you need to provide secure remote access to Web-based apps as well as
other network resources, then an
SSL VPN is a great choice. Unlike IPSec VPNs,
SSL VPNs do not require any special client software in order to access resources
inside the enterprise. Now business partners, road warriors, and users at public
Internet access terminals can safely and easily get to the information they need
without adding to IT staff’s workload.
The Aventail EX-750 SSL VPN appliance provides granular yet flexible secure
remote access without requiring an overly complex GUI. Users and resources are
easy to create and manage through the browser-based GUI, and Aventail end point
management is first rate. Some advanced end point features, however, require
additional licensing. The appliance supports all types of VPN access, including
Aventail Connect, a Windows application for seamless network integration.
Notably, concurrent connections are limited to 50 users.
Ready, set, connect
Initial installation of the 1U rack-mountable EX-750 took less than an hour. I
completed the first part using a local serial connection and the rest using a
secure browser session. An easy-to-follow wizard stepped me through assigning an
IP address, subnet mask, and gateway to the appliance. The Aventail AMC (ASAP
Management Console) is neatly laid out and well organized, with a handy Quick
Start set of links that guide you through major configuration and policy
definitions.
The EX-750 comes with flexible user authentication tools. Users are grouped into
realms, with each realm defined by the user store (LDAP, Active Directory,
RADIUS, or local user list) and the credential type (digital certificate, token/SecureID,
or username/password). For my test, I created a realm based on users in Active
Directory in less than 10 minutes. AMC does a fantastic job of making LDAP and
Active Directory connections quick and easy, and the included Test Connection
feature ensures everything is correct.
Resource definition is another area where Aventail excels. Adding a network
resource requires naming it, defining whether it is a network, URL, or file
system resource, and configuring its specific settings, such as share name, IP
address, or URL.
As with other SSL appliances, the EX-750 offers three modes of access: Web
client, thin client, and network-based. Web-client access simply secures and
redirects the user to Web resources inside the enterprise via a Web browser. I
tested this feature using both Internet Explorer and Mozilla Firefox, and had no
trouble accessing Web applications behind the EX-750.
Thin-client support uses Aventail On-Demand, a download-on-access Java applet.
Unlike clients for solutions such as Rainbow NetSwift iGate, the Aventail client
installs no network drivers and makes no changes to the client’s host file but
is also limited to TCP-based applications. When the session is over, the client
closes with no lasting traces.
Aventail Connect is a Windows-based software client that runs in the background
on a remote user’s PC. Unlike Aventail On-Demand, it provides transparent access
to protected resources over both TCP and UDP (User Datagram Protocol) protocols.
The client launches prior to the user logging in to his or her computer. This is
important, because it allows the user to log in to a Windows domain over the SSL
tunnel and come under all group policy restrictions and log-in script processing
as defined by administrators. From the users’ perspective, they are part of the
enterprise, even though they are not inside the local network.
Maintaining control
Aventail Connect’s EPC (End Point Control) is the end-user security policy
engine. Through EPC, Connect can be set to clear the remote user’s browser cache
at the end of a session. By purging the cache, any potentially sensitive
temporary files are deleted from the PC. Administrators can also force other
open browser windows to close at the start of a secure session. Aventail Connect
also checks to ensure Zone Labs, Sygate, or WholeSecurity services are installed
and running prior to allowing the session to begin. This feature is not included
in the base price of the appliance and comes at an additional cost.
Administrators create security profiles using the Connect Administrator Tools
and distribute the package to remote users either as a file-attached e–mail
message or through the company portal. Because Aventail Connect is centrally
managed, administrators can enforce security policies to remote users from one
location. For example, decisions such as whether cache cleaning is required or
whether a specific anti-virus application is present on the remote PC can be
defined and pushed out to all Aventail Connect users.