We have an opportunity to replace a competitor's router with a Cisco Security Appliance. I have a few questions about the SA540. I am on the edge between recommending an SA540 or an ASA5505/5510. I will try to address my SA questions in this forum and find the appropriate forum for the ASA questions.
The customer has approx 15-20 users, but there are very high security availability requirements. Single site, with users accessing the network remotely. The customer uses Dual WAN and is requesting Active/Active WAN connectivity.
1. According to the Datasheet, it supports Load Balancing and Failover (via the optional port for dual WAN). Is the optional support an added feature? Am I to understand that it will concurrently use both WAN services?
2. Is there any support for having two SA540s in Active/Standby? So, should there be a hardware failure, it would fail over the SA automatically, transparent to the end users? That may not be a deal breaker, as the customer is saying that buying a spare to have on hand and a manual reconnect may be acceptable. But, I am trying to present value.
3. I see on this device that we have SSL VPNs available. I am trying to determine what level of VPNs are available on this appliance. On the ASA you have three different options of SSL VPNs: Client, Thin Client, and Clientless. Are all three available on this appliance?
This question assumes the active/active dual WAN.
4. Their current device has an issue and I'd like to be able to say that we aren't going to have the issue on this device. The issue is that a user authenticates with a website, then (while using it) the router switches them to the other WAN service, so they have to reauthenticate. So, how do I go about addressing that? Are there any quantifiable metrics that I can use to address that?
For example, I would like to tell the customer that once an internal IP requested internet, that internal IP will continue to use the same WAN service until there is a 5 minute period of inactivity. That's just an example. I don't know if it does that or if that level of information is available. Or maybe it uses some other method of determining where to send a packet.
5. I don't see any support for authenticating VPN users via LDAP?
6. The Datasheet says that it supports 16 VLANs. Does this mean that we can do 2 WAN connections, a DMZ, and 13 internal subnets/VLANs, provided we don't exceed 16 total VLANs?
7. Is there any support for IP Phone proxy? This feature on the ASA allows you to connect your phone anywhere with internet connectivity and it finds the ASA and uses the ASA to proxy to an internal call manager.
At any rate, any advice would be appreciated.