Microsoft lands a winning SSL VPN in Whale
Internet Access Gateway 2007 allows secure access with plenty of app support
IAG's end point control engine is one of the most capable I've reviewed, but it does come at a price. Because of its dependence on Internet Explorer and ActiveX, non-Windows platforms will not be able to participate in the deep inspection available in IAG. For non-Windows clients, end point detection will be limited to only what IAG can detect via the browser.
The heart and soul of IAG is the access control policy engine. IAG uses a "positive logic rule set" to define each exposed application, and every aspect of the exposure is carefully detailed and managed. IAG comes with a large list (more than 60) of known applications admins can choose from to build their access policy on, such as Web applications, legacy applications, and file access. These exposed applications are wrapped in end point access control policies, upload/download policies, and URL scrubbing to ensure only valid paths are available to the end-user.
But more than that, IAG can block specific transactions within an application based on end point security posture. As in our Starbucks example, IAG can block specific portions of the Web application, such as company contact lists, simply based on where the client is located.
For power users who need network layer access, most methods of connecting require IE and ActiveX. IAG does include one method that uses either ActiveX or Java, but it is basically an SSL wrapper. It creates a one-to-one mapping of application to local port, but this isn't true network-level access.
IAG's Network Connector requires ActiveX but provides a more traditional network-level access with routable IP addresses assigned to the virtual adapter. Users have access to any resource on the network (as allowed by policy) just as if they were logged on to the local network.
Reporting and logging in IAG covers the basics: system usage, user access, and session information. The Java-based Web Monitor provides a graphical view into user, application, and system activity, with easy-to-read, customizable graphs. Also included in Web Monitor is an event query tool to help admins dig out a specific error or status message. During my tests, I found the Web Monitor a handy tool for seeing the status of each connected client.
Microsoft made a good move in acquiring the Whale technology and merging it with ISA Server. The total package makes for one flexible yet secure solution for remote access to the enterprise. The end point control is one of the best going, but full functionality is limited to Windows and Internet Explorer clients. Same thing for network-level remote access -- it’s available for non-Windows platforms, but to get the total package it requires IE and ActiveX. I like the appliance form factor, and my test unit from Celestix is first rate. Along with Juniper and F5, admins should give Microsoft IAG a look when SSL VPNs come knockin' at their door.