When we reviewed the Aventail EX-1500 in August 2004, with version 7 of its software, our verdict was pretty much that it was a functional box, but the user interface just wasn't intuitive enough for those not familiar with the unit. This wasn't a surprise, given that Aventail's history is as a managed service company (so usability didn't matter all that much, as only trained datacentre techies would have to use it), but we thought it a definite drawback for a device that the company wants to sell to the world at large.
A few months on, Aventail produced version 8 of its EX-1500, and brought one along for us to look at.
As with its predecessor, the unit is fairly noisy when it starts up, but the fans are soon calmed down and the sound is bearable. As before, you manage the device through a Web browser – and the interface has changed significantly since the last release. Not only has the look and feel been standardised across the GUI (unified icons and such like) but some key functions such as software updates and system shutdown are now part of the GUI (in the old version, you had to use a command line, which was a fag). They've also added some shortcut features to the management GUI. Hence you can jump more easily between the various sections, and you'll see new buttons such as "Save and add another", which save shedloads of clicking if you're bashing in a lot of policies or zone definitions.
The makers have also decided that the previous version, in which you had three separate sections in which you could define access policies, was too complicated – and so everything's been brought together into a single section for handling access control. Judicious use of GUI gadgets that let you show or hide gory detail on request helps the interface stay sane despite everything being brought together in this way. You can now import and export device configurations, or part thereof. Why part configurations? Easy: you may want to have the same policy set on each device but different IP addresses, digital certificates and such like. The management GUI also lets you monitor active sessions and/or kill sessions on demand.
Another comment we made last time was that although the device was licensed based on user counts, the licences weren't actually enforced – another throwback of a managed service operation. Version 8 brings with it proper licence enforcement – though the system quite sensibly gives you a 10 percent "grace" facility instead of simply locking you out when you inadvertently hit your user limit.
Along with usability changes, the new version does have a couple of important new features too. First is the introduction of the concept of "zones" – collections of policy rules that can be allocated to connecting users. So you could, for instance, define one zone for remote users that have suitable AV and firewall software on their computers, and another for those that don't. An obvious thing to do, we're sure you'll agree, but it's good to see that they've done it at last. The second improvement is to the SSL VPN mechanisms themselves. So the OnDemand tunnel can now run multiple applications (you could only run one thing at a time in the old release); the downloadable components used by the Browser Access function now persist on the client PC (so they're not downloaded every time you connect over a potentially sluggish link) and the functionality of the Browser Access facility has been altered to deal with some problems with applications that weren't happy in the previous incarnation of this proxy-like environment.
We think it's fair to say that version 7 of the EX-1500 was an attractive product but lacked usability. It's reassuring to see, then, that in version 8 the company has addressed pretty much all of the problems with the GUI; not only this, but they've also added some new functionality and expanded the existing functions in response to problems that their users have reported. This is exactly the way an equipment vendor should behave, and Aventail is to be applauded for getting there in the end.
As we said before, this type of device is more attractive than IPSec VPNs where either the clientless setup or the Java applet suits your needs best. For permanent site-to-site tunnelling, you'd probably look at traditional IPSec systems, though.