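h**********n Posts: 7 | 1 A branch office of about 40 people. We need SSL VPN + firewall, and an H323 ALG to support Polycom. Routing requirements are modest. We have always used Juniper and I don't know Fortigate, but the Fortigate quote we received is half the price. Here are the pros and cons I care about:
SSL VPN: The SSG140 has no SSL VPN function, which means buying an SA2500 as well. The annoying part is that the SA box itself is not expensive, but the licenses are per user, and 10 licenses cost as much as the box. Fortigate integrates the firewall and SSL VPN, and SSL VPN needs no license.
Throughput: SSG140 350Mbps vs Fortigate 5Gbps. But given the WAN bandwidth limit (4.5Mbps bundled T1 + 6Mbps Broadband Wireless), 350Mbps should be enough.
Price: The Fortigate FG200B is half the price of Juniper SSG140+SA2500.
Compatibility: The company's other 4 sites all use Juniper. And I don't know how Fortigate handles H323 traffic. The company uses Polycom CMA; in the Juniper ALG settings the H323 ALG has to be enabled for outside-to-inside traffic, and in the VPN policy the ALG has to be ignored for inside-to-inside traffic.
Technical Support: Juniper's support feels quite good; although it is outsourced to India, at least every time I get to deal directly with a warm body. I don't know what Fortigate's support is like.
Would anyone who has used both brands give some advice? Thanks. |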
t*******r Posts: 3271 | 2 Why use JUNIPER? What's so good about JUNIPER?! |
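y*********n Posts: 95 | 3 We are using FortiGate, though we are not part of the company IT department; the FortiGate we use is the fairly high-end 5001A (preparing to upgrade to 5001B).
The advantage of FortiGate products is that, high-end or low-end, they provide the same features and the same management interface; if needed, you could consider buying a low-end 60C or similar to test the H323 support.
We use FortiGate mainly for its Virtual Domain feature, which suits us very well, and the performance is also very good because of their ASIC.
SSL VPN configuration and use are also very convenient.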
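[Quoting h**********n:]
: A branch office of about 40 people. We need SSL VPN + firewall, and an H323 ALG to support Polycom. Routing requirements are modest.
: We have always used Juniper and I don't know Fortigate, but the Fortigate quote we received is half the price.
: Here are the pros and cons I care about:
: SSL VPN: The SSG140 has no SSL VPN function, which means buying an SA2500 as well. The annoying part is that the SA box itself is not expensive, but
: the licenses are per user, and 10 licenses cost as much as the box. Fortigate integrates the firewall and SSL
: VPN, and SSL VPN needs no license.
: Throughput: SSG140 350Mbps vs Fortigate 5Gbps. But given the WAN bandwidth limit (4.5Mbps
: bundled T1 + 6Mbps Broadband Wireless), 350Mbps should be enough.
: Price: The Fortigate FG200B is half the price of Juniper SSG140+SA2500.
: Compatibility: The company's other 4 sites all use Juniper. And I don't know how Fortigate handles H323 traffic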
|
t*********e Posts: 1136 | 4 If you use client-less SSL-VPN, Juniper should be the stronger one. |
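h**********n Posts: 7 | 5 Many thanks, yaodongxian. Have you had any contact with Fortigate's tech support? How was it? I feel Juniper's support is pretty good: for configuration problems they WebEx straight to your desktop to solve them, and you never have to wait long.
[Quoting y*********n:]
: We are using FortiGate, though we are not part of the company IT department; the FortiGate we use is the fairly high-end 5001A (preparing to upgrade to 5001B).
: The advantage of FortiGate products is that, high-end or low-end, they provide the same features and the same management interface; if needed, you
: could consider buying a low-end 60C or similar to test the H323 support.
: We use FortiGate mainly for its Virtual Domain feature, which suits us very well, and the performance is also very good because of their ASIC.
: SSL VPN configuration and use are also very convenient.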
|
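h**********n Posts: 7 | 6 Juniper's SSL-VPN is indeed quite convenient, with no client configuration. But in theory SSL-VPN should all be client-less; can you say where Fortigate falls short? Many thanks!
[Quoting t*********e:]
: If you use client-less SSL-VPN, Juniper should be the stronger one.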
|
t*********e Posts: 1136 | 7 I think it's the opposite. Most SSL-VPN solutions, including part of Juniper's, use a client-side piece. You need to install it. The only difference vs. IPSec VPN is the method/level of plumbing. If you check installed programs in Control Panel you should see it.
Client-less SSL-VPN can only handle a subset of web applications. It does not require a client piece. Juniper's client-less solution is claimed to be the best because it can process more sophisticated web pages than others.
[Quoting h**********n:]
: Juniper's SSL-VPN is indeed quite convenient, with no client configuration. But in theory SSL-VPN should all be
: client-less;
: can you say where Fortigate falls short? Many thanks!
|
s*****g Posts: 1055 | 8 Why not just do SSL-VPN tunnel mode? It is application agnostic, saves much hassle.
[Quoting t*********e:]
: I think it's the opposite. Most SSL-VPN solutions, including part of Juniper's, use a client-side piece. You need to install it. The only difference vs.
: IPSec VPN is the method/level of plumbing. If you check installed programs
: in Control Panel you should see it.
: Client-less SSL-VPN can only handle a subset of web applications. It does
: not require a client piece. Juniper's client-less solution is claimed to be
: the best because it can process more sophisticated web pages than others.
|
h**********n Posts: 7 | 9 Well, I think you are right. I typically use it for web-based
applications. When it comes to network resources like printers or
centralized storage, a client is truly required. What I meant is the
client setup is so simple compared to IPsec VPN since it can be
distributed via Active-X and Java applets. Thanks for the comment.
[Quoting t*********e:]
: I think it's the opposite. Most SSL-VPN solutions, including part of Juniper's, use a client-side piece. You need to install it. The only difference vs.
: IPSec VPN is the method/level of plumbing. If you check installed programs
: in Control Panel you should see it.
: Client-less SSL-VPN can only handle a subset of web applications. It does
: not require a client piece. Juniper's client-less solution is claimed to be
: the best because it can process more sophisticated web pages than others.
|
t*********e Posts: 1136 | 10 First, you can write simple scripts, based on cygwin and openssh/openssl, to
implement the SSL tunnel yourself, e.g.:
ssh -l -L:: ...
You can map remote hosts to a series of 127.x.x.x local hosts on the PC. It is much cheaper than buying SSL-VPN equipment.
However, tunnel is not as flexible as client-less SSL-VPN. For example, if
you want to provision internal web apps for your partners to access, you
cannot assume your partners can or want to install a client on their
companies' machines. They may refuse to do so on security concerns. A
client-less solution is the best to go for such cases.
Client-less is also convenient when you want to access from anywhere, on any
computer with a browser. You don't need to count on admin privileges on
that PC in order to install an SSL-VPN client.
[Quoting s*****g:]
: Why not just do SSL-VPN tunnel mode? It is application agnostic, saves much
: hassle.
|
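The loopback mapping described in post 10, as an added example that is not part of the original thread: it builds a single ssh command in which each internal service is forwarded from its own 127.0.0.x address, so the listeners are reachable only from the local PC. The gateway, user name and internal host names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: map several internal services to distinct loopback
# addresses with ssh local forwards (-L bind_address:port:host:hostport).

# Constructed sample map, one "internal-host:port" per line.
TARGETS="intranet.corp.example:443
wiki.corp.example:80
rdp01.corp.example:3389"

build_forwards() {
    # $1 = newline-separated "host:port" list.
    # Prints one "-L 127.0.0.N:port:host:port" argument per target, N from 2.
    local n=2 line host port out=""
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        host=${line%:*}; port=${line##*:}
        # Reject anything that is not a numeric port.
        case "$port" in ''|*[!0-9]*) echo "bad port in: $line" >&2; return 1;; esac
        [ "$n" -gt 254 ] && { echo "too many targets" >&2; return 1; }
        # Explicit loopback bind address: the forward never listens on the LAN.
        out="$out -L 127.0.0.$n:$port:$host:$port"
        n=$((n + 1))
    done <<EOF
$1
EOF
    printf '%s\n' "${out# }"
}

build_command() {
    # $1 = user, $2 = gateway (hypothetical), $3 = target list.
    local fwd
    fwd=$(build_forwards "$3") || return 1
    # -N: no remote shell; ExitOnForwardFailure: fail if any bind is refused;
    # GatewayPorts=no: keep listeners local-only.
    printf 'ssh -N -o ExitOnForwardFailure=yes -o GatewayPorts=no -l %s %s %s\n' \
        "$1" "$fwd" "$2"
}

# Print the command for review before running it.
build_command alice gw.example.com "$TARGETS"
```

Binding local ports below 1024 needs elevated rights on most Unix systems, and hosts-file entries pointing each internal name at its 127.0.0.x address are needed if applications must use the original host names.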
c*****i Posts: 631 | 11 Well..... use Cisco's, Cisco is good.
[Quoting t*******r:]
: Why use JUNIPER? What's so good about JUNIPER?!
|