By Cameron Sturdevant  |  Posted 2006-07-26

The Aventail EX-2500, part of a family of SSL VPN appliances, neatly combines a straightforward user interface with powerful remote access and security policies. We tested the appliance with a feature-complete, late-beta edition of the Version 8.7 software, slated for availability on Aug. 7.

We were impressed with the capability of the $62,995 EX-2500 we tested, which came fully loaded with all the Web and client/server access methods the appliance offers. The EX-2500 supports 2,000 concurrent users, and we tested it configured for 1,000 users.

Aventail also offers the EX-750 for 10 to 25 concurrent users, starting at $3,995. The EX-1600 appliance supports as many as 250 concurrent users and is priced starting at $5,995.


The pricing for all the Aventail appliances is comparable to that of F5's products and other appliance-based SSL VPN systems.

The Aventail EX-2500 is a 1U (1.75-inch) form factor appliance that we implemented in a "one-arm" design—using a single cable to connect the EX-2500 to our network.

Nearly all SSL VPN vendors trumpet the simplicity with which the devices can be implemented. The reality for both the Aventail EX-2500 and the F5 FirePass 4100 is that IT managers must put a fair amount of work into adding the devices to the network.

In the case of the Aventail EX-2500, we needed to make several choices regarding user account creation, authentication and resource availability (including applications, file shares and Windows domains).

Our first test was to see if we could get a pair of VOIP (voice over IP) softphone clients to talk to each other across our firewall in a secure session. After spending about 2 hours with Aventail technical support, we were able to complete a call in which parties on both sides of the connection could communicate.

Because any VPN technology is typically used to forward connections from a user to a network resource, applications including VOIP and FTP that use cross-directional and bidirectional connections are quite tricky to set up. We used a Trixbox (trixbox.org) IP phone system that is based on Digium's open-source Asterisk PBX. We used free Counterpath X-Lite softphone clients (www.xten.com), which we installed on our external remote access clients and on a PC on the internal network.

We created a network tunnel service, assigned IP addresses from our internal DHCP (Dynamic Host Configuration Protocol) server to the PPP (Point-to-Point Protocol) connections coming from the remote access clients and created a pair of access rules.

We were able to place SIP-based telephone calls from our remote access clients to extensions on the internal network, and vice versa. The call quality was unremarkable, but we had no trouble hearing and understanding both sides of the connection.

IT managers can expect to see SSL VPN makers adding new support features at a rapid pace, and this release of the Aventail EX-2500 is no exception.

For example, previous versions of the product supported a capability that Aventail calls WorkPlace sites, or customized Web portals. Each WorkPlace has a unique look and different authentication and access methods. In previous versions of the appliance, the domain name had to be the same for each site; in the latest version, we were able to specify different URLs for each site. This level of customization makes it easier to control what network resources are offered to users and streamlines the authentication process.

The Aventail EX-2500 was easy to integrate with our Microsoft AD (Active Directory) infrastructure. User and group credentials aren't stored on the EX-2500 but are referenced in existing user and group data that was stored in our AD domain controller.

We used a wild-card search of the directory to create lists of users that we made members of user communities on the EX-2500.

We liked the fact that we could easily integrate remote access clients into our IP address space using our existing DHCP server. With one simple configuration, we directed the EX-2500 to pull available IP addresses from our DHCP pool. This setup facilitated the more difficult task of setting up the reverse routes we needed to enable our VOIP telephony solution.


Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.
