IPSec VPNs: Take Us To the Pilot
September 20, 1999

Assured Digital ADI-4500

Assured Digital ADI-4500 offers fewer configuration options than any of the other devices we tested and it fared little better in performance than TimeStep's Permit/Gate 7520. But to its credit, what ADI-4500 does, it tends to do well. Seamless installation and near error-proof configuration and management are the hallmarks of this device. Performance is not. Achieving barely more than 50 MBps throughput, the ADI-4500 was far slower than either VPNet's VSU-1100 or RedCreek's Ravlin 7100. Despite this performance differential, if the ADI-4500 supported features such as transparent installation and configurable subnet participation, it would have been in serious contention with VSU-1100 for the top spot. Unfortunately, ADI assumes that you will install the ADI-4500 as a router and that all the subnets behind the ADI-4500 are to be protected. These are two assumptions that don't fit all instances. For example, a remote office may need a VPN to the main office while still accessing the Internet.

The ADI-4500 is an all-or-nothing proposition in regard to VPN. Traffic is either tunneled or it isn't. There is no provision for passing traffic in the clear through an ADI-4500, and when we asked ADI representatives about that, they wanted to know why we would ever want to do that. In many cases, some traffic within an intranet or extranet needs to be secured through a VPN, while other traffic destined for the Internet should pass in the clear. More important, any services used by any of the ADI-4500s need to be accessible to all of them. This became a notable problem when we tried to certify our gateways because our Entrust CA was installed on the protected network. We couldn't pass traffic in the clear, so we couldn't certify both devices. We would have had to move our CA. That's certainly not a task you want to undertake in an enterprise setting.

We did certify one ADI-4500 with our Entrust CA. Oddly enough, this is such a new feature that we had to do it on the command line, which will become a feature in the future, though ADI is making it available to installations that require it. Like TimeStep's Permit/Gate 7520, the ADI-4500 has a client that can request Entrust certificates online. With a few commands we were done. Currently, certificate-based IKE VPN configuration is still accomplished on the command line as well.

Client support is very good. The client isn't intimidating from a user perspective. Managing users with AMS is equally straightforward. Before users can begin using the ADI-100 client, the administrator has to extract individual licenses from a set of licenses supplied by ADI. Here's how the extraction process works: The AMS inserts ID and addressing information for the designated ADI-4500, generates a client license file, and encrypts it with a password you will supply to the user to unlock the file. Once that is complete, the client disks and ID file are ready for installation. You have the option to configure ADI-100 devices individually, though bulk management is more efficient in large user populations.

If you are migrating users from modem-pool remote access, the ADI-4500 can authenticate them against your existing RADIUS server. We added RADIUS support in minutes.

ADI-4500, $9,995. Assured Digital, (888) 234-8767, (978) 486-0555; fax (978) 486-3772. www.assured-digital.com


ADI's strength is foolproof VPN construction within the ADI Management System (AMS). Once the ADI-4500s are defined, located and authenticated by the AMS, the bulk of the work is done. All that's left is to configure the specific security requirements for each VPN. Within the AMS, ADI devices such as ADI-4500 and ADI-100 clients are placed into administrative domains. A domain is a logical grouping of devices that share a common VPN. Normally devices can't exist in more than one domain, but the ADI-4500 can. We placed our ADI-4500 in the same domain, created a VPN using 3-DES encryption and MD-5 authentication, and we were finished. The AMS updated the ADI-4500s with the new configuration. No stress, no mess. There are additional options unique to the ADI-4500, including setting a default VPN route and forwarding DHCP requests across the VPN.

By the same token, we had to install our AMS on the unprotected network because all the ADI-4500s need to communicate with it as well. In some cases, you need to have your management station on the Internet if you want to protect your entire network.









