Price: $7,995 with SSL hardware accelerator
Outlook e-mail is the killer app for business productivity, but getting road warriors access to it can be a headache. Sure, there's the IPSec VPN with access to the company network, but tangling with the configuration and heavy support footprint makes it tough to manage. Integration with Active Directory also can be hit or miss, depending on the type of VPN you select.
Celestix is providing a way out of this dilemma with a Windows Server 2003-based VPN appliance that's as easy to integrate as adding a server to the Windows domain. Plus, it talks to your AD servers for all user account information, so there's no need to add RADIUS or any other authentication solution.
There's even better news for Outlook 2003 users: RAS3000's use of native Outlook 2003 support for RPC over SSL works like a charm. It enables Outlook 2003 to connect to an Exchange collaboration server from any remote client machine that can access an HTTPS Internet site. It allows use of the full Outlook client, rather than the more limited Web client, without establishing an IPSec VPN tunnel. Connectivity isn't affected by NAT. However, the SSL VPN function isn't a broad connectivity option; you'll need to use the IPSec option on the box for wider VPN protocol and services access.
Then there's the added bonus of only needing a single account to access the VPN and your e-mail; we enabled an Exchange
Tapping the built-in IPSec client in Windows 2000/XP/2003 to work with non-Microsoft VPN appliances can be difficult, particularly when vendors complicate integration with features that deviate from the IPSec standard. Instead, RAS3000's native use of Microsoft's TCP/IP stack smoothly connects the IPSec client. On Windows XP, we clicked on "Start Menu/All Programs/Connect To," selected "Open" and ran the connection wizard. We added the device's IP address and our login information and, in 30 seconds, configured the VPN client.
The small exposure surface of the hardened, stripped-down version of Win2003 reduces the risk of "rolling your own" Windows IPSec remote access system.
RAS3000's clean admin GUI makes extensive use of common Windows icons and functions (such as a Help menu) to simulate a browser-based version of Windows XP. Celestix also provides a "connectoid" (its version of a remote network connection profile) to automate configuration for end users. The connectoid is created in RAS3000's Web-based user admin console with a wizard interface that produces a small client with a preset VPN connection profile. This feature eliminates the need for end users to access the Windows-based VPN connection wizard.
RAS3000 allows you to establish policy for verifying endpoint security before systems connect to the VPN, checking for updated antivirus signature files and an active personal firewall. This isn't as robust as other COTS endpoint solutions, but it provides a rudimentary level of protection.
RAS3000's Windows-like browser interface, with its recognizable logging format, uses native Microsoft event types (application, system and security) and logs everything, so you don't miss a beat. The browser interface even provides a link to Terminal Services for system-level remote access to administer the appliance. You can launch a Terminal Services session via an ActiveX Terminal Services client -- this is over-the-top usability. For instance, you can use your Web browser to remotely connect and administer the embedded Win2003 OS.
Each appliance supports up to 1,000 concurrent connections and provides clustering capacity for up to 32 units. An optional SSL hardware accelerator is a must-have for ensuring quick connection during peak traffic.
Celestix dispels all skepticism about a Win2003-based VPN implementation by providing transparent IPSec and Outlook 2003 remote access while easing integration into NT domains and AD environments. Its user interface is the best we've seen on a security appliance. RAS3000 rates "five stars" as a remote access solution in our book.
This was first published in June 2004