Check Point and Nortel VPNs prove enterprise-worthy
Security strengths far outweigh shortcomings such as heavy IE reliance
Like the Connectra, the 3050 has solid browser-based support but goes on to handle both TCP and UDP apps via a download-on-demand Java applet. The 3050 comes with canned definitions for Citrix, Telnet, and SSH, and it allows for native Outlook (fat client) connection across the Internet. Nortel provides RPC across SSL without requiring any changes to your Exchange server, much like Exchange 2003's new RPC across HTTP service.
Netdirect is the ActiveX-based full tunnel for those who need a layer 3 connection. Although limited to Windows platforms, Netdirect does allow for full bidirectional TCP/IP traffic and supports both split and full tunneling. I like that the virtual adapter removes itself quietly on disconnect so there are no lasting traces on the PC.
Unlike the Connectra, admins running the 3050 have a huge amount of control over SSL implementation as well as HTTP-specific settings, which allow for granular control over items such as SSL header rewrites, secure cookies, and image, script, document, and ICA (Independent Computing Architecture) caching. What is missing is any type of application firewall.
End-point management and control are handled through Nortel's TunnelGuard service. A Java-based utility, TunnelGuard checks a remote PC for compliance, but only after the user authenticates. It will check for any disk content, running processes, and digital certificates on files. Currently it will not perform Registry, program-version, or date checks, which prevents the utility from looking for valid and up-to-date anti-virus programs. Although it's comprehensive, I found the TunnelGuard management overly complex.
VPN Gateway 3050 is a great all-around performer that needs a little work on end-point security. I don't like that it requires IE for its heavy lifting, but the SSL control and IPSec client support help make up for these deficiencies.
The Connectra will fit in well at shops invested in Check Point's products. Its strong integration with SmartCenter is a bonus. Nortel's 3050 scales well and comes with very granular security, and it's a great choice for enterprises that have a heavy IPSec installed base and want a graceful migration path to SSL. Both systems rely too much on IE, but overall, both are worthy security solutions.