Netgear ProSafe SSL VPN Concentrator SSL312
December 01, 2006
Netgear's SSL-based VPN appliance is less expensive and easier to set up than most conventional IPSec-based remote-access products.
Price: $545 (MSRP)
Pros: Inexpensive and easy-to-set-up SSL-based VPN; no client software required.
Cons: Requires Internet Explorer for remote clients.
About a decade ago, when a company wanted to provide remote access to employees, the customary method was to employ a group of phone lines connected to banks of dial-up modems. This not only offered limited user capacity and slow connection speed, it was also quite pricey due to phone-related charges.
The modern Internet brought forth a new remote access technique called the Virtual Private Network, or VPN. With a VPN, organizations can use the Internet to provide secure remote access to many more employees at much higher speeds without the recurring costs of multiple phone lines and long distance charges.
Netgear offers a solution to both of these shortcomings with its $545 (MSRP) ProSafe SSL VPN Concentrator, Model SSL312. The SSL312 is a VPN appliance that forgoes IPSec in favor of the SSL (Secure Sockets Layer) protocol, the standard form of encryption used by Web browsers. The SSL312 is not only inexpensive to buy, but we also found it quite easy to install.
The main benefit of the appliance's SSL-based virtual private network is that it uses a Web browser as a client instead of requiring you to have a special VPN application for access. Eliminating the dedicated VPN client application saves both configuration hassle and cost, as it means no additional charges for user licensing. Separating a VPN from client software has another benefit: it doesn't tie remote employees to systems running the VPN software. When the browser is the remote client, workers can gain access not just from their own PCs, but also from virtually any available computer with a browser and Internet connection.
The SSL312 lets you create customized VPN portal layouts, and even set up different portals for specific groups of users.
The SSL312 uses Netgear's familiar compact and low-profile blue metal chassis, with a pair of 100 Mbps Ethernet ports on the front. Depending on your network's configuration, you can install the SSL312 either behind or alongside your firewall. Choosing the latter option, although less secure, reduces the traffic load on your router/firewall and saves you the trouble of having to configure the firewall to forward all SSL traffic to the SSL312. We set up our test unit using the former (and more common) method, so we had to create a firewall rule to send any incoming SSL traffic (port 443) to the SSL312's IP address.
Installation and Configuration
After first connecting the unit directly to a PC to configure its default IP address and a handful of other settings (such as selecting an administrator password and specifying DNS servers and a default gateway), we plugged the SSL312 into a free Ethernet port on our switch, and within about a minute it was ready to be configured for use.
The SSL312 can accommodate up to 25 concurrent connections (workers online simultaneously), but there's no practical limit to the total number of user accounts you can create. You can opt to set up user and group accounts directly on the SSL312 or have the unit connect to one of various external sources (including Active Directory, LDAP or RADIUS servers) to authenticate users.
In order to create secure SSL-encrypted connections between the SSL312 and your remote workers, you must first obtain a digital certificate for your company. These can be had from third-party providers like Verisign or Thawte, or you can instead create your own "self-signed" certificate. Both procedures are outlined fairly well in the SSL312's documentation, which is overall quite well written and informative; it will be especially useful for organizations without in-house IT personnel.
The next step is to customize a portal layout for your remote workers, which determines what they'll see when logging into the SSL312. A default portal layout is already included for you to modify, but you can create additional layouts as well. By setting up multiple layouts and organizing user accounts into different VPN domains, you can create customized portals for various employee groups (e.g. sales, marketing, accounting, etc.). Helpfully, you can launch a portal from within the SSL312's administration console to easily view the effects of the configuration changes you make.
When setting up a portal, you can pick and choose the features and type of connection you want to make available to your employees. One option is a tunneling VPN connection, in which the remote system becomes a member of the local company network (the VPN connection even gets its own IP address from the SSL312). You can also opt for port forwarding, which will only redirect traffic for specific applications through a secure connection. This lets remote employees use certain applications as if they were on the company LAN (for example, using Microsoft Outlook to access an Exchange server), without the need to route all of the system's network traffic back through the company network.
Remote workers can connect to their office PCs using the SSL312's remote access feature.
The SSL312 supports a host of standard remote services, including FTP, shared network folders (e.g. My Network Places) and support for remote desktop using either Microsoft's RDP (Remote Desktop Protocol, supported by XP Professional) or VNC (Virtual Network Computing, used on Mac/Linux systems). If your company hosts applications via Microsoft Terminal Services, you can provide links to them through the SSL312 as well.
Remote User Access
There is one thing to be aware of before installing the SSL312: because ActiveX-based browser plug-ins provide so many (most, in fact) of the appliance's functions, remote workers must use Internet Explorer to access it in order to take advantage of the full range of features. (The appliance also supports the MacOS Safari Browser.) You can still use non-Microsoft browsers for administrative tasks, and Netgear says it's in the process of developing a set of Java-based plug-ins that will allow remote access via alternative browsers like Mozilla Firefox.
You can add welcome text and/or a custom image to your SSL312's login screen.
When you log into the SSL312 using the browser, you're presented with your customized portal page from which you can easily choose your connection type and the services you want to use. When creating a portal layout, you can also bookmark services to simplify access.
Accessing secure information from a public computer (indeed, any non-company system) can be a concern, so the SSL312 employs methods to ensure that residual data isn't accessible to workers who subsequently use the system. One is a Web cache cleaner that prompts people to delete data like temporary Internet files and cookies when logging out of the SSL312 (we noticed, however, that it doesn't seem to run if you simply close the browser without logging out first). You can also enable HTTP meta tags on the SSL312, which will prevent browsers from caching VPN pages in the first place.
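One way to confirm that the cache-prevention setting described above is in effect is to inspect what a portal page actually delivers. This is an added example, not Netgear's code: the sample pages and headers are constructed, and the names `MetaCollector`, `directives` and `audit` are hypothetical.

```python
from html.parser import HTMLParser

class MetaCollector(HTMLParser):
    """Collect <meta http-equiv="..." content="..."> pairs from page markup."""
    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("http-equiv", "").strip().lower()
        if name:
            self.meta.setdefault(name, []).append(a.get("content", ""))

def directives(values):
    """Split comma-separated cache directives into a lowercase set."""
    return {d.strip().lower() for v in values for d in v.split(",") if d.strip()}

def audit(html, headers):
    """Return findings for a page that a browser may leave in its cache."""
    parser = MetaCollector()
    parser.feed(html)
    hdr = {k.lower(): v for k, v in headers.items()}
    hdr_cc = directives([hdr.get("cache-control", "")])
    meta_all = directives(parser.meta.get("cache-control", [])
                          + parser.meta.get("pragma", []))
    findings = []
    if "no-store" not in hdr_cc:
        findings.append("header: Cache-Control lacks no-store")
    if not meta_all & {"no-store", "no-cache"}:
        findings.append("meta: no cache-prevention tag")
    return findings

# Constructed sample pages (not captured from an SSL312).
META_ONLY = ('<html><head><meta http-equiv="Pragma" content="no-cache">'
             '<meta http-equiv="Cache-Control" content="no-cache, no-store">'
             '</head><body>portal</body></html>')
BARE = "<html><head><title>portal</title></head><body></body></html>"

if __name__ == "__main__":
    print(audit(META_ONLY, {}))
    print(audit(META_ONLY, {"Cache-Control": "no-store, must-revalidate"}))
    print(audit(BARE, {"Cache-Control": "private"}))
```

Meta tags are seen only by the browser that parses the page, so a `Cache-Control` response header is the more dependable control where both are available.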
The Bottom Line
The SSL312 isn't the only SSL-based VPN device on the market, but it is the least expensive by a considerable margin (most cost well over $1,000). And although it lacks advanced features such as load balancing and failover that you'd find in more expensive enterprise-class devices, these features are unnecessary luxuries for most small firms.
Any small organization looking to provide secure remote access to its workers with minimal cost and deployment-related grief would do well to take a serious look at the Netgear ProSafe SSL VPN Concentrator SSL312.
Joe Moran spent six years as an editor and analyst with Ziff-Davis Publishing and several more as a freelance product reviewer. He's also worked in technology public relations and as a corporate IT manager, and he's currently principal of Neighborhood Techs, a technology service firm in Naples, Fla. He holds several industry certifications, including Microsoft Certified Systems Engineer (MCSE) and Cisco Certified Network Associate (CCNA).
Story courtesy of Small Business Computing.