Filed Under (Geekspeak, Work) by Justin on 2008-04-19

The blogging has been pretty sparse here lately, and I’m quite aware of that fact. Most of the action for me has started happening over on Twitter because it’s so quick and easy.

I kicked off a major project or three at work this week and they’re all dependent on one central project: a massive VPN rollout. For those who don’t know, I work for a smallish company with a rather large footprint. Counting our corporate office where I work, we have 25 locations. Each branch office relies on several services housed at corporate and connects to these sources over the wide-open internet. A VPN has always been on my radar, but never really been considered fiscally until about two weeks ago when we finally decided to bite the bullet and do it.

My initial plan was to use OpenVPN running on top of Linksys WRT54GL’s at the branches and grab a new Dell R200 to be the hub of the VPN. After about three days of flashing different firmwares on my Linksys at home (OpenWRT, dd-wrt, Sveasoft) and trying to make it work, I threw in the towel and went back to the drawing board. I’ve mentioned before that we have a Watchguard Firebox Core X750e at corporate and I’ve been mostly happy with it. A quick look showed the Firebox Edge X10e to be the cheapest endpoint available to this with Watchguard hardware. However, at around $300 each, this would really quickly get very expensive. Not only that, but I couldn’t come up with anyone I knew who had a Watchguard deployment of this size to ask their advice and opinions.

As I was seeking advice from my pals in the Church IT RoundTable IRC channel, by some act of providence, Mark Moreno decided to grace us with his presence in the channel. I definitely need to insert a disclaimer and an apology at this point. Mark is a guy who is really knowledgeable and passionate about the product he sells and he makes no excuses for being a salesman either. As a result, I’ve always given Moreno a really hard time about SonicWALL gear, mostly just for kicks. He knows to expect this kind of trash-talk whenever I’m around and always takes the ribbing in good fun. As Mark came in, I made the joke to everyone that I could probably make him drool with the details of the VPN project I was working on. Sure enough, he took the bait and started putting together some quotes. His initial number was somewhere in the range of $15,000 and I just laughed. We talked back and forth over the course of a few days and settled on a new SonicWALL NSA 3500 to replace the Firebox at corporate and 22 SonicWALL TZ 150 endpoints to go to the branch offices, stripped down to firmware only – no UTM or support options. The best part of all this is that Mark is preconfiguring all the VPN tunnels before shipping the hardware to me. I really give major props to Mark and SonicWALL for working hard to match an absolutely INSANE price that I found on NewEgg for the TZ 150. The final price tag with hardware and his consulting time was just a little more than half of his original quote – quite a substantial savings!

Once the VPN is in place, I’ll finally be able to roll out the IP phones I’ve been sitting on for a year to the branch offices, implement a web-based time clock for our staff employees, and join the remote PCs to our Active Directory domain, which opens a TON of doors for management of these remote computers (software deployment and security patches via WSUS, to name a couple).

So, if you don’t hear from me in the next few weeks, just check my Twitter feed (also conveniently located in the sidebar of this blog), drop me an email, or leave a comment. I’ve got a lot of work to do! Thanks again to Mark Moreno for making this a reality from a budget standpoint. I’ll update here as we progress with the implementation, and you can bet I’ll let you know if I hit any snafus specifically related to SonicWALL.

(6) Comments

Jason Lee on 19 April, 2008 at 3:42 pm #

Welcome to the family. It looks like we aren’t the only SonicWall poster child anymore… well, you’re the little brother at least.
Kudos to Mark.

David Szpunar on 20 April, 2008 at 12:19 am #

I’m trying not to be jealous that you’re getting an NSA 3500 before I am (maybe/hopefully) 🙂 But hey, better to have another person familiar with the system before me so I have a support network in place…just in case Mark Moreno and Jason Lee (and Jeremie Kilgore) are unavailable if I run into trouble!

I am so itching to play on a SonicWALL box to mess with the config at least 🙂

Congrats on the deal going through and I look forward to your status tweets and chats!

Justin on 21 April, 2008 at 10:20 am #

You can check out demos for the administration of pretty much all SonicWALL gear at this demo site.

Tsudohnimh on 22 April, 2008 at 9:45 am #

Allow me to be the voice of dissension: I’m sorry you have chosen Sonicwall. Watchguard has the best logging/reporting of any firewall I’ve ever seen and their application layer proxies are the most granular I’ve ever seen. Did you ask a WG sales engineer for a referral to a client? I’d be glad to visit with you. I’ve got several networks this large all running on WG. Nevertheless, best of luck to you.

Treading in to SonicWALL Waters» justin moore on 28 May, 2008 at 2:41 pm #

[…] previously mentioned, we’re switching away from a one-year old Watchguard Core x750e to SonicWALL NSA 3500 at my […]

spenser on 2 June, 2008 at 9:36 am #

Based upon this week’s experience with Watchguard business policies, you did well to have avoided them.

Ask a question like “do you have printed manuals” and that counts against your quota of a grand total of 3 allowed support incidents.

Ask them to configure your download account to make strong VPN encryption available: another deduction from your allowed quota, even when they refuse because they don’t know the new cryptography export regulations.

And don’t forget about the thousands of dollars annually in support fees to keep your LiveSecurity services running.

You can definitely tell they were recently acquired by a vulture capitalist.