VPN Replacements

Hi all,

We currently have an Ivanti/Pulse VPN unit, which is behind a Juniper firewall and Juniper core switch. This is generally fine for us but we are looking at a hardware refresh next year and wondering what options we might have. We have around 100-ish staff with 80 concurrent VPN licenses, though about 40-50 are generally connected.

We could just replace this as is, but I’m wondering if there are other solutions that people are using that could work. Like replacing it with a Fortinet and just running the VPN through the firewall.

Or even look at a VPN on a VM or hosted in Azure?

Just trying to get some general ideas.

We had the Juniper/Pulse combo before and swapped to Palo Alto when we had a hardware refresh - partially to avoid the VPN per-user stuff.

We did look at the Fortinet too, but the cost difference was at the time not massive and Palo Alto seemed to be regarded as better. Though this was for the entry class device, and I know Palo Alto stuff is… Well, not always budget friendly.

Happy with the swap regardless.

pfSense and OpenVPN make a nice little VPN server without $$ licensing; build it on your own hardware.

For whatever it’s worth, I’m running Forticlient VPNs straight from laptops to the edge Fortigates and it works like a charm.

Pritunl is a nice little free VPN server.

I’m happy with our Fortigate + VPN

You can run the VPN through the Juniper firewall as long as you have a recent firmware version. The feature is called “Juniper Secure Connect” and the licensing is rather inexpensive.

Assuming you are a Windows shop, MS Always On VPN?

If you swap to Palo Alto, I think VPN licenses were included? Meaning a serverless solution.

Twingate has been good for us. Recently had a high-profile user tell me that it’s been the best VPN/ZTNA option he has used over the years with us; we have been through a bunch.

How hands on do you want to be?
Personally I would go with a dedicated machine and a WireGuard setup, assigning personal certificates per user.

It’s super fast…
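As an added example that is not part of this thread (and not the commenter's own setup), here is what the "one identity per user" idea looks like in practice. WireGuard authenticates peers with Curve25519 key pairs rather than certificates, so each user gets their own key pair and their own /32 tunnel address, and the server-side AllowedIPs for that peer is pinned to that single address. Revoking a user is then just dropping their [Peer] block. The X25519 key math is written out in pure Python from RFC 7748 only so the script runs offline; the user list, subnet and endpoint are constructed sample values, and in a real deployment you would use `wg genkey`/`wg pubkey` for keys.

```python
"""Per-user WireGuard peer configs (added example, not from the thread)."""
import base64
import os

P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def _decode_scalar(k):
    # Clamp the private scalar as RFC 7748 section 5 requires.
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u):
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def _cswap(swap, a, b):
    # Branch-free conditional swap; swap is 0 or 1.
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(k_bytes, u_bytes):
    """Montgomery ladder from RFC 7748; returns the shared u-coordinate."""
    k = _decode_scalar(k_bytes)
    x_1 = _decode_u(u_bytes)
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        A = (x_2 + z_2) % P
        AA = A * A % P
        B = (x_2 - z_2) % P
        BB = B * B % P
        E = (AA - BB) % P
        C = (x_3 + z_3) % P
        D = (x_3 - z_3) % P
        DA = D * A % P
        CB = C * B % P
        x_3 = pow(DA + CB, 2, P)
        z_3 = x_1 * pow(DA - CB, 2, P) % P
        x_2 = AA * BB % P
        z_2 = E * (AA + A24 * E) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair(seed=None):
    """Private key is 32 random bytes; public key is X25519(priv, 9)."""
    priv = seed if seed is not None else os.urandom(32)
    return priv, x25519(priv, BASE_POINT)


def b64(raw):
    return base64.b64encode(raw).decode()


def build_peers(users, subnet="10.8.0."):
    # One key pair and one /32 per user; .1 is reserved for the server.
    peers = []
    for i, name in enumerate(users, start=2):
        priv, pub = generate_keypair()
        peers.append({"name": name, "priv": priv, "pub": pub, "address": f"{subnet}{i}/32"})
    return peers


def render_server_conf(server_priv, peers, listen_port=51820):
    lines = ["[Interface]", "Address = 10.8.0.1/24",
             f"ListenPort = {listen_port}", f"PrivateKey = {b64(server_priv)}", ""]
    for peer in peers:
        # AllowedIPs pinned to the user's own /32: the server drops anything
        # else that arrives through this peer's tunnel.
        lines += ["[Peer]", f"# {peer['name']}", f"PublicKey = {b64(peer['pub'])}",
                  f"AllowedIPs = {peer['address']}", ""]
    return "\n".join(lines)


def render_client_conf(peer, server_pub, endpoint, internal_nets="10.0.0.0/8"):
    # Split tunnel: only the internal ranges go through the VPN.
    return "\n".join(["[Interface]", f"Address = {peer['address']}",
                      f"PrivateKey = {b64(peer['priv'])}", "", "[Peer]",
                      f"PublicKey = {b64(server_pub)}", f"Endpoint = {endpoint}",
                      f"AllowedIPs = {internal_nets}", "PersistentKeepalive = 25", ""])


def revoke(peers, name):
    """Offboarding: drop the user's peer, re-render, then `wg syncconf`."""
    return [p for p in peers if p["name"] != name]


if __name__ == "__main__":
    server_priv, server_pub = generate_keypair()
    peers = build_peers(["alice", "bob"])  # constructed sample users
    print(render_server_conf(server_priv, peers))
    print(render_client_conf(peers[0], server_pub, "vpn.example.test:51820"))
```

The client configs are the only thing that needs to reach each user, and each one is useless to anyone else because the server only accepts that key on that one address; that is the property the "per user" suggestion is really buying you.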

We run SonicWall, it’s… fine. Get some weird disconnect issues when transferring large files sometimes, and I wish the transfer speeds were better overall.

Should probably switch to something else.

Check out CloudZiti. It’s a SaaS zero trust overlay built on open source OpenZiti. It builds outbound-only connections, least privilege, microsegmentation, posture checks, private DNS and more. Others mentioned Twingate; it’s similar in ways, but also more expansive - e.g., it can also do ‘east-west’ ZTN connectivity in the LAN. It also supports integration via the Azure API for posture checks from Microsoft Endpoint Manager, as you mentioned would be good in another comment.


Fortinet works fine aside from the common credential issues by users or its service stopping. SonicWall along with it. Just with the amount of users you have, make sure MFA is set in place.

The available ZTNA options can feel a little daunting, we (enclave.io) made a vendor directory to help https://zerotrustnetworkaccess.info

Let us know if you find it useful.

(disclosure- founder @ enclave.io)

What are you accessing over the VPN?

If you’re at the stage of finding a new vendor perhaps your vendor could be a zero trust option with reverse proxy or similar?

It’s 2023, VPNs aren’t needed for most use cases.


Have a look into ZTNA access solutions. Most vendors have them. The main benefit is that you don’t need to expose any ports to the internet for remote access.

I’ve used Netskope Private Access, which is good and easy to set up.

Thanks for that. Palo Alto doesn’t feel like it’s in our budget though if we can drop the Pulse PSA devices and roll the cost in. Hmm.

Sure, but how did you extend for MFA?