The EX-1500 is the larger of two SSL VPN servers from Aventail. It's a 1U appliance based on PC hardware running Debian Linux, with 10/100/1000Mbit/sec Ethernet adaptors and the ability to pair with another similar unit to provide resilience. The smaller EX-750 has the same functionality but has only 10/100Mbit/sec interfaces and doesn't include the clustering capability.

Taking licence
Licensing is on a per-user basis, but is paper-based – that is, you pay for the appropriate licence but the box doesn't actually know what your limit is. We suspect that this is because Aventail has a history of providing SSL VPN technology as a managed service – so they've never had to worry about enforcing licence restrictions on their own servers, but have merely phoned the client and suggested increasing the licence count!

There are three different ways to access your applications through the EX-1500. The most basic approach is "clientless access", which makes Web-type resources (e.g. your company intranet) and Windows fileshares available to anyone with an SSL-capable browser. The filesharing interface uses HTTP's PUT/GET/POST capabilities to download and upload files, so there's no need for any technology that's not already built into the average browser.

The next step up the access ladder is "on demand" access, which requires the remote user to download a Java applet that enables client-server applications to work through the SSL VNP gateway. The applet sits between the client part of the application and effectively "tunnels" the packets through an SSL-encrypted connection into, and through, the EX-1500 – thus freeing the user from the constraints of the basic browser-only interface.

The final approach to connectivity is to install the Aventail Connect client application onto each user's machine. This is a Windows executable rather than a downloadable Java applet, and it provides a wad of extra functionality, including the ability to define connections into multiple VPN gateways across the organisation; run scripts to run when a connection is made; and produce organisation-wide sets of connection information which the client package can download automatically so you don't have to keep adding and changing connections as the network evolves.

Because a sensible system admin will be concerned about the security of the client machine itself, restrictions can be applied such that connections are only allowed if the client is running one of a particular set of anti-virus products, or a particular personal firewall product.

The server itself is configured via the obligatory Web (HTTPS) interface. As with the rather laid-back approach to licensing, you can tell that the GUI was designed for a managed service rather than end users, because although it's not all that hard to get to grips with, it can be a bit clunky. For example, initial configuration is done in seven consecutive stages which ought to be done in a wizard, but which instead require you to click back to the "home" page after each section.

Apart from such minor usability niggles, though, you soon get the hang of the unit, and behind the GUI, the core functionality is well done. User authentication is handled via the usual range of options (everything from an internal user database, through Windows directory services to SecurID tokens and the like) and setting up the various services people can access is pretty straightforward. Once services have been set up, each user logging in is presented with the various facilities available to them via the login screen (or, if they're using the Connect application, they'll be configured into the client manually or via an auto-update). As you'd expect, access to services can be restricted by user ID, time/date and source IP address, and even by SSL key length ("Only 128-bit users can access the Accounts package").

The final bits worthy of a mention are the extra client-side functions ("endpoint control") that the EX range works with. One is Aventail's own Cache Control function, which is aimed at clients accessing the network from a machine they don't own (e.g. an Internet café workstation), and which blows away all traces of your session from the cache of the PC you're using. A more complex application is Secure Desktop, a co-branded product from Sygate, which goes a step further and confines each SSL VPN session inside a "sandbox" on the local client, which can be configured to restrict access to resources on the local machine and which will, when a session ends, delete any files that you've downloaded during an SSL VPN session.

The EX range is functionally interesting, and the three-pronged approach to access gives reasonable flexibility (basic access requires no download, full access requires Administrator rights on the local machine, and the middle ground is a downloadable applet). The main drawback with the system is that the management GUI hasn't yet evolved properly from its long history in service providers; let's hope the next version is more friendly to the average system manager.


This type of device is more attractive than IPSec VPNs where either the clientless setup or Java applet suit your needs best. If you need something more like permanent tunnelling, look at both SSL and IPSec offerings and choose the one that most closely matches your needs.