Our company is moving forward with a pilot project on implementing an SSL-based VPN that could turn into a production situation if all goes well. We are trying to decide what unit capacity to purchase, and we're also looking at having redundancy as transparent as possible to the user in the final system. Suggestions?
- Via the Internet

After looking at the different vendors' products in this area, see which will loan you a unit for testing. Depending on the size of your final implementation and what type of success story your company could be used as, you should be able to find at least one vendor that would be willing to work with you in this way. If not, look at the unit that will give you the most capacity for the least cost, and one in which the money wouldn't be considered wasted in the event you didn't proceed with the project.

You can get the redundancy you're looking for in one of two ways; both require that some type of central authentication system, such as LDAP, RADIUS or TACACS, be supported. The first option involves the clustering concept. This allows for the SSL VPN hardware to handle load-balancing for you so if a unit fails or has to be taken out of service, all your users aren't affected at the same time. This feature may come at a price that may make it more expensive than it's worth depending on how important this is to you.

The other option is something you can do yourself. Setting up a round-robin DNS to give out different IP addresses for the same host name request allows you to accomplish load balancing similar to clustering.
With round-robin DNS, this may be a little harder to accomplish. You would need to have very short TTL values set for the records so if a unit failed you would be able to remove the A record containing the IP address of the downed unit, and get users up and running as quickly as possible. This would still not cover situations in which some ISPs' DNS systems wouldn't get refreshed DNS info as quickly as they should.
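
The do-it-yourself option described above, as an added example that is not part of the original answer: a health check on each unit's HTTPS port that produces the nsupdate commands to pull a downed unit's A record and re-add it on recovery. The zone, host name, unit addresses (documentation range 192.0.2.0/24) and the 60-second TTL are assumptions, and the name server is assumed to accept dynamic updates.

```python
import socket

ZONE = "example.com"        # assumed zone
NAME = "vpn.example.com."   # assumed host name users connect to
UNITS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # constructed addresses
TTL = 60                    # assumed short TTL, in seconds


def is_up(ip, port=443, timeout=3.0):
    """Health check: does the unit complete a TCP handshake on its HTTPS port?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def plan_updates(published, health, zone=ZONE, name=NAME, ttl=TTL):
    """Build nsupdate input that brings the round-robin record set in line
    with unit health.

    published: set of IPs currently served as A records for `name`
    health:    dict mapping each checked unit IP to True (up) or False (down)
    Returns (commands, new_published).
    """
    healthy = {ip for ip, ok in health.items() if ok}
    down = {ip for ip, ok in health.items() if not ok}
    if not healthy:
        # Every check failed: the monitor has probably lost connectivity.
        # Deleting every A record would turn that into a guaranteed outage.
        return [], set(published)
    cmds = [f"update delete {name} A {ip}" for ip in sorted(published & down)]
    cmds += [f"update add {name} {ttl} A {ip}" for ip in sorted(healthy - published)]
    if cmds:
        cmds = [f"zone {zone}"] + cmds + ["send"]
    return cmds, (set(published) - down) | healthy


if __name__ == "__main__":
    state = {ip: is_up(ip) for ip in UNITS}
    commands, _ = plan_updates(set(UNITS), state)
    print("\n".join(commands))  # feed to nsupdate, e.g. nsupdate -k <keyfile>
```

Resolvers that ignore the short TTL will keep handing out the removed address until their own cache expires, which is the limitation the answer points out.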