Tuesday, February 21, 2006

Symantec Firewall & VPN

We looked over a bunch of different firewall & VPN solutions during the fall of 2004. We settled on the Symantec 5420 & 4420 because they seemed to fit our needs & our budget well. We could put the 5420 firewall in place & then install a 4420 SSL VPN early in the following fiscal year. Symantec promised that in the third quarter of 2005, we could put the two devices together & have redundancy. A big cost savings would be only having to license users concurrently through each device once - not on both devices - for the service they used. I needed 100 firewall licenses outbound & 150 VPN licenses inbound.

We started by installing the 5420 Firewall (FW). An added bonus was FINALLY changing our Internal IP addressing scheme from a routable range to a proper, non-routable range, something I'd wanted to do from the day I walked in the door. (The horrors we inherit!) The project went well. The firewall wasn't particularly straightforward, but it wasn't terrible. At least it worked fine, although I had to buy 50 more licenses since there is no refresh built in. Any IP address sending out through the firewall uses a license. If it changes IP addresses, it uses another. The only way to refresh is to reboot the box. There is no testing to make sure a connection is still being used.

We installed the 4420 SSL VPN into our system in the spring of 2005 & it was a nightmare. We had to change our Internal IP configuration to allow room for the VPN DHCP clients - not a huge deal, but I wasn't happy that our VAR didn't explain & allow for this during the FW installation. All along they'd planned for us to use the layer 3 tunnel & this was a known requirement.
SSL VPNs can be tough to configure sometimes, but our setup is pretty standard. Microsoft did throw a wrench into the works last year when they 'secured' Exchange, Outlook, Outlook Web Access & Server 2003, so I forgave some issues due to this. Besides that, I needed file links to the Novell servers & some simple HTTP links, all of which worked fine.

The initial plan of using a layer 3 tunnel changed to individual tunnels for each service due to a flaw in the OS. While initially a problem, I'm actually glad this happened since there were no firewall services built into the VPN's OS at that time & I don't have enough control over the remote PCs, so this plugged a big security hole that I'd worried about - although no one else seemed bothered by this.

During this time, the poor performance on the VPN was thought to be a hardware problem. We RMA'd the box. The replacement worked fine for half a day & then locked up. It had a hardware problem. So we were forced to RMA the replacement box.

I had the impression my problems were the first time the techs had ever seen them. We spent a lot of time working directly through level 2 support & the developers. What is a piddling little company like mine doing on the bleeding edge? It's not a spot I want to be in. I don't have the resources to exist there.

We limped along on the original box for almost 4 months. It was a time of constant frustration for me & all my users. The box worked - mostly - but at the price of constant reboots & reconfigurations. There was an annoying bug in the file browser that didn't let some users, sometimes, see all the files in some directories. Almost impossible to reproduce, development finally fixed this bug in September 2005 by replacing the ActiveX component. They kept it pretty secret, though. There was no mention that the hot fix this came in would fix that problem.

In the end, it basically came down to flaws in the OS making the box too limited for us. We finally got everything resolved by Symantec upgrading the 4420 to a 4460 in Aug05 for free. Unfortunately, the first 4460 that arrived didn't work. Again, we had to replace the replacement!

I was concerned that the difference between the xx20 & xx60 boxes would be a problem when we put them into High Availability/Load Balancing (HA/LB) mode as planned later in the year. I was assured by the VAR & Symantec that it wouldn’t be a problem since we could put the same OS on both & set them in an active-passive mode. We would primarily use the x460 & the x420 would handle overflow or everything, only if the x460 was down. This would also keep to the plan of licensing one box for both FW & VPN.

SGS 3, the OS that would make both boxes do both jobs, came out in September 2005. Since my support on the 5420 Firewall ended in November 2005, I needed to get the upgrade done quickly. I really didn't want to. If you've followed the story so far, you'll know that September was the first month when everything was finally working. But, it was part of our original plan & not having redundancy in the system is worrisome. So we decided to go for it.

----------------- to be continued --------------
