Need Advice for a good VPN Client for my company (1000 users)

My company currently purchased Meraki across the board, for switches and firewalls in every site (China, Australia, UK, US). Six buildings in total across the world. They were using non-standard, sub-par equipment until they standardized each building.

Now that we have Merakis we are trying to upgrade our VPN clients for people to work remotely and still access resources in our main buildings. Each building that needs access to the others already has a P2P tunnel, so inside our network there are no issues.

However, outside the network it’s still anybody’s guess. We’re using Pulse (a very old, crappy version; no one likes it) to access the UK and US, and have nothing implemented for the rest of the networks.

Now, when we went to set up the Merakis for VPN client access, we noticed that Meraki doesn’t have a software client to create its own VPN adapter. You have to go to Windows or Mac and create a connection using the native OS settings. This brought up a very bad issue with our clients not split-tunneling traffic. While there IS technically a way around this and you can run a script to add these split-tunnel fixes, my boss is looking for a piece of software that will work with the Meraki VPN settings.

The software he wants should do the following:

Have multiple profiles that we can import in order to set up different building configs easily.

Allow split-tunneling (obviously, standard practice here).

Officially support Meraki hardware.

Work and look the same on both Mac and PC.

We are aware that Meraki supports ASAs. And while that is a solution, it will tend to be a very expensive one, as you need to buy licenses for each user that will be connecting to each building. So if you have 1000 users and all of them are connecting to each building (not a realistic example, I know, but this is for the sake of numbers), you will need 6000 licenses in total, which will get very expensive as you have to renew your license support every year. So we’re looking for alternatives.

If anyone has any suggestions I’m all ears. I’ve already had pfSense suggested, and am frankly turned off by the fact that it’s freeware with the option to buy support. But if their support is good I would be open to that.

Thanks for everyone’s help and your time!!

The Meraki Client VPN will be a significant step down from Pulse.

What don’t you like about it? Pulse is basically the #1 for client VPN these days; they’re really great, assuming you can buy newer gear.

The licensing for AnyConnect is per user, not per-user-per-device.

Still open source, but OpenVPN could be an option. Pretty well received in the small enterprise space.

Another thing that makes it tricky is having an integration point for MFA.

Would it be cost effective to do an upgrade of Pulse Secure?

You have the clients deployed into your user community already. It’s just a matter of upgrading the gateway/concentrator itself and the clients using PowerShell/LANDesk/SCCM… whatever.

My company is very large and we use Pulse with no problem. We’re doing decent posturing and profiling with it as well as pre-connect compliance checks. We also integrated Duo MFA with it, which was well received by our user community.

If capital project funding is a problem there are some clever political capital and internal process scams you can pull to keep cost in check.

Example:
Have your threat and vulnerability management team point out some flaws with your current Pulse Secure client version to force remediation efforts (an upgrade) as part of standard security policy. This will be operational dollars that aren’t calculated as part of your capital project labor estimates because, what do ya know… it’s already done.

We pull shit like this all the time.
We call it political capital 😃

I guess I don’t completely follow your design. Why deploy and manage 6 different VPN servers in 6 buildings/locations when you can just centralize it somewhere on your network? I always recommend Cisco AnyConnect and ASA to people for client VPNs. It’s got support for every major platform and the consistent look and feel and ease of management you’re looking for. The hardware is not that expensive and we run 700-800 users all the time with rarely any issues. It just works.

If your Microsoft licensing is suitable, why not look at DirectAccess or, even better, Always On VPN? (DA is being phased out.)

No client necessary.

Source: I’ve been using DA since Server 2008 and Vista. Users love it as it is zero touch for them. It just works.

No third-party software I’m aware of that works with Meraki.

We are aware that Meraki supports ASAs.

Not sure what you mean by this, unless you mean AnyConnect? Meraki doesn’t support AnyConnect. You could use an ASA installed somewhere and have everyone AnyConnect to it, maybe one ASA per region. AnyConnect licenses are relatively cheap, like $5-10/user depending on your total user count. Most of our customers that went with Meraki firewalls still maintain another non-Meraki firewall for client VPN and VPNs to non-Meraki peers.

Or just use a combination of PowerShell/Group Policy/CMAK to configure your Meraki VPN clients.
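The scripted route that the OP mentions and this reply suggests, as an added example that is not from any poster in the thread: a PowerShell script that creates one Windows VPN connection per building with split tunnelling enabled and only the internal prefixes routed through the tunnel. The server names, pre-shared key prompt and 10.x.x.x prefixes are constructed placeholders; the L2TP/IPsec, PAP and "Optional" encryption parameters follow Meraki's published Windows client settings (PAP is carried inside the IPsec tunnel), but confirm them against your own dashboard configuration.

```powershell
# Added example, not from the thread: build Meraki-style L2TP/IPsec client VPN
# connections on Windows with split tunnelling, one per building.
# All server names, routes and the key are placeholders (constructed for this example).

# One entry per building; extend this table to get the "multiple profiles" the OP wants.
$Sites = @(
    @{ Name = 'Corp VPN - US'; Server = 'vpn-us.example.com'; Routes = @('10.10.0.0/16', '10.11.0.0/16') },
    @{ Name = 'Corp VPN - UK'; Server = 'vpn-uk.example.com'; Routes = @('10.20.0.0/16') }
)

# Prompt for the pre-shared key at run time instead of hard-coding it in a script
# that will be copied around by SCCM/Group Policy. Add-VpnConnection needs a plain string.
$Psk = Read-Host -Prompt 'L2TP pre-shared key' -AsSecureString
$PskPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Psk))

foreach ($site in $Sites) {
    # Remove any existing connection with the same name so re-running is idempotent
    if (Get-VpnConnection -Name $site.Name -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $site.Name -Force
    }

    # L2TP over IPsec with a PSK; -SplitTunneling clears "Use default gateway on
    # remote network", which is the setting the OP's users were missing.
    Add-VpnConnection -Name $site.Name `
        -ServerAddress $site.Server `
        -TunnelType L2tp `
        -L2tpPsk $PskPlain `
        -AuthenticationMethod Pap `
        -EncryptionLevel Optional `
        -SplitTunneling `
        -RememberCredential `
        -Force

    # With split tunnelling on, Windows installs no routes for the remote side,
    # so add one per internal prefix; everything else stays on the local default route.
    foreach ($prefix in $site.Routes) {
        Add-VpnConnectionRoute -ConnectionName $site.Name -DestinationPrefix $prefix
    }
}

# Check the result: SplitTunneling should be True and each connection should list its routes
Get-VpnConnection | Select-Object Name, ServerAddress, TunnelType, SplitTunneling
Get-VpnConnection | ForEach-Object {
    "{0}: {1}" -f $_.Name, (($_.Routes | ForEach-Object { $_.DestinationPrefix }) -join ', ')
}
```

Run it in an elevated PowerShell session once per machine (or wrap it in a Group Policy startup script or SCCM package). Keep the route table deliberately narrow: only prefixes that actually live behind each Meraki should go in `Routes`, since anything not listed leaves the endpoint on its normal internet path, which is exactly the traffic the later reply about securing split-tunnelled internet access is asking about.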

Multi-profile: I use the NCP client (primarily the WG-branded one, but the normal one is the same) for 20+ VPN profiles that I can switch between easily. It works with the WG 2FA VPN program, so after initiating the IPsec tunnel, a push is sent to confirm the connection and then it is allowed.

My only gripe is that moving the client around between machines is a manual de-auth, key release and re-auth. There is an on-site key manager you can get, but I don’t have enough IPsec licenses to warrant it.

For funsies, look at the Veeam VPN system. It’s a VM that gives you site-to-site and single-user VPN ingress (IPsec, not SSL) and is super easy to set up/use/configure.

Edit: Veeam VPN is also free.

Do you use the Meraki VPN today? Gather some statistics and find out your peak client usage. This will help you to size the correct appliance and the licenses needed. Cisco does licensing on maximum concurrent users.

Why do you need 6000 licenses total if you only have 1000 users, assuming each building has network connectivity to the other buildings? You can create user groups to separate traffic from each building too.

If you aren’t going to renew Pulse Secure, my next choice would be hanging a Cisco ASA off the Meraki and then buying appropriate AnyConnect licenses. AnyConnect will offer you good flexibility on deployment and customization options, and is a generally solid VPN client with a decent GUI. Also, newer AnyConnect supports SAML, so you can do fun things like integrate 2FA with Duo - and you don’t have to mess with RADIUS or anything. My next choice after AnyConnect would be a FortiGate with FortiClient SSL-VPN, which technically requires no VPN licensing at all (unless you want to do some fancier NAC stuff). A FortiGate 100E supports ~250 Mbps of SSL-VPN throughput according to the spec sheet. The FortiGate 100F is coming out within the next month and will probably support higher max throughput as well.

You can build custom FortiClient packages for mass deployment, but it will require you to sign up for the Fortinet Developer Network (free, but an SE needs to invite you). FortiClient for Mac works fairly well but has fewer package customization options than the Windows counterpart. Another “downside” I’d say is that currently FortiClient doesn’t support SAML, so if you implement 2FA, the FortiGate in the backend is using LDAP/RADIUS, which isn’t quite as modern or ideal IMO.

It doesn’t get any better than Pulse IMO. The only other VPN I would put close to it is NetMotion.

Pulse is the #1 VPN product on the market. Upgrade to a current appliance if you can stomach the cost. Otherwise, AnyConnect on an ASA-X or PAN GP.

This might help get you rolling: IFM - Configure Meraki Client VPN on Windows

How do you plan to secure user traffic to the internet using split tunneling? On the endpoint or using a cloud-based security gateway? If you use a cloud gateway you might be able to route your internet traffic there without modifying the Windows tunneling, depending on how it’s implemented.

Thank you everyone for your replies!! They were all very helpful, and the department as a whole decided to stick with Pulse and fix the issues we have with it. All of your help was much needed and much appreciated!!

I see that you decided to stick with Pulse and fix the problems with it, but I’ll add this here for future readers.

Drop Meraki for any VPN that’s not the AutoVPN. Meraki is fracking junk for anything IPsec. As of this writing, it’s been an ongoing problem for 3+ years with no end in sight.

If you want to stay Cisco, get Cisco ASA firewalls (not the FTD boxes, nor the FTD firmware on ASA!) for your VPN concentrators. Unfortunately, it gets quite expensive with the per-user AnyConnect licensing.

An alternative I can suggest is Fortinet FortiGate firewalls. As long as you stay purely VPN-only (and not the Security Fabric) there’s no licensing cost; VPN capacity is sized by the size (model number) of the firewall.

Using a FortiGate 60E firewall (datasheet: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60E_Series.pdf), the recommended maximum concurrent SSL-VPN users is 200. Using the VPN client in IPsec mode, it will support 500 concurrent remote users. The bigger devices (higher model number) support more concurrent clients.

That particular device runs approx. US$500 for the hardware; support is mandatory but runs somewhere around US$120 annually.

There is no special licensing to run them in HA mode.

There are also virtualized options for most major hypervisor platforms (VMware, Hyper-V, Xen, etc).

I’ve already had pfSense suggested, and am frankly turned off by the fact that it’s freeware with the option to buy support.

Hush! Don’t anger the open source zealots!

OpenVPN is way overrated. The VPN clients are almost universally junk and the server side is WAAAAAY harder to configure than it needs to be.

If you want a consistent experience between all major end user platforms, OpenVPN is the VERY LAST thing you want.

PLUS, if you have an office in China (such as the OP here), OpenVPN is a non-starter as the Great Firewall of China specifically looks for OpenVPN and blocks it.

Thank you for the clarification; that means I misunderstood what our sales rep was telling us. This actually helps us out quite a bit cost-wise.

Pulse works fine for us as well.

Cisco AnyConnect and Pulse are both quality if you keep them up to date and add the connections into the config file.