  1. #1
    Untangler (joined Aug 2009, 62 posts)

    Desperate to Use Untangle for Offsite Cloud Filtering

    There are other cloud filtering solutions that schools are flocking to in order to provide service to 1:1 devices outside of the school building.

    I am desperate to find a way to do this with my existing Untangle appliance.

    The current suggestion is to use OpenVPN. That is unfeasible due to the stability and management nightmare with over 700 devices.

    I have talked to Untangle representatives before about this, but my feature request would be for a cloud extension of existing appliances. The best example I can provide is iBoss. They are now entirely cloud based, but they did have many customers with physical appliances. In order to provide those customers with the same cloud advantages, they offered a way to use their existing subscriptions with their cloud services, which in turn provided a centralized dashboard to manage everything.

    I know that type of a product takes an enormous amount of work, but Untangle is already doing an amazing job with their current cloud integrations (i.e. ScoutIQ, Command Center). An iOS/Chromebook/Windows extension/app/profile that would seamlessly integrate with the on-prem appliance would be invaluable!

    Two of the three K-12 schools that I work with are moving to 1:1 in a matter of a few months, and unfortunately are looking for alternatives to Untangle because of the need to filter the devices offsite. I do not mention that with any malicious intent, but I do need to be honest about what is happening because of the past few months.

    Any thoughts? Ideas? I am brainstorming a way to build my own "DNS filter" running on an on-site VM that would pass through the Untangle appliance.

  2. #2
    sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 25,056 posts)


    OpenVPN has its limits, sure...

    But why not just use L2TP? You can use group policy, or inTune to configure the VPN endpoints if they're Windows based. There are similar tools for other platforms.

    Authentication is handled via RADIUS, which while you'd have to operate that service somewhere, could be aimed at any number of different authentication systems.

    I reject the notion that OpenVPN cannot be used, but yes... you'll have to wrap up that 3rd party client with some automation to support it. You sidestep all of that by using L2TP, and it's in the IPSec module... right now... What's stopping you?

    By the way InTune + OpenVPN means dynamically upgrading VPN end points... You have the technology to do the cloud thing yourself, you could host an Untangle instance in Azure and become your own cloud provider... You have the tools!

    Now, Untangle v16.0 is going to bring with it a new WireGuard module... I cannot wait for that one because a cloud Untangle running WireGuard with inTune published soft clients is going to be KILLER! Especially in the education space. And you don't need a shiny "dashboard" to realize it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler (joined Aug 2009, 62 posts)


    Thank you for your reply. Don't get me wrong, I use OpenVPN in Untangle all the time for remote access into my network. I love it for that! However, manually managing that many clients would be exhausting and not practical!

    I did ask about using IPSEC when I first started this project. The representatives I talked to immediately discouraged it due to stability concerns. It is no problem for me to authenticate via RADIUS to my domain controller, however I need to find a way to make this as seamless and invisible as possible.

    Interesting idea with spinning up an Azure instance, however that would require the purchase of an additional subscription, which I absolutely cannot do.

    Could you please provide some details about "InTune published soft clients"? The devices I need to protect are a combination of iPads and Windows 10 Education laptops that will indeed be managed by InTune.

  4. #4
    sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 25,056 posts)


    Hmm...

    Well if you're going with InTune... then why not slap a Windows Server behind a cloud hosted Untangle and fire up SSTP? This path doesn't require 3rd party VPN software at all.

    There are some issues with Untangle's IPSec module... and at your scale you'll probably want the convenience of Microsoft's solid integration. What you're looking to configure is the "Always on VPN" which is one of the many hardware profiles you can configure via inTune.

    You get what Untangle is good at, along with sidestepping its relatively weak VPN functionality for a far more complete solution. SSTP runs over TCP 443 as well, so there are far fewer client connectivity issues relative to L2TP or PPTP. All it costs you is an SSL certificate... but even that can be defrayed with LetsEncrypt.

    The same server can offer L2TP for mobile devices... I don't think there's an SSTP client for iPad. But the L2TP client on the iPad is stable, so you can just use that protocol for those devices. Both of which are just inTune profiles to apply.

  5. #5
    Untangler (joined Aug 2009, 62 posts)


    Hmmm... intriguing idea!

    I will have to do this all on-prem, since I have been officially banned from spending any money on this. So that means nothing cloud hosted. Fortunately this school will soon have a 1GB fiber connection, so that will help.

    I have Server 2016 licenses available, and will research SSTP using LetsEncrypt. I could theoretically have the internal NIC of this VM on a dedicated VLAN in order to restrict this traffic from touching the rest of my network.

    One additional question: I am very new to Intune; is there a way to only enable this VPN when these devices are off campus? I don't want to consume my bandwidth via a VPN loop.

  6. #6
    sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 25,056 posts)


    You control that in the VPN server itself, but I think it's also represented in the inTune profile. There are rules to handle all of that in both places.

    You'll have to forgive me, because I don't have access to inTune myself to confirm all this. I've built networks based on this tech, but for some reason Microsoft didn't make inTune part of their Action Pack. So once the consulting bit I did ended, I lost access. None of my regular managed service clients have moved past Microsoft 365 Business Standard, so I don't have those tools available to me to look at, and in this case that matters a ton because Microsoft is making improvements to inTune on a weekly basis. I haven't been in that admin panel in six months, so I'm certain my remembrance of how it all actually looks is quite stale.

    So I can talk about this in theoretical terms, but I can't give you specifics. It sounds like you have the tools you need to make a solid go of it already though.
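The "only off campus" behaviour asked about in post #5 is expressed in the Intune (VPNv2 CSP) profile itself through trusted network detection. The script below is an added example, not code from the thread, Untangle or Microsoft; it builds the Always On VPN ProfileXML for the SSTP-behind-Untangle design from post #4. The server name, DNS suffix, profile name and test connection name are constructed placeholders.

```powershell
# Added example (not from the thread): Always On VPN ProfileXML for an SSTP
# server sitting behind an on-prem Untangle appliance, built for deployment
# through an Intune custom (OMA-URI) configuration profile.
$ProfileName = 'School-AlwaysOnVPN'    # assumption: Intune profile name
$VpnServer   = 'vpn.school.example'    # assumption: name on the SSTP TLS certificate
$CampusDns   = 'ad.school.example'     # assumption: DNS suffix handed out only on campus

# TrustedNetworkDetection: when an active adapter carries this connection-specific
# DNS suffix, Windows treats the device as on the trusted network and does not
# start the always-on tunnel, so on-campus devices do not loop out through the
# VPN and back in. Off campus the suffix is absent and the tunnel comes up.
# ForceTunnel sends all traffic through the tunnel so the Untangle appliance
# behind the VPN server sees and filters every request.
$ProfileXml = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>$CampusDns</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>Sstp</NativeProtocolType>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <!-- Placeholder: paste the EapHostConfig XML exported from a working
               test connection, e.g. (Get-VpnConnection -Name 'Test').EapConfigXmlStream.InnerXml -->
        </Configuration>
      </Eap>
    </Authentication>
  </NativeProfile>
</VPNProfile>
"@

# The VPNv2 CSP expects the profile as an XML-escaped string. In Intune, create a
# custom device configuration profile with this OMA-URI, data type String, and
# the escaped XML as the value.
$OmaUri  = "./User/Vendor/MSFT/VPNv2/$ProfileName/ProfileXML"
$Escaped = [System.Security.SecurityElement]::Escape($ProfileXml)

Set-Content -Path ".\$ProfileName.oma-uri.txt" -Value $OmaUri
Set-Content -Path ".\$ProfileName.profilexml.escaped.txt" -Value $Escaped
Write-Output "OMA-URI for the Intune custom profile: $OmaUri"
```

Trusted network detection keys only on the DNS suffix an adapter reports, so treat it as loop avoidance rather than a security boundary; the filtering policy itself still lives on the Untangle appliance behind the VPN server.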

  7. #7
    Untangler (joined Aug 2009, 62 posts)


    You are correct, InTune has changed/improved considerably in the past six months, especially for education tenants! It is honestly quite overwhelming!

    Managing the VPN connection via the InTune profile will probably be the best way to go, especially if this is going to be an "always on" VPN connection.

    I still prefer a solution like what Securly, iBoss, GoGuardian provide for this situation, especially since VPN stability is a main concern of mine with this idea. I will be 110% onboard if Untangle can provide a cloud extension solution like that for schools that would make offsite filtering much more feasible. I recommend their NG Complete package to every school that I have worked at, and have installed many appliances myself. My stories about their incredible product are many, and I was even interviewed for one of their case studies.

    So obviously I have a strong loyalty to Untangle, and want to stay with them if at all possible. The infrastructure of this larger school will make this VPN idea a possibility, however I have two smaller schools where this will just not work at all, unfortunately.

    However, I will work on this and will definitely report back what happens.

    Thank you, sky-knight, for your help and insight!

  8. #8
    Untangler (joined Aug 2009, 62 posts)


    UPDATE

    This school ended up purchasing cloud DNS filtering via one of the companies I mentioned in a previous post. I didn't have a chance to try my VPN idea, but the more I thought through it, the more of a potential problem it became, especially with up to 1000 devices.

    So my request still stands: for a cloud based DNS filtering extension of an existing on-prem appliance. This may not be useful for many of Untangle's clients, but for schools needing 1:1 filtering offsite, it would be invaluable.

  9. #9
    Newbie (joined Jun 2020, 1 post)


    As a potential customer, the ease of offsite filtering is one of my criteria for purchasing. Thank you all for your suggestions and experiences.

  10. #10
    sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 25,056 posts)


    DNS Filters in an age of DNS Sec overrides...
