HeadSpin Documentation

On-Premise Deployment Options

There are four deployment options for on-premise:

  1. Fully Managed by the Customer. This is the default once the customer network team gets involved and plans to scale out the deployment.
  2. Assisted Networking. Option 1/3 for a quick setup. This requires the customer to add one exception for the VPN server IP to the outbound firewall.
  3. Assisted Networking with Client VPN Profiles. Option 2/3 for a quick setup. Each user installs a VPN profile on their computer that communicates with a dedicated hosted VPN server. This requires the customer to add one exception for the VPN server IP to the outbound firewall.
  4. Assisted Networking with Site-to-Site VPN. Option 3/3 for a quick setup. This requires the customer to add one exception for the VPN server IP to the outbound firewall and to create an OpenVPN or IPsec site-to-site tunnel between their network and the static IP supplied by HeadSpin.

We recommend starting with Option 2 or Option 3, with a plan to migrate to Option 1 in the long term. The choice depends on the customer's security policy.

Fully Managed by Customer

[Diagram: customer firewall]

See Fully Managed Network Setup Checklist and Fully Managed DNS Configuration for configuration details.

Assisted Networking

[Diagram: assisted network]

Steps to deploy:

  1. HeadSpin manages the DNS for the hostnames that we provide.
  2. Add an outbound firewall exception for the dedicated VPN server IP and the HeadSpin Router IP.

Assisted Networking with Client VPN Profiles

[Diagram: Assisted Networking with Client VPN Profiles]

Steps to deploy:

  1. HeadSpin manages the DNS for the hostnames that we provide.
  2. Add an outbound firewall exception for the dedicated VPN server IP.
  3. HeadSpin will work with your network team to confirm a non-conflicting private subnet for the client VPN. The default range of 172.28.0.0/15 will usually work out of the box.
  4. For each user, install an OpenVPN client with a provided profile. The client must be active to access the HeadSpin system.

Assisted Networking with Site-to-Site VPN

[Diagram: Assisted Networking with Site-to-Site VPN]

Steps to deploy:

  1. HeadSpin manages the DNS for the hostnames that we provide.
  2. Add an outbound firewall exception for the dedicated VPN server IP.
  3. HeadSpin will work with your network team to decide whether to use OpenVPN or IPsec. For OpenVPN, we will coordinate on a non-conflicting private subnet for the client VPN (the default of 172.28.0.0/15 will usually work out of the box). For IPsec, we will coordinate on a public-to-private IP mapping as shown in this diagram.
  4. Set up the routing rules through your vendor gateway via the site-to-site VPN created in Step 3.
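
Step 3 of both the Client VPN Profiles and the Site-to-Site VPN procedures asks for a non-conflicting private subnet. The following added example (not HeadSpin tooling) shows one way a network team could check the default 172.28.0.0/15 range against the subnets already routed on site and list free same-size alternatives. The input format and the sample networks are constructed assumptions.

```python
import ipaddress

# Default client VPN range stated on this page.
DEFAULT_VPN_RANGE = ipaddress.ip_network("172.28.0.0/15")
# RFC 1918 private blocks searched when the default conflicts.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: networks already routed inside a hypothetical customer site.
SAMPLE_IN_USE = [
    "10.0.0.0/8        # corporate LAN",
    "172.29.4.17/24    # lab VLAN, written with host bits set",
    "192.168.1.0/24    # guest Wi-Fi",
]


def parse_networks(lines):
    """Parse CIDR strings, ignoring blanks and '#' comments; host bits are masked off."""
    nets = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if text:
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def find_conflicts(candidate, in_use):
    """Return the in-use networks that overlap the candidate VPN range."""
    return [n for n in in_use if n.version == candidate.version and n.overlaps(candidate)]


def suggest_alternatives(in_use, prefixlen=15, limit=3):
    """Return up to `limit` same-size private ranges that overlap nothing in use."""
    found = []
    for block in RFC1918:
        if prefixlen < block.prefixlen:
            continue  # block is smaller than the requested range
        for sub in block.subnets(new_prefix=prefixlen):
            if not find_conflicts(sub, in_use):
                found.append(sub)
                if len(found) == limit:
                    return found
    return found


if __name__ == "__main__":
    in_use = parse_networks(SAMPLE_IN_USE)
    clashes = find_conflicts(DEFAULT_VPN_RANGE, in_use)
    print("conflicts with default:", [str(n) for n in clashes])
    print("free alternatives:", [str(n) for n in suggest_alternatives(in_use)])
```

An empty conflict list means the default range can be used as is; otherwise the alternatives give concrete ranges to propose when coordinating the subnet.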