With the ESG line of gateways, EnGenius completes the foundation for EnGenius Cloud. The first gateway, ESG510, is already available and ensures that from the cloud environment you no longer have to go through a third party gateway to get to your access points and switches. That means you can stay within the same ecosystem from cloud to access point.
Refer to the following graphic on how EnGenius envisions this schematically:
The idea is that all management takes place from a single environment in the cloud. This is not only conveniently organized, it also removes a common source of security gaps. With a variety of different network environments, a policy applied on one device and forgotten on another is easy to miss; from a single pane you can roll out a policy network-wide and be sure nothing was skipped, something that happens quite easily with a heterogeneous network stack. The flip side is that the cloud account then controls every device at once, so it deserves the same protection you would give any administrative account: multi-factor authentication and as few administrators as possible.
The PDUs can already be seen in the above picture as part of EnGenius’ portfolio. These are coming later this year. The company is also working on developing IP cameras to integrate with EnGenius Cloud. When all these new products are here, EnGenius will have developed a comprehensive portfolio.
EnGenius Cloud ESG510
The EnGenius ESG510 is the first gateway within the EnGenius Cloud offering. This is a modest little box, but one with muscle. It contains a quad-core processor clocked at 1.6 GHz. It also has four network connections. That in itself is nothing special, nor is the fact that two of them can be configured as WAN ports. What is rather special is that all four connections offer 2.5Gbps of bandwidth, which gives your organization a nice amount of bandwidth at its disposal. Otherwise, there is not much else special to see on the outside. In addition to a console port there is a USB 3.0 connection, which takes a USB mobile dongle to provide WAN failover to a mobile network. That brings the total to three WAN connections.
The EnGenius ESG320, ESG610 and ESG620
In addition to the ESG510, three more gateways are on the way: the ESG320, ESG610 and ESG620. The ESG320 is aimed at price-conscious customers who need only 1 Gbps ports (four of them); it has a dual-core processor under the hood. The ESG610 has a higher-clocked processor (2.2 GHz) but otherwise the same housing as the ESG510. The ESG620 shares this more powerful processor and adds four more 2.5Gbps ports as well as two SFP+ ports.
Furthermore, all models can be used to power an access point. The ESG320, ESG510 and ESG610 each have 1 port that can provide PoE+, the ESG620 has four. This is an important feature as far as we are concerned. Namely, it means that for a small branch office, you only need a gateway and an access point to set up a working network. No need to connect a switch with PoE+ in between. If we look at the number of VPN tunnels, one of the reasons to purchase such a gateway as an organization, we see that the ESG510 can handle 200, the ESG610 and ESG620 go up to 300. For the ESG320, the official specification is not known at this time. However, that’s probably going to be less than 200 given its more limited processing power.
There is choice for all kinds of sizes of organizations and branch offices. In the following graphic, you can see the ESG320, ESG610 and ESG620 together with the ESG510:
More SD-WAN than Security
When you see the acronym “ESG,” you might be inclined to think that stands for EnGenius Security Gateway. Meanwhile, the “S” seems to stand mostly for SD-WAN. It focuses primarily on optimally setting up multiple connections and setting up VPN tunnels between locations.
It has a stateful firewall on it, of course, but not things like deep packet inspection (DPI), intrusion detection, antivirus, anti-spam and so on. On a security gateway you would expect these; on an SD-WAN gateway not necessarily. On the other hand, you can argue about whether you still need all these security features on a gateway, since most traffic will go through encrypted connections (SSL/TLS/IPSec). That argument only goes so far, though: encryption hides payloads from the gateway, but not DNS lookups, destination addresses or TLS metadata, and an endpoint that is already compromised talks to its command-and-control server over TLS just as happily. Whatever you do not inspect at the gateway has to be covered elsewhere, typically on the endpoints and in DNS filtering.
Looking at the options for the ESG510 within the EnGenius Cloud management environment, they are nice and clear. There is, of course, a tab where you set up the WAN connection and the subnets within your own environment. On the WAN tab you configure the two WAN connections and specify whether to add the mobile network as well. Here you can also register your public IP address with one of the supported dynamic DNS services, so VPN peers can reach you by hostname even when that address changes.
The WAN settings on a gateway like the EnGenius ESG510 deserve a moment's thought. Not so much what those settings should be, but how to get them onto the box. After all, this is a device that connects to EnGenius Cloud, and settings you enter in the cloud environment are not on the ESG510 until it has reached the cloud. Simply plugging it into your WAN is not enough if that WAN needs specific PPPoE credentials or a VLAN tag: without them the gateway cannot connect, and therefore cannot fetch its configuration.
One way to solve this is to first connect a PC directly to the ESG510 and enter the settings in the interface of the gateway itself. A perhaps even simpler alternative is to first put the ESG510 behind an existing gateway. It then connects and you can immediately push the correct WAN settings to it from the cloud environment. Of course, that connection will be lost the moment the PPPoE or VLAN settings take effect; at that point you move the WAN link from the old gateway to the new one (i.e., the ESG510).
Much attention to VPN
In addition to the WAN settings, the ESG510 is mainly about having the possibility to make VPN connections. This makes sense considering that the ESG510 is positioned primarily as an SD-WAN gateway.
As usual in gateways, the EnGenius ESG510 offers two flavors, site-to-site and client-to-site. You use the former to connect two different office locations, and the latter to give endpoints on-the-go access to the network behind the gateway. By the way, you can neatly specify in the site-to-site settings which local subnets are allowed to use the VPN connection. So you certainly don’t have to open up your entire corporate network.
Mesh vs. Spoke-and-Hub VPN
EnGenius uses something that goes by the name of one-click VPN, or Auto VPN. With it you set up VPN connections between gateways at the push of a button. This is so easy because everything is controlled from a central location, the cloud; it would not be possible without one. The same central control makes it possible to automatically restore broken connections. Right now EnGenius promises that a connection never stays down for more than a few minutes, since the devices poll the cloud every five minutes; that polling interval is the floor on how quickly a repair can start. Perhaps in the future steps will be taken towards near real-time. In principle, though, a few minutes should be fine.
There is a choice of either a Mesh architecture or a Hub-and-Spoke architecture when setting up site-to-site VPN. Both have advantages and disadvantages. Hub-and-Spoke means that everything runs through a central location, the hub: every spoke holds a single tunnel to the hub, and traffic between two spokes passes through the hub. The hub, especially in larger networks, must therefore be quite powerful and have a generous uplink, or it will never cope with all those simultaneous connections. At the beginning of the COVID-19 pandemic many organizations ran into exactly this when suddenly 100 percent of employees had to reach the corporate network via a VPN connection; that was remote-access rather than site-to-site VPN, but the lesson about the central concentrator is the same.
With a mesh architecture you don't have this problem: every site has a direct tunnel to every other site and no single gateway carries everyone's traffic. The price is less overview and control, and more tunnels per gateway (one per other site, so the 200 or 300 tunnel ceilings of these models come into view sooner as the number of sites grows). In some organizations such an architecture will not be allowed for the control reason alone. In any case, it's good that EnGenius offers you the choice.
Additional conveniences for site-to-site VPN
Looking further into the options you have for site-to-site VPN, we see two additional conveniences. First is automatic NAT Traversal. This feature, which does require you to have a Pro license by the way, allows you to set up a VPN between two EnGenius gateways even if another firewall is in between.
Again, this is possible because EnGenius Cloud acts as a broker of sorts. The gateways tell the cloud exactly where they are and what settings they have (which, for NAT traversal, amounts to the public address and port each gateway is seen from), and the connection can then be set up straight through the NAT of the intermediate router, so to speak. Note that the intermediate router must support full cone NAT: a full-cone NAT reuses the same public port for a gateway regardless of whom it talks to, so the endpoint the cloud observed is the one the peer can reach. A symmetric NAT allocates a new public port for every destination, so the peer's packets arrive at a mapping that only admits the cloud, and this does not work; you then have to configure the intermediate router by hand (typically a static port forward to the gateway). Without a Pro license you have to do it manually anyway.
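To make the full-cone versus symmetric distinction concrete, here is a small simulation added for this article; it is not EnGenius code and says nothing about how EnGenius Cloud actually implements its broker. It models two gateways, each behind its own NAT, and a cloud that only records the public endpoint it sees for each gateway and hands it to the other side. The IP addresses and ports are constructed from the RFC 5737 documentation and RFC 1918 private ranges. The punch succeeds when both NATs are full cone and fails as soon as either is symmetric, because a symmetric NAT mints a fresh public port for the peer and the port the cloud learned is bound to the cloud alone.

```python
"""Why cloud-brokered NAT traversal needs full-cone NAT: a toy model.

Added illustration for this article, not EnGenius code. Addresses are
constructed from the RFC 5737 documentation and RFC 1918 private ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    """A NAT with either endpoint-independent (full cone) or
    endpoint-dependent (symmetric) mapping behaviour."""
    public_ip: str
    symmetric: bool = False
    next_port: int = 40000
    # full cone: key = (internal,)        -> one public port per internal socket
    # symmetric: key = (internal, remote) -> a new public port per destination
    mappings: Dict[tuple, int] = field(default_factory=dict)

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate an outgoing packet; returns the public source endpoint."""
        key = (internal, remote) if self.symmetric else (internal,)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.mappings[key])

    def inbound(self, public_port: int, sender: Endpoint) -> Optional[Endpoint]:
        """Return the internal endpoint an incoming packet is forwarded to,
        or None if the NAT drops it."""
        for key, port in self.mappings.items():
            if port != public_port:
                continue
            # A symmetric mapping only admits the remote it was created for.
            if self.symmetric and key[1] != sender:
                continue
            return key[0]
        return None


def broker_assisted_punch(nat_a: Nat, nat_b: Nat) -> bool:
    """Simulate a one-click VPN set-up between gateway A and gateway B,
    each behind its own NAT, with the cloud acting only as a broker."""
    gw_a = ("192.168.1.1", 500)    # constructed: A's private VPN endpoint
    gw_b = ("192.168.2.1", 500)    # constructed: B's private VPN endpoint
    cloud = ("198.51.100.1", 443)  # constructed: the management cloud

    # 1. Both gateways poll the cloud; it records the public endpoint it sees.
    seen_a = nat_a.outbound(gw_a, cloud)
    seen_b = nat_b.outbound(gw_b, cloud)

    # 2. The cloud tells each gateway the other's observed endpoint and both
    #    send their first tunnel packet to it. On a symmetric NAT this new
    #    destination gets a new public port, so the packet leaves from a port
    #    the peer has never heard of.
    src_a = nat_a.outbound(gw_a, seen_b)
    src_b = nat_b.outbound(gw_b, seen_a)

    # 3. The tunnel comes up only if each NAT forwards the peer's packet.
    a_reaches_b = nat_b.inbound(seen_b[1], src_a) == gw_b
    b_reaches_a = nat_a.inbound(seen_a[1], src_b) == gw_a
    return a_reaches_b and b_reaches_a


def traversal_matrix() -> Dict[Tuple[str, str], bool]:
    """Run the punch for every combination of NAT types on the two sides."""
    kinds = {"full-cone": False, "symmetric": True}
    return {
        (ka, kb): broker_assisted_punch(Nat("203.0.113.10", symmetric=sa),
                                        Nat("203.0.113.20", symmetric=sb))
        for ka, sa in kinds.items()
        for kb, sb in kinds.items()
    }


if __name__ == "__main__":
    for (ka, kb), ok in traversal_matrix().items():
        print(f"A behind {ka:9s} / B behind {kb:9s}: "
              f"{'auto VPN comes up' if ok else 'needs manual configuration'}")
```

Only the full-cone/full-cone row comes up on its own; in the other three the side behind the symmetric NAT never sees the peer's packet, which is the situation where the page says you fall back to configuring the intermediate router by hand.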
The last notable part of the site-to-site VPN settings is the Add non-EnGenius Gateway heading. This allows you to add a gateway from another manufacturer, or an EnGenius gateway in another organization (other than the one you have configured in your EnGenius Cloud), to the VPN network from the cloud environment. This is a completely manual job, though; here EnGenius Cloud cannot help, since it has no data or telemetry on that gateway. Still, it's a handy feature to have. Many organizations have made investments in the past, and this way they can keep using that equipment rather than write it off; they don't have to replace devices that are not yet due for replacement.
Finally, it's worth mentioning that a map shows exactly how an organization's different sites are connected; you need a Pro license for this. A future feature will let you connect an SSID on a remote access point to the gateway via VPN. It is aimed at home workers who have a company access point broadcasting the company SSID: clients on that SSID then automatically have a connection to the office. You can compare this to EoGRE, the difference being that EoGRE operates at Layer 2 while the feature we're talking about here works at Layer 3.
The capabilities for site-to-site VPN connections are quite extensive. Clearly, a lot of focus has been placed on that. On the client-to-site configuration page there are fewer options. This of course makes sense, as a client-to-site VPN is less complex than a site-to-site VPN.
Conclusion: powerful box with clear emphasis on SD-WAN
The bottom line is that EnGenius has put quite an interesting product on the market with the ESG510. Especially if you're not looking for a security gateway, but rather for a product to quickly and efficiently tie together different branches, this little box may well belong on the shortlist. It features relatively powerful hardware, a total of three (W)WAN connections, 2.5Gbps ports and PoE+ on one of the LAN ports.
In terms of capabilities, most organizations will be more than satisfied with the options in terms of site-to-site VPN, still the main use case for the ESG510, in addition to load balancing and failover.