Recommendations for new NetScreen firewall/VPN

  • We are looking at buying a new NetScreen firewall/VPN.

    What should it do:

    1. allow the creation of VPN connections (we will have ± 40 VPN users in 3 different security requirements: sales / consultants / IT support)
    2. it should filter spam and viruses (HTTP, POP, SMTP, Exchange, NetBIOS, …) on the VPN connections
    3. we want to use Windows XP Professional with Service Pack 2 as the native VPN client (prefer not to use NS-Remote)
    4. we have 2 outgoing WAN connections
          - all server traffic should be routed over WAN link 1
          - all client traffic should be routed over WAN link 2
          - if one WAN link goes down, all traffic should be routed over the remaining active link
    5. of course it should have firewall capabilities
    6. We would like to integrate it with Microsoft CA (certificates) and IAS (RADIUS) server for authentication
    7. of course as secure as possible but still easy to set up/maintain.

    Any recommendations?

  • The “Extended” version which has 25 VPN tunnels is part (NS-5GT-203)


  • MaxPipeline,


    the 5GT. But I believe that you can only have up to 10 VPNs according to the data sheet.

    It says in the datasheet:
    Concurrent VPN tunnels: 10
    Tunnel interfaces: 10

    Does every user who sets up a VPN connection use 1 tunnel? Or do I create 1 tunnel on the firewall and all users connect to this tunnel (and as such it only uses 1)? What is the difference when they talk about “tunnel” and “tunnel interface”? It is all new to me and a bit confusing!

    What about the “extended product license”, which increases session and VPN tunnel capabilities to 4000 and 25 respectively? (ARE THEY talking about tunnels or tunnel interfaces here?)


  • The SSG520 is a bit pricy I guess? If not, it has the features you want and loads of performance.

  • If you are wanting to filter spam and viruses, right now the only NetScreen box that can do that is the 5GT. But I believe that you can only have up to 10 VPNs according to the data sheet. Otherwise you can perform the other tasks you mentioned. But if you have greater bandwidth needs and need to support at least 40 VPNs then you will need to go with perhaps an NS204/208 but you will lose antispam and antivirus support. I would stay away from the NS25/50 as I have had some iffy experience with them possibly related to older hardware design.