Thanks for the info - looks like I may want to try this on a smaller scale first but your help is very much appreciated!
On Wed, 09 Mar 2011 11:04:47 -0500 Francois Gaudreault <[email protected]> wrote:
> Hi,
>
> Are your clients plugged into local manageable switches? Are they supported in PF? I don't know what will be the behavior of the VPN hub, but I'll give you some hints about what we usually do in routed networks. Are you using VLANs at your locations?
>
> Basically, you'll need to have your PF servers in your central location. In each remote site, you'll need to create a registration/isolation VLAN with proper subnetting. In those subnets, PacketFence will act as the DHCP and DNS server. The DHCP traffic for the registration and isolation will be forwarded to PacketFence using ip helper-address on the first level 3 interface that the traffic hits. Furthermore, if you want to have isolation capabilities, you must forward a copy of the production DHCP as well.
>
> For SNORT and Nessus, I don't see issues there. As long as your internet traffic goes out at your central location, you'll only need one probe.
>
> We did a lot of routed network deployments, so I don't see why it couldn't work.
>
> Let me know if you need more information.
>
>> Hi,
>>
>> New to this forum - looking at PF as a possible solution to my NAC needs for a number of remote offices. I have several remote offices that do not have IT staff and the computers are essentially unmanaged. These computers connect through site-to-site VPN tunnels to a central hub that has resources used by the remote offices (email, web proxy, etc). In some cases there are also resources behind the VPN routers at the remote offices that other remote offices have access to (PBX, file servers, etc).
>>
>> DHCP for the office computers is handled locally at each office by the router. Another possible complication is that the central server system is actually a VMware ESXi 4.x hypervisor-based system (one vm is the VPN hub, one is the web proxy, etc).
>>
>> What I would like to happen is if a computer from a remote office (call it site A) connects through the VPN tunnel to the central system (i.e. site B) the connection is intercepted by PF and a registration is required. I would also like the Nessus and Snort-type capabilities to be utilized and the registration/isolation VLANs to be on the central system so that any unregistered, unpatched, or mis-behaving systems don't get any farther than the VPN hub.
>>
>> Is this doable and does anyone have any examples on how they have done it?
>>
>> Thanks a bunch...
>>
> --
> Francois Gaudreault, ing. jr
> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

------------------------------------------------------------------------------
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
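The relay setup Francois describes (remote-site registration/isolation VLANs whose DHCP is forwarded to a central PacketFence server by `ip helper-address` on the first layer-3 interface, plus a forwarded copy of production DHCP) is modelled below as an added, offline example. It is not code from the thread or from the PacketFence project: the `PacketFenceDHCP` class is a hypothetical stand-in for the server's DHCP role, and every address, subnet and MAC is constructed. What it shows is the mechanism that makes a routed deployment work: the router writes its interface address into `giaddr` before unicasting the client's broadcast to each helper, and the server uses that `giaddr` to decide whether it must answer (registration or isolation subnet) or merely record the client (production subnet, where the site router remains the real DHCP server).

```python
"""Added example (not from the mailing-list thread or PacketFence itself):
an offline model of DHCP relay via ip helper-address into a central
PacketFence server. All addresses below are constructed for the demo."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
DISCOVER = 1
BOOTREQUEST = 1
# BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes)
HDR = "!BBBBIHH4s4s4s4s16s64s128s"


def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: giaddr 0.0.0.0, hops 0."""
    fixed = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DISCOVER, 255])


def parse(packet: bytes) -> dict:
    """Decode the fields the relay/server logic cares about."""
    f = struct.unpack(HDR, packet[:236])
    opts, i = {}, 240  # options start after the 4-byte magic cookie
    while i < len(packet) and packet[i] != 255:
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]],
            "msg_type": opts.get(OPT_MSG_TYPE, b"\0")[0]}


def relay(packet: bytes, interface_ip: str, helper_addresses: list) -> list:
    """Model of a router's 'ip helper-address': a DHCP broadcast seen on a
    layer-3 interface is unicast to every helper, with giaddr set to that
    interface's address (if not already set) and hops incremented."""
    buf = bytearray(packet)
    if buf[24:28] == b"\0" * 4:              # giaddr lives at offset 24
        buf[24:28] = ipaddress.IPv4Address(interface_ip).packed
    buf[3] += 1                              # hops
    return [(helper, bytes(buf)) for helper in helper_addresses]


class PacketFenceDHCP:
    """Hypothetical stand-in for PacketFence's DHCP role: the giaddr of a
    relayed request identifies the remote-site subnet the client sits in."""

    def __init__(self):
        self.roles = {}      # IPv4Network -> "registration"/"isolation"/"production"
        self.next_ip = {}    # IPv4Network -> next address to hand out
        self.observed = []   # MACs seen in the forwarded production DHCP copy

    def add_subnet(self, cidr: str, role: str) -> None:
        net = ipaddress.IPv4Network(cidr)
        self.roles[net] = role
        self.next_ip[net] = int(net.network_address) + 10  # constructed pool start

    def handle(self, packet: bytes):
        msg = parse(packet)
        # Only relayed DISCOVERs are answered: a giaddr of 0.0.0.0 means the
        # request never crossed a helper-configured layer-3 interface.
        if msg["op"] != BOOTREQUEST or msg["msg_type"] != DISCOVER \
                or msg["giaddr"] == "0.0.0.0":
            return None
        gi = ipaddress.IPv4Address(msg["giaddr"])
        mac = msg["chaddr"].hex(":")
        for net, role in self.roles.items():
            if gi in net:
                if role == "production":
                    # Production copy: the site router is the real DHCP server;
                    # PacketFence only records the client it has seen.
                    self.observed.append(mac)
                    return ("observe", mac)
                offered = ipaddress.IPv4Address(self.next_ip[net])
                self.next_ip[net] += 1
                return ("offer", role, str(offered), str(gi))
        return None  # giaddr not in any configured subnet


def demo() -> dict:
    """Three relayed DISCOVERs (one per VLAN role) and one unrelayed one."""
    mac = bytes.fromhex("001122334455")        # constructed client MAC
    pf = PacketFenceDHCP()
    pf.add_subnet("10.10.100.0/24", "registration")  # constructed site-A VLANs
    pf.add_subnet("10.10.200.0/24", "isolation")
    pf.add_subnet("10.10.10.0/24", "production")
    helpers = ["192.0.2.10"]                   # constructed central PF address
    results = {}
    for name, svi in (("registration", "10.10.100.1"),
                      ("isolation", "10.10.200.1"),
                      ("production", "10.10.10.1")):
        _dest, forwarded = relay(build_discover(mac, 0x1234), svi, helpers)[0]
        results[name] = pf.handle(forwarded)
    results["unrelayed"] = pf.handle(build_discover(mac, 0x1234))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The check worth carrying into a real deployment is the last case: a DISCOVER that arrives with `giaddr` 0.0.0.0 means the helper is missing on the first layer-3 hop, so PacketFence has no way to tell which site (and which VLAN role) the client belongs to.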
