Jun
03
Filed Under (Geekspeak, Work) by Justin on 2008-06-03

If you’ve been following all my posts about SonicWALL, you know that I’ve purchased a ton of gear to construct a nice, widespread VPN. This network consists of the SonicWALL NSA 3500 at my corporate office and a TZ150 at 20 of our remote offices.

Today, I began production deployment to remotes and I have to say, am absolutely, 100% satisfied with the SonicWALL VPN solution. It really is a thing of beauty and it “just works” like you would hope and expect. I’ve had a TZ150 at my house for about a week and I can move my laptop from the office to my coffee table at home, and aside from the latency browsing network shares and such, I still feel like I’m physically connected to the Corporate LAN.

I’ve struggled for the past 12-18 months with deploying our Aastra 9112i VoIP telephones to branch offices for a number of reasons, but primarily because of all the NAT problems associated with SIP packets. The other nagging issue was provisioning and maintaining updates to all these phones once in the field. All the config files and firmware for the Aastras reside on the Asterisk server at the Corporate HQ and are accessed via TFTP and I wasn’t really keen on opening up that port to the entire world. The VPN solves all of these problems! I did the initial provisioning by plugging the phone in to my VOIP LAN at Corporate. The phone pulled down it’s config (which now contains ONLY the internal addresses in the config file) and the latest firmware update as well. Once that was complete, the phone rebooted and I made a successful test call. I took the phone home with me last night, plugged it in to my home network which has that VPN tunnel to Corporate already up, and the phone linked up to Asterisk right away with no additional finagling. Color me impressed!

So now I only have 19 more devices to deploy over the next several weeks and our IT infrastructure will certainly be exponentially more secure than it was a week ago. The VPN is something that has been needed for a while, but funding it was always an issue. Considering the nature of our business, all the personal information we deal with associated with that, and the rising rate of identity theft, we finally realized the time was right and the risk too great to continue operating the way we were any longer. I’ll continue to post updates as the deployment progresses.

(8) Comments    Read More   

Comments

Ian Beyer on 3 June, 2008 at 10:55 am #

I agree – SonicWall hardware VPN is rock solid. I wish I could say the same for the software VPN, which sucks big green hairy chunks through a silly straw.


Justin on 3 June, 2008 at 11:00 am #

Yeah, the hardware solution is so good that I keep joking that I’d just about rather carry around a TZ190W with an aircard that have to use the software VPN client.


Brian Slezak on 13 June, 2008 at 11:07 am #

Well, I’m sorry I was right about the software VPN when we tweeted about that last month. I would rather have heard it works great for you and we needed to fix something. Grr.


Renato on 2 July, 2008 at 8:47 am #

Nice blog Justin. I’m actually looking to do the same at our infrastructure, we already own TZ170s at our 18 remote offices and a PRO3060 at our HQ. But I’m unsure on the hardware to use with that. What VoIP hardware did you use to roll out VoIP successfully?


Justin on 5 July, 2008 at 9:19 am #

Renato,

We have a “vanilla” Asterisk system – totally built and hand-configured by me. The base system is CentOS 4.6 and Asterisk and all other associated packages are installed on top of that. We’re using a Sangoma A101 for connecting the server to our voice T1/PRI and are using Aastra SIP endpoints everywhere. It’s a mixture of Aastra 480i, 9133i, and 9112i phones.

As I mentioned in the post, initial provisioning is done by plugging in at HQ so the phone finds the TFTP server through DHCP option 66.

We actually have two totally seperate physical networks at my Corporate office for regular data and VoIP. The VPN tunnels are setup so that the branch offices have access to both networks. Then, once the phones are in at the remote, they “just work” like you’d expect. They’ll even pull down new firmware and configuration updates nightly.


justin moore » Blog Archive » Halfway Mark on 9 July, 2008 at 1:00 am #

[…] officially crossed the halfway mark in the big SonicWALL deployment of 2008. Ten of the 19 endpoints are in place and working absolutely beautifully. We are deploying […]


Renato on 9 July, 2008 at 4:04 pm #

So, each location has a separate VPN for data and voice as well, correct? I know you said the phones are on a separate subnet/VLAN, but are all the phones (including branches’) on that same subnet?


Renato on 9 July, 2008 at 4:22 pm #

Also, what is your backup plan when the Internet connection goes out at the branch?


Post a Comment
Name:
Email:
Website:
Comments: