• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Roaming users with laptops - VPN for internet access?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> VPN >> Roaming users with laptops - VPN for internet access? Page: [1]
Login
Message << Older Topic   Newer Topic >>
Roaming users with laptops - VPN for internet access? - 10.Jul.2008 10:43:43 AM   
dgunner

 

Posts: 34
Joined: 1.Dec.2005
Status: offline
I have about a dozen or so roaming users with a laptop used for Internet access both at home or from hotels etc.

At the moment they just plug in (local firewall) to the network or connect over wireless and browse the web.

I am wondering whether they should in fact VPN to our network first to gain Internet access so we can better protect their machines.

Is this generally considered a good idea ( a company I used to work for before I did this sort of thing did it without any problems) or even of benefit? Will it not slow down their Internet access?

I don't want to go overboard but at the same time think that as they nearly all use dodgy wireless connections it's probably a good idea.
Post #: 1
RE: Roaming users with laptops - VPN for internet access? - 10.Jul.2008 11:00:37 AM   
jdostal

 

Posts: 27
Joined: 20.Sep.2007
Status: offline
You might be better off just creating GPO's that bump up the Windows Firewall on the laptop when they are off domain...

Do you use a web filter?  WebSense actually has a laptop client that you can install...the client is invisible to the user, but it basically checks back with your web filter every time a user makes a request to see if it's allowed or not.  Works pretty well!

(in reply to dgunner)
Post #: 2
RE: Roaming users with laptops - VPN for internet access? - 10.Jul.2008 1:12:31 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

the only complain I have about ISA is the VPN client, it is TOO SLOW!! Maybe is better you test your proposing solution and see how it goes.

Donīt know websense, but it sounds good too.

Regards,
Paulo Oliveira.

(in reply to dgunner)
Post #: 3
RE: Roaming users with laptops - VPN for internet access? - 14.Jul.2008 11:25:39 PM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
quote:

ORIGINAL: paulo.oliveira

Hi,

the only complain I have about ISA is the VPN client, it is TOO SLOW!! Maybe is better you test your proposing solution and see how it goes.

Donīt know websense, but it sounds good too.

Regards,
Paulo Oliveira.


Hello Paulo,
 
We use the MS VPN Client (CMAK'd) on Windows XP Pro with ISA Server 2006 Enterprise (2 node array) and we experience no slowness what-so-ever with any type of traffic.
 
Prior to the ISA 2006 Ent 2 node we were running ISA Server 2004 Standard on a single node with no issues for 2 1/2 years.
 
Did you happen to see slowness with a particular concurrent amount of VPN Users (say over 200, etc)?
 
By the way our VPN requires it to be the remote gateway and all internet access is routed through the VPN (IE Proxy Auto Config script).
 
Mike Driest
Network/Systems Administrator
 
Industrial Control Repair
www.industrialcontrolrepair.com

(in reply to paulo.oliveira)
Post #: 4
RE: Roaming users with laptops - VPN for internet access? - 16.Jul.2008 8:42:29 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Mike,

I feel the slowness with only one user connected. I donīt think this has to be with my bandwidth, cause we have 1MB and is not fully used.
If I ping from VPN network to an internal server, the reply is about 400ms.
quote:

By the way our VPN requires it to be the remote gateway and all internet access is routed through the VPN (IE Proxy Auto Config script).

I use it the same way, otherwise it will be a security issue.

Is there any guide to help me improve my VPN performance? I appreciate any suggestion.

Note: I donīt use CMAK.

Regards,
Paulo Oliveira.

(in reply to mdriest)
Post #: 5
RE: Roaming users with laptops - VPN for internet access? - 16.Jul.2008 8:54:42 PM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
quote:

ORIGINAL: paulo.oliveira

Hi Mike,

I feel the slowness with only one user connected. I donīt think this has to be with my bandwidth, cause we have 1MB and is not fully used.
If I ping from VPN network to an internal server, the reply is about 400ms.
quote:

By the way our VPN requires it to be the remote gateway and all internet access is routed through the VPN (IE Proxy Auto Config script).

I use it the same way, otherwise it will be a security issue.

