Microsoft lands a winning SSL VPN in Whale

SSL VPNs provide access to all the enterprise applications that fat client methods do, including Web- and TCP-based apps; they also provide network-level access such as that found in IPSec VPN clients. SSL VPNs don't require a permanently installed client program to allow users to connect. Instead users connect to the corporate network via their Web browser and if a special "helper" program is necessary for access, it is downloaded on-demand to the remote user and destroyed on disconnect.

Not one to be left out of an emerging technology space, Microsoft is now shipping IAG (Internet Application Gateway) 2007, an SSL VPN solution based on technology acquired from Whale Communications  in 2006. IAG allows admins to explicitly define the who, what, and when of remote access: who can access what particular resource, and when the resource is available. Not only that, but IAG uses application-specific rule sets to monitor an application's behavior to make sure the users' level of access meets the current security policy. End point inspection is built in, and the client allows does a good job of determining the trust level of a specific remote device.

A Whale of a VPN

Only available as part of an appliance bundle, IAG sits on top of Microsoft ISA (Internet Security and Acceleration) Server, adding a full-featured firewall and threat management platform into the mix. My test unit was provided to me by Celestix. The WSA (Whale Security Appliance) 4000 comes with six Gigabit Ethernet ports and is recommended for as many as 2,500 concurrent users.

Click for larger view.

The initial configuration of the IAG is helped along through the liberal use of wizards, and begins with the definition of a trunk, Whale-speak for a grouping of applications. Three types of trunks are available: basic trunk, portal trunk, and Webmail trunk. The Webmail trunk provides access to a single Webmail application and a basic trunk only allows access to a single application. The most flexible method is to use a portal trunk. This type allows a single Web portal to provide access to multiple applications. This is the trunk I used in my tests.

Like other high-end SSL VPN appliances, IAG supports authentication server stacking, supporting nine popular methods, including ACE, Active Directory, Netscape LDAP, and Novell Directory. Admins can even define custom authentication schemes to meet a specific need, and support for single sign-on is built in.

When it comes to end point policies, the sky is the limit with IAG. The software comes with an extensive list of predefined policies, and admins can edit existing ones or create their own policies as necessary. The end point compliance engine uses ActiveX to do a deep inspection of the remote device to determine its security posture and into which policy bucket it falls. IAG can check for the presence of anti-virus (upward of 30 types), personal firewalls, version, and signature levels, as well as NetBIOS name, the existence of toolbars, files, and Registry entries.