Question regarding VPNs and static IPs
Good afternoon everyone,
I am currently working on a project, and just need to verify some knowledge as I am still new to it.
Basically, I have a server in which I will be creating virtual machines. Now each of these virtual machines will need a connection to each clients site. So we host the server, client is located elsewhere and needs a constant connection to us. We will probably have roughly 10 of these virtual machines, so my question is:
Do I need a static IP address from my ISP so that each client can have a connection to us at all times? My plan is to get optimum and they will be giving us 5 IPs. I also will be getting a Juniper router with a fail-over connection, so no down time.
I appreciate this guys and it'd be great if this community could help me out, cheers!
I am currently working on a project, and just need to verify some knowledge as I am still new to it.
Basically, I have a server in which I will be creating virtual machines. Now each of these virtual machines will need a connection to each clients site. So we host the server, client is located elsewhere and needs a constant connection to us. We will probably have roughly 10 of these virtual machines, so my question is:
Do I need a static IP address from my ISP so that each client can have a connection to us at all times? My plan is to get optimum and they will be giving us 5 IPs. I also will be getting a Juniper router with a fail-over connection, so no down time.
I appreciate this guys and it'd be great if this community could help me out, cheers!
Comments
-
it_consultant Member Posts: 1,903You should only need to dedicate one IP on your side for this to terminate the VPN's. If you were doing a direct punch in (no VPN, opening holes in the firewall and routing them in) you would need to either have one IP per client or port jump. Assuming you are setting up a VPN for each client, one public IP can handle as many connections as your firewall can handle.
-
m3zilla Member Posts: 172It depends on how big you are, and how many clients you plan on bringing on. If you're using private IP for the "interesting traffic" or encryption domain, you have to be mindful of overlapping IP(s). For example, both client A and client B are using the 10.1.1.0/24 address space.
-
flipk337 Member Posts: 4 ■□□□□□□□□□Thanks for the replies guys. Potentially there can be about 100+ clients. The connection needs to be secure as well. The idea would be that each of the clients sites they would be using 192.168.0.0/24, I just don't plan on having any client have trunking or communication between the LANs. perhaps my logic is flawed.
Basically we do restaurants, so each site has the "brain" of an IP of 192.168.0.98 and each waiter station has an IP of 192.168.0.x where X corresponds to the station number.
So if we have each client site using 192.168.0.x, would that interfere with other sites using the same scheme? Its my understanding it won't cause any other lapping because each client site has no communication to the others.
Would it be better for each client to have their own different network? -
it_consultant Member Posts: 1,903Thanks for the replies guys. Potentially there can be about 100+ clients. The connection needs to be secure as well. The idea would be that each of the clients sites they would be using 192.168.0.0/24, I just don't plan on having any client have trunking or communication between the LANs. perhaps my logic is flawed.
Basically we do restaurants, so each site has the "brain" of an IP of 192.168.0.98 and each waiter station has an IP of 192.168.0.x where X corresponds to the station number.
So if we have each client site using 192.168.0.x, would that interfere with other sites using the same scheme? Its my understanding it won't cause any other lapping because each client site has no communication to the others.
Would it be better for each client to have their own different network?
Yes, in fact, its the only practical way for it to happen. Think about it for a second, setting up a VPN is akin to yanking a very long ethernet cable to the other network. If you have more than one network on the 192.168.0.xxx range, how will your router know where you intend to send the traffic? There are ways to set this up - but it gets complex quickly and based on the questions you are asking, you are probably outside of your technical range right now. -
phoeneous Member Posts: 2,333 ■■■■■■■□□□What are you hosting on the servers? How big is the internet facing pipe?
-
flipk337 Member Posts: 4 ■□□□□□□□□□It is out of my technical knowledge, I've been trying to find some documentations on it, but I can't find much. I believe I have enough information though to go forth, it'll be a big project and I look forward to the challenge and learning the material. thanks it_consultant for your help. I can't think of any more questions for now, but any more light you can shed on the topic that'd be great.
and phoeneous we will be hosting Windows 7 pro, and the the pipe will be 50MB download and 25 upload if that's what you mean. and -
al3kt.R*** Member Posts: 118Does your Juniper router support SSL VPN? If yes then you have all that you need: have your clients connect to your router's public IP interface either via their browser or via installing and running the appropriate SSL client, dependind on your application needs, and voila there's your required remote-access VPN. At the router you will need to config the VPN server and to place applicable ACLs and bookmarks directing and allowing access to your VMs.
It's phenomenally easy once setup to use and maintain SSL-VPNs. It's all a matter of initial setup and having the money to license clients and the SSL VPN server, as long as your headend equipment allows it.
Regards"Tigranes: Good heavens! Mardonius, what kind of men have brought us to fight against? Men who do not compete for possessions, but for honour."--- Herodotus, The Histories
"Nipson anomemata me monan opsin"--- Gregory of Nazianzus
"Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days."--- Bruce Schneier Facts -
it_consultant Member Posts: 1,903It is out of my technical knowledge, I've been trying to find some documentations on it, but I can't find much. I believe I have enough information though to go forth, it'll be a big project and I look forward to the challenge and learning the material. thanks it_consultant for your help. I can't think of any more questions for now, but any more light you can shed on the topic that'd be great.
and phoeneous we will be hosting Windows 7 pro, and the the pipe will be 50MB download and 25 upload if that's what you mean. and
I used to do this with small dr's offices which needed to connect into big hospitals to get x-ray images and such. The hospital would provide pages of documentation on setting up the VPN so it wouldn't interfere with other networks, their own network, provide HIPPA protections etc. I don't think an SSL VPN type solution would be appropriate, sounds like a persistent VPN is the way to go, which is what you are talking about. -
al3kt.R*** Member Posts: 118it_consultant wrote: »I don't think an SSL VPN type solution would be appropriate, sounds like a persistent VPN is the way to go, which is what you are talking about.
SSL VPNs can be of the auto-connect on start-up & always-on type (as long as the user does not turn off the client), but that requires a capable S/W client (not just the browser) to install on remote machines."Tigranes: Good heavens! Mardonius, what kind of men have brought us to fight against? Men who do not compete for possessions, but for honour."--- Herodotus, The Histories
"Nipson anomemata me monan opsin"--- Gregory of Nazianzus
"Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days."--- Bruce Schneier Facts -
it_consultant Member Posts: 1,903al3kt.R*** wrote: »SSL VPNs can be of the auto-connect on start-up & always-on type (as long as the user does not turn off the client), but that requires a capable S/W client (not just the browser) to install on remote machines.
I don't think this offers anything that a persistent VPN doesn't already offer while adding in the mess of having to maintain a VPN client on the client server. Lest they do a windows update (true story) and the anyconnect client will no longer function. I haven't seen the type of need OP has solved by a client VPN solution. It would certainly work, but I don't think it would be nearly as robust has having the two firewalls work out the VPN connection. -
al3kt.R*** Member Posts: 118it_consultant wrote: »I don't think this offers anything that a persistent VPN doesn't already offer while adding in the mess of having to maintain a VPN client on the client server. Lest they do a windows update (true story) and the anyconnect client will no longer function. I haven't seen the type of need OP has solved by a client VPN solution. It would certainly work, but I don't think it would be nearly as robust has having the two firewalls work out the VPN connection.
No objection m8, these are valid thoughts & facts you communicate. To add more, costs can be high when purchasing the required SSL licenses, depending on the manufacturer.
Nevertheless the technology is mature enough as a potential alternative to site-to-site VPNs, offering on-demand or always-on options, it scales really well, it's easy to maintain after initial setup, it's fairly secure, so one should research and evaluate it ( & ask about) for its pros and cons depending on one's requirements.
My experience with SSL is really great so far, so I feel obliged to share that bro."Tigranes: Good heavens! Mardonius, what kind of men have brought us to fight against? Men who do not compete for possessions, but for honour."--- Herodotus, The Histories
"Nipson anomemata me monan opsin"--- Gregory of Nazianzus
"Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days."--- Bruce Schneier Facts -
dover Member Posts: 184 ■■■■□□□□□□al3kt.R*** wrote: »costs can be high when purchasing the required SSL licenses, depending on the manufacturer.
**cough**Cisco**cough**
Have to agree with the awesomeness of the (correctly configured) SSL VPN; though I'd probably roll out a site-site solution.