This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
Corporate VPN administrators will need to carefully examine every application and test to make sure that it works for each client, and under both thin and network extension clients. This is where SSL VPNs are weakest: IPSec products can handle a wider range of applications without any configuration, since they own the entire protocol stack.
We tested a variety of simple and complex applications to see how well they would work on each product. We tried to connect to a Windows file share on the local LAN and to an FTP and SSH server, and to view a variety of Web servers that were behind a firewall. We also tried to run Outlook Web Access and connect to a Java-based Avocent KVM over IP server.
For each application, we connected in two ways: with a browser-based client, through a custom Web portal page linking to each application, and with the network extension client (if it was available for that particular platform).
Juniper had the widest support for applications, and has a nice way to debug URLs entered into its portal configuration screen.
Surprisingly, the biggest issue with our tests was connecting to a Windows file server shared drive. This is a relatively simple task, but it confounded all the products except Juniper and Aventail (see "Trying to Connect," at right).
Certain complex Web applications, such as the Avocent KVM over IP, gave us trouble as well. Aventail was the only product that could support the Avocent KVM session inside a browser, but it only worked with IE. The others required their network extension clients to enable viewing remote desktops over their VPN connections.
While Cisco wasn't alone in its failure to support Mac Intel clients, even its thin client couldn't browse Windows file shares on these Macs, which is a bug. Check Point and F5 also had some issues and couldn't support all the applications as well as Juniper did.
This was first published in September 2006