Meraki VPN Client

DLinMA
Conversationalist

My client wants to move their server (Windows 7 Pro) into their home which has a generator because their office periodically loses power. Users in the office will be accessing Quickbooks and a database on the ''server''.


I'm planning on installing an MX64W in their office. Both places have high speed Internet access (over 50Mbps). Could I use just the VPN software that comes with Windows 7 on the ''server'' and connect it to the office? Or should I consider having an MX64 in both locations?


Any suggestions and gotchas would be greatly appreciated!

PhilipDAth
Kind of a big deal

Personally I would move the accounting product to the cloud.


Back to your question - I would use dual MX64s as it provides the most stable solution. You are less likely to get data corruption because some Windows 7 machine dropped its VPN, blue screened, or some other behaviour that Windows workstations seem to do from time to time.


The MX65 has a 10 port Gigabit switch - so if the number of users/devices is low you might get away with just this one device and plug everything into it.

DLinMA
Conversationalist

Thanks for your reply. I greatly appreciate it.

The customer doesn't want to pay the monthly amount to have their server in the cloud and are uncomfortable with the idea.

I'd like your opinion on the following idea for the MX64W at the client's home:

1. Have all the devices (wired and wireless) use it

2. Create VLANs:

    - For IoT devices (possibly don't allow access to the Internet)

    - For Guests

    - For Home

    - For Work (one computer and Ethernet cable)

3. Tie the For Work VLAN to one port which is for the server and VPN and tie that one port to the computer via MAC address.  I realize that it's overkill, but I don't want someone plugging in an infected device and possibly infecting the work network.


This would allow the user's home to be more secure as well as allow for secure bi-directional communication between the server and the office network.


Am I right, wrong, possibly overlooking something?

Thanks!

Warren
Getting noticed

If the main reason to move it is the unstable power at the office, what about a UPS that would allow it to run for an hour or two and then safely shut down? It seems like everyone who accesses it is in that office. So if the building loses power then no one is going to be using it anyway.

I've not dealt with shared quickbooks in a while - so I have forgotten most of the nuances of it. I switched over to quickbooks cloud when I needed quickbooks - and didn't look back.

Your thought on the setup though would work, you would want to make sure that the site to site vpn firewall is enabled to allow only devices that need to access the server to access it and vice versa. I.e. instead of allowing the whole office subnet to see the subnet at home, just allow the 5 or whatever specific workstations that need it, and block the rest.

The default setup is allow all. Don't forget devices can talk across VLANs - it's not a firewall/block path. It just blocks the broadcast traffic. A device on VLAN 2 can still speak to a device on VLAN 3 if it knows the destination IP. But things like printer discovery wouldn't work.
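A small model of the rule list Warren describes, added here as an illustration and not code from the thread or from Meraki: it builds a least-privilege site-to-site VPN firewall rule set (field names follow the shape of Meraki MX VPN firewall rules: policy, protocol, srcCidr, destCidr, destPort, comment) for a constructed office subnet and home "For Work" VLAN, then evaluates sample flows top-down with the MX's default final allow, so you can see that without an explicit deny the whole office subnet reaches the home site.

```python
import ipaddress

# Constructed sample addressing (not from the thread): office LAN at the
# MX64W and the "For Work" VLAN at the home site that holds the server.
OFFICE_SUBNET = "192.168.10.0/24"
SERVER_IP = "192.168.50.10/32"
# The few office workstations that genuinely need the server.
ALLOWED_WORKSTATIONS = ["192.168.10.21/32", "192.168.10.22/32", "192.168.10.23/32"]


def build_vpn_firewall_rules():
    """Return a least-privilege rule list in the shape of Meraki MX site-to-site
    VPN firewall rules (field names assumed from the dashboard API). Rules are
    evaluated top-down and the MX ends the list with an implicit 'allow any',
    so the block for the rest of the office subnet has to be written explicitly."""
    rules = []
    for ws in ALLOWED_WORKSTATIONS:
        rules.append({"comment": f"workstation {ws} to server", "policy": "allow",
                      "protocol": "any", "srcCidr": ws, "destCidr": SERVER_IP,
                      "destPort": "any"})
    # Everything else sourced from the office subnet is stopped at the tunnel.
    rules.append({"comment": "block rest of office from home site", "policy": "deny",
                  "protocol": "any", "srcCidr": OFFICE_SUBNET, "destCidr": "any",
                  "destPort": "any"})
    return rules


def _cidr_match(cidr, ip):
    """'any' matches everything; otherwise check membership in the CIDR."""
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation of source/destination only (ports and direction
    are ignored for brevity). No match falls through to the default allow."""
    for r in rules:
        if _cidr_match(r["srcCidr"], src_ip) and _cidr_match(r["destCidr"], dst_ip):
            return r["policy"]
    return "allow"


if __name__ == "__main__":
    rules = build_vpn_firewall_rules()
    print("permitted workstation -> server:", evaluate(rules, "192.168.10.21", "192.168.50.10"))
    print("other office host -> server:    ", evaluate(rules, "192.168.10.99", "192.168.50.10"))
    print("workstation -> other home host: ", evaluate(rules, "192.168.10.21", "192.168.50.20"))
    print("empty rule list (MX default):   ", evaluate([], "192.168.10.99", "192.168.50.10"))
```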
cta102
Building a reputation

I would suggest either Warren's suggestion of a UPS (and the machine carrying out a graceful shutdown when mains power is lost) or moving to the cloud.


Having dealt with sites that use generators, the transients caused by generators have crashed (and often killed) devices (both servers and hardware encryptors); it's usually best to avoid the situation.


Also nobody has mentioned the potential blame storm should something happen to a server which is located in a domestic location.

Warren
Getting noticed

You can certainly do this. But as Philip has suggested - I'd suggest moving to QuickBooks cloud before you move it to someone's house. Additionally Windows 7 doesn't have much longer before it is end of life, so they should be replacing that shortly. If you need site-to-site VPN - always buy the MX devices and let them handle it. The Windows client VPN is prone to lots of errors.