Recommendations for SSL VPN Appliance?

Posted on 2006-04-13
Last Modified: 2012-06-27
We've got two VPN solutions we're looking to consolidate and refresh on.  One is Nortel Contivity IPSEC VPN - a 2600 and 1600.  Most of the company (1000 users) uses it with a Contivity client.

Other one is V One Smartgate (now AEP) - which is sort of a reverse proxy VPN which also requires a client - but can do access control lists and tunnel via 443.  It's server based.


Consolidate onto standardized appliance platform with 2 appliances at main site, 1 in a lab, 1 at DR site.  All 4 to be sized the same.  Desire SSL VPN capability with minimal client - or java/activeX client download once which can either be deleted or left in place.  Also need IPSEC capabilities - namely branch office tunnel capability.

Question by:pseudocyber
    LVL 19

    Expert Comment

    If you definitely want SSL over IPSec then check this out:

    I do tons of work with Citrix and their other products; this is one I have always wanted to try.  Citrix is a market leader in Server Based Computing, secure remote access, and whatnot.
    LVL 27

    Author Comment

    We have Citrix servers here already.  Is this different than "standard citrix"?
    LVL 19

    Assisted Solution

    ---This is an appliance that is more for policy based protocol filtering I think; here is a blurb from Citrix:

    The best SSL VPN to use with Citrix Presentation Server
    Citrix Access Gateway can be deployed with or without Citrix Presentation Server™. Customers using Presentation Server can deploy the Access Gateway to emulate the secure gateway feature, allowing direct connection from Presentation Server clients. Using the Access Gateway with Citrix Presentation Server delivers the benefits of a hardened appliance-based universal SSL VPN, increasing security and extending user access.

    Enhance SmartAccess to Citrix Presentation Server by delivering advanced policy-based control of Presentation server applications and individual features, such as print and save. SmoothRoaming™ enhancements allow users to move seamlessly between access scenarios and devices, automatically adapting access to the configuration policy settings.

    ---Here is some info from their FAQ:

    How is the Access Gateway different from other SSL VPNs in the market?
    A: The Citrix® Access Gateway provides users and IT administrators with all of the advantages of both IPSec VPNs and SSL VPNs, and none of the shortcomings.  This means users do not have to think about starting, stopping, reconnecting or different modes, and administrators do not face the significant IT burden of a typical SSL VPN deployment.
    SSL VPNs use a complex and confusing mixture of four essentially inoperable technologies — Web proxying, application translation, port forwarding and network extension — to attempt to accomplish secure remote access.  However, because each of these technologies has different benefits and limitations, the administrator and user must decide which technology to configure and use in different situations.  This leads to a great deal of complexity, maintenance and management.  In addition, many organizations continue to maintain an IPSec VPN deployment for applications that are not supported by any of the four SSL VPN technologies, further increasing the administrative burden and costs.  

    In contrast, the Access Gateway combines into a single product the functionality of all four SSL VPN technologies and the benefits of IPSec VPNs as well, simplifying secure remote access for both administrators and users without compromising security.
    LVL 4

    Assisted Solution

    Before you go saying 'the best SSL VPN is XXX'.... you really must check out Caymas products...
    They rock.
    I have installed these in various types of places (gov agencies, ecommerce companies, banks, etc) and everyone loves them...
    True simple SSL VPN, with superb accounting capabilities (because you want to know what the users are doing, and prove it)...

    Also easily integrates with Radius, Active Directory, RSA keys, etc etc...

    And as far as security, trust me.... several gov agencies you never hear about in the news are running Caymas boxes...

    They used to have a FREE TRIAL program...
    where the engineer would bring a Caymas box, install it, set it up with you, and leave it for a month...
    I never had a company not buy it.

    Oh also, does java/activex... also does do IPsec for tunnel to branch sites.
    Really a great appliance all the way around.
    LVL 9

    Accepted Solution

    I would NOT use Caymas for sure, I did a comparison of the Caymas products vs the F5 and the Juniper and the Caymas didn't hold a candle, even though their Reps were telling us how they were the best/first etc in the SSL field. That was not the case.  However the Juniper and F5 were both very good.

    but you might want to look at these
    AEP - Networks Netilla Security Platform
    Array Networks - SPX5000
    Aventail - EX-1500
    CheckPoint - Connectra
    F5 Networks - FirePass 4140
    Fortinet - Fortigate 3600
    Juniper Networks - Secure Access SSL VPN Appliance 6000
    Nokia - Secure Access System 500s
    Nortel - VPN Gateway 3070
    SonicWall - SSL-VPN 2000

    here are some reviews
    Independent reviews - (Many) (11) (FirePass vs. Aventail)
    LVL 27

    Author Comment

    Thanks guys.  Sorry for forgetting about this question.
    LVL 9

    Expert Comment

    no sweat Pseudo :)
