Hi,

Are your clients plugged into local manageable switches?  Are they 
supported in PF? I don't know what will be the behavior of the VPN hub, 
but I'll give you some hints about what we usually do in routed 
networks.  Are you using VLANs at your locations?

Basically, you'll need to have your PF servers in your central 
location.  In each remote site, you'll need to create a 
registration/isolation VLAN with proper subnetting.  In those subnets, 
PacketFence will act as the DHCP and DNS server.  The DHCP traffic for 
the registration and isolation will be forwarded to PacketFence using ip 
helper-address on the first level 3 interface that the traffic hits.  
Furthermore, if you want to have isolation capabilities, you must 
forward a copy of the production DHCP as well.

For SNORT and Nessus, I don't see issues there.  As long as your 
internet traffic goes out at your central location, you'll only need one 
probe.

We did a lot of routed network deployments, so I don't see why it 
couldn't work.

Let me know if you need more information.
> Hi,
>
> New to this forum - looking at PF as a possible solution to my NAC
> needs for a number of remote offices. I have several remote offices
> that do not have IT staff and the computers are essentially
> unmanaged. These computers connect through site-to-site VPN tunnels
> to a central hub that has resources used by the remote offices
> (email, web proxy, etc). In some cases there are also resources
> behind the VPN routers at the remote offices that other remote
> offices have access to (PBX, file servers, etc).
>
> DHCP for the office computers is handled locally at each office by
> the router. Another possible complication is that the central
> server system is actually a VMware ESXi 4.x hypervisor-based system
> (one vm is the VPN hub, one is the web proxy, etc).
>
> What I would like to happen is if a computer from a remote office
> (call it site A) connects through the VPN tunnel to the central
> system (i.e. site B) the connection is intercepted by PF and a
> registration is required. I would also like the Nessus and Snort-
> type capabilities to be utilized and the registration/isolation
> VLANs to be on the central system so that any unregistered,
> unpatched, or mis-behaving systems don't get any farther than the
> VPN hub.
>
> Is this doable and does anyone have any examples on how they have
> done it?
>
> Thanks a bunch...
>
-- 
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
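As an added illustration of the per-site relay setup described in the reply above (this is not from the original thread or from the PacketFence project), here is what the first layer-3 hop at a remote site could look like on a Cisco IOS switch or router. The VLAN IDs, the subnets, the production DHCP server 192.168.10.2 and the PacketFence address 10.0.0.10 at the central site are all assumed values; the VPN routing between sites is assumed to already be in place.

```cisco
! Remote site: registration VLAN, relayed to PacketFence at the hub.
! PacketFence answers DHCP and DNS for this subnet (assumed 10.0.0.10).
interface Vlan2
 description PacketFence registration VLAN
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.0.0.10
!
! Remote site: isolation VLAN, also served by PacketFence.
interface Vlan3
 description PacketFence isolation VLAN
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 10.0.0.10
!
! Production VLAN: keep the local/production DHCP server, and add
! PacketFence as a second helper so it receives a copy of every
! production DHCP broadcast (needed for it to track and isolate clients).
interface Vlan10
 description Production VLAN
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.10.2
 ip helper-address 10.0.0.10
```

With two helper addresses on the production SVI, IOS forwards each DHCP broadcast to both servers; only the production server should actually lease addresses there, so the PacketFence side must be configured to listen but not serve that subnet.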
