The FireBox SSL (FSSL) is WatchGuards implementation of an SSL-based VPN server. The idea behind this type of device is not just that its simpler to get up and running than a full-blown VPN-capable firewall, but also that by using SSL instead of, say, a full IPSec client, you can connect to your office resources from Internet cafes and the like that is, computers that youre unable to plonk a VPN client application on to.
Unsurprisingly for a WatchGuard product, the FSSL is a bright red rack-mountable appliance with a number of flashing lights, ports and buttons on the front, and with a Unixesque feel underneath. Starting at the left-hand side you have an LCD status screen with some buttons beside it for switching between the various items. Then is a console port with a little cover over it, which is useful for configuring the devices IP address if (as was the case with our review kit) someones set the address to something other than the default. Next is a set of Ethernet ports, with associated status/traffic lights, and finally theres a flap concealing the removable (though not hot-pluggable) hard disk.
The basic requirement for getting up and running is the three-page Quick Start guide (which is fortunate, because the main admin guide is a PDF that you download from the appliance once its humming and connected). There are two ways to run the device: as a lollipop with just one interface connecting into the LAN (so youd put it inside the firewall and make just an HTTPS hole through the firewall for it); or as a straddle (one interface outside the firewall to accept connections, and another inside the firewall to connect to the actual services). We chose the lollipop approach.
To configure the unit, you make an HTTPS connection with your Web browser on port 9001 to the WAN connection. This is an odd concept to anyone whos nervous about configuring security devices from outside, but sensible when you realise that in a lollipop setup, this is the only active interface. If you have a straddle installation, you can turn off the management capability of the external port, so its not a big problem.
First port of call is the network configuration, and then you need to go to the WatchGuard Web site, register the unit, and download the licence file. The site says that this can take a couple of hours to appear, but it only took five minutes or so for ours. Once you have the licence file, you upload it via the browser-based GUI and youre sorted you can now get to the unit and set it up properly.
What appears to be the config application is actually an X-Windows desktop tool that connects to the FireBox. The config application itself is actually a program that runs on the device itself a slightly surreal concept, but it works, so who cares? The config tool is a multi-tabbed application that gives you all the tools youd need setting up users, pointing the device at a remote authentication (e.g. RADIUS) server, configuring custom options for the VPN service (though the defaults seemed to work OK), and so on. Once youve configured authentication (either via the internal user list or a separate server) you define what they can do. As youd expect, you can define groups and attach access profiles to them, then simply drop users into those groups.
Users can access resources in either (or both) of two ways, depending on how youve configured their access rights. For those with their own PCs, you can provide full access to network resources via a VPN client that downloads and installs automagically on to the client PC. This works like a traditional VPN client that is, packets are tunnelled through the VPN client into the host network so you can share folders and whatnot just as if the PC were on the corporate LAN. By default, all packets get tunnelled (so Internet access and the like will all go through the VPN) though one of the admin features is the ability to split the tunnelling so that stuff addressed to the office LAN goes through the VPN and the rest doesnt.
Where users are out in the field and have to use restricted-access PCs, resource access is achieved via the Citrix-based client. So the users arrive at a portal page (theres a default one, but you can craft your own theyre just HTML) and are provided with access to shared folders, a VNC client (for remote-controlling an office, PC, for instance) and other tools such as WebMail clients and the like. Obviously the user doesnt get the flexibility with the portal-based approach that they would with the full VPN connection, but this is a limitation of the client end, not the FireBox.
I have to be honest and say that my first impressions of the FSSL were negative. After all, I got the device out of the box and turned it on to discover that half the buttons beside the LED panel dont actually do anything (seems a waste why not let the user set the IP addresses or something?); of the six Ethernet ports, you only seem to use two; and the removable hard disk seems a bit pointless. The more I used it, though, the more I got to like it and if theyve kept the cost down by re-using an existing appliance chassis instead of making a new one, thats not a bad thing.
The FireBox SSL is easy to use, and in its default configuration it takes little or no effort to get the unit running. Yet there are plenty of advanced features in there (failover capabilities, loads of the usual VPN concepts such as certificates and single-sign-on, and so on. I had both kiosk-based (browser) and full VPNs working within half an hour of getting the device out of the box, and thats not something you can say for many VPN servers. Okay, its perhaps not quite as clever as our other favourite, the Aventail EX-1500, but as the WatchGuard unit is 70% cheaper, its perhaps an unfair comparison. If youre an SME looking for a clever, flexible VPN server, buy a FireBox SSL
Although one of the nice features of SSL VPN is the concept of browser-based access for remote users in Internet cafes, the FireBox is actually an attractive option, thanks to its ease of use, for people wanting full VPN access for remote users with their own PCs.