options around what traffic is traversing the firewall. My view is that services like iCloud, messaging, perhaps Facebook, etc. don't really need to be reported on. Or do they?

    Thank you.

  • Hi Frederick and welcome to the UTM Community!

    Yes - UTM.  You will want to post your questions in the XG Firewall community.

    I agree with Roland that the Sophos Connect client with "Tunnel All" is to be preferred, but 100Mbps isn't adequate for 30 simultaneous connections.  If you can't get a 1G/1G connection for a reasonable price, you may want to consider adding one or two more 100/100 connections.

    In any case, those home users might want to replace the antivirus on their personally-owned machines with the free-for-home-use AV from Sophos.  For company-owned computers, you will want to purchase Sophos Central Intercept X.  Once those computers are in the office behind the XG, you will benefit from Synchronized Security.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Very good. Yes, definitely a newbie error. I'll close this posting and re-open on the XG Firewall community.

    Thank you.