31 Mar 2020 WatchGuard VPN Round-Up
VPN Round-Up – Pros and Cons
Previously I have covered the different types of VPN technology and how to configure them. Today I will be weighing up the pros and cons of each providing different use cases for each one.
SSL VPN using WatchGuard Access Portal via a web browser for RDP or specific applications
- Extremely quick and easy to set up with no configuration required client-side
- For those that need access to a high compute workstation without needing to open RDP or rely on other screen sharing services this provides the most elegant solution without performance issues
- Lightweight so no performance issues and full-featured via the use of HTML 5 allowing you to publish specific applications to specific groups of users
- Can be accessed from anywhere on any device without the risk of a virus or malware infecting the remote station from the users own device
- Integrates with Active Directory, RADIUS and Firebox-DB for authentication and can be further secured with WatchGuard AuthPoint MFA service
- Does require a Terminal Server or each individual workstation to have a Static / DHCP reservation
- If you close your browser window you will be logged out of the remote session
- Not compatible with all applications
Perfect for those who need a high compute workstation or to access a specific application on the go meaning you could perform work from a tablet without security or performance issues or without needing to install a VPN client or configure one
To see how to configure the Access Portal click here.
IKEv2 VPN Using the inbuilt Windows, MAC and IOS VPN Client
- By far the most robust VPN utilising multi-layer security with IPSec and certificates to ensure the user is whom they say they are
- Lightweight so performance is not compromised resulting in low CPU usage
- Widely supported by Windows, macOS, IOS and Windows Mobile so there is no application to install client-side
- Integrates with RADIUS and Firebox-DB for authentication and can be further secured with WatchGuard AuthPoint MFA service
- The configuration files cannot be pushed out by Group Policy yet
- Doesn’t support Active Directory authentication so requires a RADIUS server with Certificate Authority
- Requires IPSec to be allowed outbound
Perfect for any application especially if Voice is a requirement due to the lightweight protocols in use although RADIUS can be a requirement most enterprises are starting to shift towards using RADIUS / 802.1x infrastructures.
To see how to configure IKEv2 click here.
SSL VPN Using the WatchGuard VPN Client
- Uses TLS encryption on port 443 which is typically not restricted
- The client can be pushed out via Group Policy without the end-user needing to install anything as such
- Integrates with RADIUS, Active Directory and Firebox-DB for authentication and can be further secured with WatchGuard AuthPoint MFA service
- Relies on TCP resulting in it having the most overhead impacting on performance
- It is the most CPU intensive out of all three
- Not suitable for latency-sensitive applications such as VoIP or if you need to transfer large files in a hurry
Perfect for those who need to push out a VPN client quickly without the user needing to do anything or those that do not have a RADIUS/Certificate authority.
To see how to configure SSL-VPN click here.
If you would like to get in touch with any further questions about this article or any other technical enquiry, please contact us on +44 (0) 1488 647 647
Author: Alex Claro – Solutions Architect Team Lead at Purdicom (CCNP, CWNA). To read this article and more by Alex on LinkedIn check here: https://www.linkedin.com/in/alex-claro/detail/recent-activity/posts/