Site-2-Site VPN with an External Partner: Network Security?

We are having some users moving into an external partner’s building. The partner is willing to set up a separate VLAN for our users on their network, and even set up a VPN between their building and our building. Also we use VMware Horizon for the user desktops.

My question is, how do I ensure only my users can access our network? Do I just set up a firewall for anything coming from that VPN saying it can only go to the VMware connection broker and nowhere else? Thanks

Better would be to put your own firewall appliance on that VLAN and put your tunnel there.

There is still a risk that “other systems” are placed on that VLAN by them… so yes you may want to employ some access rules on your end, the other end, or both.

Yeah, if they give your users their own VLAN then just put a FW rule for the tunnel that only allows traffic from whatever subnet they assign for your users. You could also apply rules to restrict destinations and traffic types for better security.

Usually you’d put your own firewall in place and let it do the tunnel. VPN to a third party company would have to be extremely careful with very strong rules in place (zero trust).

We would almost never do something like that - it would be an absolute last resort.

In phase 2 of the VPN setup, map the network that is the VLAN they give you. That will limit traffic across the tunnel to only systems that are in the VLAN they set up for you. Then, if using Horizon, just limit traffic to needed ports to connect to Horizon. The Virtual Desktop session will be where all of the web traffic, email, etc. happen from.
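The two layers this reply describes (phase-2 selectors deciding what enters the tunnel, then a firewall rule narrowing partner-VLAN traffic to the Horizon broker on its ports) modelled as a small policy check over constructed flows. This is an added example, not code from the thread; the subnets, broker address and ports are assumptions, not the poster's values.

```python
# Added example, not from the thread. Layer 1 is the phase-2 (proxy ID /
# traffic selector) pair that decides what may enter the tunnel at all;
# layer 2 is our firewall policy, which narrows partner-VLAN traffic down
# to the Horizon connection broker. All addresses and ports are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PARTNER_VLAN = ip_network("10.50.10.0/24")       # assumed: VLAN the partner assigns to our users
OUR_HORIZON_NET = ip_network("192.168.100.0/24")  # assumed: our VDI network behind the tunnel
HORIZON_BROKER = ip_address("192.168.100.10")     # assumed: connection broker address
HORIZON_PORTS = {443, 8443}                       # assumed: broker HTTPS and Blast ports

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def in_phase2_selector(flow):
    """Phase 2 only encrypts partner VLAN <-> our VDI net; anything else on
    the partner's network never enters the tunnel."""
    return ip_address(flow.src) in PARTNER_VLAN and ip_address(flow.dst) in OUR_HORIZON_NET

def firewall_allows(flow):
    """Our firewall narrows tunnel traffic to the broker on Horizon ports."""
    return (ip_address(flow.src) in PARTNER_VLAN
            and ip_address(flow.dst) == HORIZON_BROKER
            and flow.proto == "tcp"
            and flow.dport in HORIZON_PORTS)

def evaluate(flow):
    """Return ('allow', reason) or ('deny', reason) for a flow from the partner side."""
    if not in_phase2_selector(flow):
        return ("deny", "outside phase-2 selector: never reaches the tunnel")
    if not firewall_allows(flow):
        return ("deny", "inside tunnel but blocked by firewall policy")
    return ("allow", "partner VLAN -> Horizon broker on an allowed port")

# Constructed sample flows
SAMPLE_FLOWS = [
    Flow("10.50.10.25", "192.168.100.10", "tcp", 443),   # our user -> broker
    Flow("10.50.10.25", "192.168.100.20", "tcp", 445),   # our user -> file server in VDI net
    Flow("10.50.20.5", "192.168.100.10", "tcp", 443),    # partner host on another VLAN
    Flow("10.50.10.25", "192.168.100.10", "tcp", 3389),  # our user, port Horizon does not need
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{f.src}:{f.dport} -> {f.dst}  {verdict:5} ({reason})")
```

Only the first flow is allowed; the second shows why the firewall rule is still needed even when the selector is tight.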

I have an ASA available. Would I be able to use his internet/public IP? Or would I need a new Public IP on his connection/my own internet service?

Would I tunnel using their internet? Like how Just_Curious_Dude mentioned using NAT-T?

Should I still look into a NAT-T configuration along side these recommendations?

NAT-T would allow you to not have a public IP and to use theirs.

NAT-T I believe, yes, but I’ll be honest it’s been a good 8 years since I’ve touched an ASA. I used to manage a ton of them but I’m too rusty on the details these days.

We’re all Meraki now and that’s all plug-and-play, especially when it comes to VPN. We have 30 sites and I’ve spent maybe 10 minutes in the past 5 years configuring VPNs 🙂

Sure. NAT Traversal is pretty much built into all VPN setups nowadays, so it shouldn’t be too difficult to set up if you need it.

Thanks I’m going to dig into that. Appreciate the help