By Cameron Sturdevant  |  Posted 2006-07-26

F5 Networks' FirePass 4100 SSL VPN appliance running Version 6.0 of the controller software uses a complex configuration interface to provide extensive controls over remote clients. The result for IT managers is a secure log-on to the corporate network—but also likely more time in the planning stages to get all clients up and running.

The FirePass 4100, which began shipping in May, is a 2U (3.5-inch) form factor appliance that is rated for 2,000 concurrent users. For our tests, we configured the FirePass 4100 for 1,000 concurrent users (which F5 estimates is the correct configuration to support 10,000 employees with 10 percent average concurrency).
Outfitted with support for full network access, proxy-based client Web access, client/server application and integrated endpoint security, the FirePass 4100 costs $69,990. This pricing is comparable to that of other appliance-based SSL VPNs.


Also like other SSL VPN vendors, F5 touts the ease with which the FirePass 4100 can be configured. However, managing the power of the configuration settings of the latest version of FirePass is anything but easy. IT managers should expect to spend at least a week working with the product and its 512 pages of documentation to fully understand the available options.

We used dynamic group mappings to associate users with resources when they logged on. This allowed us to maintain user and group settings in our AD server that FirePass then retrieved each time a user attempted to log on.

During our tests, we discovered that many of the new features in the FirePass 4100 create the potential for IT managers to overcomplicate access control. We recommend that IT managers who decide to go with the FirePass 4100 start off with the simplest configurations and slowly add new policies while carefully documenting any configuration changes.

As with the Aventail EX-2500 running Version 8.7 of Aventail's controller software, access methods and application resources quickly intertwine on the F5 FirePass 6.0 product. During tests, for example, we created several groups of users to emulate the various departments that make up eWeek. When we altered resource access to Microsoft Exchange, we had to carefully review all the user groups to ensure that e-mail access was maintained for all.

One valuable feature that the FirePass 4100 offers is the ability to run pre-log-on checks. To fully use this function, IT managers should assign a desktop expert to specify the exact processes that can and can't be running for a client to access the network, as well as registry settings and operating system service packs. For example, we specified that Windows XP had to be using Service Pack 2 with the Windows Firewall running before a client would be allowed to log on to the corporate network.
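
The pre-log-on rule described above, modeled as an added example that is not FirePass configuration or F5 code: an evaluator that denies log-on unless the operating system, service pack, running services, process list and registry values all match policy, and that fails closed when a value is missing. The `Policy` fields, the endpoint report layout, the forbidden process name and the registry value are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    os_name: str
    min_service_pack: int
    required_services: set = field(default_factory=set)
    forbidden_processes: set = field(default_factory=set)
    required_registry: dict = field(default_factory=dict)

def evaluate(policy, endpoint):
    """Return the reasons to deny log-on; an empty list means compliant."""
    failures = []
    if endpoint.get("os") != policy.os_name:
        failures.append("os mismatch")
    sp = endpoint.get("service_pack")
    # Fail closed: a missing or non-integer value counts as non-compliant.
    if not isinstance(sp, int) or sp < policy.min_service_pack:
        failures.append("service pack too old or unknown")
    # Windows service and process names are case-insensitive.
    services = {s.lower() for s in endpoint.get("running_services", [])}
    for name in sorted(policy.required_services):
        if name.lower() not in services:
            failures.append(f"service not running: {name}")
    processes = {p.lower() for p in endpoint.get("processes", [])}
    for name in sorted(policy.forbidden_processes):
        if name.lower() in processes:
            failures.append(f"forbidden process: {name}")
    registry = endpoint.get("registry", {})
    for key, expected in sorted(policy.required_registry.items()):
        if registry.get(key) != expected:
            failures.append(f"registry mismatch: {key}")
    return failures

# The review's rule: Windows XP, Service Pack 2, Windows Firewall running.
# "SharedAccess" is the XP SP2 service name for Windows Firewall/ICS; the
# forbidden process and registry value are constructed placeholders.
POLICY = Policy("Windows XP", 2, {"SharedAccess"}, {"example-p2p.exe"},
                {r"HKLM\SOFTWARE\ExampleCorp\Managed": 1})
# Constructed endpoint reports, not captured from a real client.
COMPLIANT = {"os": "Windows XP", "service_pack": 2,
             "running_services": ["sharedaccess", "Dhcp"],
             "processes": ["explorer.exe"],
             "registry": {r"HKLM\SOFTWARE\ExampleCorp\Managed": 1}}
STALE = {"os": "Windows XP", "service_pack": 1,
         "running_services": ["Dhcp"],
         "processes": ["Example-P2P.exe"], "registry": {}}
UNKNOWN_SP = dict(COMPLIANT, service_pack=None)
```

Returning every failed check rather than stopping at the first gives the help desk a complete remediation list for a denied client.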

While we were able to provide access to nearly all our test network resources, we had trouble getting the Trixbox VOIP solution to work. According to company officials, SIP (Session Initiation Protocol) is not officially supported by the FirePass appliance at this time, and our attempts to set up routes that would allow the protocol to travel across our network in the SSL VPN tunnel were unsuccessful in the time we allotted for the test. We will continue working on the configuration with F5 engineers and will post our subsequent findings at blog.eweek.com/eweek_labs.

FirePass provides a range of client downloads that support special access to resources. We were able to use these controls to enable a variety of preconfigured clients, including Microsoft Terminal Services and VNC (virtual network computing), as well as support for Opswat integration libraries for anti-virus and firewall software found on endpoints.


Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.
