
To provide support for our customers, our support staff have to establish VPN connections in order to connect to hardware devices that are located in our customers' networks.

For security reasons, all remote access connections are established from an isolated environment. That is, our support staff first connect to a virtualized jumphost which is directly connected to one specific customer via a site-to-site VPN (currently configured on our perimeter firewall in the mentioned support DMZ).

After significant growth in terms of customers and employees, the number of VMs has also increased significantly, e.g. 20 dedicated VMs for the most important projects. So in total, the number of VMs is significantly higher than the number of support employees. Therefore, we have thought about switching to personalized VMs in order to save resources.

But we are not sure how to ensure that only one site-to-site VPN tunnel will be open from this personalized jumphost at the same time, e.g. a support employee should not be able to open a connection to customer X and customer Y at the same time.

Does anyone know of software solutions that allow the following scenario:

  • User presses "connect to customer XY" within the jumphost
  • this information is sent to a VPN concentrator
  • the VM is now able to communicate over the site-to-site VPN tunnel
  • User presses "disconnect from customer XY" within the jumphost
  • this information is sent to the VPN concentrator
  • the VM is no longer able to communicate over the site-to-site VPN tunnel

Does anyone have experience with such an environment?

Can anybody share best practices about providing support with a combination of personalized jumphosts and site-to-site VPNs?

Best Regards
gumlozol

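The "only one customer tunnel per jumphost at a time" rule described in the question is, at its core, a small piece of state that the concentrator or gateway must own, not something the VM itself should be trusted with. The following is an added example (not from the original post and not a product the poster uses) of a broker that tracks which jumphost is attached to which customer, refuses a second customer until the first session is closed, expires forgotten sessions, and emits the gateway commands for each state change. It assumes a Linux VPN gateway running nftables with a set `inet support allowed` of type `ipv4_addr . ifname` that a forward rule consults (`ip saddr . oifname @allowed accept`); the set name, the per-customer tunnel interface names and the sample addresses are illustrative assumptions.

```python
"""Per-jumphost tunnel broker: at most one customer tunnel per host.

Added example, not code from the original post. Assumes a Linux VPN gateway
with an nftables set `inet support allowed` of type `ipv4_addr . ifname`
consulted by a forward rule such as `ip saddr . oifname @allowed accept`.
Customer names, interface names and addresses are illustrative.
"""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Customer:
    name: str
    tunnel_if: str  # gateway-side interface of this customer's site-to-site tunnel


@dataclass
class Session:
    customer: Customer
    opened_at: float
    expires_at: float


class TunnelBroker:
    """Owns the jumphost -> customer mapping and produces the nft commands the
    gateway must run. The VM never touches the firewall itself; it only asks."""

    def __init__(self, customers, max_session_s=8 * 3600, clock=time.time):
        self.customers = {c.name: c for c in customers}
        self.sessions = {}          # jumphost IP -> Session
        self.max_session_s = max_session_s
        self.clock = clock          # injectable for testing
        self.audit = []             # (time, user, host, action, customer)

    @staticmethod
    def _element(host, cust):
        # One set element ties a single jumphost to a single tunnel interface.
        return f'{host} . "{cust.tunnel_if}"'

    def connect(self, host, customer_name, user):
        cust = self.customers[customer_name]   # KeyError for unknown customer
        current = self.sessions.get(host)
        if current is not None and current.customer != cust:
            # The invariant the question asks for: refuse a second tunnel.
            raise RuntimeError(
                f"{host} is already attached to {current.customer.name}; "
                f"disconnect before connecting to {cust.name}")
        if current is not None:
            return []                         # same customer: idempotent
        now = self.clock()
        self.sessions[host] = Session(cust, now, now + self.max_session_s)
        self.audit.append((now, user, host, "connect", cust.name))
        return [f"nft add element inet support allowed {{ {self._element(host, cust)} }}"]

    def disconnect(self, host, user):
        sess = self.sessions.pop(host, None)
        if sess is None:
            return []                         # nothing open: nothing to do
        self.audit.append((self.clock(), user, host, "disconnect", sess.customer.name))
        return [f"nft delete element inet support allowed "
                f"{{ {self._element(host, sess.customer)} }}"]

    def reap_expired(self):
        """Tear down sessions nobody closed; run this periodically on the gateway."""
        now = self.clock()
        cmds = []
        for host, sess in list(self.sessions.items()):
            if sess.expires_at <= now:
                cmds += self.disconnect(host, user="broker/expiry")
        return cmds

    def current_customer(self, host):
        sess = self.sessions.get(host)
        return sess.customer.name if sess else None


if __name__ == "__main__":
    broker = TunnelBroker([Customer("X", "vti-x"), Customer("Y", "vti-y")])
    for cmd in broker.connect("10.0.10.5", "X", "alice"):
        print(cmd)
    try:
        broker.connect("10.0.10.5", "Y", "alice")
    except RuntimeError as e:
        print("refused:", e)
    for cmd in broker.disconnect("10.0.10.5", "alice"):
        print(cmd)
```

In practice the broker would run on the concentrator (or a small service next to it), execute the returned commands, and expose only `connect`/`disconnect` to the jumphost over an authenticated channel; the nftables set, rather than per-customer rule edits, keeps the firewall policy static while the allowed pairs change.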