I want to try installing a VPN router to VPN router connection from our office to my home. What brand (or model) of router is best and easiest for this connection? I never tried this type of connection before so I will be winging it. I will be trying to connect a Nortel BCM ip phone through this connection. Any input will be appreciated! :shrug:
Great question... I am interested in this exact topic too!
Will be waiting for an answer
- Tony Ohio Data LLC Phone systems, data networks, firewalls and servers in Central Ohio. Some people aren't used to an environment where excellence is expected.
Presumably no static address at your home. If this is the case, Zyxel makes some pretty cheap ones that will allow you to build a VPN route between a static and non-static address. When the non-static address changes from the ISP, the remote location will report back to the static address router, which will then rebuild/reconfigure the tunnel.
I will be using static addresses and maybe 1 non-static. Does the Zyxel have a wizard for installing the VPN? What model of Zyxel do you use? Has anyone used the Linksys router RVS4000? Thanks for the answers!
Please bear with me, since I have not done any VPN-ing at all.
So... if I am understanding this correctly, I can have Zyxel box A at the office, on a static IP, and at each customer's site I can install Zyxel box B, which will be DHCP and find Zyxel box A every time it is rebooted and/or gets a new IP?
I can then be on my network at the office and connect through the Zyxel VPN and Administrate our phone system, is this correct?
If so that would be way cool, as we have some sites that we can never connect to via dial-up any more.
The only problem you might run into if you are wanting to install them at customer sites (other than the CG) is most of the lower end VPN devices have a limit on the amount of active tunnels... usually 5-10 tunnels.
Okay, so it would work as I inquired, but I couldn't have 50 installed at once and working.
So maybe for every 10 sites, I would have to add another "Box A" at the office in theory?
If so that's cool and it's a start. Thanks!
----
Any ideas on a product that could support 100+ "Box B"'s connecting to the Office "Box A"?
If you plan on having that many sites connected, then a higher end VPN endpoint would be a better solution. If you are buying new, it'll cost ya, but there are plenty of Cisco PIX 506Es floating around eBay most of the time with unlimited tunnel licenses.
Another thing to consider if you actually plan on setting up that many VPNs: you might not want to put "box A" on your normal office network, since that would allow that many sites to have access to your computers etc. at the office.
I picked up a lot from "Networking for Dummies" and I bought it at Border's Books. Not bad reading and it will enlighten you on a lot of what you need to know. I wouldn't count on it for everything though.
Originally posted by MacOSX: Okay, so it would work as I inquired, but I couldn't have 50 installed at once and working.
So maybe for every 10 sites, I would have to add another "Box A" at the office in theory?
If so that's cool and it's a start. Thanks!
Think of each VPN tunnel as an unsecured port on a switch located in a building where you are not in control of access. Maybe you wouldn't want them all on at the same time?
We use RDC a lot and VPNs to a lesser extent but they're only on when in use and the security is as tight as is reasonable.
The best way to learn this stuff is to do it, but a lot of the time the purpose-built equipment is prohibitively expensive. Fortunately, the linux world has come up with a lot of creative solutions and most of them are free for non-commercial use. I would suggest rounding up a pair of old PCs (any Pentium with 64MB of RAM and a 1GB HD will suffice), loading them up with a pair of NICs each, burning a CD of the Smoothwall installation and getting some hands-on experience.
Don't read the manuals, just hook up a kb, mouse & monitor and boot off the install CD. Once the box is set up, you won't need any of 'em (you can even yank the CD-ROM). Once it's running, you can configure it via web browser and set up your VPNs and all that good stuff. If you have dynamic IPs, you can configure it to automatically log in to services like DynDNS for easy access. I've recycled dozens of PCs for friends to use as robust broadband firewalls with lots of features you don't normally get off the store shelf. Plus they can be tossed in just about any closet and forgotten about - just remember to turn off KB errors in the BIOS and they'll run for years unattended. My parents have one that's over a half-dozen years old and still doing the job.
