In article , Mike wrote:
:We presently have a 501 on an SDSL line and are interested in creating
:a VPN to give roughly 50 users in 10 remote offices access to Exchange.
:We also want some people to be able to get to the network from home.
:One of our consultants says the 501 is fine, and just needs software
:upgrades.
There is no software upgrade on the 501 that allows you to exceed the 10 peer limit. You say "10 remote offices", but the "peer" limit includes some ways of configuring remote users (e.g., teleworkers, out of town staff that need to connect through.)
There are also expressed throughput limits for VPN connections on the 501 that are -much- lower than the rated encryption speed. I take those throughput limits with several grains of salt, seeing as they date from before the 501 performance was substantially improved, but I would be significantly concerned about whether a 501 could handle 50 VPN users.
:Another says we need a 515E. In reading this group, I noticed
:there is a 506E that would probably work well.
I wouldn't trust a 501 for that much traffic without a fair bit of traffic simulation. The cost of -doing- that traffic simulation would be -far- higher than the cost of going for a 506E, which is a noticeably faster device with no per-user license limits, and with a limit of 25 peers instead of 10. The 506E also supports a DMZ (though not as cleanly as the 515E.)
In other words, I wouldn't seriously consider the 501 for the application unless the capital budget was very tight but there is an excess of spare time available to the network/security administrators.
506E vs 515E... that's where the question starts to get interesting. What's the rated bandwidth of the SDSL line, and what's the expected amount of Exchange traffic? We find that different internal groups vary considerably on volumes of Exchange traffic -- the more business related groups tend to pass around large documents in email. I found a case the other day where a business logo that was less than 1" by 1" onscreen took more than 750Kb, mime encoded to a megabyte.
: Which will give the best bang for the buck?
Over the short-term, that turns out not to be the most interesting question.
Exchange turns out to be a real nuisance to firewall properly. Or at least Exchange 2000 was; we're still settling into Exchange 2003. I don't know whether it was just because we have peered Exchange servers, but ... well, best not to get me started on all of the problems :( Even if your VPNs are wide open and you are using static public IPs everywhere, you cannot handle Exchange 2000 properly with a PIX 6.x series firewall.
PIX 7.0(1) has "transparent" "layer 2" firewalls, and is supposed to have noticeable improvements in its handling of RPC (remote procedure call.) It still doesn't really groove NETBIOS if I interpret the notes correctly, but -potentially- you could skip the major problems by going Layer 2 instead of Layer 3.
PIX 7.0(1) is available for the 515E (memory upgrade recommended), but is -not- available for the 506E; we have no definite word as to whether it ever will be. Different people have, in good faith, posted indicating that they had been told different answers.
You have a -better- chance of dealing with Exchange with a 515E with 7.0(1)... on the other hand, you know what they say about never deploying a dot-zero or dot-one release in a production environment!
Also, when I say that there are problems, it's pretty difficult to say whether the users will ever notice those problems. Our users often report problems with Exchange, but those problems are difficult to correlate against particular network events; as best we can tell, a fairly high percentage of the reported problems would occur even if there were absolutely no firewall in place.
:In a partly-related issue, since we already have a Citrix box
:(T-1+501), might we be better off using it instead of a VPN? It is
:dedicated to one application and would need additional licenses and
:hardware.
Having your remote users Citrix over to the same subnet as your Exchange server would likely sidestep a number of Exchange problems. But it wouldn't be nearly as fast or user-friendly as having Outlook right on every desktop.
What Exchange features do your users use? If it is -just- the email and address books, then you can save a lot of trouble by using ldaps together with imaps or pop3s, rather than having the full suite of Microsoft protocols eroding your sanity.
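To make the last point concrete: the following PIX 6.x fragment is an added example written for this reply, not something the poster or Cisco supplied. It assumes a front-end server that offers LDAPS, IMAPS and POP3S; the addresses (203.0.113.10 outside, 192.168.10.5 inside) and the access-list name are constructed placeholders.

```cisco
: Constructed example: expose only the TLS-wrapped mail/directory ports
: 203.0.113.10 = assumed public address, 192.168.10.5 = assumed inside address
static (inside,outside) 203.0.113.10 192.168.10.5 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq 636
access-list outside_in permit tcp any host 203.0.113.10 eq 993
access-list outside_in permit tcp any host 203.0.113.10 eq 995
access-group outside_in in interface outside
```

Three fixed TCP ports, all carried over TLS, is the whole inbound policy; there is no endpoint mapper, no dynamic RPC port range and no NetBIOS for the firewall to track, which is the class of problem the paragraphs above describe for full Outlook/Exchange traffic through a 6.x PIX. The same three-port rule set applies unchanged whether the clients arrive over the VPN or from the Internet.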