Cloudflare Spectrum alternative
-
Hi folks,
I have been trying to find Cloudflare Spectrum alternatives and have had little luck. Reaching out to see if anybody has suggestions.
What we are trying to do: We have Citrix StoreFront sitting in our DC. This is currently behind a Cisco firewall allowing TCP/UDP from whitelisted IPs around the globe. StoreFront uses HTTPS/443. Once authenticated, users download a Citrix ICA file which uses a range of TCP and UDP ports to connect to their Citrix remote desktop in our DC. Not 443/80/8080.
We have recently become global and would like to go from whitelisted IPs on the Cisco to being behind a WAF/CDN for this resource. I started initially looking at Cloudflare; however, they only proxy 443/80 unless you purchase Cloudflare Spectrum, which takes the price from $200 pcm to over $100k per year for their enterprise plan. Well, that's what they have quoted anyway. We are looking for any lower cost options.
I have looked at other options like Akamai and Citrix CWAAP. Akamai are not able to offer other TCP/UDP ports, and CWAAP is still $72k per year.
Do you have any ideas on what to look at? We would probably be open to about $12k per year.
Cheers,
Jim
-
Why the use of the other ports? That seems like one of your larger hurdles...
-
@dashrender
There are a range of TCP/UDP ports required for the solution to work. One example is EDT. Our DC team have that on to help the user experience for remote connections. I think that is UDP 2598. There are other examples too:
TCP / UDP : 2598
TCP / UDP : 443
TCP: 8008
UDP: 16500 - 16509
-
One option we are considering is to make StoreFront internal only. You can only get to it once having SSL VPN active, but that won't help remote contractors who do not have our machines/certificates to get on to the VPN.
-
@jimmy9008 said in Cloudflare Spectrum alternative:
One option we are considering is to make StoreFront internal only. You can only get to it once having SSL VPN active, but that won't help remote contractors who do not have our machines/certificates to get on to the VPN.
It's very common for global companies to use VPN for contractors to access internal systems. You need to set up some kind of on/offboarding process though.
Having been on the contractor side we usually get NDAs, a list of security compliance things that need to be fulfilled and then VPN client software, credentials, MFA, hardware tokens etc. But I've also seen complete VMs delivered and even ready to use laptops for remote system access.
Most contractors I know run a VM for each customer for example using virtualbox or vmware workstation. Then you have a clean OS and whatever software needed for remote system access. It's usually the easiest way to handle many customers with different requirements.
-
@jimmy9008 said in Cloudflare Spectrum alternative:
@dashrender
There are a range of TCP/UDP ports required for the solution to work. One example is EDT. Our DC team have that on to help the user experience for remote connections. I think that is UDP 2598. There are other examples too:
TCP / UDP : 2598
TCP / UDP : 443
TCP: 8008
UDP: 16500 - 16509
I'm not the Citrix expert in our shop, but we're full VDI (XenDesktop) with S4B and Zoom both running HDX, and the only thing that we have to have open to the internet is HTTP and HTTPS incoming. I'd ask the questions surrounding why those other ports have to be open inbound (and make sure that the answers make sense) before spending anything or adding more moving parts into the picture than you've already got.
-
@jimmy9008 said in Cloudflare Spectrum alternative:
One option we are considering is to make StoreFront internal only. You can only get to it once having SSL VPN active, but that won't help remote contractors who do not have our machines/certificates to get on to the VPN.
Create another VPN solution just for them? It'll be better than exposing all that otherwise.
-
@scottalanmiller said in Cloudflare Spectrum alternative:
@jimmy9008 said in Cloudflare Spectrum alternative:
One option we are considering is to make StoreFront internal only. You can only get to it once having SSL VPN active, but that won't help remote contractors who do not have our machines/certificates to get on to the VPN.
Create another VPN solution just for them? It'll be better than exposing all that otherwise.
That could be an option. Will revisit this project in the summer; it's on the back burner now due to other priorities.
-
Was wondering if anything like NGINX or HAProxy has a suitable solution we could use. Maybe we could point the public DNS entry to HAProxy hosted somewhere in a datacenter and, if the traffic is 80/443, protect it with a WAF, and if it is any other suitable port, allow it through.
The paid HAProxy seems to have a WAF. Not sure on the cost though. As long as we keep Citrix/the back end patched, keep it behind our MDR platform, and only allow traffic from the proxy, maybe that will be okay.
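As an added example of the split the post above describes (layer-7 controls on 443, plain relay for the ICA/EDT ports), here is an nginx configuration. It is not the poster's setup or Citrix's; it assumes the StoreFront/HDX back end answers at 203.0.113.10 (an RFC 5737 documentation address), the public name storefront.example.com, the certificate paths shown, the rate-limit numbers shown, and the port list given earlier in the thread. It also assumes the datacenter firewall is changed so those ports accept connections only from this proxy's address.

```nginx
# Added example, not from the original thread. Assumed values: back end
# 203.0.113.10, hostname storefront.example.com, certificate paths, rate limits.

events {}

# Port 443 is terminated here as HTTP, so layer-7 controls can be applied:
# the rate limit below, and a WAF module (for example ModSecurity for nginx)
# could be loaded in front of the same location block.
http {
    # assumed: 10 requests/second per client address, bursts of 20
    limit_req_zone $binary_remote_addr zone=storefront:10m rate=10r/s;

    server {
        listen 443 ssl;
        server_name storefront.example.com;               # assumed hostname
        ssl_certificate     /etc/nginx/certs/storefront.pem;   # assumed path
        ssl_certificate_key /etc/nginx/certs/storefront.key;   # assumed path

        location / {
            limit_req zone=storefront burst=20 nodelay;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_pass https://203.0.113.10;              # assumed back end
        }
    }
}

# The ICA/EDT ports are opaque to nginx: they are relayed at layer 4 with no
# inspection, so this block only controls reachability. Each listener forwards
# to the same port number on the back end via $server_port.
stream {
    # TCP: session reliability (2598) and 8008 from the thread's list
    server {
        listen 2598;
        listen 8008;
        proxy_pass 203.0.113.10:$server_port;
    }

    # UDP: EDT (2598) and 16500-16509. nginx has no port-range syntax, so
    # every port is listed explicitly.
    server {
        listen 2598  udp;
        listen 16500 udp;
        listen 16501 udp;
        listen 16502 udp;
        listen 16503 udp;
        listen 16504 udp;
        listen 16505 udp;
        listen 16506 udp;
        listen 16507 udp;
        listen 16508 udp;
        listen 16509 udp;
        proxy_pass 203.0.113.10:$server_port;
        proxy_timeout 10m;    # idle sessions are dropped after this
    }
}
```

Two points worth checking before relying on this. First, nothing in the `stream` block is a WAF: the EDT and ICA ports pass through exactly as they arrive, so the protection for those ports is still the back-end firewall restricting them to the proxy's address plus patching, as the post says. Second, if the choice is HAProxy rather than nginx, note that HAProxy relays TCP but does not proxy arbitrary UDP, which matters for the UDP 2598 and 16500-16509 entries in the list above.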