Few things have given us more trouble than explaining the differences between the Mobile IP and VPN standards. NetMotion Wireless' Mobility XE throws this discussion a welcome curve: it goes beyond Mobile IP, addressing wireless roaming needs with more effective security, control, and bandwidth optimisation.

Both the Mobile IP and VPN standards handle remote users and provide encryption of the data stream. Both provide a way to access the remote user via a locally assigned address. The bottom-line difference becomes apparent only when users suddenly break their connection and attempt to reconnect later.

A VPN user in this situation has simply lost his network session; any work in progress is most likely gone and the user has to re-authenticate to the network when he logs on next. Mobile IP does something different: The standard's HA (Home Agent) software keeps the session open and handles the reconnection process when the mobile user returns to an Internet connection.

This feature is all the more impressive because the HA manages reconnections even if the user logs on again using different media. For example, the initial session may have started as a remote connection and then restarted from that user's local desktop connection in the office. None of this matters to a Mobile IP user. It's all in the background.

Beyond the basics of Mobile IP
Here's how Mobility XE takes the concept and intent of Mobile IP several steps further: The user logs in to a "mobility" server on the enterprise network and is authenticated against the RADIUS or NTLM (NT LAN manager)/Active Directory that guards network access. Each user or group is assigned a VIP (Virtual IP) from a set of specific IP addresses or from a pool of addresses through DHCP. Because hosts talk to the VIP, not to the hotspot address assigned to the mobile user, the session will be kept open as long as permitted by admin rules.

Mobility XE works for both wired and wireless connections, but given that its focus isn't on point-to-point connections, you're probably still better off employing a VPN for site-to-site tunneling applications.

Server and client software installs easily
Mobility XE server is the heart of the product. We installed our copy on an HP ProLiant DL360 running Windows 2003 Server in less than 10 minutes thanks to a smooth configuration wizard. Real-life users will see a slower installation only if they decide to import a large number of users from an existing RADIUS or Active Directory store.

We configured the Mobility XE server to pull addresses for its VIP store from our test network's DHCP server. We added our small number of test users through the Mobility XE console; integration into NTLM (Windows authentication) and RADIUS are point-and-click options. One feature we found particularly useful for legacy applications allowed us to configure a specific VIP for a specific user, so the legacy application would lock usage only to that IP.

Client installation is managed locally or via network push, and installation on Windows PCs is just as simple as on smaller clients such as Pocket PC 2002, which we had running on an iPaq. We also installed the NetMotion Mobility software on an HP Tablet PC using Sierra Wireless 750 and 755 wireless PC Card modems (we swapped between the two during testing), as well as on a Dell Dimension desktop machine running Windows XP Professional. This machine acted as a telecommuter, logging in to the Mobility XE server via a cable modem connection.

Broken connections come right back up
We concentrated our testing on the reconnection feature. We started a file transfer via FTP, then walked into an elevator, breaking our connection. When we entered a Wi-Fi hot spot and authenticated, the file transfer picked up where it left off. Just for grins, we also tried this with a Web page on the Pocket PC and got the same result: smooth, immediate reconnection with no lost work.

NetMotion's compatibility with NAT devices helps make these session connections so seamless. This compatibility let us connect securely using a local wireless connection or via the network firewall from an external connection while maintaining the same secure session.

Load balancing for multiple users
For enterprises with lots of remote users, Mobility XE has excellent support for load balancing between multiple XE servers, which is managed directly through the Mobility XE software. It is based on server-hardware monitoring as well as network and application bandwidth thresholds.

Mobility XE management is browser-based but has role-based security privileges that can be extended to or from the Active Directory store as well. The whole thing is not only flexible but fairly intuitive for new users.

What's missing?
Our wish list for Mobility is pleasantly small. We'd love to see the policy management module extended to security compliance, similar to Cisco's NAC (Network Admission Control) technology. It's an obvious next step for NetMotion.

Our other concern is a bit more immediate: We need more than Windows. We can live with the fact that the Mobility XE server runs only on Windows 2000 or Windows 2003 servers. What we can't live with for long is that client support is restricted to the Windows platform as well. With new PowerBooks hitting the enterprise, OS X support is critical for NetMotion, and embedded Linux support should be there, too.

Remote access is a headache every IT manager eventually faces. We've seen many products that address this problem, but Mobility XE's implementation is one of the smoothest so far.

OUR VERDICT

NetMotion Mobility XE combines remote access, wireless client management, and roaming into a seamless package that's almost too smooth to be true. You won't lose data if your connection breaks because Mobility XE keeps your session open until you reconnect.