F5 Networks FirePass 4100 SSL VPN appliance running Version 6.0 of the controller software uses a complex configuration interface to provide extensive controls over remote clients. The result for IT managers is a secure log-on to the corporate network—but also likely more time in the planning stages to get all clients up and running.
The FirePass 4100, which began shipping in May, is a 2U (3.5-inch) form factor appliance that is rated for 2,000 concurrent users. For our tests, we configured the FirePass 4100 for 1,000 concurrent users (which F5 estimates is the correct configuration to support 10,000 employees with 10 percent average concurrency).
Outfitted with support for full network access, proxy-based client Web access, client/server application and integrated endpoint security, the FirePass 4100 costs $69,990. This pricing is comparable to that of other appliance-based SSL VPNs.
Also like other SSL VPN vendors, F5 touts the ease with which the FirePass 4100 can be configured. However, managing the power of the configuration settings of the latest version of FirePass is anything but easy. IT managers should expect to spend at least a week working with the product and its 512 pages of documentation to fully understand the available options.
We used dynamic group mappings to associate users with resources when they logged on. This allowed us to maintain user and group settings in our AD server that FirePass then retrieved each time a user attempted to log on.
During our tests, we discovered that many of the new features in the FirePass 4100 create the potential for IT managers to overcomplicate access control. We recommend that IT managers who decide to go with the FirePass 4100 start off with the simplest configurations and slowly add new policies while carefully documenting any configuration changes.
As with the Aventail EX-2500 running Version 8.7 of Aventail's controller software, access methods and application resources quickly intertwine on the F5 FirePass 6.0 product.
During tests, for example, we created several groups of users to emulate the various departments that make up eWeek. When we altered resource access to Microsoft Exchange, we had to carefully review all the user groups to ensure that e-mail access was maintained for all.
One valuable feature that the FirePass 4100 offers is the ability to run pre-log-on checks. To fully use this function, IT managers should assign a desktop expert to specify the exact processes that can and can't be running for a client to access the network, as well as registry settings and operating system service packs. For example, we specified that Windows XP had to be using Service Pack 2 with the Windows Firewall running before a client would be allowed to log on to the corporate network.
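The logic of such a pre-log-on check, as an added example that is not FirePass configuration or code from the review: a small Python evaluator that denies access when any required fact about the client is missing or wrong. The policy model, field names, service label and forbidden process name are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PreLogonPolicy:
    # Hypothetical policy model for illustration; not FirePass setting names.
    os_name: str
    min_service_pack: int
    required_services: set = field(default_factory=set)
    forbidden_processes: set = field(default_factory=set)

def evaluate(policy, facts):
    """Return (allowed, reasons); a missing or malformed fact fails closed."""
    reasons = []
    if facts.get("os_name") != policy.os_name:
        reasons.append(f"os {facts.get('os_name')!r} is not {policy.os_name!r}")
    sp = facts.get("service_pack")
    if not isinstance(sp, int) or sp < policy.min_service_pack:
        reasons.append(f"service pack {sp!r} is below {policy.min_service_pack}")
    services = facts.get("services") or {}
    for name in sorted(policy.required_services):
        state = services.get(name, "absent")
        if state != "running":
            reasons.append(f"service {name!r} is {state}")
    procs = facts.get("processes")
    if procs is None:
        # No process list means forbidden processes cannot be ruled out.
        reasons.append("process list not reported")
    else:
        running = {p.lower() for p in procs}  # Windows names are case-insensitive
        for name in sorted(policy.forbidden_processes):
            if name.lower() in running:
                reasons.append(f"forbidden process {name!r} is running")
    return (not reasons, reasons)

# The check from the review: Windows XP, Service Pack 2, Windows Firewall running.
# The forbidden process name is a constructed placeholder.
POLICY = PreLogonPolicy("Windows XP", 2, {"Windows Firewall"}, {"blocked-tool.exe"})

# Constructed endpoint reports (not real client data).
COMPLIANT = {"os_name": "Windows XP", "service_pack": 2,
             "services": {"Windows Firewall": "running"},
             "processes": ["explorer.exe", "svchost.exe"]}
FIREWALL_OFF = {**COMPLIANT, "services": {"Windows Firewall": "stopped"}}
NO_PROCESS_LIST = {k: v for k, v in COMPLIANT.items() if k != "processes"}

if __name__ == "__main__":
    for label, facts in [("compliant", COMPLIANT), ("firewall off", FIREWALL_OFF),
                         ("no process list", NO_PROCESS_LIST)]:
        print(label, evaluate(POLICY, facts))
```

Returning the list of reasons alongside the decision gives the help desk something to act on when a client is refused.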
While we were able to provide access to nearly all our test network resources, we had trouble getting the Trixbox VOIP solution to work.
According to company officials, SIP (Session Initiation Protocol) is not officially supported by the FirePass appliance at this time, and our attempts to set up routes that would allow the protocol to travel across our network in the SSL VPN tunnel were unsuccessful in the time we allotted for the test.
We will continue working on the configuration with F5 engineers and will post our subsequent findings at blog.eweek.com/eweek_labs.
FirePass provides a range of client downloads that support special access to resources. We were able to use these controls to enable a variety of preconfigured clients, including Microsoft Terminal Services and VNC (virtual network computing), as well as support for Opswat integration libraries for anti-virus and firewall software found on endpoints.
Evaluation Shortlist: Related Products
Check Point's Connectra
SSL VPN that is available as software or as an appliance (www.checkpoint.com/products/connectra/index.html)
Cisco Systems' SSL VPN services
The SSL VPN services modules for the Catalyst 6500 and 7600 complement the better-known and more widely implemented IPSec VPN services on Cisco gear (www.cisco.com)
Juniper Networks Secure Access
Juniper's enterprise appliances are Common Criteria-certified (www.juniper.net/products/ssl)
OpenVPN
A community-supported software project that runs on a variety of platforms, including Windows, Linux, Apple Computer's Mac OS X and Sun Microsystems' Solaris (http://openvpn.net)
Positive Networks PositivePro
A hosted VPN and endpoint security service (www.positivenetworks.com)
Whale Communications Intelligent Application Gateway
Focuses on endpoint security and precise application access control (www.whalecommunications.com)
Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.