If you are building a new User-VPN (aka SSL VPN or Client-to-Site VPN) solution, or re-architecting an existing one, you should consider at least the following design ingredients:

  • Built on OpenVPN® and is compatible with all OpenVPN® client software
  • Provide certificate based SSL VPN user authentication
  • LDAP/AD Integration
  • Support for multi-factor authentication (MFA) methods such as Google, DUO, Okta, SAML and LDAP
  • You should also be able to combine various authentication and authorization components to add an extra level of security to the interaction. For instance, the solution first authenticates against a corporate LDAP entity and then consults DUO for MFA
  • Authenticate a VPN user directly from the VPN client to any IDP via the SAML protocol. The SAML protocol and a client with SAML support must be a key requirement
  • Supports external PKI for OpenVPN Certificates
  • The solution must provide Profile Based Access Control so that, beyond the authentication and authorization discussed above, access rights can also be controlled at the IP address, CIDR or subnet level (aka Profile Based Network Segmentation)

The Aviatrix solution has all of the above-mentioned design ingredients. On top of that, it has features such as Geo-Location based connectivity to the closest VPN GW (or Concentrator), with support for both TCP and UDP based load-balancing.

Look at this Clara customer case study (Clara is part of SoFi now) for reference:

https://www.aviatrix.com/customers/case-study-clara.php
