    Cloudflare Spectrum alternative

    IT Discussion
Jimmy9008

      Hi folks,

      I have been trying to find Cloudflare Spectrum alternatives and have had little luck. Reaching out to see if anybody has suggestions.

What we are trying to do: We have Citrix StoreFront sitting in our DC. This is currently behind a Cisco firewall allowing TCP/UDP from whitelisted IPs around the globe. StoreFront uses HTTPS/443. Once authenticated, users download a Citrix ICA file, which uses a range of TCP and UDP ports to connect to their Citrix remote desktop in our DC. Not 443/80/8080.

We have recently become global and would like to go from whitelisted IPs on the Cisco to being behind a WAF/CDN for this resource. I started initially looking at Cloudflare; however, they only proxy 443/80 unless you purchase Cloudflare Spectrum, which takes the price from $200 pcm to over $100k per year for their enterprise plan. Well, that's what they have quoted anyway. We are looking for any lower-cost options.

I have looked at other options like Akamai and Citrix CWAAP. Akamai are not able to offer other TCP/UDP ports, and CWAAP is still $72k per year.

      Do you have any ideas on what to look at? We would probably be open to about $12k per year.

      Cheers,
      Jim

Dashrender

        Why the use of the other ports? That seems like one of your larger hurdles...

Jimmy9008 @Dashrender

          @dashrender
There are a range of TCP/UDP ports required for the solution to work. One example is EDT. Our DC team have that on to help the user experience for remote connections. I think that is UDP 2598. There are other examples too.

          TCP / UDP : 2598
          TCP / UDP : 443
          TCP: 8008
          UDP: 16500 - 16509

Jimmy9008

One option we are considering is to make StoreFront internal only. You can only get to it once having SSL VPN active, but that won't help remote contractors who do not have our machines/certificates to get on to the VPN.

1337 @Jimmy9008

              @jimmy9008 said in Cloudflare Spectrum alternative:

One option we are considering is to make StoreFront internal only. You can only get to it once having SSL VPN active, but that won't help remote contractors who do not have our machines/certificates to get on to the VPN.

              It's very common for global companies to use VPN for contractors to access internal systems. You need to set up some kind of on/offboarding process though.

              Having been on the contractor side we usually get NDAs, a list of security compliance things that need to be fulfilled and then VPN client software, credentials, MFA, hardware tokens etc. But I've also seen complete VMs delivered and even ready to use laptops for remote system access.

              Most contractors I know run a VM for each customer for example using virtualbox or vmware workstation. Then you have a clean OS and whatever software needed for remote system access. It's usually the easiest way to handle many customers with different requirements.

notverypunny @Jimmy9008

                @jimmy9008 said in Cloudflare Spectrum alternative:

                @dashrender
There are a range of TCP/UDP ports required for the solution to work. One example is EDT. Our DC team have that on to help the user experience for remote connections. I think that is UDP 2598. There are other examples too.

                TCP / UDP : 2598
                TCP / UDP : 443
                TCP: 8008
                UDP: 16500 - 16509

I'm not the Citrix expert in our shop, but we're full VDI (XenDesktop) with S4B and Zoom both running HDX, and the only thing that we have to have open to the internet is HTTP and HTTPS incoming. I'd ask the questions surrounding why those other ports have to be open inbound (and make sure that the answers make sense) before spending anything or adding more moving parts into the picture than you've already got.

scottalanmiller @Jimmy9008

                  @jimmy9008 said in Cloudflare Spectrum alternative:

One option we are considering is to make StoreFront internal only. You can only get to it once having SSL VPN active, but that won't help remote contractors who do not have our machines/certificates to get on to the VPN.

                  Create another VPN solution just for them? It'll be better than exposing all that otherwise.

Jimmy9008 @scottalanmiller

                    @scottalanmiller said in Cloudflare Spectrum alternative:

                    @jimmy9008 said in Cloudflare Spectrum alternative:

One option we are considering is to make StoreFront internal only. You can only get to it once having SSL VPN active, but that won't help remote contractors who do not have our machines/certificates to get on to the VPN.

                    Create another VPN solution just for them? It'll be better than exposing all that otherwise.

That could be an option. Will revisit this project in the summer; it's on the back burner now due to other priorities.

Jimmy9008

Was wondering if anything like NGINX or HAProxy has a suitable solution we could use. Maybe we could point the public DNS entry to HAProxy hosted somewhere in a datacenter and, if the traffic is 80/443, protect it with a WAF, and if it is any other expected port, allow it through.

The paid HAProxy seems to have a WAF. Not sure on the cost though. As long as we keep Citrix/the back end patched, keep it behind our MDR platform, and only allow traffic from the proxy, maybe that will be OK.

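What the proxy idea in the post above looks like in practice, using the port list posted earlier in the thread (TCP/UDP 2598, TCP/UDP 443, TCP 8008, UDP 16500-16509). This is an added example written for this page, not configuration from the thread, from Citrix, or from the NGINX project. It uses NGINX rather than HAProxy because community HAProxy does not relay arbitrary UDP, and the EDT ports in the list are UDP. Everything concrete is an assumption: 203.0.113.10 as the DC-side StoreFront/Gateway address, 198.51.100.0/24 as a client source range for the allow list, proxy.example.com as the public name, the certificate paths, and a build of NGINX that has the ModSecurity-nginx connector compiled in for the 443 WAF layer.

```nginx
# Added example, not from the thread. Assumed values (all hypothetical):
#   203.0.113.10       DC-side StoreFront / Gateway address
#   198.51.100.0/24    example client source range kept on the L4 allow list
#   proxy.example.com  public DNS name that now points at this proxy host
events { }

# --- HTTPS front door: StoreFront on TCP 443, inspected by a WAF -----------
http {
    server {
        listen 443 ssl;
        server_name proxy.example.com;
        ssl_certificate     /etc/nginx/tls/proxy.crt;   # assumed paths
        ssl_certificate_key /etc/nginx/tls/proxy.key;

        # ModSecurity v3 through the ModSecurity-nginx connector module.
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        location / {
            proxy_pass https://203.0.113.10;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}

# --- Layer-4 passthrough for the ICA/HDX ports from the thread -------------
# The WAF does nothing for these; a source allow list and the DC firewall
# (permitting only this proxy's address) are the controls that remain.
stream {
    # TCP 2598
    server {
        listen 2598;
        allow 198.51.100.0/24;
        deny  all;
        proxy_pass 203.0.113.10:2598;
        proxy_connect_timeout 5s;
    }

    # TCP 8008
    server {
        listen 8008;
        allow 198.51.100.0/24;
        deny  all;
        proxy_pass 203.0.113.10:8008;
    }

    # UDP 443 and UDP 2598 (EDT). nginx tracks each UDP "session" by its
    # client address/port and returns the backend's replies through it.
    server {
        listen 443 udp;
        allow 198.51.100.0/24;
        deny  all;
        proxy_pass 203.0.113.10:443;
        proxy_timeout 10m;             # idle time before the session is dropped
    }
    server {
        listen 2598 udp;
        allow 198.51.100.0/24;
        deny  all;
        proxy_pass 203.0.113.10:2598;
        proxy_timeout 10m;
    }

    # UDP 16500-16509, forwarded to the same port on the backend.
    server {
        listen 16500-16509 udp;        # port ranges need nginx 1.15.10 or later
        allow 198.51.100.0/24;
        deny  all;
        proxy_pass 203.0.113.10:$server_port;
        proxy_timeout 10m;
    }
}
```

Two things to check before relying on this. First, the ICA file that StoreFront hands the client contains the address the client will dial for 2598 and the UDP ports; if that address still resolves to the DC rather than to the proxy, the client goes direct and hits the Cisco whitelist, so the published address has to be the proxy's. Second, the backend only ever sees the proxy's source IP on the L4 ports, which is what "only allow traffic from the proxy" means on the Cisco side, but it also means per-client logging and blocking for those ports has to happen on the proxy itself. This arrangement adds a WAF in front of 443 only; it does not answer notverypunny's point that the other ports should perhaps not be reachable from the internet at all.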