Re: Hey, Leythos!
- From: "Gregg Hill" <bogus@xxxxxxxxxxx>
- Date: Sun, 28 Oct 2007 17:43:35 -0700
Holy Zimbabwe, Batman! Your clients must have a lot more money than mine do.
Mine are more in the x55e range than the x750e.
My biggest client has only 25 users at the main office and one or two at
their remote locations.
The x10e is about what I expected in price, but the x750e caught me off
guard.
Remote sites are connecting only via TS right now...no VPN yet.
Do you use the Fireware Pro?
Gregg Hill
--
----------------
DISCLAIMER WARNING: the information contained in any reply I make is merely
an OPINION, one that I hope you will consider when you make a choice as to
what you will do on your systems or network.
**No recommendation is to be implied by my OPINION.**
There, that should cover it!
"Leythos" <void@xxxxxxxxxxx> wrote in message
news:MPG.218e3301fe3e873798972c@xxxxxxxxxxxxxxxxxxxx
In article <OJsDL3RGIHA.4476@xxxxxxxxxxxxxxxxxxxx>, bogus@xxxxxxxxxxx
says...
"Leythos" <void@xxxxxxxxxxx> wrote in message
news:MPG.218d8418b7c40078989720@xxxxxxxxxxxxxxxxxxxx
In article <euWYgrNGIHA.5208@xxxxxxxxxxxxxxxxxxxx>, bogus@xxxxxxxxxxx
says...
Hi, Leythos!
You seem to like the WatchGuard products a lot. What current models would
you recommend for a business that has 25 users at the main site and three
remote sites that use a terminal server for access to the main site's apps
and data? They have SBS 2003 and a Windows 2000 terminal server that may
get replaced with 2003 in a few months. Trend Micro CSMS for SMB 3.6 on
server and workstations, including the remote sites and laptops, and
Vamsoft ORF in front of the SBS for additional spam filtering.
The remote sites have one workstation each and they currently do not use
VPN, but might do so later.
You mentioned that you do not use their UTM service. Do you know anyone
who does have experience with their UTM products? My main concern there is
stopping inappropriate web browsing and as additional virus/malware
protection.
I just signed up as a reseller for WatchGuard.
Thank you for your time, and I always value your opinion!
WatchGuard X750e for the main office, and X10e for the remote offices.
Do the remote people actually need PC's or are they only connecting to
the terminal server? This makes a difference in the solution as we would
configure the remote offices differently depending on the solution.
They need the PC for a local color mixing application for their stucco
coloring at the remote locations, they use the TS for accounting, but
sometimes they have users who also connect from home and on the road. We
already use Outlook for remote email.
Do you own their ISP connection or can they use their home computers on
it also? This makes a difference because you can limit all outbound
traffic that does not go through the VPN tunnels.
I prefer not to allow IE on the TS, so they do that from their local
stations. I think that I know what you mean about Internet only via the
VPN, but their remote location can only get some low-end DSL due to
distance and cost restrictions.
Well, implement HTTP Proxy filtering and blocking of what you want, from
the IP of the terminal server, then allow IE and apply security settings
via GPO for just the Terminal Server, it's as safe as IE can be.
You also implement "Web Blocker" so that they can't screw around on the
net.
Now, you block web browsing on their local PC's so that they really
can't screw around - this means they can only browse when connected into
the TS - and that means you can track where they visit and also block
what you don't want them to have access to.
If they have HOME ISP service you can get them cheap VPN routers, since
they would be using their OWN computer and ISP service, then, set up a
rule in the firewall to only allow TCP 3389 to the terminal server -
this means that if they compromise their home network it doesn't
compromise your network.
Also, since we're in the SBS group, RWW is the way to go since there is
only one workstation at the remote locations.
I need to change them over to that.
If you allow them to use a PC at their location and you've not locked it
completely down, don't have quality AV, etc.... if you allow all ports
through the VPN, then you're risking your local network big time.
I use Web Blocker at every client's location and we lock it down tight,
we also implement content filtering using HTTP Proxy and SMTP Proxy
rules that remove what could be malware.
We use GFI for Exchange filtering and AV filtering of email.
Hope this helps, there is a lot more to discuss, but their UTM works
fine, we just never put all of our eggs in one vendor's basket.
Well, in the case of antispam, I have two baskets right now...ORF and
Trend Micro, and Trend again for AV. Adding a firewall with UTM for web
site filtering and AV would keep up their productivity.
Thank you for the model numbers. I will look into them.
We normally see about 30% increase in productivity from abusers - and
the number of abusers is more than you would think - take away their
local IE ability and force them to browse through the TS and you'll be
amazed at how things turn out - you will see about 1-2 weeks of
complaining and getting the rules set right - so that you are blocking
the most without blocking what they need for business reasons.
The VPN requires a good connection, RWW also requires a good connection,
but it doesn't seem to be as picky as the VPN would, Remote Desktop is
the same performance. With RWW or RD, you can lock down the ports to
ones that won't provide as large a compromise vector.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
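
Added example, not part of the original posts and not WatchGuard policy syntax: a small first-match rule evaluator that compares what a home VPN client can reach under an "all ports through the VPN" policy with what it can reach under the "only TCP 3389 to the terminal server" rule described in the thread. The rule model, addresses and probe list are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None matches every port

def decide(rules, src_ip, dst_ip, proto, port):
    """First matching rule wins; traffic that matches nothing is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.port in (None, port)):
            return r.action
    return "deny"

def exposure(rules, vpn_host, lan_hosts, probes):
    """Return every (host, proto, port) the VPN client can reach."""
    return sorted((h, p, n) for h in lan_hosts for p, n in probes
                  if decide(rules, vpn_host, h, p, n) == "allow")

# Constructed addressing: home VPN client, terminal server, SBS box.
VPN_HOST, TS, SBS = "10.8.0.20", "192.168.16.10", "192.168.16.2"
PROBES = [("tcp", 3389), ("tcp", 445), ("tcp", 135), ("tcp", 80), ("udp", 53)]

# Weak policy: everything from the VPN subnet is allowed into the LAN.
ALL_PORTS = [Rule("allow", "10.8.0.0/24", "192.168.16.0/24", "any", None)]
# Tight policy: Remote Desktop to the terminal server only, then deny.
RDP_ONLY = [Rule("allow", "10.8.0.0/24", TS + "/32", "tcp", 3389),
            Rule("deny", "10.8.0.0/24", "0.0.0.0/0", "any", None)]

if __name__ == "__main__":
    for name, policy in (("all ports", ALL_PORTS), ("RDP only", RDP_ONLY)):
        reach = exposure(policy, VPN_HOST, [TS, SBS], PROBES)
        print(f"{name}: {len(reach)} reachable service(s)")
        for item in reach:
            print("   ", item)
```
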