Recently I had the task of setting up a Site-to-Site IPsec tunnel between my office and one of my employees' home offices. At my main business HQ we have a Sophos UTM running inside a vSphere 4 cluster; however, I had to find the cheapest way to get the employee hooked up.
The main tasks of the VPN endpoint at the employee's site were:
1) Filter web and POP3 traffic, and provide security for the devices behind the UTM at the home office (1-3 computers and other random devices)
2) Provide a Site-to-Site VPN connection to give the user access to internal resources, along with access to our VoIP PBX (VoIP phone at the employee site)
3) Provide access to other resources such as Exchange, CRM, etc., and reverse management of the devices at the home office from HQ
First I needed to find an affordable computer to install the Sophos UTM software appliance onto. My company is an HP Partner, and we love their products, so I decided to purchase a new computer that would be powerful enough to host the UTM software appliance and would also be protected under HP's business warranty. I wanted the system to have enough performance that in the future, if the home office was decommissioned, we could still use it as a UTM device for something else (let's say a real remote office).
After taking a look at our distributor to find out what was immediately available (as this was a priority), we decided to pick up an HP Compaq 4000 Pro Small Form Factor PC. Below are the specs:
HP Compaq 4000 Pro Small Form Factor PC
Part Number: LA072UT (or LA072UT#ABA for the English version in Canada)
Processor: Intel® Core™2 Duo Processor E7500 (2.93 GHz, 3 MB L2 cache, 1066 MHz FSB)
Operating system installed: Genuine Windows® 7 Professional 32-bit
Chipset: Intel® B43 Express
Form factor: Small Form Factor
Deployment software: Available for free download from www.hp.com/go/easydeploy: HP Client Automation Starter; HP SoftPaq Download Manager; HP Client Catalog for Microsoft SMS; HP Systems Software Manager
Memory: 2 GB 1333 MHz DDR3 SDRAM
Hard drive: 500 GB 7200 rpm SATA 3.0 Gb/s NCQ, Smart IV
Optical drive: SATA SuperMulti LightScribe DVD writer
Graphics: Integrated Intel Graphics Media Accelerator 4500
Ports: 8 USB 2.0; 1 serial (optional 2nd); 1 parallel (optional); 1 PS/2 keyboard; 1 PS/2 mouse; 1 microphone/headphone jack; 1 audio in; 1 audio line out
Expansion slots: 2 low-profile PCI; 1 low-profile PCIe x16; 1 low-profile PCIe x1
Audio: Integrated High Definition audio with Realtek 2-channel ALC261 codec
Power and operating requirements: 240W power supply, active PFC
Operating temperature range: 10 to 35°C
Weight: Starting at 7.6 kg
Dimensions (W x D x H): 33.8 x 37.85 x 10 cm
Security: Stringent Security (via BIOS); SATA Port Disablement (via BIOS); Serial, Parallel, USB enable/disable (via BIOS); Optional USB Port Disable at factory (user configurable via BIOS); Removable Media Write/Boot Control; Power-On Password (via BIOS); Setup Password (via BIOS); HP Chassis Security Kit; Support for chassis padlocks and cable lock devices
Software: Microsoft Windows Virtual PC; HP Power Assistant
Warranty: Protected by HP Services, including a 3 years parts, 3 years labour, and 3 years onsite service (3/3/3) standard warranty. Terms and conditions vary by country. Certain restrictions and exclusions apply.
This system was spec'd very nicely for the requirements we had. Another huge bonus is that it was covered under a factory 3-year warranty from HP, which means that if anything failed, we would have next-business-day replacement (I love this, and so do my clients, who all purchase HP). The one downside is that the system shipped with a Windows 7 license which we wouldn't be using, but for the price of the system it didn't really matter.
The system only came standard with one Gigabit NIC (network card), however we need two since this device is acting as a firewall/router. It's a Small Form Factor system, so we had to find a second network adapter compatible with the computer's case form factor. The card we purchased was:
HP – Intel Gigabit CT Desktop NIC
Part Number: FH969AA
Although the computer above is not in the compatibility list for the network card, the card still worked perfectly. Once it arrived, we simply replaced the case bracket on the card with the one that shipped with it for small form factor computers.
We then burned the .ISO image of the UTM software appliance and proceeded to install it on the system. It installed (along with the 64-bit kernel) perfectly on the computer. After the install was completed, we configured it to connect to our main central Sophos SUM (Software Update Manager) and shipped the device out to the employee's home office.
Once it was in place, we logged on to the Sophos SUM user interface and created a Site-to-Site IPsec tunnel using the wizard. Within 2-5 seconds the connection was established and everything was working 100%.
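Once the wizard reports the tunnel as up, it is worth confirming that the three requirements from the start of the post actually hold from the home-office side. The script below is an added example, not part of the original post and not Sophos UTM code: it models the HQ services the tunnel must reach (VoIP PBX, Exchange, CRM) as TCP reachability checks, so it can be run from a machine behind the home-office UTM after deployment. All host names and ports are constructed placeholders; the probe is injectable so the report logic can be exercised without a live tunnel.

```python
"""Post-deployment reachability check for a site-to-site VPN endpoint.

Added example (not from the original post, not Sophos code). It checks that
the HQ services required by the home office are reachable through the tunnel.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed placeholders: replace with the HQ-side addresses behind the tunnel.
# Note: SIP signalling is commonly UDP; the TCP probe on 5060 only proves that
# the route and firewall policy through the tunnel admit traffic to the PBX.
REQUIRED_SERVICES: List[Tuple[str, str, int]] = [
    ("VoIP PBX (SIP)", "pbx.hq.example.internal", 5060),
    ("Exchange (HTTPS/OWA)", "mail.hq.example.internal", 443),
    ("CRM (HTTPS)", "crm.hq.example.internal", 443),
]

# A probe takes (host, port) and answers whether the service is reachable.
Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # DNS failure, refused, unreachable or timeout all count as "not reachable".
        return False


@dataclass
class TunnelReport:
    """Per-service result plus convenience views for scripting."""
    results: Dict[str, bool]

    @property
    def failures(self) -> List[str]:
        return [name for name, ok in self.results.items() if not ok]

    @property
    def ok(self) -> bool:
        return not self.failures


def check_tunnel(services: List[Tuple[str, str, int]] = REQUIRED_SERVICES,
                 probe: Probe = tcp_probe) -> TunnelReport:
    """Probe every required service; the injectable probe keeps this testable offline."""
    return TunnelReport({name: probe(host, port) for name, host, port in services})


if __name__ == "__main__":
    report = check_tunnel()
    for name, ok in report.results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
    # Non-zero exit lets a cron job or monitoring agent alert on a broken tunnel.
    raise SystemExit(0 if report.ok else 1)
```

Run it from a host on the home-office LAN after the tunnel comes up; a non-zero exit code makes it easy to schedule as a recurring check so a silently dropped tunnel is noticed before the employee's phone stops registering.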
After using this for a few days, I checked to make sure the computer was powerful enough to provide the services required, and it was, without any problems.
Just wanted to share my experience in case anyone else is doing something similar to what I did above. If you were to reproduce this, all the hardware should come in under $700.00 CAD.