Is there any guide to help me improve my VPN performance? I appreciate any suggestion.

Note: I donīt use CMAK.

Regards,
Paulo Oliveira.

 
Hi Paulo,
 
When we originally had ISA 2004 STD we had a single full T1 line 1.5MB for about 1.5 years  We then upgraded to 2xT1s for a full 3MB about 1.5 years ago.
 
When we had a single T1 there were about 15 or so concurrent VPN Users and then with the 3MB and 2 node ISA 2006 Array we now have about 30 concurrent VPN Users.
 
In either setup we haven't seen any slowness due to VPN.
 
Our MS VPN Client was setup with CMAK, but I've also used the MS VPN Client that's built into Windows XP with no speed differences.
 
When you ping an internal server from VPN and receive 400ms is that while using a Cellular AirCard/Mobile Broadband Card?
 
A lot of our users have Sprint Mobile Broadband Cards and when using EVDO Rev. A I think normal latency to an internal server is about 200ms-250ms on average.
 
I have Comcast at my house and when connected to our VPN the latency to an internal server is an average of 50ms.
 
Who is your ISP?  Can you ping the Router in front of ISA from the same device that gave you 400ms?  If so what's the result?

_____________________________

Mike Driest
Network/Systems Administrator
MCSA + Security

Industrial Control Repair
www.industrialcontrolrepair.com

(in reply to paulo.oliveira)
Post #: 6
RE: Roaming users with laptops - VPN for internet access? - 23.Jul.2008 8:24:50 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Mike,

thanks for the response. Iīll test ir and let you know.

Regards,
Paulo Oliveira.

(in reply to mdriest)
Post #: 7
RE: Roaming users with laptops - VPN for internet access? - 6.Aug.2008 8:11:26 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Mike,

the device I'm using is a notebook. My home speed connection is 200kbps

I pinged to my ISP and the result is below:

   Packets: Sent = 30, Received = 30, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 663ms, Maximum = 750ms, Average = 683ms

I also pinged to an interal machine and the result is below:

   Packets: Sent = 30, Received = 28, Lost = 2 (6% loss),
Approximate round trip times in milli-seconds:
   Minimum = 642ms, Maximum = 791ms, Average = 684ms

Regards,
Paulo Oliveira.

(in reply to mdriest)
Post #: 8
RE: Roaming users with laptops - VPN for internet access? - 7.Aug.2008 7:10:16 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I've deployed numerous ISA VPN solutions and had various issues, but never speed problems...wouldn't hestiate to recommend ISA for VPN client use, it really is pretty bulletproof and a great solution when you consider the amount of protection you can achieve with ISA application-layer filters and granular user based access policies.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to paulo.oliveira)
Post #: 9
RE: Roaming users with laptops - VPN for internet access? - 7.Aug.2008 9:19:44 AM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Hi Paulo,
 
The combination of 200kbps and the 683/684ms avg latency is what's killing your speed and overall experience.
 
What time of home connection do you have and who's your ISP?
 
Thank you,
 
Mike Driest

_____________________________

Mike Driest
Network/Systems Administrator
MCSA + Security

Industrial Control Repair
www.industrialcontrolrepair.com

(in reply to paulo.oliveira)
Post #: 10
RE: Roaming users with laptops - VPN for internet access? - 7.Aug.2008 3:39:22 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Jason,

thanks for the reply and for share your experience. But, is not just me, my manager complained about ISA VPN too. One other collegue of my also thinks itīs too slow.

I really like ISA features! In fact, Iīm trully recommending this GREAT firewall to my other collegues, because of itīs cools features.

Do you also think is my internet connection or some misconfiguration on my ISA server?

Regards,
Paulo Oliveira.

(in reply to Jason Jones)
Post #: 11
RE: Roaming users with laptops - VPN for internet access? - 7.Aug.2008 3:42:48 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Mike,

I was afraid you said that about my speed.

I connected at 20:00h. My ISP is a digital TV company named NET.

Regards,
Paulo Oliveira.

(in reply to mdriest)
Post #: 12

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> VPN >> Roaming users with laptops - VPN for internet access? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts