SMB IT | Curtis Franklin » Non-Interop Review: Netgear ProSafe SSL VPN Concentrator 25

May 23, 2007 | Comments: (0)

Non-Interop Review: Netgear ProSafe SSL VPN Concentrator 25

TAGS: SMB Hardware

By Paul Venezia (with much more important editing done by Oliver Rist, who is better looking anyway)

Is it possible that a sub-$500 SSL VPN concentrator is worth the price? NetGear's ProSafe SSL VPN Concentrator 25 (code named, the SSL312) certainly appears to be. The staid appearance of the SSL312 is par for the course with NetGear pseudo-enterprise hardware, sporting two 10/100 Ethernet interfaces, a few status lights, and a power connection. On the plus side, there's no wall wart or in-line power converter; but on the downside, there seems to be a very lax attitude regarding updates and support.

The SSL312 was easy to configure, requiring that you set up a system on the 192.168.1.0/24 network plugged into the SSL312, then hit it with a Web browser to do the basic configuration. This amounts to assigning at least one IP address and default route and configuring user and group parameters, which can be either local or bound to a RADIUS server, Microsoft Active Directory, an NT domain, or a generic LDAP server.

In most instances, the SSL312 will be deployed behind a firewall with TCP port 443 forwarded to a single IP address, and VPN connections bouncing into the network from that same point. Alternatively, it's possible to configure the SSL312 to act as a router, routing VPN connections between the two interfaces. This last scenario would be applicable if the SSL312 is placed on a DMZ, with the second interface linked to the internal network. This is a security quandary, however, as neither solution is really as secure as it could be. From there, the SSL312 is pretty much ready to go.

Aside from basic 256-bit AES SSL VPN capabilities, there are a bevy of other remote access methods supported by the SSL312. Various network resources can be advertised to authenticated users based on policies. That means RDP, SSL, and VNC connections can be had for the click of a mouse without requiring a tunnel, although these services require the use of ActiveX and Internet Explorer on a Windows system. Portals can be created and modified to match specific groups of users, allowing custom tailored pages per user group, each advertising a specific set of remote access functions. There's also a Web-based CIFS browser that permits file copies from the internal network to the client via the browser, which is certainly a nice feature for teleworkers.

The SSL312 is built on Linux, which makes it a relatively responsible network device, with an NTP and syslog client, though no SNMP stack. Certificates can be imported, or self-signed certs generated from within the UI, as well.

I configured the unit and updated to the latest firmware in about 20 minutes, as I was traveling the next morning. With my trusty MacBook Pro in hand, far from the lab, I fired up Safari (since the SSL312 doesn't support FireFox on any platform) and connected to the portal. I installed the Mac OS client and started up the tunnel only to find that it “Just Doesn't Work” on an Intel-based Mac. That prompted petulant cries to Oliver, who called Netgear, which promptly zapped over a code update that handled the problem. By the time you read this, Intel-based MacBooks should have no trouble and Vista clients should be fully supported as well. If you bump into an SSL312 that doesn't handle all these, drop petulant comments in the area below and we'll force Oliver to do some real work.

Aside from this hiccup, it seems that the Netgear SSL312 is a solid solution at a decent price--though we could wish for more than 25 clients even with a $500 sticker price.

Posted by Oliver Rist on May 23, 2007 03:48 PM

RATE THIS ARTICLE: