
VPN Branch to Branch over Dynamic WAN IP


blacksan

Technical User
Feb 14, 2002
OK, here is the problem.
#1: No one wants anything installed on their computers (VPN clients are famous for breaking things and causing a 20% increase in tech support).
#2: Users want to run over anything (ADSL, Cable, Dialup, ISDN, Wireless, whatever).
#3: Company Policy prevents any users from doing split tunneling on remote computers because they are most likely to be breached with viruses, Trojan horses, and horny teens on their parents' computer. Non-split tunneling makes all of their Internet packets proxied and filtered. Installing the client will not work because all they have to do is disconnect the VPN.
#4: They want a dial-backup solution for when the main broadband goes belly-up (we've all been there), WITHOUT any users getting technical.

Solution (at the time):
#1: Nortel Contivity 100 (Instant Internet 100). Last year only one vendor stood up and presented a hardware VPN NAT router. It cost $1000 back then and was FULL of bugs that are finally fixed.
#2: The Contivity 100 (C100) logs into the VPN switch (only tested on Nortel Contivity 4500) as an LDAP user under a group (which can be filtered).
#3: For redundancy we point the C100 to a DNS name (which either round-robins or caches the multiple VPN public IP addresses). Because of the non-split tunnel, we set up the ISP DNS addresses and the VPN's public IP address to static-route to the WAN (instead of the tunnel).
#4: For more redundancy we added a ping out the primary WAN. If the ping fails we nail up the dial-out to the ISP and send all traffic out there. If the ping comes back it will swing the traffic back to the primary WAN.
#5: The only requirement is an Ethernet modem (USB was not a network standard back then).

Problem with Solution:
#1: NAT vs. pingable workstations. Because ALL traffic entering the corporate network is NATed, this allows anyone who can plug their PC into the C100 full access into our network. The only prevention is to shut down the remote site. The C100 admin right can fix this, but no one wants an ugly widget on their PC. Nortel will fix it in 4.0, making all workstations visible with CAT.
#2: Nortel is putting both the C100 and C400 to end of life but will replace both with the C300; still no information on it.

This question to the Internet techies:
#1: Now that a YEAR has passed since I started looking for a solution, can any other vendor out there match a solution for my problem?
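The ping-driven failover in solution step #4 (probe the primary WAN, nail up the dial-out when it fails, swing traffic back when it recovers) is the part of the setup most likely to misbehave on a lossy DSL line: a single dropped probe should not bounce every remote user onto a modem. The simulation below is an added illustration, not the Contivity 100's firmware or any Nortel code; it models the decision logic with separate failover and recovery thresholds (hysteresis) so that isolated losses are ignored and the router does not flap between paths. The threshold values and the probe trace are constructed assumptions.

```python
"""Ping-driven WAN failover with hysteresis (added illustration, not vendor code).

Models the router decision from the post's step #4: count consecutive lost
probes on the primary WAN before nailing up the dial-out, and count
consecutive good probes before swinging traffic back. The two thresholds are
assumptions chosen to show why one lost probe must not cause a failover.
"""
from dataclasses import dataclass, field

PRIMARY = "primary_wan"   # the broadband link carrying the VPN tunnel
BACKUP = "dial_backup"    # the nailed-up dial-out path to the ISP


@dataclass
class WanFailover:
    fail_threshold: int = 3      # consecutive lost probes before failing over
    recover_threshold: int = 5   # consecutive good probes before swinging back
    active: str = PRIMARY
    _fails: int = 0
    _oks: int = 0
    transitions: list = field(default_factory=list)

    def observe(self, tick: int, ping_ok: bool) -> str:
        """Feed one probe result; return the path that carries traffic now."""
        if ping_ok:
            self._oks += 1
            self._fails = 0
        else:
            self._fails += 1
            self._oks = 0

        # Fail over only after a sustained outage, not a single timeout.
        if self.active == PRIMARY and self._fails >= self.fail_threshold:
            self.active = BACKUP
            self.transitions.append((tick, BACKUP))
        # Swing back only after the primary has been stable for a while,
        # so a flickering link does not bounce users between paths.
        elif self.active == BACKUP and self._oks >= self.recover_threshold:
            self.active = PRIMARY
            self.transitions.append((tick, PRIMARY))
        return self.active


def run_probes(results, fail_threshold=3, recover_threshold=5):
    """Replay a sequence of probe outcomes.

    Returns (per-tick active path, list of (tick, new_path) transitions).
    """
    fo = WanFailover(fail_threshold, recover_threshold)
    path = [fo.observe(i, bool(ok)) for i, ok in enumerate(results)]
    return path, fo.transitions


# Constructed probe trace: 1 = reply received from the primary WAN, 0 = timeout.
# One isolated loss at tick 2, a real outage at ticks 4-6, a blip at tick 9.
SAMPLE = [1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1]

if __name__ == "__main__":
    path, transitions = run_probes(SAMPLE)
    for tick, (ok, active) in enumerate(zip(SAMPLE, path)):
        print(f"tick {tick:2d} probe={'ok ' if ok else 'LOST'} active={active}")
    print("transitions:", transitions)
```

With the sample trace the router stays on the primary WAN through the isolated loss at tick 2, nails up the dial-out at tick 6 after three consecutive timeouts, ignores the blip at tick 9 while on backup, and swings back at tick 14 once five good probes in a row have been seen. Lowering both thresholds to 1 reproduces the flapping behaviour that a naive "ping failed, switch now" rule would produce.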