I need help choosing a firewall/vpn solution.

I need help choosing a firewall/vpn solution. I would MOST appreciate anyones help in making this choice. I have been reading these newgroups, speaking with sales engineers and trying to make the most intelligent decision on my own. I have to admit the more I learn the more I can define what I need...but cannot determine a final product selection.

We are a small business with limited funds. When I spoke with Cisco they told me that they had a small-business solution designed to be both affordable and easy to use. It was only $15,000 !!! I guess Cisco is too big to know what a small-business budget is. :) I would like to keep my budget between $2000 and $4000.

Here is what I really need to purchase.

I want to purchase a new firewall/UTM device to replace my aging SonicWall Pro 200. I need this device to be able to route traffic with different rules for each route AND act as a DHCP server. I will try and explain what I mean by this with an example. I have a network of around 25 computers and 4 servers.. We have a block of 64 public ip address that are using for external access. The 4 servers are as follows:

  1. Microsoft Small Business Server 2003 with Exchange Server running.
  2. Microsoft Windows Server 2003 with Citrix Presentation Server running.
  3. A Windows XP security camera server with proprietary video remote services.
  4. A VOIP PBX telephone server (not connected currently...but want it to be). The 25 computers consist of primarily Windows XP boxes with a couple of Mac OSX and Windows 2000 boxes. We also have around 10 network-connected devices (i.e. network printers, scanners, time clocks, etc.). We have 5 mobile users who need to be able to connect to our network through some type of VPN solution. We also have a branch office that has a SonicWall TZ170 Wireless.

My requirements for this project are as follows:

  1. The device(s) must be a DHCP server for our internal network (192.168.168.x).
  2. The device(s) must be able to reserve internal addresses for certain devices so that they will always keep the same ip (so that our ip printers & devices will always be at a certain 192.168.168.x address).
  3. The device(s) must be capable of taking requests for various external public IP addresses and transferring that traffic to static internal-network devices. In example, taking our external IP address and route that traffic to our internal network Exchange server residing at This feature must be able to apply different security policies (open port settings) to different extIP/intIP translations. We need to lock down our Exchange server as tight as possible and allow our camera server to be almost wide open. THIS IS VERY IMPORTANT AND IS THE MAIN REASON THAT WE ARE REPLACING THE SONICWALL PRO 200, AS IT IS NOT CAPABLE OF THIS FEATURE.
  1. The device(s) must be able to connect to our Branch Office's SonicWall TZ170 Wireless device creating a VPN tunnel so that the users at that office are able to share our network without having to run local VPN software. (I might be willing to replace the TZ170W if the solution required it)
  2. We currently use the VPN solution provided in Microsoft's Small Business Server 2003. We like this because it doesn't require any extra software on the remote users computers. We are however interested in replacing this with an SSL VPN device for ease of use and cross-platform support. We have several users that would like to connect via their smartphones and know that this is an option with some manufacturers SSL-VPN products. It would be nice if this SSL VPN device could verify that the connecting user has virus software installed PRIOR to letting them connect.
  3. Must be easy to setup and maintain. If we add another server it must be easy to create a new public-to-private iIP route with unique policies/rules WITHOUT disturbing the other previously configured settings. This is one problem with our current SonicWall Pro 200...we tried to install a new VOIP server and we couldn't open the ports for just that device...we had to open them for all the traffic.

I sincerely appreciate your help and if I can do anything to help clarify my needs please let me know. I cannot tell you how grateful I am for the help.

< michael
Reply to
Loading thread data ...

Why ? , you have W2K3- Servers, which can do the job better, than every firewall i know.

On DHCP-Server: static entries, on Firewall dito. no problem.

OK, but you don't need only a new firewall (hardware), you need a concept. Never allow traffic from the untrusted to the trusted network. Therefore exists a DMZ. if you are running Exchange and IIS public visible in the internal lan, you don't need a firewall, you can use a simple router, the security is the same.

If it is a standard IP-sec VPN, it should be no problem with most solutions.

a VPN endpoint in the internal lan: brrrr.

VOIP is a problem, because it oftens has the need of dynamic ports. This is also a must to place him in the DMZ

OK, some ideas for firewalls:

  1. Astaro
    formatting link
    as UTMS-Firewall, but you have to look for a consltant in your region.
  2. Cisco ASA 5505 or 5510, depending on your real needs.
  3. take a look to M0n0wall
    formatting link
    and spend money for servers and proxies (as ALG) in the DMZ.

A budget from 0? (m0n0wall) up to 3000? Astaro, Cisco ASA 5510, without implementation is imho realistic.

bye Christoph

Reply to
Christoph Hanle

WatchGuard and SnapGear have FW appliance solutions in your price range.

formatting link
formatting link

formatting link
If you want to know more about the products, then I suggest you get on the phone with them and go to their Web site and look at product spec. sheets.

Reply to
Mr. Arnold


I am a Sonicwall partner. They have a number of different possibilities that are well within your price range. I would be happy to discuss what Sonicwall can offer you. Feel free to give me a call at my office or drop me an email at jamie at danmarkcom dot com.

-------------- Posted via

formatting link

Reply to
Jamie Jamison

Sorry. I left off my office number in the last post, and I can't seem to get the edit to stick. My office number is 256-766-1580.

-------------- Posted via

formatting link

Reply to
Jamie Jamison

Bad move - SBS should be the DHCP server and the only DHCP server on any network where you use SBS, if not, you stand a real problem with resolution. It should also be the DNS server for all of your computers, including itself.

Firewalls don't do that, that's a function of your internal DNS and your ability to create a DHCP reservation in your SBS Server.

Most every firewall can do this - WatchGuard is my choice, and you can have multiple HTTP rules or SMTP rules, that you can define as from IP Z.x.c.v or V.d.r.f or anything, and you can map them to any internal IP and even a different port if needed.

Simple, Watchguard, as well as most others, act as IPSec VPN endpoints/servers.

WatchGuard has a SSL VPN appliance, and their firewalls, X550 and above act as PPTP VPN Servers, so your users can connect to the firewall and then have rules applied based on their user/group (on the firewall) to limit their access to the SBS network. You don't need a Dual NIC solution then, making life a LOT easier for branch office solutions.

WatchGuard does this, has done it for years, and it's simple.

VOIP is simple, but you have to understand how VOIP works and the requirements, it also helps to know the ports that are bring use.

formatting link
- call them or email me.

You really need to fix your network, SBS should be the DHCP server as well as your ONLY DNS server for you to properly use SBS.

Reply to

Thank you for your suggestions so far. I am learning tons. I probably need to hire a consultant but in my budget it isn't easily done. I am glad that I have this forum to help me make the decision.

Thanks again for the recommendations.

Keep them coming...even if only to flame my original post. I take constructive criticism pretty well. ;)

Reply to

I would recommend you take a look at a lower-end Sidewinder G2 appliance while your researching firewalls

formatting link
I've used them for years and they are rock-solid.

I also suggest that you only use the firewall to allocate DHCP to your VPN clients and use an internal DHCP server for the internal clients.

Reply to
Default User

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.