PortWise 4

While IPSec VPNs are still the more prevalent method of providing secure remote access to the corporate network, they're losing out to SSL VPNs in many areas. Initial costs of implementation may be lower, but a criticism of IPSec VPNs is that they're overly complex to deploy and manage. This makes them a good choice for fixed site-to-site secure tunnels, but not so clever for mobile clients. This is where SSL VPNs are a better bet, as they require minimal client configuration, allowing users to securely connect to the main network remotely using a standard web browser.

The majority of SSL VPN solutions are appliance based, but Swedish company PortWise offers an interesting software alternative: PortWise 4 takes a modular approach. It comprises a number of components that can run on a single system or be distributed across multiple servers for improved performance when dealing with large numbers of users. It's made up of four main services, with an access point acting as a gatekeeper that handles all incoming user connections. The three other components are an authentication service, a policy service that determines authorisation to use network resources with sets of access rules, and an administration service that melds everything together and provides remote management access. The support for an unlimited number of access points is particularly useful, allowing PortWise to provide backup for the main access point.

Authentication methods range from support for Active Directory to LDAP, while PortWise's own web authentication runs either a Java applet or ActiveX control on the client system. The stronger Synchronised and Challenge methods require a small utility to be loaded on the client system. Mobiles are also catered for: if a user logs on using directory services, their number can be taken from their user profile, allowing PortWise to send a one-time password via SMS.

General configuration is handled by the simple but well-designed web management interface. Your first task is to create access rules that define an authentication or membership type. The former can use any number of PortWise's own methods, while the latter can be anything from an AD group, part of an IP address range, a specific device or the date and time when the user logged on. End-point security policies also come in here. The client system can be scanned for OS versions and service packs, required anti-virus and firewall software, Registry entries, specific files and even the device type. When a user session has finished, PortWise can clean up afterwards by deleting cookies and removable files, clearing caches and URL histories and removing Registry entries.

Application portals and resources come next. These determine what the user is allowed to access and can range from applications such as Outlook or Lotus Notes to a simple file share or web server. Adding multiple resources and portals into a PortWise domain also allows you to implement an SSO (single sign on) system, as users can provide one set of credentials and access everything defined in the domain.

Companies with a small mobile workforce will find appliance-based SSL VPN solutions such as WatchGuard's FireBox offer better value. However, move up to a user base in the high hundreds and PortWise looks more capable of handling their demands.

Author: Dave Mitchell