Celestix

HOTPin Two-Factor Authentication

Introduction

Celestix HOTPin is a tokenless two-factor authentication solution that enables organizations to empower their mobile workforce while ensuring industry leading protection of digital identities and protecting against unsolicited access to corporate resources, a primary reason for the loss of data.

Celestix HOTPin not only lets organizations mobilize their workforce, it also lets them use the remote worker's smart device, PC or tablet as a token capable of generating an event-based one-time password (OTP).

How it works?

One Time Passwords

ATM cards provide two-factor authentication in the tightly controlled environment of ATM machines, where each machine is equipped with a special card reader. It is not feasible to equip every laptop, desktop or tablet with a special device to read a card. That would be cost-prohibitive, time-consuming and extremely impractical.

To provide two-factor authentication for computer services and sites, users rely on a One Time Password that is generated on a device that is uniquely assigned to a user. One Time Passwords (OTPs) provide security in a number of ways.

Always Changing

The OTP changes after a fixed interval of time, commonly every 60 seconds. Even if an unauthorized user noted the OTP, they won’t be able to use it since it would have changed for the next session.

Tied to a device

OTPs are generated using a seed that is uniquely associated with a device. Thus, every user’s OTP will be different. Since the device is assigned to a user, the OTP uniquely authenticates a user and a PC desktop client. By leveraging smart devices or text messaging, the OTP is delivered ‘on demand’ to the user. And, of course, HOTPin easily integrates with AD.

QR Login

The HOTPin client now supports QR codes. Users can scan the QR code and are instantly and securely logged in to the application. Integrating this function into any web service is simple. The latest HOTPin 3.7 includes an API with samples that help simplify integration into your existing server architecture.

Licensing

Server License

HOTPin authentication server is available at a fixed price and requires the procurement of an annual maintenance fee.

Subscription

User licensing is per registered user and is enforced on the server. One major benefit of HOTPin is that the per license price is fixed, regardless of the token form factor. For instance, the hardware token is priced the same as the soft token. This addresses a key issue in the authentication market which is the complexity of pricing for various token types.

HOTPin licenses are available on a renewable basis for terms of 1, 2 and 3 years.

HOTPin Features

Simple Deployment

HOTPin is tokenless, providing OTP generation via soft token, Instant Messenger or SMS. User provisioning can be offered in multiple methods, from app store download or through a simple to navigate self-service portal. User adoption is high because the technology is simple to use and requires no additional hardware.

HOTPin authentication server includes an instance of RADIUS server on board, providing organizations with simple deployment and easy connectivity with any standard perimeter access gateway device. It comes with a simple management console and a multitude of reporting options as standard.

Low TCO

Traditional two-factor authentication solutions rely on the use of physical hardware tokens as the form factor for generating a dynamic One Time Password (OTP). The management overhead associated with administering and supporting such tokens can be very high because tokens not only have an inherent cost to procure, they also need to be issued securely to workers who, by definition, are working remotely. This introduces a cost of provisioning that must be factored into any budget for deployment of such a solution. The provisioning process can be frustrating, time-consuming and costly.

Provisioning a hardware token to a remote worker first involves setting the user up in a repository. Next, the token must be assigned to the user and finally it must be dispatched. The dispatch process will likely involve the use of a secured transit such as courier or registered mail service. This process could take an average of two hours and the transit service alone could cost up to $50 per user, doubling the cost of the hardware token itself.

HOTPin lowers the cost of authentication when compared with traditional hardware solutions. Initial investment is low because there are no hardware tokens to procure and issue. The renewal process is also low cost because there are no hardware tokens to renew and replace. HOTPin licensing model is simple, with a single HOTPin license allowing for the use of both soft token and SMS OTP generation.

Integrations and APIs

HOTPin 3.7 now includes an application programming interface (API) and software development kit (SDK) that allows an enterprise to integrate two-factor authentication into its existing web applications. This API allows administrators to modify their existing web applications to include an option on the authentication screen from which a user can choose the method of login.

  1. Login via QR code – HOTPin agent on the server will generate a QR code on the login screen.  A user then scans the code using client software installed on a smart phone with network access.  The login process is then negotiated.
  2. Login via OTP -  Passcodes can be sent to the user via text message or by instant message service that has been previously registered. This provides full, out-of-band, two-factor authentication without the need to purchase additional tokens.

The HOTPin Authentication API is the simplest way to implement two-factor authentication into your existing web applications. With SOAP and REST interfaces, the authentication API is rich in options, examples, and sample code.

HOTPin Authentication API SDK contains the following:

  • .NET and COM libraries, sample applications and documentation
  • Java client libraries, sample applications and documentation
  • Windows Phone and Android client libraries, sample applications and documentation
  • Sample HOTPin Agent authentication web service for implementation of a secure proxy authentication server
  • API/SDK documentation

Self-Enrollment

With the HOTPin User self-service portal, end users can provision themselves, import their own keys and reset their PIN if required, without having to go through the IT helpdesk. Users who want to use their smart phone as a token can also import the token keys by scanning a QR code from the self-service portal.

  • Reduce IT help desk costs
  • Enhanced user experience
  • Higher adoption and user satisfaction

Choice of Authentication Methods

HOTPin allows for choice and flexibility, creating an authentication solution that works for everyone in your organization.

HOTPin supports iOS, Android, Blackberry and Windows 7/8 mobile phones as well as hardware tokens for users who prefer them.

Powerful Admin Management

HOTPin web-based administrative interface lets you easily revoke credentials, disable users, and audit access by users and groups. Extensive reporting tools are also provided and audit trails are maintained for regulatory compliance.

Comprehensive Reporting

Comprehensive reporting engine provides complete visibility.

  • Provide visibility to management
  • Enforce and monitor compliance
  • Automated report generation and delivery

Authentication Methods

Phone-as-a-token

  • Description: Use your smart phone as a token by installing a software token app on the mobile device to generate One Time Passwords.
  • Benefits: If the device is lost, re-provisioning is simple and fast, lowering helpdesk costs and increasing employee productivity.
  • Platforms: iOS, Android, Blackberry, and Windows Mobile
  • Additional cost: Free download

OTP via SMS

  • Description: Users can receive One Time Passwords via text message or email for true Out of Band (OOB) authentication.
  • Benefits: Leveraging the SMS text network or email provides simple to use and efficient delivery of the OTP to users, regardless of the cell phone device they use. It is also of benefit to organizations with deployments of devices that they do not manage directly.
  • Platforms: All phones with SMS
  • Additional cost: SMS messages use your account’s telephone credit

OTP via Instant Messenger

  • Description: Users can receive One Time Passwords via Instant Messenger for true Out of Band (OOB) authentication.
  • Benefits: Leveraging the Instant Messenger provides simple to use and efficient delivery of the OTP to users. It is also of benefit to organizations with deployments of devices that they do not manage directly.
  • Platforms: All phones with Instant Messenger. Currently only Yahoo Messenger and Google Talk are supported.
  • Additional cost: No cost

Hardware Token

  • Description: Use the passcode generated on your hardware token.
  • Benefits: Celestix Touch Tokens have a long battery life, are OATH compliant and extremely durable.
  • Platforms: Celestix Mobile Touch or any OATH-compliant tokens
  • Additional cost: Buy from Celestix or import your own tokens

Virtual Keyboard

  • Description: Use the virtual pinpad on the screen to enter your PIN number.
  • Benefits: To protect against shoulder surfing and keystroke logging, the pinpad randomly generates numbers in a grid at each log on, and the user enters their PIN number with mouse clicks instead of typing it.
  • Platforms: Any web browser
  • Additional cost: Free download

Solutions

HOTPin uses RADIUS to integrate with any remote access gateway solution like Juniper SA series, Microsoft TMG, UAG, SSH/UNIX or Citrix XenApp.

After integration, users have to enter their username, PIN and OTP to authenticate. OTPs are generated on smart phones, hardware tokens (like Celestix Touch) or received through text messages.

For Microsoft UAG specifically, Celestix provides a custom agent that ensures users’ credentials are properly passed on to applications, providing true Single Sign-On.

  • VPN: HOTPin integrates with all major SSL VPN vendors to protect remote access.
  • Microsoft: HOTPin integrates with Microsoft DirectAccess, Threat Management Gateway and Microsoft Unified Access Gateway.
  • Cloud Services: HOTPin integrates with Office 365 Online, Salesforce.com and Google Apps via Microsoft ADFS.
  • Web: Use our SDK to add two-factor authentication to your web application.
  • SSH & Unix: Protect local and remote logins with HOTPin.
  • Citrix: HOTPin integrates with XenApp and XenDesktop to protect your virtual environment.

 

Frequently Asked Questions

  • 1. What is an OTP?

    A one time password or OTP is used in addition to a static PIN number to form the two factors of two-factor authentication. An OTP is typically generated by a token which is in the possession of a user and it generally has a time to live (TTL) of one usage or limited to a period of time.
  • 2. What authentication standard does HOTPin use?

    Celestix HOTPin is based on IETF RFC 4226.
  • 3. How does HOTPin ensure integrity of the OTP generation and log in process?

    HOTPin users authenticate themselves to the system by proving that they possess a shared secret. This shared secret is the key used in the HOTP algorithm. The key is a 128-bit random number generated by the server when a client token is created. It is downloaded to the client software application when the client is provisioned. Only the server and the client software know the key, and keys are unique among all of the registered users, so proving that one possesses the key is equivalent to proving that you are the user assigned to that key. The key itself is never divulged, even to the user or server system administrator; what the user is proving is that they possess the key, not that they know the key's value.

    The authentication trick is that you must prove that you have a shared secret without transmitting the secret itself across the network. HOTPin does this by using the secret key to encrypt a counter. The result of this encryption is a block of apparently random bits. The HOTP algorithm extracts some of these bits and creates a unique One-Time Password (OTP). It is this OTP that is transmitted across the network to prove that the user possesses the shared secret. The server also knows the key and the counter value, so it too can generate the same OTP. If the server and client both generate the same OTP value, then they must share the same key and counter.
  • 4. Does the client software communicate the OTP to the server?

    No, once the client software is provisioned with a key it operates autonomously and does not communicate with the server. To log in using HOTPin, the user must start the client application and generate an OTP. The user then copies the OTP manually into the login portal page along with a personal identification number (PIN). The two factors of the authentication are the PIN and the OTP which prove that the user possesses the HOTPin key.
  • 5. What form factors are available for HOTPin authentication server?

    HOTPin consists of two components, the server and the tokens. The server side deployment consists of either a purpose built appliance or a software version that can be deployed on Windows Server 2008 R2.
  • 6. What form factors are available for HOTPin tokens?

    HOTPin provides organizations the ability to select the broadest range of token form factors. These are listed as follows:
    1. In client mode, HOTPin generates an OTP via a soft token that can be installed and run on all major smart device, tablet and PC end points.
    2. In clientless mode, HOTPin leverages the GSM network to issue an OTP as a text message that is sent to the user. This option provides true out of band (OOB) authentication. The system is capable of issuing OTPs in advance, which can be stored on the device for subsequent use even if the user is out of network coverage.
    3. In hardware mode, HOTPin offers a physical, event-based token that generates an OTP when initiated by the user.
  • 7. What authentication directories can be integrated?

    The HOTPin server can import and synchronize users with and from Active Directory. In addition, HOTPin allows for the administration of a local user repository, independent from AD.
  • 8. How is HOTPin different from RSA SecurID?

    HOTPin and SecurID both meet the need for two-factor authentication, but they do it in different ways. HOTPin is an event based solution, meaning that the user has to initiate an OTP each time they wish to authenticate. With SecurID the token is always on and generates a new OTP every sixty seconds. This causes three potential issues.
    1. Lifespan of the token and the need to reprovision users with a new token every time the battery expires.
    2. Potential for the clocks on the authentication server and the token to fall out of synchronization, resulting in failed authentication and increased helpdesk costs.
    3. If the SecurID token is stolen, then there is no challenge to the thief on generating the OTP. If they can hack the PIN number then the security is breached.
    HOTPin addresses these key concerns. By providing the ability to deploy both soft tokens and leverage the GSM network for OTP delivery, there is no need to deploy hardware tokens. This reduces initial costs of procurement and provisioning to users in the field. Ongoing costs are reduced because HOTPin does not rely on hardware tokens with a finite battery lifespan.

    HOTPin is an event-based solution and so can still fall out of synchronization with the server. However, the system allows for a customizable grace period to accommodate such instances. In addition, a self-service portal is available as standard to allow for user resetting and account management.

    HOTPin can prevent unauthorized users from generating an OTP by enforcing the input of a PIN number before the soft token can present the OTP on screen. An added benefit of running HOTPin as a soft token is that users typically realize quickly if they have lost their device. This allows for a more rapid response to the instance of a lost token and so reduces any window of vulnerability.

    RSA stores the seed and device serial numbers in a master database. In the event of a breach as happened in March 2011, an attacker might gain access to the database allowing them to masquerade as a legitimate user because they hold both the user ID and the algorithm for generating the OTP.
  • 9. Can I use my current hardware tokens in parallel with HOTPin and migrate users over time?

    It is possible to integrate any OATH compliant, event based token with the HOTPin server. This requires the import of the hardware token PSKC files into HOTPin. In this instance HOTPin is able to operate as the primary authentication server for both HOTPin and non-HOTPin authentication requests.
  • 10. I want the most convenient authentication solution; does HOTPin provide a true tokenless option?

    Celestix does not recommend convenience over security but we do recognize the need for some organizations to offer a simplified log in experience for certain user types. To that end, HOTPin offers a virtual keyboard option that can be integrated with the remote access gateway. This solution allows the user to input their PIN into an on-screen keypad and so prevents the need to carry a distinct token of any type.
  • 11. How easy is it to integrate with my gateway solution?

    HOTPin server includes an embedded RADIUS server, allowing for simple integration with any RADIUS based access or perimeter technology. Celestix has published integration guides for all major gateway solutions. If the gateway solution is Microsoft UAG 2010 then HOTPin includes an agent that can be installed on UAG to provide an even easier integration process. In addition, the HOTPin agent for UAG also supports web-SSO for seamless login to Outlook Web Access and other Microsoft applications.
  • 12. Does the user licensing apply to the clients or server?

    HOTPin authentication server is available at a fixed price and requires the procurement of an annual maintenance fee. User licensing is per registered user and is enforced on the server. One major benefit of HOTPin is that the per license price is fixed, regardless of the token form factor. For instance, the hardware token is priced the same as the soft token. This addresses a key issue in the authentication market which is the complexity of pricing for various token types. HOTPin licenses are available on a renewable basis for terms of 1, 2 and 3 years.
  • 13. Does the user licensing apply to total users, concurrent users or assigned users?

    User licensing is for registered users. This is equivalent to the total number of entries in the user data base on the HOTPin server.
  • 14. Can user licenses be reassigned?

    Yes, so long as the total number of registered users does not exceed the number of licensed users, registered users can be added or deleted at will. In addition, it is possible to switch between soft token and clientless token providers for a registered user without incurring additional cost.

    How will user licensing be enforced? Is there something on the HOTPin server that will "stop authenticating" when the customer's term expires?

    Yes, there is a license key file that encodes the number of users and the expiration date.
  • 15. Will Celestix have audit rights for verifying number of users at any particular customer?

    Yes the End User Software License Agreement for HOTPin stipulates that users must make their systems available for audit upon request.
  • 16. Can a potential customer obtain evaluation licenses? How do evaluations work?

    HOTPin can be downloaded via www.celestix.com. There are two primary options: a 100-user, 30-day trial license and a 25-user license valid for 12 months. Customers wishing to evaluate the product should select the first option. Customers who wish to use the product for a longer duration or for a small user base are welcome to use the 25-user license. This license is free of charge for the first year only and use becomes chargeable at the anniversary date. For assistance during the evaluation process please contact info@celestix.com.
  • 17. Are evaluations also available for channel partners & do they vary in any way?

    The same conditions apply to channel partners and prospective customers.
  • 18. Can customers add users to HOTPin? If so, are they prorated for the length of the original contract or does a new contract apply?

    Yes, customers can add on to the number of users licensed for HOTPin at any time. The additional users will be pro-rated so that all licenses have the same renewal date.
  • 19. Are customers entitled for any upgrades to HOTPin?

    Customers deploying v3.5 who have a valid support contract will be entitled to receive all updates to v3.7 for the duration of its lifetime. Upgrades between major releases of the product are not included and will require an upgrade fee.

    How does high availability/failover work with HOTPin?

    HOTPin supports active/passive high availability. All user data is continuously replicated to a second instance of HOTPin (if purchased). The databases on both servers replicate continuously; however, the failover process requires administrative intervention.
  • 20. Do we recommend any particular SMS gateways to use in conjunction with HOTPin?

    Celestix does not recommend any specific SMS gateway providers. It is possible to integrate hardware SMS modems with HOTPin server, however most organizations will use a web gateway for issuing SMS. Both options are supported by HOTPin.
  • 21. What training materials are available for HOTPin?

    HOTPin has extensive user documentation. Client software includes contextual help. HOTPin server includes online help, an installation guide and a quick start guide. Supporting documentation can be found on the support pages of www.celestix.com.
  • 22. Can a user use both a software client and clientless access?

    Switching between client and clientless modes of operation can be achieved by the system administrator or alternatively it can be completed by the user through the self-service portal. There is no impact on licensing or cost if a user switches between soft token and clientless options. In the event that a user needs to switch to a hardware token, this would be a chargeable option.
  • 23. What additional costs do I need to consider?

    None, other than the cost associated with having a service provider to send out SMS messages.
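
The OTP generation described in FAQ 3 and the counter "grace period" mentioned in FAQ 8, as an added Python example that is not Celestix code and does not use the HOTPin API. RFC 4226 computes the keyed step as HMAC-SHA-1 over the counter; the `TokenRecord` class, its `look_ahead` parameter and the window size are hypothetical names and values chosen for illustration, the sample secret is the published RFC 4226 test key, and PIN checking is omitted.

```python
"""HOTP (RFC 4226) generation plus a server-side check with a look-ahead window."""
import hashlib
import hmac
import secrets
import struct


def new_token_key() -> bytes:
    """Generate a 128-bit random shared secret (the key size the FAQ states)."""
    return secrets.token_bytes(16)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Return the RFC 4226 one-time password for a single counter value."""
    # Keyed step: HMAC-SHA-1 over the counter as an 8-byte big-endian integer.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenRecord:
    """Server-side state for one provisioned token (hypothetical structure)."""

    def __init__(self, key: bytes, counter: int = 0, look_ahead: int = 2):
        self.key = key
        self.counter = counter        # next counter value the server expects
        self.look_ahead = look_ahead  # how far ahead the client may have run

    def verify(self, submitted: str) -> bool:
        """Accept an OTP inside the window and move the counter past it."""
        for step in range(self.look_ahead + 1):
            expected = hotp(self.key, self.counter + step)
            # Constant-time comparison of the candidate and submitted codes.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                # Advancing past the matched counter makes the code single-use.
                self.counter += step + 1
                return True
        # No match: the counter is left untouched so a bad guess cannot
        # push the server out of step with the real token.
        return False


def demo() -> list:
    """Walk through desync, replay and out-of-window cases on constructed input."""
    key = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    server = TokenRecord(key, counter=0, look_ahead=2)
    # The user generated codes for counters 0 and 1 without logging in,
    # then submits the code for counter 2.
    ahead = hotp(key, 2)
    far_ahead = hotp(key, 9)
    return [
        ("client two events ahead, inside window", server.verify(ahead)),
        ("same code replayed", server.verify(ahead)),
        ("client six events ahead, outside window", server.verify(far_ahead)),
        ("next in-sequence code", server.verify(hotp(key, 3))),
    ]


if __name__ == "__main__":
    for label, accepted in demo():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```
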

 

Deployments

HOTPin authentication service is available as software or appliance form factor for on premise deployment or as a managed service with pay as you go price model.

Software

HOTPin Authentication Server software is stand-alone software that can be installed on any Intel-based server running Windows Server 2008 R2 with a minimum of 2 GB RAM and 1 GB free disk space.

HOTPin is also Citrix Ready and it can be installed on Windows Server 2008 R2 Virtual Machine.

Appliance

The Celestix HOTPin appliances are built for rapid deployment, simplified management and high performance. The Celestix HOTPin Web Administration provides an intuitive and feature-rich web UI that allows for advanced configuration for both HOTPin Two-factor Authentication and the appliance.

Two versions of Celestix HOTPin Appliance are offered:

  • HSA 3200 – Designed to satisfy the requirements for simple and cost-effective two-factor-authentication deployments.
  • HSA 6200 – Designed with dual power and redundant hard drives for organisations that require highly available deployments.

Celestix HOTPin MSP Edition

Celestix HOTPin MSP Edition has been designed specifically with the MSP in mind and provides simple and secure two-factor authentication services that can be integrated with MSP-specific provisioning workflows. Setup, installation and configuration are designed to be simple, allowing you to offer two-factor authentication services to existing customers rapidly and with no upfront capital expenditure.

Technical library

HOTPin Integration Guides

HOTPin Server Software

HOTPin Clients

HOTPin Appliance

 

Download HOTPin Client

HOTPin for iOS Version 3.7

You need to install a QR Code Reader on your iPhone.
  1. Run the QR Reader.
  2. Point your phone at the barcode here and scan.

HOTPin for Android Version 3.7

You need to install a QR Code Reader on your Android phone.
  1. Run the QR Reader.
  2. Point your phone at the barcode here and scan.

HOTPin for BlackBerry Version 3.7

Open BlackBerry World on your device. Do one of the following:
  1. On a device running BlackBerry Device software 7.1 or older, press the Menu key. Click Scan a Barcode.
  2. On a BlackBerry 10 device, swipe down from the top of the screen. Click Scan a Barcode.

HOTPin for Windows Phone Version 3.7

You need to install a QR Code Reader on your Windows Phone.
  1. Run the QR Reader.
  2. Point your phone at the barcode here and scan.

HOTPin Client for Mac OSX

HOTPin Client Instruction for Mac

HOTPin Client for Windows 7/8
HOTPin Client Instruction for Windows 7/8

Unified Remote Access

Celestix is committed to continue servicing the market for Microsoft UAG 2010 until 2023, allowing existing customers to continue depending on the product with peace of mind. It also enables new customers to depend on UAG without any concern about the lifecycle of the product.

Organizations of all sizes rely on UAG 2010 to deliver comprehensive, secure remote access to corporate resources for employees, partners and vendors on managed and unmanaged PCs and mobile devices. UAG's strength lies in its comprehensive reverse proxy and application-based SSL VPN functionality, combined with the relative simplicity of using a combination of connectivity options ranging from SSL VPN to DirectAccess. The technology is widely deployed in the market and is a trusted component of many thousands of networks worldwide.


Providing network services to remote users is a challenge. Different classes of remote users have differing needs and will have different levels of authority to view sensitive data. Users may also utilize multiple endpoints when accessing corporate resources and these may have varying levels of security, making the threat of infection and security breach extremely high.  Unsecured remote access can disclose sensitive information and if left unchecked, infected endpoints can be vectors for cybercrime.

Celestix WSA appliances deliver Microsoft’s Forefront Unified Access Gateway 2010 (UAG) to provide policy based, granular and secure anywhere access to corporate resources. WSA supports multiple connectivity options including SSL VPN, DirectAccess, SSTP and RDP, allowing organizations to publish a broad range of applications and resources and providing users with granular levels of access in line with their level of trust.

UAG’s ability to interrogate the endpoint and determine levels of health and trust prevents endpoints that don’t comply with corporate health and security standards from connecting to the network. Further, UAG lets administrators expose only the applications, or parts of applications, to only the users or user classes they wish to authorize. For instance a trusted user logging in from an endpoint that does not fully comply with corporate policy may just be allowed read-only access to email or limited access to sites or zones within a SharePoint site.

Sessions through the WSA are encrypted, preventing unauthorized access to any sensitive information left on intermediate servers, while session wipers remove data from endpoints when a session ends.

The WSA appliance range is the award winning, market-leading deployment platform for Microsoft UAG 2010. WSA appliances are built for rapid deployment, simplified management and high performance. The COMET software engine provides an intuitive and feature rich web UI that allows for advanced configuration for both UAG and the appliance.

WSA powered by Microsoft UAG, secure remote access from Celestix business anywhere solutions.

WSA Features

Celestix provides numerous additional features that complement and enhance the use of UAG. Automated update services provide prescreened alerts and patches through the COMET web UI, and multiple backup and restore options provide solutions for disaster recovery. Celestix appliances are the de facto platform for the secure and risk-free deployment of UAG 2010; just ask the readers of Computing Security, who voted WSA the Network Security Product of the Year 2011.

Secure, anywhere access

Secure, web-based access to business critical applications and data.

  • Differentiated and policy-driven access to network, server, and data resources.
  • Flexible application-intelligent SSL VPN from any device or location.
  • Highly granular access and security policy enforced at the session, application, and function levels.
  • Comprehensive basic and form-based authentication through Active Directory®, RADIUS, LDAP and HOTPin
  • Customizable, identity-based web portal with single sign-on (SSO).
  • Handles embedded browser applications.
  • Connectivity and control for client/server and legacy applications.
  • Management features for DirectAccess VPN.

Protect IT assets

Integrated application protection helps ensure the integrity and safety of network application infrastructure by blocking malicious attacks.

  • Application-layer firewall blocks non-conformant requests, such as buffer overflow or SQL injection, on application protocols.
  • Comprehensive protocol validation and deep content inspection with both positive and negative logic rule sets.
  • URL cloaking and full functionality for remote users through dynamic URL rewrite and HTTP parameter filtering.
  • Application optimizers provide out-of-the-box protection for high value applications such as SharePoint® Server, Microsoft® Outlook® Web Access
  • Comprehensive monitoring and reporting; integrates with third-party risk and policy management platforms.
  • Extensible infrastructure and tools for custom application publishing and scripting.

Simplified provisioning and management

Celestix WSA appliances provide a single platform through which to deliver and manage remote access. With built-in policies and configurations for common applications and devices, you can gain more control, more efficient management, greater visibility, and lower total cost of ownership.

  • Multiple server array deployment provides high availability and failover capabilities.
  • Supports Windows Server 2008 R2 (64-bit) operating system.
  • Simple application publishing tools for core applications such as SharePoint.

Built for purpose appliance platform

Celestix WSA appliances provide an award winning, hardened turnkey platform for the deployment of UAG 2010. Celestix optimizes both the hardware and software on the WSA appliance to ensure a risk-free “right first time” deployment. Celestix helps to lower the cost of ownership through reduced deployment timescales and increased hardware reliability.

  • Rapid deployment with jog dial, LED display and intuitive interface.
  • Simplified administration with COMET user interface.
  • Automated patching and updates for application, OS and firmware.
  • Out of band management.
  • A range of appliance form factors for enterprises of all sizes.

WSA powered by Microsoft UAG: Secure remote access for a business anywhere solution from Celestix.

Celestix WSA and DirectAccess

Celestix WSA Unified Access Gateway delivers comprehensive, secure remote access to corporate resources for employees, partners, and vendors from a diverse range of endpoints and locations, including managed and unmanaged PCs and mobile devices. Building on the secure remote access capabilities in Microsoft Intelligent Application Gateway 2007, Celestix WSA UAG draws on a combination of connectivity options, ranging from SSL VPN to Windows® DirectAccess, as well as built-in configurations and policies. These enable Celestix WSA to provide centralized and easy management and thereby reduce management costs. In addition, Celestix WSA integrates a deep understanding of the applications published, the state of health of the devices being used to gain access, and the user’s identity to enforce granular access controls and policies.

Seamless and secure remote connectivity with DirectAccess

Celestix WSA DirectAccess Diagram

With DirectAccess in Windows 7 and Windows Server® 2008 R2, mobile workers can seamlessly and securely access the entire corporate network—file shares, intranet, and line-of-business applications—wherever they have an Internet connection. Celestix UAG works with DirectAccess to:

  • Extend these benefits to legacy applications and resources, and support down-level and non-Windows clients through integrated SSL VPN capabilities and other connectivity options.
  • Limit exposure associated with connecting unmanaged, down-level, and non-Windows clients through granular access controls and policies.
  • Protect the DirectAccess gateway with a hardened edge solution and built-in firewall.
  • Simplify deployment using built-in wizards and tools.
  • Support scalability and ongoing administration through built-in array management and integrated load balancing.

Celestix WSA and SharePoint 2010

Collaboration has become an essential force in the workplace as groups of colleagues work together to solve problems, complete projects and perform other essential day-to-day business operations. Using products such as Microsoft Office SharePoint Server 2010 and Windows SharePoint Services 3.0, information workers throughout a company can work jointly on documents as well as post files, participate in threaded discussions, link to dynamic Web content, and generate tables based on information in corporate databases. In addition, companies can use these tools to collaborate with partners and customers around the world.

Unfortunately, this collaborative environment is often limited to on-network use or is accessible only via cumbersome virtual private network (VPN) schemes from fully managed client machines. Wouldn’t it be great if you could safely access your SharePoint portal from anywhere at any time?

Celestix has the tools to make that happen. By combining the Celestix WSA running Unified Access Gateway 2010 with Microsoft Forefront Security for SharePoint, you can:

  1. Increase productivity: Allow users to access SharePoint resources from any Internet connection.
  2. Enhance the end-user experience: Maintain the familiar look and functionality of the SharePoint site while working off the network
  3. Bolster security: Help ensure that access to resources is secured and document content is clean and free from malware and inappropriate information.

Celestix WSA Unified Access Gateway delivers comprehensive, secure remote access to corporate resources for employees, partners, and vendors from a diverse range of endpoints and locations, including managed and unmanaged PCs and mobile devices. Celestix WSA integrates a deep understanding of the applications published, the state of health of the devices being used to gain access, and the user’s identity to enforce granular access controls and policies.

Seamless and secure remote connectivity to SharePoint

Celestix WSA and SharePoint Diagram

With SharePoint and Celestix WSA, mobile workers can seamlessly and securely access the entire corporate site wherever they have an Internet connection. The organization can benefit from UAG’s ability to control access dependent on user profile, access rights and security posture of the endpoint.

  • Protect the SharePoint deployment with a hardened edge solution and built-in firewall
  • Simplify deployment using built-in wizards and tools
  • Publish SharePoint natively without any unnecessary user interaction with UAG
  • Publish SharePoint through a portal along with other applications
  • Support scalability and ongoing administration through built-in array management and integrated load balancing.

Compare WSA models

| WSA Models | WSA 3400 | WSA 6400 | WSA 8400 |
|---|---|---|---|
| Type of Business | Designed for small to mid-sized enterprises | Designed for large and multinational enterprises | Designed for large and multinational enterprises |
| Recommended Users | 500 concurrent users | 3,000 to 6,000 concurrent users | up to 15,000 concurrent users |
| CPU | Intel i5 | Intel E3 | 2 x Intel E5 |
| Memory | 8 GB | 16 GB | 16 GB |
| Cache | 6 MB | 6 MB | 15 MB |
| Hard Drive | SATA-II hard drive | 2 x SATA-II hot-swappable hard drive | 4 x SATA-II hot-swappable hard drive |
| Disk Mirror RAID | - | RAID 1 | RAID 6 |
| Gigabit Ethernet Ports | 6 | 6 | 8 (with 10 GbE ports option) |
| Power Supply | 220W power supply with universal AC input | Redundant 250W+250W power supplies with universal AC input | N+1 Redundant configuration 500W power supplies with universal AC input |
| Dimensions | 1.75″ x 17.3″ x 13″ | 1.75″ x 17.3″ x 21.5″ | 3.5″ x 17.4″ x 23.25″ |

* Performance Guidelines Only, Actual performance may vary depending upon networking and application environment.


"Always-on" Remote Access

With DirectAccess, users can experience the full corporate environment from any location through any internet connection. All assets from intranet websites to line-of-business applications are accessible for the user in less than one click, reducing connection problems, productivity bottlenecks, and IT support cases. “Always-on” remote management also ensures that all devices are updated and in compliance with group policy at all times. The remote workforce is growing, and simplified solutions for remote users are in high demand. The Celestix DAX DirectAccess appliance platform with Microsoft Windows Server 2012 DirectAccess increases productivity by enabling remote workers to seamlessly and securely connect to the corporate network without VPN – anytime, from anywhere.


The DAX DirectAccess appliance provides a purpose-built, reliable and performant platform to ensure rapid deployment and easy management of the DirectAccess gateway, for compatible versions of Windows 7 and 8. DAX is a hardened and secure appliance platform, optimized for a secure Windows deployment right out of the box. Configurations can be quickly applied, eliminating the administrator’s time spent hardening the operating system.

Powerful Admin Management

The Celestix COMET Appliance software engine provides an intuitive and feature rich web UI that allows for advanced configuration for both DirectAccess and the appliance.


How Does it Work?

DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network. DirectAccess is built on a foundation of proven, standards-based technologies: Internet Protocol security (IPsec) and Internet Protocol version 6 (IPv6).

DAX Diagram

DirectAccess uses IPsec to authenticate both the computer and user, allowing IT to manage the computer before the user logs on. Optionally, you can require a smart card for user authentication.

DirectAccess also leverages IPsec to provide encryption for communications across the Internet. You can use IPsec encryption methods such as Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES).

Clients establish an IPsec tunnel for the IPv6 traffic to the DirectAccess server, which acts as a gateway to the intranet. The diagram above shows a DirectAccess client connecting to a farm of DirectAccess servers across the public IPv4 Internet. Clients can connect even if they are behind a firewall.

The minimum requirements in general for Celestix DAX DirectAccess are: 

  • Active Directory 
  • Client running Windows 7 Enterprise/Ultimate or Windows 8/8.1 Enterprise 
  • Workstations must be part of the domain 
  • Windows 2012 (for the DirectAccess server installation)
  • Windows 2008 R2 or above Domain Controller
  • Certificate Authority that is capable of deploying custom templates
  • Workstation firewalls must have the service enabled and the public profile set to ON
  • A single IP address (it can be NAT’d) with port 443 and IP Protocol 41 forwarded 


Why Use an Appliance?

Quick Installation

Appliances are shipped with the Windows Server 2012 and Remote Access pre-installed and configured, to eliminate time and effort spent on installation. DAX arrives fully integrated and ready to use straight from the box. 

Simplified Management

No additional staff time is required to configure and manage DirectAccess with the DAX appliance, and the hardware is fully packaged to minimize the burden on your IT staff.

Sophisticated Appliance Features

An optimized operating system and configuration options specifically for the Remote Access solution allows DAX appliances to provide several unique features that aren’t found on traditional hardware servers, such as:

  • Jog Dial and LCD display: enables fast, easy setup, management, and monitoring
  • Web User Interface: simplifies setup, remote configuration of network settings, and management tasks
  • Disaster Recovery: one-button rollback to factory pre-sets

 Single Source Procurement and Tech Support

Celestix supports every layer of the solution, eliminating problems with hardware compatibility or operating system patches. From hardware and operating system to programs like Advanced Hardware Replacement, customers benefit from the power of one vendor.

Ideal for Large Deployments

Organizations with large remote workforces spend too much time and resources managing a farm of multiple units of servers. Celestix provides a pre-configured and standardized platform to reduce time of deployment and lower cost of ownership. Easy appliance replacement is available as organizations grow, without interrupting the Remote Access deployment.  

DirectAccess with 2FA


With an increasingly widespread and mobile workforce, enterprise organizations need a way to offer affordable remote network access while ensuring security and mitigating risks. While protecting network access might be as easy as a username and password when users are within the organization’s walls, remote environments require more advanced security. Integrating Celestix HOTPin two-factor authentication into DAX provides an easier solution to complex password requirements and maximizes security to prevent identity theft.

 

DAX Models

| DAX Models | DAX 3400 | DAX 6400 | DAX 8400 |
|---|---|---|---|
| Type of Business | Designed for small to mid-sized enterprises | Designed for large and multinational enterprises | Designed for large and multinational enterprises |
| Recommended Users | Below 1,000 concurrent users | 1,000 to 3,000 concurrent users | Up to 5,000 concurrent users |
| CPU | Intel i5-3550S | Intel i5-660 | 2 x Intel E5-1620 |
| Memory | 8 GB | 16 GB | 16 GB |
| Cache | 6 MB | 6 MB | 15 MB |
| Front Side Bus | DMI | DMI | QPI |
| Hard Drive | SATA-II hard drive | 2 x SATA-II hot-swappable hard drive | 4 x SATA-II hot-swappable hard drive |
| Disk Mirror RAID | - | RAID 1 | RAID 5EE |
| Gigabit Ethernet Ports | 6 | 6 | 8 |
| Power Supply | 220W auto-switching universal 110/220V AC power supply | Redundant hot-swappable power supply – 2 x 500W | Redundant hot-swappable power supply – 2 x 500W |
| Dimensions (H x W x L) | 1.75″ x 17.3″ x 13.0″ | 1.75″ x 17.3″ x 15.7″ | 3.5″ x 17.4″ x 26″ |


The world’s most deployed platform for Microsoft TMG 2010

Celestix is committed to continue servicing the market for Microsoft TMG 2010 until 2023, enabling businesses to continue deploying this market leading perimeter security platform. Celestix MSA™ security appliances deliver Microsoft’s Forefront Threat Management Gateway 2010 for unmatched multi-threat protection with industry-leading ease of use and value. Performance, reliability, and ease of management backed by expert Celestix customer support have made MSA the world’s best-selling Microsoft security appliances.

 

Microsoft’s Forefront Threat Management Gateway 2010 (TMG) puts fortified layers of best-in-class security functions throughout your network to block, detect, and thwart attacks from beyond the edge, at the edge, and inside your network.

MSA appliance range is the world’s most deployed platform for Microsoft TMG 2010. MSA appliances are built for rapid deployment, simplified management and high performance. The COMET software engine provides an intuitive and feature rich web UI that allows for advanced configuration for both TMG and the appliance.

Celestix provides numerous additional features that complement and enhance the use of TMG. Automated update services provide pre-screened alerts and patches through the web UI, and multiple back-up and restore options provide solutions for disaster recovery.

Because of Celestix’ purpose-built appliance hardware and Comet™ appliance engine software, MSA appliances have earned an international reputation for great performance and reliability. We engineered our 6th generation hardware platforms to optimize the performance of TMG using the latest high-speed components and architecture optimized for 64-bit operations. We harden our appliance hardware platforms by eliminating all hardware components not needed to run TMG. Eliminating extraneous hardware and drivers removes security vulnerabilities and potential points of failure. Simplified hardware also reduces power and cooling requirements for cost savings on energy.

MSA powered by Microsoft TMG, web based protection from Celestix business anywhere solutions.

MSA Appliance Features

Celestix provides numerous additional features that complement and enhance the use of TMG. Automated update services provide pre-screened alerts and patches through the COMET web UI, and multiple back-up and restore options provide solutions for disaster recovery. Celestix appliances are the de facto platform for the secure and risk-free deployment of TMG 2010. Just ask the readers of isaserver.org, who have voted MSA the reader’s choice award winner consistently for the last three years.

Superior security gateway functionality

  • EAL4+ certified application firewall secures your network  with layer 2-7 traffic inspection
  • Market leading proxy and caching engine includes reverse proxy for application publishing and forward proxy for secure web browsing
  • IPSec VPN delivers secure remote user access and site-to-site connectivity
  • Web (URL) filtering blocks users from visiting infected websites and lets administrators control users’ access to enforce corporate web policies.
  • Web anti-virus/anti-malware security functions inspect files, scripts and all other forms of portable code to block sophisticated Web-based attacks
  • HTTPS inspection examines encrypted traffic to detect and stop encrypted malware
  • Network Inspection (intrusion detection/prevention) thwarts suspicious activity inside the firewall
  • Windows Server 2008 R2 (64-bit) operating system

Built for purpose appliance platform

Celestix MSA appliances provide an award winning, hardened turnkey platform for the deployment of TMG 2010. Celestix optimizes both the hardware and software on the MSA appliance to ensure a risk free “right first time” deployment. Celestix helps to lower the cost of ownership through reduced deployment timescales and increased hardware reliability.

  • Rapid deployment with jog dial, LCD display and intuitive interface
  • Simplified administration with COMET user interface
  • Automated patching and updates for application, OS and firmware
  • Out of Band management
  • A range of appliance form factors for Enterprises of all sizes

MSA powered by Microsoft TMG, multi-function perimeter security from Celestix.

MSA Proxy

Unlike competing products that provide web proxy services only, the Celestix MSA featuring Microsoft ForeFront TMG 2010 is an enterprise-class firewall that also supports proxy services (forward and reverse). Because the firewall performs stateful packet inspection and deep application layer inspection, deploying the Celestix MSA as a forward proxy is inherently more secure.

Deploying the Celestix MSA as a forward proxy server improves your organization’s overall security posture in several ways. The first positive benefit is that a proxy provides network isolation. Internal clients are completely segregated from the public Internet and are not allowed to make direct socket connections to remote hosts. Requests from internal clients to external resources are terminated at the proxy, and the proxy creates a new connection to the remote host to retrieve the requested content on behalf of the internal user.

As a forward proxy server, the Celestix MSA also has the ability to authenticate user traffic; it enforces access policies based not only on source, destination, protocol, and port, but on Active Directory user account and group membership as well. This is compelling because it allows security administrators to accurately identify individual users and the sites they visit. When combined with the ISA Firewall Client, the Celestix MSA can also proxy all TCP and UDP based communication. It is not limited to web-based protocols or a small subset of TCP and UDP protocols like other competing products.

You can add additional enhanced security features such as content filtering, anti-virus and anti-malware detection and prevention, and Data Loss Prevention (DLP) utilities when using the MSA as a forward proxy. You can even employ forward SSL inspection utilities that allow the ISA firewall to inspect SSL encrypted communication. Integrating these technologies with the Celestix MSA is an effective way to defend against emerging threats and to provide regulatory compliance.

UTM

Forefront Threat Management Gateway (TMG) 2010 is an integrated edge security gateway that functions as an enterprise-class firewall, caching proxy (forward and reverse), and VPN (remote access and site-to-site) server.

URL filtering, malware inspection, intrusion detection/prevention, and HTTPS inspection can enhance and complement your existing endpoint protection strategy.

URL Filtering

With integrated URL filtering capabilities, TMG firewall administrators now have the ability to apply reputation-based access controls to web-based traffic. URL filtering is the first line of defense in a modern secure web gateway, and by assessing the reputation of web sites being accessed the administrator can prevent users from accessing known malicious sites.

Malware Inspection

Since no URL filtering solution is 100% effective (it is impossible to categorize every web site on the Internet), it is inevitable that users will visit a site that contains malicious software. To address this, TMG includes a gateway-integrated scanning engine to prevent virus and malicious software downloads.

Network Inspection System

Malicious software authors will often attempt to exploit vulnerabilities that might exist in Microsoft operating systems, applications, or networking protocols. To address this, the TMG firewall includes the Network Inspection System (NIS). NIS is a new vulnerability-based intrusion detection and prevention system that performs low-level protocol inspection to detect and prevent attacks against these vulnerabilities.

HTTPS Inspection

HTTPS communication presents a special challenge to many firewalls. Often referred to as the “universal firewall bypass protocol”, HTTPS encrypts application layer data which prevents even the most advanced application layer firewalls from inspecting this communication. For many years, virus and malware authors have used HTTPS as a way to move malicious or infected payloads through secure web gateways without being detected. Malicious users have been using HTTPS as a channel to circumvent access control with proxy avoidance software.

HTTPS inspection closes this loophole. With HTTPS inspection enabled, the TMG firewall copies the originally requested SSL certificate and issues the user a duplicate. The TMG firewall can now terminate the SSL session at the Internal network interface and decrypt and inspect all outbound HTTPS communication. With HTTPS inspection enabled the TMG firewall has access to unencrypted application layer data which has many positive effects. The TMG firewall now has access to the full request path, not just the IP address of the site. With this additional information it can more accurately enforce URL filtering. The TMG firewall can now also enforce HTTP policy and inspect content for viruses and malicious software.
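The visibility difference described above, as an added example (not Celestix or Microsoft code): a forward proxy evaluates the same constructed URL-filtering policy once with only the CONNECT line visible and once with the decrypted inner request. The rule set, host names, request heads and function names are assumptions made for illustration, and the matcher is a simplified stand-in for URL filtering that also normalises the path before matching.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy: hosts and categories are placeholders, not TMG's category set.
# prefix=None means the whole host is blocked; otherwise only that path subtree is.
RULES = [
    {"host": "bad.example.org", "prefix": None, "category": "Malicious"},
    {"host": "files.example.net", "prefix": "/proxy-avoidance/", "category": "Anonymizers"},
]


def parse_connect(head):
    """Host and port from a CONNECT request line: all a proxy sees of a tunnel."""
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(":")
    return host.lower(), int(port)


def parse_inner(head):
    """Normalised path of the request that is readable once the tunnel is decrypted."""
    _method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    raw_path = target.split("?", 1)[0]
    # Decode %xx and collapse ../ so an encoded or dotted path cannot dodge a prefix rule.
    norm = posixpath.normpath(unquote(raw_path))
    return "/" + norm.lstrip("/")


def evaluate(host, path):
    """Return (action, category). path=None means the path is not visible."""
    for rule in RULES:
        if rule["host"] != host:
            continue
        if rule["prefix"] is None:
            return "block", rule["category"]
        # A path rule can only fire when the proxy can actually read the path.
        if path is not None and (path + "/").startswith(rule["prefix"]):
            return "block", rule["category"]
    return "allow", None


def decide(connect_head, inner_head, inspect):
    """Policy decision for one flow, with or without HTTPS inspection."""
    host, _port = parse_connect(connect_head)
    path = parse_inner(inner_head) if inspect else None
    return evaluate(host, path)


# Constructed sample flows: (CONNECT seen by the proxy, request inside the tunnel).
FLOWS = [
    ("CONNECT files.example.net:443 HTTP/1.1\r\nHost: files.example.net:443\r\n\r\n",
     "GET /docs/manual.pdf HTTP/1.1\r\nHost: files.example.net\r\n\r\n"),
    ("CONNECT files.example.net:443 HTTP/1.1\r\nHost: files.example.net:443\r\n\r\n",
     "GET /proxy-avoidance/client.exe HTTP/1.1\r\nHost: files.example.net\r\n\r\n"),
    ("CONNECT files.example.net:443 HTTP/1.1\r\nHost: files.example.net:443\r\n\r\n",
     "GET /docs/%2e%2e/proxy-avoidance/client.exe?v=2 HTTP/1.1\r\nHost: files.example.net\r\n\r\n"),
    ("CONNECT bad.example.org:443 HTTP/1.1\r\nHost: bad.example.org:443\r\n\r\n",
     "GET /index.html HTTP/1.1\r\nHost: bad.example.org\r\n\r\n"),
]


def compare():
    """For each flow: (host, inner path, decision without inspection, decision with)."""
    rows = []
    for connect_head, inner_head in FLOWS:
        host, _port = parse_connect(connect_head)
        rows.append((host, parse_inner(inner_head),
                     decide(connect_head, inner_head, inspect=False),
                     decide(connect_head, inner_head, inspect=True)))
    return rows


if __name__ == "__main__":
    for host, path, blind, inspected in compare():
        print(f"{host}{path}: without inspection={blind[0]}, with inspection={inspected[0]}")
```

Host-wide rules fire either way; the path-scoped rule only fires once the inner request is readable, which is the gain in URL-filtering accuracy the paragraph describes.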

Compare MSA

 
| MSA Models | MSA 3400 | MSA 6400 | MSA 8400 |
|---|---|---|---|
| Ideal for | Medium sized businesses requiring an affordable, integrated security appliance with unmatched ease of use | Medium enterprises/main offices that need strong security and a solution that offers business continuity. | Main offices/headquarters with up to 5,000 users that need high availability, enterprise grade performance & security. |
| Recommended Users* | 100 – 500 users | 3,000 – 6,000 users | up to 10,000 users |
| Microsoft TMG 2010 Edition | Workgroup Edition, Branch Edition | Standard Edition, Branch Edition | Enterprise Edition, Enterprise Edition |
| CPU | Intel i5 | Intel E3 | 2 x Intel E5 |
| Memory | 8 GB | 8 GB | 16 GB |
| Number of Processor | 4 cores | 4 cores | 12 cores (hyperthreading) |
| Cache | 6 MB | 6 MB | 15 MB |
| Hard Drive | SATA-II hard drive | 2 x SATA-II hot-swappable hard drive | 4 x SATA-II hot-swappable hard drive |
| Disk Mirror RAID | - | RAID 1 | RAID 6 |
| Gigabit Ethernet Ports | 6 | 6 | 8 (with 10 GbE ports option) |
| Power Supply | 220W power supply with universal AC input | Redundant 250W+250W power supplies with universal AC input | N+1 Redundant configuration 500W power supplies with universal AC input |
| Dimensions | 1.75″ x 17.3″ x 13″ | 1.75″ x 17.3″ x 21.5″ | 3.5″ x 17.4″ x 23.25″ |

* Performance Guidelines Only, Actual performance may vary depending upon networking and application environment.


Ready-to-deploy BMC BladeLogic patch management repeaters, comprehensive security management and compliance for client devices.

Keeping software updated in large pools of client devices such as laptops, PCs, ATMs, and kiosks is very time consuming and costly. The time it takes to manually deploy software patches and updates to vast numbers of clients impairs productivity. Clients that don’t have the latest patches are active security threats and hurt compliance. In large enterprises, automating client software management to improve speed and economy is a necessity.


BMC Series appliances from Celestix are the most cost-effective solution now available for providing the repeater function large enterprises need to deploy the BMC BladeLogic Client Automation system. Repeaters ensure that all managed client devices have current and compliant software. Celestix BMC Series appliances are the fast, easy, and economical way to insert repeaters into a BMC BladeLogic Client Automation infrastructure.

Automated Patch Management

The BMC BladeLogic Client Automation Patch Management Module that resides in Celestix BMC Series appliances is an extension to the BMC BladeLogic Client Automation (formerly Marimba) solution, which automates the entire lifecycle management of client devices. This system helps organizations:

  • Provide patch and security compliance by detecting vulnerabilities and performing auto-remediation
  • Dramatically lower maintenance and support costs
  • Maximize productivity via continuous patch management regardless of client location or access
  • Automatically verify and report on the compliance status of any system under management

Simplifying the BladeLogic Patch Manager Repeater

Celestix BMC appliances significantly reduce the time and risk of deploying BladeLogic Patch Manager Repeater nodes. BMC Series appliances come preconfigured with a hardened Linux operating system, appliance engine/UI, and BMC BladeLogic Patch Manager software. In a matter of minutes, Celestix BMC Series appliances are up, running, and connected to the BladeLogic Patch Management network, which greatly cuts the cost and time of deployment.

Celestix repeaters include integrated update, configuration, and management tools embedded in an industry-standard web user interface, which provides a set of commands, reporting, alerting, and other core tools to ease administrators into routine management and use.

Why Use an Appliance?

Procurement – With BMC appliances you purchase integrated solutions from one source that are ready to use straight from the box. Otherwise, you purchase separate hardware, operating system, and BMC components—with each part requiring multiple levels of approval.

Celestix Appliance Hardware - Celestix purpose-builds their 5th generation X4 appliance hardware to optimize the performance of BMC BladeLogic software and to deliver high reliability year after year. The Celestix X4 appliance platform uses high-speed, high throughput architecture and components throughout—without extraneous components that add cost and complexity. You receive the performance you want with minimal points of vulnerability as compared to generic-server deployments.

COSMOS Appliance Engine – Based on a Linux kernel, the COSMOS engine provides several unique features for ease of use:

  • Jog Dial and LCD display enables headless communication with the network to set up, manage, and monitor the appliance on site.
  • Web UI to manage each BMC appliance: simple setup, remote configuration of network settings, and options to view logs, reboot, receive alerts, update software, and others.
  • Disaster Recovery – Each BMC appliance includes Last Good Version (LGV) functionality. LGV allows administrators to back up and restore units to predefined recovery points. You can also reset a BMC appliance to factory default settings using Celestix’ one button rollback feature.
  • Software Update System – receive pre-screened updates and patches to all appliance software layers—OS, Appliance Engine, and BMC application—from one convenient management interface.

Optimization and Security – Celestix preconfigures each BMC appliance with a transmitter that extends the BMC Configuration Automation for Clients implementation. Celestix has optimized and hardened the operating-system and configuration options specifically for the BMC Configuration Automation for Clients solution.

Time – With the BMC appliance there is no need to dedicate long hours of staff time to configure individual whiteboxes to act as repeaters for BMC Configuration Automation for Clients. Celestix has completed the packaging to minimize the burden on IT staff.


Secure, seamless access across physical, virtual, and cloud servers.

  • An Integrated platform that delivers comprehensive, consistent and secure connectivity across the datacenter and into the cloud for mobile users, on premise staff and distributed offices.
  • Windows Server 2012 R2 based Unified Remote Access for on-premise traditional connectivity (Traditional RRAS based VPN, DirectAccess, Web Application Proxy) for enterprise devices as well as BYOD application support.
  • Turnkey deployment and a single management interface.
  • Secure remote access to applications in the cloud and on-premises
  • Site to Site VPN access between private and public clouds, or multi cloud
  • Makes your cloud migration journey secure through end to end auditing and monitoring of connectivity.

Product Overview

Today, with the rise of cloud computing, we have a redefined vision of IT. Organizations are increasingly diversifying their IT infrastructure and moving from physical to a mix of physical, virtual, and cloud environments. This transformation in the datacenter is bringing new challenges in getting secure and consistent connectivity across different IT systems, cloud services, and plethora of devices. In virtualized and cloud computing environments, legacy perimeter security solutions are not fully equipped to provide seamless connectivity, critical for utilizing the benefits from scalable, agile, and cost effective cloud infrastructure.

Cloud Edge Security  

Celestix series of Cloud Edge Security Appliances bring the power of the Microsoft Cloud OS into your datacenter. Cloud operating systems and services are now critical, even within private datacenters. Microsoft’s Cloud OS platform tightly integrates with the Celestix Cloud  Edge Security Appliances. Our dedicated Cloud OS hardware and management experience extends the best of Microsoft’s battle-tested Cloud OS software, based on Windows Server 2012 R2, into a completely integrated hardware and software platform.

 
Celestix E Series Cloud Edge Security Appliance, based on Windows Server 2012 R2, offers dedicated hardware and management software for end to end management of secure access to on premise and cloud resources. This out of the box solution reduces the cost and complexity of tying together diverse connectivity options. It empowers IT administrators to handle datacenter and cloud workloads smoothly; to support employees wherever they work; and to integrate employees’ personal mobile devices into the enterprise fabric.

Features

The tightly integrated features of the Cloud Edge Security Appliance ensure secure and seamless connectivity across datacenter and cloud resources.

  • Unified Remote Access
    Various remote access infrastructure components such as traditional RRAS VPNs as well as Microsoft DirectAccess are consolidated to provide different connectivity options from a single appliance without the hassle of dealing with different cross-vendor solutions.
  • Microsoft DirectAccess provides secure always-on connectivity for Windows 7/8/8.1
    DirectAccess helps users to experience the full corporate environment from any location through any internet connection. All assets from intranet websites to line-of-business applications are accessible for the user without any need to manually connect to the enterprise. This reduces connection problems, productivity bottlenecks, and IT support cases. “Always-on” remote management also ensures that all devices are updated and in compliance with group policy at all times. 
  • VPN – Traditional cross platform VPN for Windows, Android, Mac OSX and iOS access
    Clients using non-Windows devices or those not using the enterprise version of Windows 7/8/8.1 can fall back on traditional VPN for their remote access requirements.
  • HOTPin multi-factor authentication integration out-of-the-box
    Celestix HOTPin two-factor authentication integrates with the Cloud Edge Security Appliance to provide a simple solution to complex password requirements and maximizes security.
  • Web Application Proxy for secure on premise website access and identity federation
    Web Application Proxy allows administrators to publish applications selectively for external access. It enables end users to access these applications from outside the corporate network using any device. Web Application Proxy pre-authenticates application access with Active Directory Federation Services. It also provides reverse proxy functionality to provide seamless application access to users. It can also be deployed with VPN in a remote access deployment.
  • Work Folders
    Work Folders can be used to store and access work files on personal computers and devices from anywhere. For BYOD environments, Work Folders can be a very simple and easy way to access important files.
  • Workplace Join
    With the explosion of smart phones and tablets, organizations have been debating the benefits and security risks of adopting a bring-your-own device (BYOD) policy. Workplace Join enables simplified registration of personal and corporate devices, empowering organizations to provide a seamless sign-in experience to company resources from trusted devices.

    Web Application Proxy works in conjunction with Workplace Join letting users register their personal devices with Active Directory. Organizations can even drive conditional access to applications for these Workplace-Joined devices based on their attributes stored in the directory.

  • Hybrid cloud connectivity between private and public clouds
    Site-to-Site VPN enables access between private and public clouds, or multiple cloud providers, by establishing a secure connection from an enterprise datacenter to the cloud infrastructure. This allows users to access resources across clouds without having to explicitly establish individual VPN connections to them.
  • Remote Desktop Gateway for complete and secure remote desktop connectivity
    Remote Desktop Gateway enables authorized users to connect to remote computers on a corporate network from any computer without creating a VPN connection. It uses the Remote Desktop Protocol (RDP) along with the HTTPS protocol to help create a more secure, encrypted connection. Remote Desktop Gateway allows you to share a network connection with other programs running on your computer enabling you to send and receive data over the remote connection.

Why use the Celestix Cloud Edge Security Appliance

  • Purpose-built appliance – does not require the level of expertise that do-it-yourself solutions require, and reduces deployment time while reducing total cost of ownership. Administrators are not required to source and procure all the different hardware components, assemble the device, install and harden the operating system, and install and configure the application. Administrators can achieve higher performance with optimized hardware and software.
  • Improved Celestix COMET software engine is the heart of the appliance. The new and improved purpose built software engine and management console is a single interface to manage appliance and software components. It provides an intuitive and feature rich web UI that allows for advanced configuration of role & feature settings and provides automated updates.
  • Enhanced Resilience – Ability to clone HDD profiles as well as integrated back-up and restore functionality for disaster recovery.
  • Jog Dial, LCD display and front-facing ports – enable fast, easy setup, management, and monitoring.
  • Simple Deployment – provides a pre-configured and standardized platform to reduce time of deployment.
  • Quick Installation – No additional staff time is required to configure and manage Cloud Edge Security Appliance, and the hardware is fully packaged to minimize the burden on your IT staff.
  • Single Source Procurement and Tech Support – Celestix supports every layer of the solution, eliminating problems with hardware compatibility or operating system patches. From hardware and operating system to programs like Advanced Hardware Replacement, customers benefit from the power of one vendor.
  • Out-of-band management – Administrators can monitor the appliance through a separate port even while booting up.

Screen Shots

[Screenshots: Quick Startup, Status Information, Network configurations, Maintenance services, Enable and disable Features, Network Interfaces, Alert E-mail]

Models

| DAX Models | E3400 | E6400 | E8400 |
|---|---|---|---|
| Type of Business | Designed for small to mid-sized enterprises | Designed for large and multinational enterprises | Designed for large and multinational enterprises |
| Recommended Users | Below 1,000 concurrent users | 1,000 to 3,000 concurrent users | Up to 5,000 concurrent users |
| CPU | Intel i5 Quad Core | Intel E3 Quad Core | 2 x Intel E5 Hexa Core |
| Memory | 8 GB | 16 GB | 16 GB |
| Hard Drive | SATA-II hard drive | 2 x SATA-II hot-swappable hard drive | 4 x SATA-II hot-swappable hard drive |
| Disk Mirror RAID | - | RAID 1 | RAID 6 |
| Gigabit Ethernet Ports | 6 | 6 | 8 |
| Power Supply | 220W auto-switching universal 110/220V AC power supply | Redundant hot-swappable power supply – 2 x 500W | Redundant hot-swappable power supply – 2 x 500W |
| Dimensions (H x W x L) | 1.75″ x 17.3″ x 13.0″ | 1.75″ x 17.3″ x 15.7″ | 3.5″ x 17.4″ x 26″ |
