I have a customer who is using a Sophos Firewall in a different country and would like their employees to reach out to the resources in this country from a different one through a Meraki Firewall installed on the site, but they prefer the SSL VPN protocol and ask me if Meraki Firewalls use this protocol for VPN.
What can we do in case we do not have the SSL feature on Meraki? Is there a way we can use other methods to connect to the Sophos firewall?
Hi @RobustMeraki - have you explored the possibility of configuring a site-to-site VPN between your Sophos and Meraki and then routing client traffic accordingly?
Site-to-Site VPN Settings - Cisco Meraki
Yes, we have thought about this solution, but we are also considering options in case the customer says they need their VPN to only use the SSL protocol. Is there a big difference between using site-to-site and the SSL protocol? What can the customer be missing in this case?
SSL (or better TLS, as SSL is completely outdated) is only the security mechanism to transport the data. For Site-to-Site VPN, Meraki MX (same as Cisco ASA/FTD) only implements IPsec, which every(!) VPN gateway on the market supports. Sophos does this as well.
In case your clients could build up the VPN themselves (Remote Access VPN), Meraki absolutely supports this by using one of the industry "standards" by running AnyConnect.
To build on @CptnCrnch, here is some more info:
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance
Note that AnyConnect licences are not included with the MX, and you'll need to buy them.
Yup, the problem is that it will again be an expensive solution for them to buy a firewall plus VPN licenses for around 500 employees. This is why they are looking for some solution that can be built up over the firewall.
By the way, what is the difference when we offer site-to-site from Sophos to Meraki and VPN over AnyConnect?
Hi, in short, a site-to-site is a tunnel set up between two sites (firewalls) to connect them. The VPN over AnyConnect is used by single clients to connect to the site hosting the AnyConnect server.
Which option are they looking for with 'SSL VPN'?
That means if a site-to-site is set up between Sophos and Meraki MX, and if users at the Meraki MX side log in to the WLAN/LAN of the MX network, they will directly be able to access documents, software etc. on the Sophos site? Have I understood it correctly?
AnyConnect only gives the possibility to access the VPN when one connects to it. But a site-to-site is permanent and automatic as soon as one logs in to the MX network.
Yes exactly, but beware of @PhilipDAth's post in your other question:
"Building a site to site VPN from the MX85 (behind an MG) to a Sophos is likely to be a NIGHTMARE. I would avoid this at all costs."
At the scale of 500 employees - I consider AnyConnect to be pretty cheap. Have you priced it up yet?