Juniper is upgrading its remote access platform to support IPSec or SSL sessions, deciding on the fly which technology is better suited for the existing connection.

This is the first time a remote access vendor has incorporated both IPSec and SSL transport in an agent that is downloaded to a remote machine at the time of connection. The agent overcomes the objection that IPSec requires a separately installed client on remote machines. Juniper says it first tries IPSec because that technology has less inherent delay than SSL and so provides better performance.

As remote users try to connect over the Internet to a Juniper SSL VPN box at the edge of a business network, the device sends down a dual agent. If the IPSec connection is blocked, as can occur across network devices that swap private IP addresses for public ones, the software will fall back to an SSL connection, which can generally get through these network address translation devices.

"This way you can have your choice of the better one to use, but the end user doesn't have to figure out which connection to make," says Zeus Kerravala, an analyst with The Yankee Group.

Nortel and other vendors have gateways that support SSL and IPSec but require a pre-installed client on remote machines for IPSec connections.

In addition, Juniper is adding XML rewrite capabilities to the platform to make it possible to reach applications with XML-based content.

The company is upgrading its host-checker software that scans remote computers before allowing them to connect to a VPN to make sure they meet security policies. If an end-user machine fails a policy, the software can specify to the user why the machine failed and redirect it to a site where the problem can be fixed. The host checker then re-evaluates the machine. Before, the software just told the end user where to go to download fixes.