The Aventail EX-2500, part of a family of SSL VPN appliances, neatly combines a straightforward user interface with powerful remote access and security policies. We tested the appliance with a feature-complete, late-beta edition of the Version 8.7 software, slated for availability on Aug. 7.
We were impressed with the capability of the $62,995 EX-2500 we tested, which came fully loaded with all the Web and client/server access methods the appliance offers. The EX-2500 supports 2,000 concurrent users, and we tested it configured for 1,000 users.
Aventail also offers the EX-750 for 10 to 25 concurrent users, starting at $3,995. The EX-1600 appliance supports as many as 250 concurrent users and is priced starting at $5,995.
The pricing for all the Aventail appliances is comparable to that of F5's products and other appliance-based SSL VPN systems.
The Aventail EX-2500 is a 1U (1.75-inch) form factor appliance that we implemented in a “one-arm” design—using a single cable to connect the EX-2500 to our network.
Nearly all SSL VPN vendors trumpet the simplicity with which the devices can be implemented. The reality for both the Aventail EX-2500 and the F5 FirePass 4100 is that IT managers must put a fair amount of work into adding the devices to the network.
In the case of the Aventail EX-2500, we needed to make several choices regarding user account creation, authentication and resource availability (including applications, file shares and Windows domains).
Our first test was to see if we could get a pair of VOIP (voice over IP) softphone clients to talk to each other across our firewall in a secure session. After spending about 2 hours with Aventail technical support, we were able to complete a call in which parties on both sides of the connection could communicate.
Because any VPN technology is typically used to forward connections from a user to a network resource, applications including VOIP and FTP that use cross-directional and bidirectional connections are quite tricky to set up.
We used a Trixbox (trixbox.org) IP phone system that is based on Digium's open-source Asterisk PBX. We used free Counterpath X-Lite softphone clients (www.xten.com), which we installed on our external remote access clients and on a PC on the internal network.
We created a network tunnel service, assigned IP addresses from our internal DHCP (Dynamic Host Configuration Protocol) server to the PPP (Point-to-Point Protocol) connections coming from the remote access clients and created a pair of access rules.
We were able to place SIP-based telephone calls from our remote access clients to extensions on the internal network, and vice versa. The call quality was unremarkable, but we had no trouble hearing and understanding both sides of the connection.
IT managers can expect to see SSL VPN makers adding new support features at a rapid pace, and this release of the Aventail EX-2500 is no exception.
For example, previous versions of the product supported a capability that Aventail calls WorkPlace sites, or customized Web portals. Each WorkPlace has a unique look and different authentication and access methods.
In previous versions of the appliance, the domain name had to be the same for each site; in the latest version, we were able to specify different URLs for each site. This level of customization makes it easier to control what network resources are offered to users and streamlines the authentication process.
The Aventail EX-2500 was easy to integrate with our Microsoft AD (Active Directory) infrastructure. User and group credentials aren't stored on the EX-2500 but are referenced in existing user and group data that was stored in our AD domain controller.
We used a wild-card search of the directory to create lists of users that we made members of user communities on the EX-2500.
We liked the fact that we could easily integrate remote access clients into our IP address space using our existing DHCP server. With one simple configuration, we directed the EX-2500 to pull available IP addresses from our DHCP pool. This setup facilitated the more difficult task of setting up the reverse routes we needed to enable our VOIP telephony solution.
Evaluation Shortlist: Related Products
Check Point's Connectra
SSL VPN that is available as software or as an appliance (www.checkpoint.com/products/connectra/index.html)
Cisco Systems' SSL VPN services
The SSL VPN services modules for the Catalyst 6500 and 7600 complement the better-known and more widely implemented IPSec VPN services on Cisco gear (www.cisco.com)
Juniper Networks' Secure Access
Juniper's enterprise appliances are Common Criteria-certified (www.juniper.net/products/ssl)
OpenVPN
A community-supported software project that runs on a variety of platforms, including Windows, Linux, Apple Computer's Mac OS X and Sun Microsystems' Solaris (http://openvpn.net)
Positive Networks' PositivePro
A hosted VPN and endpoint security service (www.positivenetworks.com)
Whale Communications' Intelligent Application Gateway
Focuses on endpoint security and precise application access control (www.whalecommunications.com)
Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.