This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AP10 NOT behind RED device

Hello,
I need to connect 1-2 AP10 in a remote branch office to our ASG in main office, but I would not buy a RED device. In your opinion can I establish a connection in these conditions? About security: I imagine that the traffic from AP10 to ASG is encrypted, isn't it?

Thank you
eclipse79

This thread was automatically locked due to age.

0 BrucekConvergent over 13 years ago

I'm not sure that the traffic between an AP and the host ASG is actually encrypted... it seems like I remember this being a feature request. I'm pretty sure it's "tunneled", but not encrypted... perhaps someone from Astaro will be along to correct me if I'm wrong.

In any event...

If you are thinking about putting an AP10/30 behind, say, a DSL / Cable / T1 router, and have it route the AP to the public internet, and having it somehow connect to the ASG, no, I don't think this will work. The AP devices try to reach IP 1.2.3.4 ... which the public internet would not route to your ASG device. You will need a VPN tunnel of some sort, with a RED being the easiest option in this case.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 eclipse79oldacct over 13 years ago in reply to BrucekConvergent

You will need a VPN tunnel of some sort, with a RED being the easiest option in this case.

Thank you Brucek,
the problem is that the bandwidth of main office is not high... 4bit in optic fiber. Also remote office has not a high network performance (512k of guaranteed bandwidth). So I would not use it for secure web surfing...

If I decide to buy a RED, can I set it only for wi-fi communications between AP10 and ASG? Can a RED be configured for site-to-site IPSEC VPN?

Thanks
eclipse79
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 13 years ago in reply to eclipse79oldacct

The RED is a VPN device... it passes traffic at a lower level than your standard IPSEC VPN, and it uses it's own protocol for this. In your scenario, I would deploy a RED to the remote site (the configuration is all done at the head-end ASG Appliance), with an AP10 or AP30 behind it. This is a supported configuration, and it works well. Version 8.*** of the ASG software supports split tunneling, and other configuration options, so one of them is bound to fit your needs.

All you need to enabled RED support is to have an active, valid Network Security subscription on the head-end Astaro Appliance you will be connecting it too.

I've got a site or two using the RED, and so far, I like the little boxes.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 eclipse79oldacct over 13 years ago in reply to BrucekConvergent

The RED is a VPN device... it passes traffic at a lower level than your standard IPSEC VPN, and it uses it's own protocol for this.

I hope that the data transfert rate will be high using this protocol. We experience slowness in SSL vpn, and high speed using IPSEC vpn.

bye
eclipse79
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 13 years ago in reply to eclipse79oldacct

I've got one site that has a 2Mb/s Cable Up / Down connection that connects to the main site using a RED. Transfer rates go all the way up to 2Mb/s depending on demand, so I'd say that probably won't be a problem in your situation, as long as your main ASG is not loaded down CPU or RAM -wise.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 tom_01 over 13 years ago

@eclipse79: Use a RED in transparent/split mode. In addition to your usual HQ networks, add the IP "1.2.3.4" to the "Split networks".
Cancel
Vote Up 0 Vote Down

Cancel
0 eclipse79oldacct over 13 years ago in reply to BrucekConvergent

I've got one site that has a 2Mb/s Cable Up / Down connection that connects to the main site using a RED. Transfer rates go all the way up to 2Mb/s depending on demand, so I'd say that probably won't be a problem in your situation, as long as your main ASG is not loaded down CPU or RAM -wise.

My ASG cpu usage is high... some months ago was 75%-80%, now I disabled some feature (ie im, some ips rules) and it is decreased to 60%-65%... But I have to see the memory usage after v8 migration [:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 eclipse79oldacct over 13 years ago in reply to tom_01

@eclipse79: Use a RED in transparent/split mode. In addition to your usual HQ networks, add the IP "1.2.3.4" to the "Split networks".

Hi Tom,
my astaro partner said that in this moment it's not possible to use RED only for AP and VPN: all traffic passes through my HQ ASG, even the web surfing traffic... [:O]

so?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 13 years ago

On the SSL VPN, are you using UDP instead of TCP? UDP is faster. And, yes, the RED connection should be as fast as an IPsec VPN using an AES algorithm.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Gert Hansen over 13 years ago

The biggest difference between SSL-VPN and IPSec ist the SSL is running completly in userspace and every network packet must be copied from kernel to userspace and back, this is expensive and a explanation for slowness that is sometimes seen with SSL-VPN solution.
IPsec is completly processed at kernel space and is therefore a lot more efficient.

For our RED protocol we merged the best from SSL and IPsec and it also runs the complete encryption in Kernel space are within the RED appliance even with hardware accellerated cryptography.
This is how we get a high througput with nearly no latency increased.

Regards
Gert
Cancel
Vote Up 0 Vote Down

Cancel