The SmartGate server runs on Windows, Solaris, RedHat Linux and BSD servers. V-One also sells a rack-mount Linux-based appliance. This machine behaves like a VPN box; it allows client/server or site-to-site tunnels. You can currently only create site-to-site tunnels using the Windows or Linux appliance versions, but a Solaris port is in the works.
I ran the SmartGate server in my tests on a Dell Optiplex GX1 running Windows NT. The impressive part of this software is the number of supported client operating systems. SmartPass (the client software) runs on Windows 95/98/NT/2K/ME, WindowsCE, PocketPC, MacOS, Solaris, Linux and some versions of the Palm OS. In a cross-platform environment, this is quite an important feature, especially if some of your users run Macs or Linux at home or at work.
As expected, this product is similar to other VPN products on the market. It supports SecurID, RADIUS, IPSec (IP Security) and x.509 PKI (public key infrastructure) certificates. SmartGate also supports 3DES, DES, MD5 and SHA. Site-to-site connections use a shared secret IPSec key, rather than IKE (Internet key exchange). V-One says that site-to-site connectivity isn't really this product's strength, and I agree. The client/server connections work a bit better. While the client/server tunnels also do not support IKE, they do use V-One's own proprietary key exchange protocol. Here, keys are updated every 15 to 120 minutes, as set by the administrator.
Management is handled via SmartAdmin, a Windows-only management program. It has a rather simple, no frills interface. The online help system is present everywhere, and that's a good thing; it explains all the options available on a particular screen. (V-One essentially uploaded the print administrators' guide and displays the appropriate pages on the screen.)
Unfortunately, the administrative interface still leaves a bit to be desired. You can't see the status of the tunnels or which users are connected from the management interface. To check the status of a tunnel, you need to ping the remote side. If 'host not responding' comes back, the tunnel is down. If you get an echo, the tunnel is up -- not an elegant solution. This particularly annoyed me as I set up the tunnels, because I couldn't easily check their status.
Although the software does have some reporting capabilities, they're limited. Failed authentications, administrative access, number of bytes transmitted and a few other statistics are available via daily, weekly, monthly and annual Perl scripts. Of course, to take advantage of these features you need to have Perl installed.
The OLR (online registration) is a pretty neat feature. I found this part a bit fun to test. Users point their web browsers at the VPN device. From there, they download the client software. In my test case, my client machine was a Windows 2000 box. After installation, users reboot and go to the OLR page again to register. The OLR page is customizable, allowing users to select what kind of information they need to enter. Some options include name, passwords, and social security number. Users submit this information and wait for the administrator to approve them.
In SmartAdmin, under the list of users, new registrants appear in red text. You just have to right-click on each, enable them and they're enrolled. It's very quick, very simple. You can also create a text file to automatically approve users by matching up registration criteria. For example, if someone registers with the name Mike DeMaria and SSN 111-22-3333, he is automatically enabled.
You can also enable NAT (network address translator) for packets that pass through the SmartGate Server. SmartGate uses a 1:1 NAT translation. Users can be given an unroutable IP address, such as something on the 10.0.0.0 network. In this setup, every user gets his or her own IP on the internal network, instead of sharing a single address. The reason for this, according to V-One, is so that remote users can share hard drives via the Network Neighborhood. You cannot do one-to-many addressing with their implementation of NAT.
One quirk exists with this NAT implementation: When a user connects and is assigned an IP address, that address is not returned to the NAT pool until the server is rebooted. In other words, if you have 100 users, you must set aside 100 IP addresses -- even if you have, at most, 10 users connected at any one time. V-One describes this as not a perfect implementation, and it's looking to fix it. We agree that this is poor.
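To make the sizing consequence of that quirk concrete, here is an added model of a 1:1 NAT address pool (example code written for this review, not V-One's implementation): the leaky mode keeps every address reserved for the user it was handed to until a restart, while the corrected mode returns it on disconnect. The network block, user names and session counts are constructed for the illustration.

```python
"""Constructed model of a 1:1 NAT pool with and without lease release."""
import ipaddress


class NatPool:
    """Hands each VPN user its own internal address from a fixed block (1:1 NAT).

    release_on_disconnect=False reproduces the reviewed behaviour: an address,
    once handed out, stays reserved for that user until the server restarts,
    so the pool must hold one address per registered user rather than per
    concurrently connected user.
    """

    def __init__(self, network, release_on_disconnect):
        self._free = list(ipaddress.ip_network(network).hosts())
        self._leases = {}  # user -> address currently or previously assigned
        self.release_on_disconnect = release_on_disconnect

    def connect(self, user):
        if user in self._leases:  # sticky address from an earlier session
            return self._leases[user]
        if not self._free:
            raise RuntimeError("NAT pool exhausted")
        addr = self._free.pop(0)
        self._leases[user] = addr
        return addr

    def disconnect(self, user):
        if self.release_on_disconnect:
            # corrected behaviour: the lease goes back to the free list
            self._free.append(self._leases.pop(user))

    def free_count(self):
        return len(self._free)


def sessions_before_exhaustion(network, release_on_disconnect, max_sessions=1000):
    """Count how many distinct users can connect one after another (never
    more than one connected at a time) before the pool refuses a request."""
    pool = NatPool(network, release_on_disconnect)
    for i in range(max_sessions):
        user = f"user{i}"
        try:
            pool.connect(user)
        except RuntimeError:
            return i
        pool.disconnect(user)
    return max_sessions
```

With a /25 block (126 usable hosts) the leaky pool serves exactly 126 users and then fails, even though only one of them is ever connected at a time; the corrected pool never runs out in this sequence.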
Another unique piece is a Java client. This applet is launched in the Web browser and acts like a proxy. The idea behind this setup is that you do not need to install IPSec or VPN software. The user name and password are authenticated using a third party, such as LDAP, RADIUS or SecurID, so you need one of those systems in place to take advantage of this feature.
The applet is pushed down to the client machine through a Web browser, from which you can either view Web pages or an intranet Web site, or run Citrix thin-client programs. Granted, it doesn't allow for as much flexibility as the client software, but it gets the job done. You need to be able to set the proxy settings for this to work, however. So, for example, if a user is at a friend's house, he can change the http proxy to localhost, authenticate with the Java client, VPN into the network, check his Web-based e-mail and then log out, without leaving any tokens behind.
This product isn't too bad for client/server VPN tunnels. The OLR makes adding a new user simple, which can be handled by the interns or your loyal PFY (pimply faced youth -- see http://bofh.ntk.net/Bastard.html). However, it's a bit weak on site-to-site, and it really shouldn't be deployed for this purpose.
Pulling strength from its client/server capabilities, this product will support more than just Windows users (so your loyal Mac telecommuters can now justify requesting a Titanium PowerBook over a ThinkPad), and it can even handle secure connections with handheld Palm computers.
A demo version is available on V-One's Web site, so doing your own testing and exploration is cheap and easy.
Michael J. DeMaria is a contributing editor for Network Computing magazine. He is a system administrator in Syracuse, New York. He can be reached via the Internet at mdemaria@nwc.com.