Rainbow's SSL VPN is a good start

SSL VPN appliances continue are gaining momentum in the minds of IT administrators, as evidenced by the growing number of vendors catering to the market. Secure Sockets Layer encryption, the same technology used to keep personal and financial information safe across the Internet, is quickly making SSL VPNs the preferred way to provide remote users with secure access to back-end Web services.

Unlike IPSec VPN tunnels, SSL VPNs do not need a special client on the remote user device, making them easier to deploy and requiring less administrative maintenance. (See our special report on VPNs.)

The NetSwift iGate Pro from Rainbow Technologies provides the core SSL VPN functions -- TCP-based IP traffic and a wide range of authentication options. It does not, however, have all of the enterprise-level features found in other competitor’s products, such as the Neoteris Access 3000 Series or the Netilla Security Platform (NSP) Release 4.0. Among its shortcomings, iGate lacks an IPSec tunnel, cache cleaning, and host-checking technologies. Software releases due over the next few months will address many of these issues.

Based on Rainbow’s CryptoSwift 200 SSL encryption cards, the iGate Pro can handle up to 1,000 concurrent users while securing Web-based applications and any TCP-based service, as long as you specify the proper ports. For my tests, I used Windows 2000 Server as the host application server, running Active Directory, IIS 5.0, Exchange 2000, Outlook Web Access, and a custom, home-grown ASPX application. For file-level access to the server, I used SMB/CIFS (Server Message Block/Common Internet File System). The iGate can also handle native secure access to an Exchange server from a client running Microsoft Outlook.

To assist with setup, the iGate incorporates two simple wizards to help you get things going right out of the box. The Net Wizard guides you through the initial network configuration and the Site Wizard shows you how to create a new protected site. Although effective, the wizards only cover the basics, leaving you to finish configuration using the advanced portion of the user interface.

The iGate has a clean and easy-to-navigate Web-based user interface to help you manage the appliance. It also has the Windows-based Access Control Manager for user management and resource association. Although there are arguments for separating user functions from resource policy management, I found jumping between the two applications burdesome, with each UI requiring you to apply your changes before they would take effect.

In order to create the SSL sessions between client and server, the iGate maps the address for the published resources to different localhost addresses in your PC’s hosts file. A Java applet rewrites the hosts file on your PC to match the resources’ addresses. Despite the advantages of this procedure, I ran into some trouble with it during my tests. It seems that each SSL-protected resource must have a FQDN (fully qualified domain name) that resolves to a unique address in your hosts file. Because I was running multiple services (Exchange, Terminal Services, and Outlook Web Access) on the same server with the same FQDN, I, with the help of Rainbow support, had to play tricks with domain names and DNS in order to make everything work. If all of your resources are on different machines, you should have no trouble.