The battle for secure remote access to the corporate network is dominated by two contenders: in one corner are IPsec VPNs and in the other SSL VPNs. IPsec VPNs are frequently bundled with general-purpose security appliances and so are relatively cheap to implement, but they can be complex to operate, and this is where SSL VPNs win out. A key selling point is the minimal client configuration: for web-based resources users simply connect via a standard web browser, although, as we found, full application access still needs an agent or an installed client.
Aventail moved into the SSL VPN market two years ago and now offers a pair of appliances. The EX-1500 on review is aimed firmly at enterprises and supports up to 1,000 concurrent connections.
In hardware terms, the EX-1500 does not disappoint. It is built around a good-quality Intel rack server package comprising an SR-1300 chassis and SE7501WV2 server motherboard. Processing is handled by a single 2.4GHz Xeon module, partnered by 1GB of PC2100 memory. You also get a fast Ultra320 SCSI storage sub-system and a triplet of Intel Gigabit Ethernet ports.
Aventail's well-designed administrative browser interface is simple to use and provides easy access to functions including the configuration of commercial or self-signed certificates, encryption methods and network parameters. Self-signed certificates are handy for testing, but for production a certificate from a CA your users' browsers already trust is worth the money: otherwise every logon starts with a certificate warning that users learn to click through, which undermines the protection SSL is meant to provide.
The EX-1500 determines how users are authenticated and what type of access they are allowed via realms. Each realm is tied to an authentication server; during testing we used a Windows Server 2003 domain controller, which worked fine with the appliance. Adding users simply required us to use the search facility in the web interface, select our Active Directory users and groups and import them into our realm.
You can use multiple realms, in which case users are asked to select one from the client interface before logging on. Administrators can also hide realms so that only users who already know the realm name can log on to them. Note that a hidden realm is a convenience for keeping the logon page tidy rather than a security control: the realm's authentication server, not the secrecy of its name, is what decides who gets in.
All resources that are to be made available to clients must first be declared to the appliance as network objects. These can be anything from a web URL to an IP address range or a domain, and you need to provide a full UNC path if you want to offer shared files or folders on a server. The EX-1500 requires specific application profiles when you declare resources, but it can pass a user's own credentials through to an application via its single sign-on feature.
Alternatively, administrators can configure static credentials, which pass the same details to an application for all users; this is convenient for legacy applications, but it means the application's own logs can no longer tell individual users apart, so accountability has to come from elsewhere. The EX-1500 also requires access control rules to be set up for each user or group, as the appliance defaults to denying access to all declared resources. This default-deny stance is the right one: a resource you forget to write a rule for stays invisible rather than open.
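To make the resource model concrete, here is an added example (our own Python illustration, not Aventail's code or rule syntax; every object, host, user and group name in it is hypothetical) of how declared network objects and per-user or per-group rules combine under a default-deny policy. It goes a little beyond the review text in showing how each object type should be matched: a URL is compared by scheme and host rather than as a string prefix, an IP range by address membership, a domain by suffix on a label boundary, and a UNC path case-insensitively.

```python
"""Default-deny resource policy built from declared network objects.

Added illustration of the model described in the review, not Aventail's code
or rule format. Object kinds, names, hosts and rules are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass(frozen=True)
class NetworkObject:
    name: str
    kind: str   # "url", "ip_range", "domain" or "unc"
    value: str

    def matches(self, target: str) -> bool:
        """Return True if the requested target falls inside this object."""
        if self.kind == "url":
            # Compare scheme and host exactly, then the path as a prefix, so
            # https://intranet.example.com.evil.net/ is not a prefix match.
            want, got = urlsplit(self.value), urlsplit(target)
            return ((got.scheme.lower(), got.netloc.lower())
                    == (want.scheme.lower(), want.netloc.lower())
                    and got.path.startswith(want.path))
        if self.kind == "ip_range":
            try:
                return ip_address(target) in ip_network(self.value)
            except ValueError:   # target is not an IP address at all
                return False
        if self.kind == "domain":
            # Suffix match on a label boundary: corp.example.com.evil.net must not match.
            host, dom = target.lower(), self.value.lower()
            return host == dom or host.endswith("." + dom)
        if self.kind == "unc":
            # UNC paths are case-insensitive; a share grants access to its subfolders.
            t = target.lower().replace("/", "\\").rstrip("\\")
            v = self.value.lower().replace("/", "\\").rstrip("\\")
            return t == v or t.startswith(v + "\\")
        return False   # unknown object kind: fail closed


@dataclass(frozen=True)
class Rule:
    principal: str   # "user:<name>" or "group:<name>"
    resource: str    # name of a declared NetworkObject


def decide(objects, rules, user, groups, target):
    """Allow only if some rule for this user or one of its groups names a
    declared object that matches the target; everything else is denied."""
    principals = {f"user:{user}"} | {f"group:{g}" for g in groups}
    for rule in rules:
        obj = objects.get(rule.resource)
        if obj is None or rule.principal not in principals:
            continue
        if obj.matches(target):
            return "allow"
    return "deny"   # default deny: undeclared or unruled resources stay closed


# Constructed sample configuration (hypothetical names)
OBJECTS = {o.name: o for o in (
    NetworkObject("intranet", "url", "https://intranet.example.com/"),
    NetworkObject("lab-net", "ip_range", "10.1.2.0/24"),
    NetworkObject("corp-domain", "domain", "corp.example.com"),
    NetworkObject("finance-share", "unc", r"\\files.example.com\finance"),
)}
RULES = [
    Rule("group:staff", "intranet"),
    Rule("group:staff", "corp-domain"),
    Rule("group:finance", "finance-share"),
    Rule("user:alice", "lab-net"),
]


def check(user, groups, target):
    """Evaluate the sample policy for one request."""
    return decide(OBJECTS, RULES, user, groups, target)


if __name__ == "__main__":
    for who, grps, tgt in [("alice", ["staff", "finance"], r"\\FILES.example.com\Finance\q3.xls"),
                           ("bob", ["staff"], r"\\files.example.com\finance\q3.xls"),
                           ("bob", ["staff"], "https://intranet.example.com.evil.net/")]:
        print(who, tgt, "->", check(who, grps, tgt))
```

The matcher deliberately returns "deny" for an object kind it does not recognise and for a rule that names an object nobody declared, which mirrors the appliance's deny-by-default behaviour: a misspelt rule should cost you a help-desk call, not a hole.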
The EX-1500 runs Aventail's latest ASAP 8.0 operating system, a key feature of which is Smart Access. This determines the most secure access method for the user by scanning the user's system and checking for specific software components or applications. If the user is within a secure environment, Smart Access permits basic web browser access. If a user is logging on from a Pocket PC, for example, Smart Access prompts for the download of Aventail's lightweight OnDemand Java agent to use instead. In even less secure environments, the Aventail Secure Desktop can be used.
The Aventail VPN uses End Point Controls to check that security requirements are being met before it allows access. System administrators create device profiles containing attributes such as personal anti-virus or firewall software, specific applications, a directory or file, or even a registry key. Once it has authenticated a user, the appliance scans the user's system to determine whether that user is allowed simple web browser access or needs an agent deployed. Bear in mind that these checks run on, and are reported by, the client machine, so they raise the bar for a compromised or badly configured endpoint rather than proving it is clean; treat them as one layer alongside the access control rules, not as a substitute for them.
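The Smart Access and End Point Controls paragraphs above describe a decision that is easy to get wrong in practice, so here is an added example in Python (ours, not Aventail's; the profile format, zone names, process names and host inventories are hypothetical and constructed for the example) of matching device profiles against an endpoint's reported state and choosing the access method for it. It treats an unrecognised attribute type, or a profile with no attributes at all, as unsatisfied so a mistyped profile fails closed, and it falls back to the most restrictive method when nothing matches.

```python
"""Device profiles and access tiers in the spirit of End Point Control.

Added illustration, not Aventail's code: the profile format, zone names,
process names and the host inventories are all hypothetical and constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    kind: str    # "process", "application", "file" or "registry_key"
    value: str


@dataclass(frozen=True)
class DeviceProfile:
    name: str
    requires: tuple   # every Attribute must be present for the profile to match


@dataclass(frozen=True)
class Zone:
    name: str
    profiles: tuple   # any one matching profile places the device in this zone
    access_method: str


def attribute_present(attr, host):
    """Check one attribute against the client-reported inventory.

    The inventory is whatever the endpoint agent reported, so these checks
    raise the bar rather than prove the machine is clean. An unknown
    attribute kind is treated as absent so a typo in a profile cannot
    silently place a device in a more trusted zone.
    """
    inventory = {
        "process": host.get("processes", ()),
        "application": host.get("applications", ()),
        "file": host.get("files", ()),
        "registry_key": host.get("registry_keys", ()),
    }
    entries = inventory.get(attr.kind)
    if entries is None:
        return False
    return attr.value.lower() in {e.lower() for e in entries}


def profile_matches(profile, host):
    # An empty requirement list would match every device; refuse it outright.
    return bool(profile.requires) and all(attribute_present(a, host) for a in profile.requires)


def classify(zones, host, fallback):
    """Walk zones from most to least trusted and return (zone, access method)
    for the first one with a matching profile; otherwise the fallback zone."""
    for zone in zones:
        if any(profile_matches(p, host) for p in zone.profiles):
            return zone.name, zone.access_method
    return fallback.name, fallback.access_method


# Constructed sample policy (hypothetical product and process names)
MANAGED = DeviceProfile("managed-windows", (
    Attribute("process", "avguard.exe"),
    Attribute("process", "fwservice.exe"),
    Attribute("registry_key", r"HKLM\SOFTWARE\Example\ManagedAsset"),
))
HAS_AV = DeviceProfile("has-antivirus", (Attribute("process", "avguard.exe"),))
ZONES = (
    Zone("trusted", (MANAGED,), "web_browser"),
    Zone("semi_trusted", (HAS_AV,), "ondemand_agent"),
)
UNTRUSTED = Zone("untrusted", (), "secure_desktop")

# Constructed inventories as an endpoint agent might report them
CORP_LAPTOP = {"processes": {"AVGuard.exe", "FWService.exe", "explorer.exe"},
               "registry_keys": {r"HKLM\SOFTWARE\Example\ManagedAsset"}}
HOME_PC = {"processes": {"avguard.exe", "explorer.exe"}, "registry_keys": set()}
KIOSK = {"processes": {"explorer.exe"}}


def access_for(host):
    """Decide the access method for one endpoint under the sample policy."""
    return classify(ZONES, host, UNTRUSTED)


if __name__ == "__main__":
    for label, host in (("corporate laptop", CORP_LAPTOP), ("home PC", HOME_PC), ("kiosk", KIOSK)):
        print(f"{label}: {access_for(host)}")
```

The zone order is the policy: the first zone whose profile matches wins, so put the zone that demands the most evidence first, and keep the fallback the method you would be happy to hand an unknown internet cafe machine.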
For standard browser access, users will find Aventail's ASAP Workplace simple to use, and administrators can provide shortcuts to all permitted resources. If required, the OnDemand component can be fired up from within Workplace, while closing it automatically logs you out of any active applications.
Using Aventail's installed Connect utility requires a little more work, because it must be installed on a user's system before a connection can be made. However, we found this simple enough because Aventail provides plenty of assistance.
Another handy feature is Cache Control, whose time-out function closes inactive connections after a set period. It can also clean out locally stored temporary files, history, cookies and passwords, which matters most when users log on from shared or public machines.
While it's true that the initial outlay for SSL VPNs is higher, we have always found them a lot easier to set up and manage than most IPsec VPN solutions. Aventail's EX-1500 is a fine example of SSL VPN technology and it brings into play an impressive range of new security features that make SSL VPNs even more versatile and desirable in the enterprise.