Or read a book. =)
"There is one thing and only one thing in which it is granted to you to be free in life, all else being beyond your power: that is to recognize and profess the truth." - Leo Tolstoy
I think it's a BIG mistake to install a firewall and then "just forget it". Especially in a production environment. This is not a static environment. Every firewall release, left unattended, is a WASTING ASSET because it is immediately subject to hostile probing and odds-on to be compromised unless frequently updated to keep up with new attacks. You may be one of the lucky ones to avoid the attention of hackers/crackers, but in a business environment, can you afford to take the risk? This is one of the reasons "purpose-built equipment is prohibitively expensive". This is also why, imo, when it comes to security, proprietary, closed products get my vote, as long as they're accompanied by commensurate warranties on the part of the vendor(s). (It amazes me how few so-called security "professionals" look at the warranties and the support the vendors provide, and discuss in advance what happens if the vendor's system is compromised.) To add to the VPN issue: MacOSX, before you go splurging on tunnel licenses, estimate the maximum number of concurrent VPN connections you will need - that's the proper metric. If you need only 1 or 2, there is no need for a site-to-site VPN, since in such case you can establish a (software) client-to-server VPN as needed. If you need something more robust, easy to use, and proven in the field, the Cisco boxes mentioned above are a good option. Although I think the small-business products by Sonicwall are better suited to smaller offices. But currently, for simplicity and ease-of-use, I'd go with Sofaware. Their small business offerings are very competitive, and they also sell a home version, which I've been using for the past few months. The annual subscriptions for security are currently the cheapest among comparative products. The prices for gateway antivirus, antispam and filtering are also right up there. Of course, security is a very competitive field and vendors keep leapfrogging each other, both in technology and support.
Next year, one of the other players may be on top in the small office market. My loyalties are very fickle.
Thanks for all this information so far, keep it coming!
Now, just to give you an exact idea of what I want to have done...
I install and service Toshiba phone systems, and they can be connected to a network for administration. I have had more problems than not recently with customers getting these VoIP PRIs, and I can't maintain a good connection over dial-up... even for a quick change. I want to take advantage of the network capabilities of the systems to remedy this growing problem.
BUT
I do not want to have to ask every customer's IT guy to set me up with VPN (not their problem/security issues/etc.).
My goal is to find a plug-n-play device that I can install ahead of the customer's firewall, plug into the NIC on the CIX and connect to it from any high-speed internet connection with my laptop... mainly at the office.
What hardware software combinations do you suggest for this?
BTW, I'm sure there are many answers, so please let everyone speak before bashing their ideas. I'm open to every/anything at this point, to better serve my customers.
Tony, there is not an "easy" way to do what you're describing. The easiest solution that I can think of for what you want would be to find out what ports the Toshiba uses for admin communications and have the IT folks forward the needed ports to the system.
Most larger companies with an actual IT guy shouldn't have much of a problem doing it since they can also normally limit access to just your office IP address. Any of the smaller companies running cheapo firewall/gateways can probably live with you installing a new gateway with the configuration to suit your needs.
If you had a dedicated computer on each site for programming, it would be a whole different story. A program called "teamviewer" will allow remote access to a computer from virtually anywhere with normally no changes needed on the firewall.
Originally posted by sph: I think it's a BIG mistake to install a firewall and then "just forget it". Especially in a production environment. This is not a static environment. Every firewall release, left unattended, is a WASTING ASSET because it is immediately subject to hostile probing and odds-on to be compromised unless frequently updated to keep up with new attacks. You may be one of the lucky ones to avoid the attention of hackers/crackers, but in a business environment, can you afford to take the risk?
I think you misunderstood the entire point of what I was saying, sph. At no time did I suggest using freebie firewall software in a production environment; I was merely proposing a low-cost way of learning how these devices work.
Oh, and ALL computer equipment is considered a wasting asset - your CPA can explain the term for you if you're confused.
Originally posted by 93mdk93: I think you misunderstood the entire point of what I was saying, sph. At no time did I suggest using freebie firewall software in a production environment; I was merely proposing a low-cost way of learning how these devices work.
Oh, and ALL computer equipment is considered a wasting asset - your CPA can explain the term for you if you're confused.
Fair enough, I'm sorry if I misunderstood. I used the term "wasting asset" to signify security-related depreciation, not the financial one.
Other than that, I think ipofficeguy's suggestions cover what MacOSX was asking for.
Security is a kinda sore issue with me, so sorry again for being a bit forceful. Maybe I should give an example of what's actually out there in computerland (web page). Everything listed on this page is a security vulnerability.
Jeff, I was actually looking at Hamachi tonight. What are your thoughts on it so far? I'm still learning this stuff as well and was curious if that was a program that I could use to connect to a phone system and run an IP softphone through the program. Any ideas?
