Is there a solid SSL VPN out there, or am I crazy?

  • What is your favorite SSL VPN appliance for a mid-sized company? A couple years ago the company I work for switched to Aventail SSL VPN appliances. This was partially my fault - I suggested them. At the time, they seemed very easy to administer, supported every platform we had, did the security checks we needed, etc. Plus the cost wasn't Cisco-outrageous. However we've found they're just not working out for us. Now my boss has tasked me with finding 2-3 "best SSL VPN appliances on the market" we can review as potential replacements. Without going into too much detail, I'll say the reasons for getting rid of the Aventails include lack of good support, somewhat buggy OS (their first recommendation to fix any issue is to upgrade the firmware, which is a lengthy procedure we have to do after hours), clients that randomly stop working, and lack of support for Windows 7. We have somewhere around 500 employees. Most are still on XP, but there is a huge push to get everyone on Win 7 Pro. We also have somewhat small teams who work primarily in Ubuntu, CentOS, and a few on Macs. It needs to be able to do the standard security checks - firewall, AV, domain, etc. - and tie in to AD for authentication. We would prefer a client to a web browser connection. We have several locations around the world, so some kind of central management would be essential. Whatever we use needs to be user friendly enough that people in the non-technical teams (sales, finance, etc.) can install it and start it up on their laptops. Above all it needs to be reliable. It's not at all fun when you have to explain to your CEO that his laptop has to be reimaged because the VPN client corrupted something vital in his OS. It would also be nice if whatever we use has a "quarantine" zone people would be put into if they don't pass the checks - something customizable, so we can provide them with links on fixing it themselves if possible.
Does anyone have any experience with an SSL VPN Appliance they would heartily recommend? My initial research has been tough. I can find a website recommending pretty much everything out there, and it makes me wonder how many of those reviews are solid. If you can point me to some sites that do unbiased reviews of such things, I'd take that as well. Also - if you have experience with brands/products you would recommend avoiding, let me know. I really love my job - I don't want you to do it for me. I just need anecdotes at this point to get me moving in the right direction.

  • Answer:

    I'm very impressed by the Juniper SA series. I deployed a clustered pair of SA4000s a few years ago and a smaller unit in the SA series more recently. The interface isn't cumbersome but it takes a mental adjustment to figure out how they cram the configuration options in the hierarchical menu. Take a look.

routergirl at Ask.Metafilter.Com

Other answers

I have to admin Aventail SSL stuff, and I'd kill somebody to be able to use Juniper.

Threeway Handshake

Also very impressed with the Juniper SA series SSL VPN. Surprisingly great design and compatibility, and flexibility. We use it from various versions of Windows, OS X, and Linux. (Sometimes you have to do a bit of fiddling under the hood with the on-demand Linux Network Connect component if you aren't on Red Hat, last time I checked - but well documented and easy.) Integrates with whatever you have, exports logs if you want, basically does everything and doesn't get in your way. As devbrain said, the interface is a bit cumbersome, but it's also amazingly flexible in its configuration options. Give them a call - they'll do an onsite demo using their own product's remote meeting feature (like WebEx).

TravellingDen

The rest of Juniper's security products haven't filled me with the schmoopy, but I loves me some SA series. Juniper's SSL VPNs just work - they're a peach to configure, play nice with a wide variety of auth servers, and I haven't heard of one crashing yet, despite heavy load. The client is pretty reliable, too, and gets along with even the gnarliest desktop configs. Basically, once it's set up, you won't have to think much about it.

Slap*Happy

We have some Juniper products, and I have to say that the support on them has been impressive. I didn't want to mention specific brands for fear I'd sway the responses, but when I was looking, I kept coming back to them. Good to hear people like them. Basically, once it's set up, you won't have to think much about it. I really really like that idea. Anyone know if they work with Network and Security Manager?

routergirl

I work for a system integrator that's deploying Juniper SAs like mad. Seconding all the above. Plus there's a basic web portal thrown in for free. This is a selling point for us, as you have a reasonably secure option for users coming in from an unmanaged workstation. These days you also get tunneled RDP sessions, no VPN install required. I don't think this will do much for you Linux users, but it's fantastic for anyone with an office workstation they can call home to. SO easy to support.

a young man in spats

Another vote for Juniper SA. I have an SA6000. It has a sh*t ton of features and options for ways to allow users to connect. The SA is also in the Gartner Magic Quadrant. I have it working across Windows, Mac, and Linux (Ubuntu, RHEL, SUSE). 32-bit Linux works well but 64-bit is not supported, although I do have it working using the CLI. iPhones can connect using the Junos Pulse app (the Android Pulse app is worthless). The client install only requires the user to have admin rights and be able to click "Accept" on a couple of applet install boxes. The client software can also be distributed via .exe, .msi, .dmg, and .rpm. The box is reliable but support has been flaky. Simple issues with user installs and connect issues have been fixed quickly, but some larger issues linger for a very long time without much feedback from support.

nivekraz

Anyone know if they work with Network and Security Manager? No, and I consider that a selling point. Most of the time when I'm outside and shaking my fist furiously at the heavens, I'm screaming "NSM!!!!!"

Slap*Happy

Obviously Juniper is the winner so far, which isn't super surprising. Thanks to everyone who commented! I'll keep watching this, in case stragglers show up to rave about something else. In the meantime - Slap*Happy, you have me curious about something. What kind of issues have you run into with NSM? We're fairly new to it, but I haven't seen many issues so far. (Oh, and Threeway Handshake - yeah. I'm the SSL VPN admin in our somewhat small team, and I cannot tell you how many times I've thought, "Man, if I could go back in time and warn myself against the Aventails...my life would be all unicorns and rainbows right now." Seriously.)

routergirl

Slowness is a perpetual problem, both UI responsiveness and the time it takes to complete a task, especially with a big team, or a ton of devices going thru a delta or update all at once. A never-ending stream of quirky UI issues and glitches. Windows disappearing and re-appearing in odd places - download a freeware utility like Window Seizer to relocate wayward pop-up windows to somewhere you can see them. Upgrading between revs is a nightmare of corrupted databases and weird, unwanted features turning themselves on. (ALGs, most notably.) And it's still so useful in munging lots of giant rulesets at once, most Juniper shops couldn't do without it. So they put on a bitter face, and hope to God it doesn't break anything important today.

Slap*Happy
