The RAS3000 remote access VPN appliance is the first to support SSL VPN features for Microsoft Exchange Server 2003. The enhancements allow remote corporate users to connect to their corporate Exchange Server using Outlook clients to access emails and folders without a VPN connection. Any remote user with a notebook computer can launch Outlook at work, pick up email, take the notebook home, plug it in, and get new email without adjusting any settings.
RAS3000 has been enhanced to:
Leverage full power of Exchange Server 2003 email and collaboration features for remote users.
Eliminate invocation of VPN client or downloading of Java applet.
Save support costs by ending the need for modification to the client computer.
Reduce deployment to 15 minutes.
Integrate seamlessly with Active Directory for authentication.

Problem Definition
SSL VPN access is being requested by more and more customers in order to complement traditional PPTP and L2TP/IPSec offerings for remotely accessing corporate Microsoft® Exchange Collaboration Services.
For Microsoft® Outlook 2003 to communicate with Microsoft® Exchange Server, the Outlook 2003 client performs Remote Procedure Calls (RPC) on TCP port 135. RPC employs a weak form of encryption that is generally not suitable outside the enterprise, and RPC is also a common target for external security breaches.
The benefit of using the Celestix SSL VPN is that Microsoft Outlook 2003 can connect to the MS Exchange collaboration server from any remote client machine that can access an HTTPS (secure) Internet site. There is no VPN client to be invoked and no additional firewall ports that need to be opened. In addition, unlike L2TP/IPSec VPNs, SSL VPN connectivity is not affected by Network Address Translation (NAT).
With PPTP or L2TP/IPSec remote access VPNs, a user receives an IP address directly on an internal network and then can generally access any available application on the system that worked on the LAN. With an SSL VPN, the user never has direct access to a resource on the internal network. The only mechanism to access the Exchange Server collaboration services is via Web proxying of MAPI (Messaging API, which uses Remote Procedure Call - RPC) traffic over HTTPS.
Using the Celestix SSL VPN and user accounts configured for Exchange cached mode, Microsoft Outlook users can continue to work with their mail and contacts data even when disconnected from the network. Outlook periodically checks for network connectivity and automatically reconnects and synchronizes the information when the network connection becomes available.
Technology Details
For Outlook 2003 to communicate with Microsoft Exchange Server, the Outlook 2003 client performs RPC on a specific TCP port. RPC employs a weak form of encryption that is generally not suitable outside the enterprise. In addition, RPC is a common target for external security breaches.

Fortunately, RPC can be redirected to use HTTPS as the transport mechanism. Outlook 2003 has a native proxy that intercepts RPC requests and transmits them over HTTPS to the proxy located within the enterprise, which in turn communicates with the Exchange server. To provide remote connectivity via Outlook 2003, the proxy located on the enterprise needs to run as an edge device with simultaneous connectivity to the Internet and the enterprise LAN. The RAS 3000 will provide this proxy function for Outlook 2003 clients.
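The edge proxy described above only has to forward one kind of traffic, so its filtering decision can be stated compactly. The following Python model is an added example, not Celestix or Microsoft code: it assumes a constructed request record, uses the RPC_IN_DATA/RPC_OUT_DATA methods and /rpc/rpcproxy.dll path that Windows RPC over HTTP uses, and models the per-user SSL VPN permission and authentication-failure report that later sections describe.

```python
"""Model of the edge filter in front of the Exchange RPC proxy (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# RPC over HTTP uses these two HTTP methods against the RPC proxy ISAPI path.
RPC_PROXY_PATH = "/rpc/rpcproxy.dll"
RPC_HTTP_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}


@dataclass(frozen=True)
class Request:
    """One connection attempt as seen by the edge device (constructed layout)."""
    src: str
    dst_port: int
    tls: bool
    method: Optional[str]
    path: Optional[str]
    user: Optional[str]    # identity confirmed against Active Directory; None if auth failed
    sslvpn_allowed: bool   # per-user/group policy: is SSL VPN access granted?


def decide(req: Request) -> str:
    """Return 'allow' or 'drop: <reason>' for a single request."""
    if req.dst_port == 135 or not req.tls:
        return "drop: raw RPC or non-HTTPS"        # only HTTPS is ever forwarded to the LAN
    if req.dst_port != 443:
        return "drop: unexpected port"
    if req.method not in RPC_HTTP_METHODS or req.path != RPC_PROXY_PATH:
        return "drop: not RPC over HTTPS"          # e.g. browsing to any other URL
    if req.user is None:
        return "drop: authentication failed"
    if not req.sslvpn_allowed:
        return "drop: user not permitted SSL VPN"  # account limited to PPTP/L2TP access
    return "allow"


def auth_failures_by_source(requests) -> Counter:
    """Ad-hoc report: authentication failures per source address."""
    return Counter(r.src for r in requests
                   if decide(r) == "drop: authentication failed")


# Constructed sample traffic: one legitimate Outlook client and five rejects.
SAMPLE = [
    Request("203.0.113.10", 443, True, "RPC_IN_DATA", RPC_PROXY_PATH, "alice", True),
    Request("203.0.113.11", 135, False, None, None, None, False),
    Request("203.0.113.12", 443, True, "GET", "/exchange/", None, False),
    Request("198.51.100.7", 443, True, "RPC_OUT_DATA", RPC_PROXY_PATH, None, False),
    Request("198.51.100.7", 443, True, "RPC_IN_DATA", RPC_PROXY_PATH, None, False),
    Request("203.0.113.13", 443, True, "RPC_IN_DATA", RPC_PROXY_PATH, "dave", False),
]
```

Running `decide` over `SAMPLE` allows only the first request; `auth_failures_by_source(SAMPLE)` attributes both authentication failures to 198.51.100.7.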
Market
A majority of SSL VPN appliances being deployed by enterprises are used to provide access to mail services for their employees. These SSL VPN appliances are expensive and cumbersome to deploy. Also, since SSL VPN cannot solve all problems such as access to many kinds of applications using non-web protocols like Windows Terminal Services, vendors like Cisco, NetScreen, Nortel and Checkpoint have started incorporating SSL VPN features into their traditional VPN products.
With the SSL VPN enhancement to the RAS 3000, enterprises with Microsoft back ends will have a robust and simple solution that satisfies nearly all remote access requirements. Power users can still utilize full PPTP or L2TP/IPSec access, while novice users and upper management can have just SSL VPN access. This will drastically decrease security and support costs.
With RAS 3000 SSL VPN access, users can have access to all Microsoft Exchange Collaboration Services directly from their Outlook 2003 client. Most other SSL VPN vendors utilize Outlook Web Access (OWA) for providing email access to remote users. OWA is a slimmed-down version of the Outlook client that uses a web interface. The Celestix approach (RPC over HTTPS) is far superior to OWA in terms of speed, ease of use, and flexibility, and provides the customer with full access to all Microsoft Exchange Collaborative Services such as Calendar coordination, etc.
The value of the SSL VPN increases as more and more enterprises deploy the Microsoft CRM solution because of its strong integration with Microsoft Exchange. With Microsoft CRM deployed in the enterprise, remote users can easily get access to their customer contact information stored in the Microsoft CRM database from their Outlook client.
Authentication Method
The SSL VPN implementation provides smooth integration with Active Directory. The administrator has many options when configuring user-level or group-level VPN access, which include:
- Allow PPTP or L2TP/IPSec access only
- Allow SSL VPN access only
- Allow both PPTP or L2TP/IPSec and SSL VPN access
When a user is allowed both SSL VPN and traditional VPN access, the user can pick and choose the type of access based on need.
Users are authenticated via userid/password for SSL VPN. In a future release, users can be forced to use 2-factor one-time password token for authentication.
Advantages of deploying RAS3000 SSL VPN for Exchange
Increased Security - The RAS3000 is system hardened and optimized for remote access. The appliance incorporates a stateful firewall which permits only RPC over HTTPS to pass through. With one wrong registry setting, your whole enterprise could be exposed to the Internet; why risk it?
Performance - The RAS3000 utilizes hardware-based SSL acceleration to ensure the highest level of performance. In addition, RPC over HTTPS settings are optimized to increase throughput by default.
Real-time Connection Monitoring - User connections can be monitored in real-time to determine the number of concurrent users.
Historical User-Level Reporting - The embedded database provides extensive auditing possibilities. Built-in report templates allow administrators to run reports in an ad-hoc fashion. User reports, daily summaries, and authentication failures are all available for security scrutiny.
Reduction in Deployment Time - Purchasing the RAS3000 appliance will drastically reduce your deployment time. There is no need to evaluate/purchase a hardware platform, install the operating system, configure RPC over HTTPS, and lock the server down. In fact, wizards will walk you through a deployment of the RAS3000.
Single Contact for Support - This is an often overlooked advantage of purchasing a hardware-based solution. In a do-it-yourself software solution, it is often hard to determine who to contact - software vendor, OS vendor or the hardware manufacturer. With Celestix, our support technicians are focused on security and have probably experienced your issue before.
One-button Rollback - Problems with your RAS3000 deployment? Just use the knob on the front panel to reset your appliance back to a factory default state.
Built for datacenter deployment - 1U rackmount with LCD that displays useful information such as machine name, IP addresses, number of current connections, etc.