Untangle disapointment no ipsec or HA.

[sky-knight]

If you think VMWare is that expensive...

Well you need to call me because I'm telling you point blank it's wrong, and if someone ripped you for that much send some money my way.

Besides, if you need Untangle to be that fool proof do you have redundant internet connections? Do you have a router that manages them properly? The best deployment option on that scale is just to wrap the Untangle with the Cisco that's at the edge anyway.

[dell4242]

Ok how much would it cost for a decent san, vmware licenses, multiple nics, and hbas?
On a new build.
You're looking at 12k in vmware licenses if you just need vmware and Ha. around 5k for the servers Usually with multiple nics.
Software licenses for the servers.
Implementation costs.
Fibre channel or infinband switches, ethernet switches for your storage fabric.
A san.
It adds up on a new implementation.

I'd love to hear your thoughts on how much a new clustered vmware build out costs.

If you think VMWare is that expensive...

Well you need to call me because I'm telling you point blank it's wrong, and if someone ripped you for that much send some money my way.

Besides, if you need Untangle to be that fool proof do you have redundant internet connections? Do you have a router that manages them properly? The best deployment option on that scale is just to wrap the Untangle with the Cisco that's at the edge anyway.

[dell4242]

Besides, if you need Untangle to be that fool proof do you have redundant internet connections? Do you have a router that manages them properly? The best deployment option on that scale is just to wrap the Untangle with the Cisco that's at the edge anyway.

Yes all of our clients require multiple isps. Depending on size of the client solutions vary. Some clients are happy with route tracking, dns monitoring, and no edge. Other clients need bgp on the edge with multiple routers for different carriers.
I work with financial companies that don't accept downtime.

[far182]

Vmware is wonderful and we have it implemented at several clients, but it's not the ha solution for us and untangle. Qos is crap under virtualization.

I believe that untangle doesn't want IPSec because of the support calls. They say that already, openvpn is accounting for the majority of their support calls. Which frankly amazes me, but I believe them.

Did you know that their openvpn implementation is hub and spoke only? As in site A is the hub, and site b and site c can only VPN into site a. If site c needs to talk to site b, it has to go through site a. Bet that will bake your noodle!

All in all, Untangle is my favorite.

[dell4242]

Vmware is wonderful and we have it implemented at several clients, but it's not the ha solution for us and untangle. Qos is crap under virtualization.

I believe that untangle doesn't want IPSec because of the support calls. They say that already, openvpn is accounting for the majority of their support calls. Which frankly amazes me, but I believe them.

Did you know that their openvpn implementation is hub and spoke only? As in site A is the hub, and site b and site c can only VPN into site a. If site c needs to talk to site b, it has to go through site a. Bet that will bake your noodle!

All in all, Untangle is my favorite.

Yup pretty much everything I build now on the server side is esx or esxi, with vsphere.
Esxi free is really great for dr environments, where you can run have several servers running on a freely licensed box, and application clustering. Have played around with virtual box and zen server too. But my preference is vmware.
That said the implementation costs for a full blown vmware infrastructure aren't cheap. When you add up the san, and networking costs it really adds up. 10gb is even more onerous. You need a san for vmotion and drs. Proprietary sans aren't cheap. And as mentioned previously I wouldn't chance my vmware infrastructure for security reasons. Sure you can pause machines on nfs shares, but that's for sissies.

The hub spoke design sounds like a feature .
Do the vpns fall back to backup interfaces if the primary is down? Can you just hack the config file.

To be honest I'm afraid of any vpn that doesn't have a command line. Cross platform vpns are usually a nightmare... I understand why they don't want those calls. But why not make it a free unsupported mega beta app (that works if you know what you are doing). I'd use it.

[sky-knight]

Dell... given what you've indicated, vs the requirements you've posted all over the place.

Untangle isn't the solution for you, and I may humbly suggest it never will be. This is a SMB product, and everything you're talking about is small scale enterprise or larger. You simply don't do the kinds of things you're doing with a UTM like this. Untangle can be part of the over all scheme. But it's integrated by placing it in router mode hanging off the edge router, and your edge router is only routing specific sessions through it so you can use the nice cheap content filters. Anything else, given the stuff you've posted, simply won't work.

And I have entry level VMWare clusters with 3x blades, 3x SANs, and appropriate network equipment starting at ~10,000. That's 3 sans, 3 blades, and the VMWare licenses. I'm sorry you haven't bothered to call VMWare and look into what they really carry. If I could just get those nuts to sell me essentials for 1 cpu on 1 server I'd be happy, and selling it everywhere to cover everything. As it is I have to install trials all over the place, it's almost as if VMWare doesn't want the money.

P.S. OpenVPN in Untangle is limited to the primary WAN interface only, so no with the failover options and whatnot if you lose a primary link you're still down.

[dell4242]

Dell... given what you've indicated, vs the requirements you've posted all over the place.

Untangle isn't the solution for you, and I may humbly suggest it never will be. This is a SMB product, and everything you're talking about is small scale enterprise or larger. You simply don't do the kinds of things you're doing with a UTM like this. Untangle can be part of the over all scheme. But it's integrated by placing it in router mode hanging off the edge router, and your edge router is only routing specific sessions through it so you can use the nice cheap content filters. Anything else, given the stuff you've posted, simply won't work.

And I have entry level VMWare clusters with 3x blades, 3x SANs, and appropriate network equipment starting at ~10,000. That's 3 sans, 3 blades, and the VMWare licenses. I'm sorry you haven't bothered to call VMWare and look into what they really carry. If I could just get those nuts to sell me essentials for 1 cpu on 1 server I'd be happy, and selling it everywhere to cover everything. As it is I have to install trials all over the place, it's almost as if VMWare doesn't want the money.

