Road Warriors Wield Better VPN

Cerner conserves time and money with Aventail's hosted SSL VPN.

Cubicle dwellers who complain loudly when the network goes down for an hour have nothing on the consultants at Cerner Corp. Until last year, it wasnt unusual for as many as six Cerner consultants working off-site to be expected by the client to share one analog line to connect to the Cerner corporate network using modems and an IP Security VPN (virtual private network). Not surprisingly, that left consultants at the health care services company with too much downtime.

With 50 percent of Cerners $751 million in revenues generated by its 2,000 consultants, Eric Siley, senior manager of Cerners Technology Transformation Group, knew something needed to change. Last year, he decided to replace the IPSec VPN with an SSL (Secure Sockets Layer) VPN—hosted by Aventail Corp.—for his road warriors. (Cerner home office employees and affiliate offices are still on an IPSec VPN.)

The move enables employees to access network applications by traversing firewalls using a VPN software client and an Internet connection. While the per-user operating costs of the SSL VPN are equivalent to the cost of running the IPSec VPN—and security levels are about the same—using a hosted SSL VPN solution has allowed Siley to reduce management costs through ease of deployment and by reducing complexity for end users. In addition, the SSL VPN will eventually make it easier for Cerner to provide partners and suppliers with access to key Cerner systems such as enterprise resource planning while retaining control of access and authentication.

"I dont see having something like an IPSec client as a long-term strategy for our traveling associates," said Siley, in Kansas City, Mo. "It works very well from point to point, but for people who are going to connect through other networks, a proxy SSL VPN provides the security for both networks were looking for and, more important, convenience."

As enterprises look to provide remote access to employees, partners and suppliers in ways that guarantee security, cost savings and performance, an increasing number are bypassing traditional IPSec VPNs in favor of SSL VPNs. In fact, research company Gartner Inc., in Stamford, Conn., recently predicted that, by this year, 60 percent of corporate users will regularly use a thin-client SSL VPN instead of a fat-client IPSec VPN for accessing business data because of the ease of deployment and use.

As part of Cerners anytime- anywhere work environment, each Cerner consultants laptop has an Aventail Connect client. When a user tries to launch his or her local Microsoft Corp. Outlook client, for example, the Connect client automatically prompts the user for credentials for authentication. Users traverse their local firewall through the standard HTTP port for Web traffic and enter their own corporate firewall through the open Socks port accessed by proxy servers. The sessions are secured using SSL encryption. Because SSL firewall ports generally are kept open, firewalls are not reconfigured to provide access.


  • Company Cerner Corp.
  • Location Kansas City, Mo.
  • The need To provide 2,000 consultants with a more convenient and flexible way to access mission-critical applications while on the road
  • The solution Remove consultants need for dial-up accounts and modems by replacing the companys IPSec VPN with an SSL VPN; outsource management and hosting of the SSL VPN
  • Products Aventail Connect SSL VPN client; Aventail.Net Managed Services
  • Whats next Piloting VPN appliances to possibly bring authentication and management in-house; piloting clientless VPN solutions
While Aventail currently handles authentication of Cerner users on the SSL VPN, Siley continues to control access policies and permissions. He is now testing SSL-based appliances from Aventail and other vendors, which would allow him to manage the authentication and host the SSL VPN internally. That would give him more control over the VPN, which will become more important as he begins to roll out access to business partners.

Siley is also pilot testing so-called clientless SSL VPN access, with which users gain access to Cerner applications using only a Web browser. He is currently working with Aventail to make his enterprise applications accessible from the Aventail VPN.

Success with the SSL VPN, however, does not mean Siley has plans to get rid of his existing IPSec VPN from Nortel Networks Corp. As Cerner opens affiliate offices and acquires other companies, Siley plans to bypass traditional—and expensive—frame relay networks in favor of IPSec VPN connections. In addition, as the company rolls out an 802.11b wireless LAN, Siley said he will use the Nortel IPSec VPN to secure all wireless connections.

"We have grown explosively in the last couple years, and rather than replacing a lot of frame relay, weve built out using IPSec VPNs from the beginning," Siley said. "While Im quite pleased with the SSL VPN, I still have to be sold on the idea of SSL for connecting static locations."

Senior Writer Anne Chen can be reached at