Ubiquiti Wi-Fi, Service Provider recommendations

Hello All;

Would like to receive your recommendations for Ubiquiti - Service Providers.
Also, if you can, please share which UTM Security Appliance you have successfully deployed between your Internet modem and the USG.
Our environment / initial deployment is for a medium-size church deployment with just a few AP-Pro.

Thanks in advance,

Gary

What are you looking for in a service provider? Someone to install and
manage the solution or something else?

The USG is intended to be used as your primary security device. I don’t
believe there is any benefit to using it in tandem with another security
appliance aside from providing some extra job security to whoever managed
to get that working correctly without causing double-nat and other issues.
If you were going to run something alongside it, there are quite a few
products that function in a transparent bridge mode but the amount of
protection they can offer in that mode is pretty low.

As Alex points out, the main way this is done is with a transparent bridge, and I’ve done it a few times with Unifi gear for messing about in labs. But realistically, all the service providers I interact with that are standardized on Unifi switches/APs will either standardize on a USG and provide threat management through means other than a UTM, or they will deploy a UTM from Sophos (the darling at the moment among providers), Untangle, Fortigate, Barracuda, Sonicwall, etc.

Anyhow, we only manage Unifi networks in Singapore, but I regularly interact with a service provider in Santa Barbara, which I think is still pretty far from Salinas, but they do manage Unifi networks and are now standardizing on Sophos UTMs if I’m not mistaken: https://sbitgroup.com/

Hi Alex and Isaac,
Thanks for your replies.
We are currently running an ASA 5506-X for our UTM, and it performs well in protecting the church.
I would very much like to keep it employed in front of the USG. The one negative of the ASA is that it has a bare-minimum DHCP server with no reservation capability. That’s the positive of the USG, being able to utilize the onboard RADIUS server.

Hi Alex,

Yes, for a provider to eventually take over the general management of the Ubiquiti system.

I think you’ll really struggle to find a service provider willing to take
responsibility for some combination of an ASA + USG. As far as I’m aware,
you’re going to have to run that in some sort of double-nat configuration
which is going to wreak havoc with any peer-to-peer applications, voice
over IP, VPNs, etc.

I also can’t say the ASA platform is really a very capable UTM at this
point in time, and most of the features will be extremely limited when all
it sees is 1 IP (the USG). In order to make this work in any reasonable way
you’d have to run both products in a very unsupported way - which again, no
service provider is going to want to touch.

If all you’re looking for is better DNS/DHCP/RADIUS, there are several
products (including Synology) out there that can handle that role in a much
more supportable way assuming you want to keep the ASA in play.

Unfortunately, I don’t know any mature IT service provider that would be willing to manage that combo. If they want to support Cisco as part of a larger SDN style network then it’s almost always the Meraki line. It’s probably worth bringing in a few service providers to quote more broadly on network management just to hear what they would be willing to provide as one of them could say “yeah, we’ll provide a UTM and we can manage all the Unifi equipment no problem” and offer a reasonable rate.

Yup, Meraki would be a better option if budget is not a big concern.

I manage both Meraki and Unifi networks and my preference is Meraki, as it really saves time for my team and has great support.

I do support both with the MSP I own, but the setup you’re asking for is not ideal at all. Either you wait a few more months and get the new UniFi product coming out, or just use the ASA. I would recommend that if you have the ASA, stay with that and add the UniFi product behind it and get ready for the Dream Machine Pro, then swap it out.

Hi Brian,
Thank you for the reply.
Would you expand upon your input “the unifi product behind it and get ready for the dream machine pro then swap it out”?
Thanks,
G

Yes, sorry. What I would do is wait for the Dream Machine Pro; it’s currently in beta but will be replacing the USG 4 Pro, or at least that’s how UniFi is selling it.

So replace the switching and APs now or soon and use the ASA for now, no USG 4. Also, as for the ASA, almost all features in the current USG line are in the ASA; you’re not gaining much right now. Now, my typical setup for churches is currently a USG 4, and I link it to my WebTitan cloud to get the church the content filter that’s missing in the Pro.

Why wait? It’s because the Dream Machine Pro will have the UniFi controller built in, so no Cloud Key is needed, and the new access controller server built in for the also-beta access control system. So I would wait for that part to come out before replacing the ASA.