By Andrew Garcia  |  Posted 2004-05-10

Juniper Networks NetScreen-SA3000 is an excellent choice for enterprise networks, providing a slick, mature remote access solution. We tested Version 4.0 of the device, which combines an intuitive and unobtrusive user interface with the most granular administrative control of all the products we reviewed. However, the device's myriad authorization options can easily trip up administrators.

The configuration we tested costs $36,890 for 100 concurrent users. The base price for a clustered pair is $29,695, with additional licensing costs for clustering and concurrent users of the SAM (Secure Application Manager) and Network Connect features. Version 4.0 began shipping in February.

The NetScreen-SA3000's Instant Virtual Extranet technology provided clientless access to our Web servers, Windows file shares, and SSH- and Telnet-enabled resources. Thin-client support and full network connectivity options are also available at additional cost.

The SAM module ($16 per concurrent user) gives administrators the choice between ActiveX (W-SAM) and Java-based (J-SAM) thin clients. We preferred the J-SAM module for its multiplatform support, but it dynamically updates the remote machine's Hosts file, which requires administrative permissions on the remote client. Administrators also can add a series of loop-back addresses to their domain's external DNS (Domain Name System) server.

Network Connect ($16 per concurrent user) is an IPSec-like full-network-access option that gives remote users an IP address on the protected network. Unlike AEP's solution, installing this component does not require a reboot of the user's machine, and the component can be configured to clean itself off the system after the user terminates the session.

The NetScreen-SA3000 provides the most granular authentication and authorization features of the products we tested. Like the Symantec and AEP products, the SA-3000 can authenticate users from multiple back-end servers on a single log-in page, but we also configured the SA-3000 to offer different log-in pages (at different URLs) for RADIUS- and LDAP-based users. This is a nice option for companies that wish to offer different pages for their own employees and their external partners.

However, access to resources must be applied in a multitude of places. Access must be controlled according to Realm (the original authorization server), Role (a server that assigns resources according to group or user attributes) and Resource (the target server and network application).

We liked the breadth of access options these servers provide, but we'd like to see some kind of wizard that would walk administrators through the application process.

With the J-SAM module in place to add native file browsing and Terminal Services access, remote access worked equally well via Internet Explorer and Mozilla (on both Windows and Linux). We did, however, have to disable Mozilla's integrated pop-up blocker and cookie protections to get J-SAM to launch correctly.

The NetScreen-SA3000's high-availability option was easy to configure and adapted capably to our simulated outages. We configured the units in an active/passive formation, although both units can be active at the same time in conjunction with a separate load balancer. The Central Manager license for a cluster pair costs $3,995.


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
