01-07-2013 11:48 AM
Hi All,
We are looking at some hardware devices to be used in small AV/Videoconferencing rack installations.
The rack will be on customer premises and it has often been the case in the past that the customer would allow us remote access to each device through their firewall using individual 1:2:1 NATed IP addresses. However, some of the equipment we are now using (Extron) unfortunately does not implement encrypted IP communication (such as SSH or HTTPS) and as such we cannot pass such unencrypted traffic across the institution's network border. In addition, assigning multiple IP addresses can be costly for an institution's IP address range (whilst we could port forward the remote admin protocols of many devices to a single IP address, unfortunately some of our management servers don't allow this, aka Cisco TMS - a bugbear for another thread!). It is also true that institutions may have multiple racks across multiple campuses; however, at this moment in time we are looking for a solution for an individual rack rather than being able to manage an entire campus through a single VPN device (although we will certainly look at this possibility in the future).
Each rack may only contain a handful of devices (say around 5), and each of the devices will need to be contactable using some remote administration protocol such as Telnet, SSH, HTTP, HTTPS or VNC. So far, I have been looking mainly at the Cisco ASA 5505, but have also been toying with the 881 router with Advanced IP licence, or even the ISA550 (which although meant for small business might suit our needs).
The traffic the device needs to deal with should not be that great - a single HD videoconference stream is around 2Mbps. The rest of the external traffic would only be remote administration and monitoring. The IP traffic of the actual rack equipment (apart from the VC endpoint) is pretty much internal to the rack.
It is possible that the VPN does not need to be kept open, and can be brought up as and when required for remote administration. Of course, IF we want to be able to monitor the devices, then a more permanent VPN needs to be established. I feel that in the first instance an SSL VPN would work, although in the second instance we would be looking at an IPSEC tunnel (I have read briefly about Group Encrypted Transport VPN, but have no idea really what this is or if it would be of use here).
The VPN hardware device needs to be able to operate in a transparent mode where the devices obtain IP addresses from the institution's network and can also be seen and monitored by a local network server if required.
Am I on the right lines with the devices selected? Has anyone got any further comments regarding the suitability of the VPN types?
Cheers
Chris
01-07-2013 01:15 PM
Hi,
I've got to admit that my opinion/suggestion is pretty biased because of the fact that I have only done VPN implementations with certain devices and certain VPN types.
The most common types of VPNs I've configured for this purpose have been
The devices which I have commonly used to create VPN connections between sites have been
And on the actual VPN setups that I have done
I have to say that I have been most comfortable with the ASA5505 setup (both Hardware VPN Client and L2L VPN). This is because I'm more familiar with the PIX/ASA/FWSM side than the Cisco Routers, with which I rarely have to configure anything that special. I also find that the ASA5505 gives me a lot of tools for troubleshooting purposes, while of course it lacks some that the routers have.
If I'm not totally mistaken the ASA5505 might be cheaper than the C881 routers also.
Pros and Cons of the 2 types of VPN I have used
Hopefully some of the above information has been helpful. Please rate if so
And naturally ask more and I'll see if I can answer your questions.
- Jouni
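As an added illustration of the "permanent tunnel for monitoring" option discussed above (this is example configuration written for this page, not Chris's or Jouni's own config), the following sketch shows an ASA 5505 at the rack terminating an IKEv1 L2L IPsec tunnel to a support-centre firewall, with a vpn-filter so that only the management and monitoring protocols named in the thread can reach the rack devices. Everything in it is assumed: ASA 8.4+ syntax, a pre-shared key, documentation (RFC 5737) and RFC 1918 addresses standing in for the real ones, and object names chosen for readability. It is a routed-mode configuration and does not address the transparent-mode requirement in the question.

```cisco
! Added example, not from this thread. Rack-side ASA 5505, ASA 8.4+ syntax.
! Addresses are constructed: 192.0.2.0/24 rack LAN, 203.0.113.2 rack outside,
! 198.51.100.1 support-centre peer, 10.10.10.0/24 support-centre LAN.
!
! Rack LAN: the handful of AV devices live here
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! Institution-facing interface: the single NATed address the customer provides
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
object network RACK_LAN
 subnet 192.0.2.0 255.255.255.0
object network NOC_LAN
 subnet 10.10.10.0 255.255.255.0
!
! Identity NAT so tunnel traffic keeps the real rack addresses
nat (inside,outside) source static RACK_LAN RACK_LAN destination static NOC_LAN NOC_LAN no-proxy-arp route-lookup
!
! Interesting traffic for the tunnel: rack LAN <-> support-centre LAN
access-list L2L_CRYPTO extended permit ip object RACK_LAN object NOC_LAN
!
! vpn-filter ACL, written from the remote (support-centre) side's perspective.
! Only the protocols the thread mentions are admitted. Telnet, HTTP and VNC
! are plaintext on the wire, which is tolerable only because they never leave
! the encrypted tunnel.
access-list VPN_FILTER extended permit tcp object NOC_LAN object RACK_LAN eq 22
access-list VPN_FILTER extended permit tcp object NOC_LAN object RACK_LAN eq 23
access-list VPN_FILTER extended permit tcp object NOC_LAN object RACK_LAN eq 80
access-list VPN_FILTER extended permit tcp object NOC_LAN object RACK_LAN eq 443
access-list VPN_FILTER extended permit tcp object NOC_LAN object RACK_LAN eq 5900
! Monitoring from the support centre (SNMP polling and ping)
access-list VPN_FILTER extended permit udp object NOC_LAN object RACK_LAN eq snmp
access-list VPN_FILTER extended permit icmp object NOC_LAN object RACK_LAN
!
! IKEv1 phase 1
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! IPsec phase 2
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Group policy carrying the filter, applied to the L2L tunnel group
group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-filter value VPN_FILTER
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy L2L_GP
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_LONG_RANDOM_KEY
```

The vpn-filter is the part that enforces the original requirement: decrypted tunnel traffic bypasses the outside interface ACL on the ASA, so without it the support-centre LAN would have unrestricted access to the rack. Monitoring needs the tunnel up continuously, which is what the L2L form gives; for the on-demand remote-administration case Jouni's Hardware VPN Client (Easy VPN) setup would cover the same devices without a permanent tunnel.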