P.S. OpenVPN in Untangle is limited to the primary WAN interface only, so no with the failover options and whatnot if you lose a primary link you're still down.

What type of sans are you using? Blades at the price? Are those supermicro?
I'm really curious here... 3x sans? what vendor?
I mostly use emc and netapp, some equallalogic if the client prefers.

I've built my own sans for home use, and it's hard to build 3 of them for 10k.
Are you talking about iscsi?
Do you charge for implementation?
I've worked with vmware alot... I've installed a lot of environments.
The esentials kit doesn't include high availability. the essentials plus does. In general we implement the advanced acceleration kit, for lower end costumers.

[dell4242]

Dell... given what you've indicated, vs the requirements you've posted all over the place.

Untangle isn't the solution for you, and I may humbly suggest it never will be. This is a SMB product, and everything you're talking about is small scale enterprise or larger. You simply don't do the kinds of things you're doing with a UTM like this. Untangle can be part of the over all scheme. But it's integrated by placing it in router mode hanging off the edge router, and your edge router is only routing specific sessions through it so you can use the nice cheap content filters. Anything else, given the stuff you've posted, simply won't work.

To be honest where I see this fitting is for remote users at home, who want these kind of content filters, want the ability to vpn back to their home office. My requirements aren't all over the place. I want these two features.
You asked about the type of environments I support professionally and I told you. putting this in as a transparent bridge (err router), might make sense I believe I mentioned this previously as an example of how other users are approaching this. If you want me to go away because I make you uncomfortable that's fine, you obviously don't care for my opinion, but I'm no idiot, and I do this stuff professionaly. If I did more small business installs, this is what I'd ask for. This is what untangle costumers have been asking for for years.
I might try to hack it on the side, and I'm curious why it has been put off, and why it's technically dificult.
Then again it's probably more convienient for you to treat me like a troll...

[sky-knight]

The blades are white boxes, single CPU units, but powerful enough for smaller deployments. The SANS are qnap units, nothing special, yes it's iSCSI, and yes you have to be darn careful with it or it gets really slow.

And you don't really need HA, you just need VMotion, it's fast enough.

And I'm treating you like a troll because you asked for it. You came out of nowhere, and started marching around demanding things you had no idea about. Spare those of us that have spent years working on this project fighting to help it grow and become profitable so we can get the toys we want.

Oh, and in all that time how many of my clients have asked for IPSec? That would be... oh...NONE. If you're large enough for multiple sites and have need of that sort of thing Untangle probably isn't the best product for you. You'd have to be a master at the thing to tweak it the 1000 ways necessary to make it stable.

Finally, if you've ever deployed OpenVPN successfully you'll run screaming away from IPSec faster than you can blink. Yes it's THAT much better. IPSec is just garbage, just because everyone uses it doesn't make it better. Sure the ability to terminate an IPSec tunnel would be nice, but it's not a trivial thing to add.

Many in this community have tried, and each of them have failed.

[dell4242]

Dell... given what you've indicated, vs the requirements you've posted all over the place.

Untangle isn't the solution for you, and I may humbly suggest it never will be. This is a SMB product, and everything you're talking about is small scale enterprise or larger. You simply don't do the kinds of things you're doing with a UTM like this. Untangle can be part of the over all scheme. But it's integrated by placing it in router mode hanging off the edge router, and your edge router is only routing specific sessions through it so you can use the nice cheap content filters. Anything else, given the stuff you've posted, simply won't work.

And I have entry level VMWare clusters with 3x blades, 3x SANs, and appropriate network equipment starting at ~10,000. That's 3 sans, 3 blades, and the VMWare licenses. I'm sorry you haven't bothered to call VMWare and look into what they really carry. If I could just get those nuts to sell me essentials for 1 cpu on 1 server I'd be happy, and selling it everywhere to cover everything. As it is I have to install trials all over the place, it's almost as if VMWare doesn't want the money.

P.S. OpenVPN in Untangle is limited to the primary WAN interface only, so no with the failover options and whatnot if you lose a primary link you're still down.

The blades are white boxes, single CPU units, but powerful enough for smaller deployments. The SANS are qnap units, nothing special, yes it's iSCSI, and yes you have to be darn careful with it or it gets really slow.

And you don't really need HA, you just need VMotion, it's fast enough.

And I'm treating you like a troll because you asked for it. You came out of nowhere, and started marching around demanding things you had no idea about. Spare those of us that have spent years working on this project fighting to help it grow and become profitable so we can get the toys we want.

Oh, and in all that time how many of my clients have asked for IPSec? That would be... oh...NONE. If you're large enough for multiple sites and have need of that sort of thing Untangle probably isn't the best product for you. You'd have to be a master at the thing to tweak it the 1000 ways necessary to make it stable.

Finally, if you've ever deployed OpenVPN successfully you'll run screaming away from IPSec faster than you can blink. Yes it's THAT much better. IPSec is just garbage, just because everyone uses it doesn't make it better. Sure the ability to terminate an IPSec tunnel would be nice, but it's not a trivial thing to add.

Many in this community have tried, and each of them have failed.

Ok for my understanding by blade do you mean actual blades are just members of the cluster. Typically I think of blades with a blade enclosure and shared storage and resources. I've deployed them and they aren't cheap.
HA is nice because the failover is automated. THey don't call you it just happens. In addition the essentials kit doesn't include vmotion. The essentials plus does but this includes ha anyway (and support from vmware isn't free).

I've done a lot of ipsec vpn connections, and I've configured ssl vpns. The painful truth is that ipsec is what everyone uses. Interplatform vpns are a PITA, but it's a neccesary evil. I have to do vpn tunnels between different vendors firewalls often enough to know. It takes tweaking, but it works.

I'm sorry if your insulted and that you interpreted my posts that way.