Twingate vs Palo Alto VPN

Hello everyone. We currently use Citrix for users to access a shared desktop to do work. Over the last 4 years we have doubled in size (600+) and have found that the hardware needed to sustain our users is getting very demanding. We are thinking of moving a good amount of users to VPN so that they can use their firm provided laptops to do their daily work. We have a call with Twingate today as it looks very easy to setup and we like that it can integrate with Entra Id for user identity and crowdstrike to verify if someone can connect.

I know Palo Alto is a leader in this field from what I have read. To setup Palo Alto I know we would need to change out our firewall and configure it, although we may use an outside vendor to help us out with that.

I wanted to get your opinions from those who have used either one or both. Pros/Cons.

EDIT: One thing I forgot. How do you handle the VPN if users are in the office? We have 5 offices and one Datacenter. The offices are connected to the datacenter via SD-WAN. Can we still connect to the VPN if that's the case?

Thank you.

I find it interesting you are trying to solve a hardware capacity problem … with more hardware solutions (Palo). In 2024. You should look into what Cato Networks is doing, I’ve been deploying this for a lot of my customers to solve the exact issues you mention. They are also a leader in the same MQ you mention Palo for. It’s a totally cloud delivered solution that provides remote access (as well as SDWAN and a number of other security services). It shifts your entire connectivity model to a user-centric one so you don’t have to worry about how to handle VPN in office vs at home.

I cannot say much about the setup of Global Protect VPN, but my work uses it and we have it set as “Always on”; the only data that goes through it is company applications. But here is what I can answer. Yes, even with it always on, it connects for us both in the office and at home. When on the internal network at the office it says “You are on the internal Corporate Network”, whereas when on the VPN itself it says connected to domain when working from home.

Are you considering other options? I work on the open source ZTNA solution https://openziti.io/. If you don’t want to self-host, my company (NetFoundry) provides a managed SaaS version. It has integrations with Entra ID etc.

With respect to users in the office, you deploy endpoints to their devices, which provides high-performance, app-specific routing and connectivity. It doesn’t disrupt the SD-WAN, but over time you will probably realise you don’t need SD-WAN. If you have any local connections that’s no issue: deploy an OpenZiti/NF Edge Router (i.e., the data plane) to your local branch and route locally without breaking out to the internet.

I think there are a lot of decent solutions out there for this use case and the main differentiators are usually addressed in the “What else do you need?” question.

Cato Networks is solid. Easy, secure, high performing (specifically optimizing TCP-based traffic like SMB) and great visibility. You can implement your ZTNA strategy as well if that’s the direction you’re going, because it’s built into the platform natively. You have options to include a host of other “SASE” services (full inline advanced threat, etc.), but you can also keep it simple and fix just this use case. In bake-offs, it tends to outperform (throughput) most other solutions due to the TCP acceleration that’s baked in. Context is important though, so I can’t say it beats everyone else in every scenario.

Cloudflare has a pretty simple solution, but it’s also pretty rudimentary at this time. It’s not fully app aware yet. If you wanted to allow SMB or other protocols, then you’re really taking a legacy L3/L4 approach to defining them. Performs well, though, from a throughput standpoint. If you need inline security, you’ll have to find another solution or put a firewall between their connector(s) and the resources users need to reach.

Palo PRISMA Access is decent. Not the highest performing, particularly if you want to incorporate inline security controls at some point down the road. I think it’s because of how their inspection services are asymmetrically distributed throughout their cloud. It works, but isn’t the easiest to deploy, IMO.

Netskope & Zscaler both have “private access” solutions, but no inline security really available.

All the above are more modern-day, cloud-native or cloud-oriented solutions which I think is worth a consideration so you’re not revisiting the capacity topic again anytime soon.

If I may ask, are you connecting to any file shares through the VPN or using any applications that connect back to a file share? If so, how is the speed of opening/saving files? Are you running any Excel macros or using any applications that connect to a SQL database?

Great info, thank you.

I personally don’t, but others do. It is a bit slower than in the office, but that also depends on the speed of the person's wifi. For example, if someone has 1G internet they may feel a bit of delay, but if someone has 500MB internet they will have a longer delay. The delay comes from the communication speed. So connection speeds will vary based on distance from where they are connecting and their internet speed. But we haven’t had complaints about speed; the only complaints we had are that sometimes, if the PC is off for a long period of time (like months at a time, because the person uses a desktop and has a laptop just for WFH in emergencies), the VPN doesn’t work, and that is usually fixed by reinstalling it to the latest version.

To add, my work does a split tunnel, so only work applications like network files and our on-prem ERP are running through it. All internet traffic not needed on prem goes through the ISP to the internet.
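Two mechanics come up repeatedly in this thread: the client deciding it is already on the internal corporate network (so it does not need to tunnel when someone is in an SD-WAN-connected office), and a split tunnel that sends only on-prem destinations (file shares, ERP) through the VPN while everything else goes straight out the ISP. The following is an added illustration written for this thread, not code from any commenter, Twingate, Palo Alto or any other vendor named here. It models both decisions in plain Python: trusted-network detection by resolving an internal probe hostname through an injected resolver, and a longest-prefix-match routing policy. Every prefix, hostname and IP in it is a constructed, assumed value, not a real deployment. One point worth keeping in mind when reading it: anything the policy sends direct bypasses whatever inline inspection sits behind the VPN, which is the trade-off several replies above allude to when they mention inline security.

```python
"""Model of split-tunnel routing and trusted-network detection.

Added example for this thread; not vendor code. All addresses are
constructed/assumed values for illustration only.
"""
import ipaddress

TUNNEL = "tunnel"   # send through the VPN
DIRECT = "direct"   # send straight out the local ISP / LAN

# Assumed split-tunnel policy (constructed, not a real deployment).
# More specific prefixes override broader ones (longest prefix wins).
POLICY = [
    ("10.0.0.0/8", TUNNEL),       # datacenter + branch LAN ranges
    ("10.99.0.0/16", DIRECT),     # assumed guest wifi range, never tunneled
    ("172.16.20.0/24", TUNNEL),   # assumed file servers (SMB)
    ("172.16.30.0/24", TUNNEL),   # assumed on-prem ERP
    ("192.0.2.0/24", DIRECT),     # documentation range, stands in for SaaS
]


def compile_policy(policy=POLICY):
    """Turn (prefix, action) strings into ip_network objects once."""
    return [(ipaddress.ip_network(prefix), action) for prefix, action in policy]


def route_decision(dst, policy=None):
    """Longest-prefix match against the split-tunnel policy.

    Destinations matching no prefix default to DIRECT, which is what
    'split tunnel' means: only listed work networks ride the VPN.
    """
    policy = compile_policy() if policy is None else policy
    addr = ipaddress.ip_address(dst)
    best = None
    for net, action in policy:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else DIRECT


def on_trusted_network(resolve, probe_host, expected_ip):
    """Assumed 'internal corporate network' check.

    The client resolves a hostname that only the internal DNS knows
    (probe_host) and treats the network as trusted only if the answer
    is the expected internal address. `resolve` is injected so the
    check can run offline; in practice it would be a DNS lookup.
    A matching answer from the open internet is the failure mode this
    guards against: a missing or different answer means 'not trusted'.
    """
    try:
        answer = resolve(probe_host)
    except Exception:  # DNS failure counts as untrusted
        return False
    if answer is None:
        return False
    return ipaddress.ip_address(answer) == ipaddress.ip_address(expected_ip)


def plan(resolve, destinations, probe_host="probe.corp.example",
         expected_ip="10.0.0.53"):
    """Return {destination: path} for one client session.

    On a trusted (office) network everything goes DIRECT over the LAN /
    SD-WAN; elsewhere each destination is routed by the split-tunnel policy.
    """
    if on_trusted_network(resolve, probe_host, expected_ip):
        return {d: DIRECT for d in destinations}
    return {d: route_decision(d) for d in destinations}


# Constructed resolvers standing in for internal DNS vs. a home ISP resolver.
def office_resolver(hostname):
    return {"probe.corp.example": "10.0.0.53"}.get(hostname)


def home_resolver(hostname):
    return None  # internal names do not resolve from a home network


if __name__ == "__main__":
    targets = ["172.16.30.7", "10.99.5.5", "192.0.2.10", "203.0.113.9"]
    print("office:", plan(office_resolver, targets))
    print("home:  ", plan(home_resolver, targets))
```

Running it prints the per-destination path for an office session (everything direct, because the probe resolved to the expected internal address) and for a home session (ERP and datacenter ranges tunneled, the guest range and public addresses direct). The DNS-probe approach is one assumed way to detect the trusted network; a real client would typically combine it with other signals, and a bare "is my local address RFC 1918?" test is deliberately not used here because any home router would satisfy it.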