Also, MacOSX, just a thought. Have you thought about just putting the phone system on the customer's network, taking over a computer on site via LogMeIn or something and just going through that?
We have an extensive VPN hub and spoke network. We can access every client's location via VPN and we configure everything remotely.
For our systems we use Sonicwall. We also use the Sonicwall Global VPN client on all our laptops so if we're out of the office and have to stop by a WiFi hotspot to fix someone's problem we can create a VPN tunnel from pretty much anywhere.
Originally posted by Xcountry: Also, MacOSX, just a thought. Have you thought about just putting the phone system on the customer's network, taking over a computer on site via LogMeIn or something and just going through that?
Yes and we have done that at very few sites, because we don't want to install our admin software on site usually.
----
Originally posted by MacGyver: You'd asked about brands.
We have an extensive VPN hub and spoke network. We can access every client's location via VPN and we configure everything remotely.
For our systems we use Sonicwall. We also use the Sonicwall Global VPN client on all our laptops so if we're out of the office and have to stop by a WiFi hotspot to fix someone's problem we can create a VPN tunnel from pretty much anywhere.
Exactly what I'm looking for! Can you PM me ballpark costs of integration? (i.e. - cost per user (laptop/desktop/home pc/etc.) and cost per hardware unit). I don't need exacts, just enough to get an idea.
Thanks!
I guess it all depends on what you have going. For my small end customers, I throw in a Netgear FVS114. They can be found cheap, refurb. The only reason is because they had a major software flaw that can be corrected by flashing to the current level. Throw one at each end, set up the VPN, all's good.
Also, you can get the netscreen vpn client free from Sprint's site to allow client side connectivity.
Tony we also run gateway antivirus from the boxes as well so that things get caught at the Sonicwall instead of making it to the workstations and servers. We're renewing several of those subscriptions this week, so I'll pull some numbers for you when I get to the office.
Tony it looks like the boxes have run $300-400 on up depending on how many nodes were needed. Those are the TZ-170s. A few locations are running TZ-170 Wireless units for guest WiFi as well, and there are still a couple of clients utilizing the old Sonicwall Soho3's. It looks like a few more are already running the next generation box, but the 170s are still readily available and a very good unit.
Once you register the units, you get a mysonicwall.com login and you can download the Global VPN Client software for free. I even have it on an iPAQ PDA from back when I was doing a lot of the tech work, just in case I had to fix a problem at a client's location while I was at the mall or something. Once you connect via the GVPN Client, you'll get a private IP address from that location's LAN and you can ping around the network and do whatever you need. For the phone switches we have a dedicated workstation just for us that's hooked to the phone system as well as other things we monitor.
We have each client's location set up on a different subnet, so if I'm sitting at my desk and I try to ping 192.168.1.x, the packet routes automatically to that client's LAN. Using our administrative login, I can even access client 1's LAN from client 2's offices. It uses the hub and spoke system, so the packet runs back down the line to our NOC (the hub), and then out the spoke to that client.
It's not uncommon for us to go all year and never set foot on a client's site.
Originally posted by MacGyver: Tony it looks like the boxes have run $300-400 on up depending on how many nodes were needed. Those are the TZ-170s. A few locations are running TZ-170 Wireless units for guest WiFi as well, and there are still a couple of clients utilizing the old Sonicwall Soho3's. It looks like a few more are already running the next generation box, but the 170s are still readily available and a very good unit.
Once you register the units, you get a mysonicwall.com login and you can download the Global VPN Client software for free. I even have it on an iPAQ PDA from back when I was doing a lot of the tech work, just in case I had to fix a problem at a client's location while I was at the mall or something. Once you connect via the GVPN Client, you'll get a private IP address from that location's LAN and you can ping around the network and do whatever you need. For the phone switches we have a dedicated workstation just for us that's hooked to the phone system as well as other things we monitor.
We have each client's location set up on a different subnet, so if I'm sitting at my desk and I try to ping 192.168.1.x, the packet routes automatically to that client's LAN. Using our administrative login, I can even access client 1's LAN from client 2's offices. It uses the hub and spoke system, so the packet runs back down the line to our NOC (the hub), and then out the spoke to that client.
It's not uncommon for us to go all year and never set foot on a client's site.
That is EXACTLY what I am looking at learning/integrating. Thank you so much for that wonderful explanation! I will do some research on it and get back to you with questions/comments... (you are now my official go-to Sonicwall FAQ rep!). :toast: