Re: Hey, Leythos!
- From: Leythos <void@xxxxxxxxxxx>
- Date: Sun, 28 Oct 2007 06:48:51 -0400
In article <OJsDL3RGIHA.4476@xxxxxxxxxxxxxxxxxxxx>, bogus@xxxxxxxxxxx says...

> "Leythos" <void@xxxxxxxxxxx> wrote in message
> news:MPG.218d8418b7c40078989720@xxxxxxxxxxxxxxxxxxxx
>
> > In article <euWYgrNGIHA.5208@xxxxxxxxxxxxxxxxxxxx>, bogus@xxxxxxxxxxx says...
> >
> > > Hi, Leythos!
> > >
> > > You seem to like the WatchGuard products a lot. What current models would you recommend for a business that has 25 users at the main site and three remote sites that use a terminal server for access to the main site's apps and data? They have SBS 2003 and a Windows 2000 terminal server that may get replaced with 2003 in a few months. Trend Micro CSMS for SMB 3.6 on server and workstations, including the remote sites and laptops, and Vamsoft ORF in front of the SBS for additional spam filtering.
> > >
> > > The remote sites have one workstation each and they currently do not use VPN, but might do so later.
> > >
> > > You mentioned that you do not use their UTM service. Do you know anyone who does have experience with their UTM products? My main concern there is stopping inappropriate web browsing and as additional virus/malware protection.
> > >
> > > I just signed up as a reseller for WatchGuard.
> > >
> > > Thank you for your time, and I always value your opinion!
> >
> > WatchGuard X750e for the main office, and X10e for the remote offices.
> >
> > Do the remote people actually need PCs or are they only connecting to the terminal server? This makes a difference in the solution as we would configure the remote offices differently depending on the solution.
>
> They need the PC for a local color mixing application for their stucco coloring at the remote locations; they use the TS for accounting, but sometimes they have users who also connect from home and on the road. We already use Outlook for remote email.
>
> > Do you own their ISP connection or can they use their home computers on it also? This makes a difference because you can limit all outbound traffic that does not go through the VPN tunnels.
>
> I prefer not to allow IE on the TS, so they do that from their local stations. I think that I know what you mean about Internet only via the VPN, but their remote location can only get some low-end DSL due to distance and cost restrictions.
>
> > Well, implement HTTP Proxy filtering and blocking of what you want, from the IP of the terminal server, then allow IE and apply security settings via GPO for just the Terminal Server; it's as safe as IE can be.
> >
> > You also implement "Web Blocker" so that they can't screw around on the net.
> >
> > Now, you block web browsing on their local PCs so that they really can't screw around - this means they can only browse when connected into the TS - and that means you can track where they visit and also block what you don't want them to have access to.
> >
> > If they have HOME ISP service you can get them cheap VPN routers, since they would be using their OWN computer and ISP service, then set up a rule in the firewall to only allow TCP 3389 to the terminal server - this means that if they compromise their home network it doesn't compromise your network.
> >
> > Also, since we're in the SBS group, RWW is the way to go since there is only one workstation at the remote locations.
>
> I need to change them over to that.
>
> > If you allow them to use a PC at their location and you've not locked it completely down, don't have quality AV, etc.... if you allow all ports through the VPN, then you're risking your local network big time.
> >
> > I use Web Blocker at every client's location and we lock it down tight; we also implement content filtering using HTTP Proxy and SMTP Proxy rules that remove what could be malware.
> >
> > We use GFI for Exchange filtering and AV filtering of email.
> >
> > Hope this helps, there is a lot more to discuss, but their UTM works fine, we just never put all of our eggs in one vendor's basket.
>
> Well, in the case of antispam, I have two baskets right now... ORF and Trend Micro, and Trend again for AV. Adding a firewall with UTM for web site filtering and AV would keep up their productivity.
>
> Thank you for the model numbers. I will look into them.

We normally see about 30% increase in productivity from abusers - and the number of abusers is more than you would think - take away their local IE ability and force them to browse through the TS and you'll be amazed at how things turn out - you will see about 1-2 weeks of complaining and getting the rules set right - so that you are blocking the most without blocking what they need for business reasons.

The VPN requires a good connection, RWW also requires a good connection, but it doesn't seem to be as picky as the VPN would be; Remote Desktop is the same performance. With RWW or RD, you can lock down the ports to ones that won't provide as large a compromise vector.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
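The firewall design Leythos describes in the quoted text (VPN and home clients limited to TCP 3389 to the terminal server, web browsing only from the TS through the HTTP Proxy, no direct web access from the local PCs) modelled as a first-match policy and checked against constructed sample flows. This is an added example, not code from the thread or from WatchGuard; the addresses, rule names and the `exposed_to_vpn` helper are placeholders chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
# Constructed placeholder addresses (not from the thread).
TS = ip_network("192.0.2.10/32")      # terminal server at the main site
LAN = ip_network("192.0.2.0/24")      # main-site LAN; the TS lives inside it
VPN = ip_network("198.51.100.0/24")   # remote-site and home VPN clients
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str     # "tcp", "udp" or "any"
    dport: object  # int, or None for any port
    action: str    # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src and ip_address(f.dst) in self.dst
                and self.proto in ("any", f.proto) and self.dport in (None, f.dport))

# First match wins, so order matters: TS-specific allows precede the broader
# LAN denies, and the VPN deny closes off everything but RDP to the TS.
POLICY = [
    Rule("vpn-rdp-to-ts", VPN, TS, "tcp", 3389, "allow"),    # home/remote PCs: RDP only
    Rule("vpn-deny-rest", VPN, ANY, "any", None, "deny"),    # a compromised home net stops here
    Rule("ts-web-via-proxy", TS, ANY, "tcp", 80, "allow"),   # only the TS browses (HTTP Proxy)
    Rule("ts-tls-via-proxy", TS, ANY, "tcp", 443, "allow"),
    Rule("lan-rdp-to-ts", LAN, TS, "tcp", 3389, "allow"),
    Rule("lan-no-direct-web", LAN, ANY, "tcp", 80, "deny"),  # local PCs browse only via the TS
    Rule("lan-no-direct-tls", LAN, ANY, "tcp", 443, "deny"),
]

def evaluate(flow, policy=POLICY):
    """Return (rule name, action) of the first matching rule; default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default-deny", "deny"

def exposed_to_vpn(targets, policy=POLICY):
    """(dst, port) pairs a VPN client can reach: the surface a compromised home PC inherits."""
    client = str(VPN[10])
    return [(d, p) for d, p in targets
            if evaluate(Flow(client, d, "tcp", p), policy)[1] == "allow"]
```

Swapping the order of the TS allows and the LAN denies shows why first-match rule ordering is part of the review: the TS would then lose its proxied web access.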