By Cameron Sturdevant  |  Posted 2005-10-10 Print this article Print

Watchguard Technologies Inc.s Firebox SSL Core with Citrix Systems Inc.s Citrix Secure Access is a good Secure Sockets Layer VPN solution for small and midsize businesses that want ease of use for remote users who need access to secure network resources.

However, the WatchGuard SSL VPN is a little like a "turducken"—a turkey stuffed with a duck stuffed with a chicken, all roasted together. Not only does WatchGuard provide the hardware and Citrix most of the software, but eWEEK Labs tests revealed that software Citrix acquired from Net6 Inc. is used throughout the Firebox SSL Core appliance. The good news is that all this hardware and software has been expertly assembled, and we had no trouble getting the various components to perform.

Read more here about SSL VPNs.
Firebox SSL Core with Citrix Secure Access is a 1U (1.75-inch) rack-mountable appliance that costs $2,790, including a five-tunnel license pack. The device, which started shipping in August, can be licensed for as many as 205 tunnels for $22,590.

The Firebox SSL Core with Citrix Secure Access appliance is designed to support fewer tunnels than Citrix offerings targeted for large-scale enterprise use. The Firebox appliance competes with SSL VPNs including Aventail Corp.s EX-750 and Nokias Nokia 60s SSL VPN.

The WatchGuard SSL VPN is less expensive than its rivals to get up and running. However, the Firebox SSL Core cannot be managed with the WatchGuard Firebox System Manager, used for keeping tabs on WatchGuard firewalls, so the bigger administration picture may be more expensive.

Watchguard uses Citrix SSL VPN technology to provide the lightweight client and tunneling technology between end-user systems.

The WatchGuard solution supports a variety of client operating systems, including all flavors of Microsoft Corp.s Windows 2000 and Windows XP, as well as Linux platforms with at least the 2.4 kernel. The Firebox SSL Core appliance also includes a client that supports Apple Computer Inc.s Mac OS X systems running Java Virtual Machine Version 1.4.2 or higher.

During eWEEK Labs tests, the appliance was relatively simple to install and manage, especially compared with IP Security-based VPN tools. We installed the Firebox SSL Core behind a WatchGuard Firebox X1000 as a peer on our protected network. (While the Firebox SSL Core looks exactly like WatchGuards firewall products, it is not an in-line device as they are.)

Installing and integrating the appliance with our existing security infrastructure took a matter of hours. We used Funk Software Inc.s Steel-Belted Radius for user authorization. As with any SSL VPN, we opened port 443 through the firewall to enable a connection to our Firebox SSL Core. When a client first connects, a stub of the SSL VPN client is installed on the end-user system. Users then can simply double-click on the Firebox SSL Core icon to initiate a connection.

The Firebox SSL Cores management interface is oriented to large-scale networks but is workable for a smaller-scale environment.

The help screens that are displayed at all times in the Web-based remote administrative terminal were copious and useful. We also used the customizable portal pages to create welcome pages specific to different groups of users. For example, we could configure the system so that a particular group of users got access to the e-mail system but not to the accounting system. The ease of administration provided by the customized portals was a nice touch.

We configured the Firebox SSL Core appliance to check client system files, registry entries and running processes to ensure that anti-virus and personal firewall software were installed on client systems before a VPN tunnel could be established. The registry and file checks happen only at log-in time, but the Firebox SSL Core client software continually checks processes on the client systems.

We also were able to specify a split tunnel configuration, whereby traffic destined for the protected network was carried through the Firebox SSL Core tunnel while network traffic for the Internet, such as Web browsing, was not. All changes we made to configurations were immediately made available to connected clients.

The Firebox SSL Core appliance also has some features that a small subset of users will likely find useful, including Kiosk mode operation, which allows authorized end-user systems using either Internet Explorer or the Mozilla Foundations Firefox to make a clientless connection to network resources.

We used the Kiosk mode to make a VNC (virtual network computing)-like connection to access shared network drives on our test network as well as computers running Windows Terminal Services. Kiosk mode is limited to just a few services, but it worked well in tests.

Next page: Evaluation Shortlist: Related Products.

Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel