Security
FEATURE
Contivity Captures VPN Crown

  March 18, 2002
  By Michael J. DeMaria



Printer Print Full Article
Printer Print This Page
Printer Download the PDF
E-Mail E-Mail This URL
>> continued from previous page

Nortel Contivity VPN 4600 running Contivity VPN Client 4.0

Nortel clearly spent a lot of time polishing its Web-based user interface. Not only does it have a "notebook" (reduced graphics) mode, but it also offers setup wizards and a guided configuration. The config gives information about each of the gateway's functions, outlining goals, time spent, information needed and tips for each config area. It's similar to a tax-form instruction sheet, though not nearly as complex. The 4600 also provides a superior management interface, simple user and group management, bandwidth provisioning, and extensive operating system support.

This box supports many different WAN interfaces, including T1, HSSI (High-Speed Serial Interface) and modems. The only other vendor to offer WAN connectivity is Check Point. Because Check Point VPN-1 runs on a standard PC, you can use any Linux- or Windows NT-compatible WAN card with VPN-1. The gateway also can ping and traceroute, and see the ARP (Address Resolution Protocol) table right from the GUI.

Nortel's solution works on a hierarchical inheritance model. Users are managed in groups, with each group member having the same access privileges and settings. You start with a base group that contains global settings applying to everyone. You can create groups from that main group, and changed settings override the base settings. And you can do this for multiple levels; Cisco's offering, in comparison, allows inheritance for one level only. Contivity's flexibility in this area makes it very easy to create broad configurations and form specialized overrides for small groups of people.
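The multi-level inheritance model described above, as an added illustration (not code from Nortel, Cisco or the review): a resolver that merges settings from the base group down through a chain of groups, a `max_depth` parameter that models a one-level-only limit, and an audit helper that reports which overrides ended up looser than the base group. The group names and setting keys are constructed sample data.

```python
# Constructed sample hierarchy: base -> engineering -> eng-remote.
GROUPS = {
    "base": {"parent": None, "settings": {
        "idle_timeout_min": 30, "split_tunnel": False, "peak_rate_kbps": 128}},
    "engineering": {"parent": "base", "settings": {"idle_timeout_min": 120}},
    "eng-remote": {"parent": "engineering", "settings": {
        "split_tunnel": True, "peak_rate_kbps": 512}},
}

# Which direction of change loosens a setting (used by the audit below).
LOOSER = {
    "idle_timeout_min": lambda base, eff: eff > base,
    "split_tunnel": lambda base, eff: eff and not base,
    "peak_rate_kbps": lambda base, eff: eff > base,
}

def group_chain(groups, name):
    """Return the chain [base, ..., name]; reject cycles and unknown groups."""
    chain, seen = [], set()
    while name is not None:
        if name in seen:
            raise ValueError(f"inheritance cycle at {name!r}")
        if name not in groups:
            raise KeyError(name)
        seen.add(name)
        chain.append(name)
        name = groups[name]["parent"]
    return chain[::-1]

def effective_settings(groups, name, max_depth=None):
    """Merge settings from the base group downward; each child overrides only
    the keys it sets. max_depth=1 models a one-level-only inheritance limit."""
    chain = group_chain(groups, name)
    if max_depth is not None and len(chain) - 1 > max_depth:
        raise ValueError(f"{name!r} is {len(chain) - 1} levels deep; limit {max_depth}")
    merged, origin = {}, {}
    for g in chain:
        for key, val in groups[g]["settings"].items():
            merged[key], origin[key] = val, g
    return merged, origin

def loosened_by_overrides(groups, name):
    """Audit: keys whose effective value is looser than the base group's, with
    the group that introduced the override. Reviewing this list is how an
    administrator confirms a small-group override did not widen access."""
    merged, origin = effective_settings(groups, name)
    base = groups[group_chain(groups, name)[0]]["settings"]
    return {k: origin[k] for k, v in merged.items()
            if k in base and k in LOOSER and LOOSER[k](base[k], v)}
```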

Nortel's client support is strong, with its Contivity client supporting multiple operating systems. However, only the Microsoft Windows clients are included in the base price; for all others you need to buy separate licenses. You can also use the built-in Microsoft Windows 2000 and XP VPN clients instead of the Contivity client.

The Contivity 4600 is also the most expensive product we tested, at $50,000 per box. Keep in mind that the product is licensed to support 5,000 simultaneous users; you may want to use a smaller device for the backup unit. At 8U tall, the Contivity is also a lot larger than the other devices we tested. To make a custom client for the Nortel solution (as well as for Cisco's and Avaya's), you must configure a text file and bundle that with the distribution. However, if you don't want to use a custom configuration, a user can enter his or her group ID and password (assuming there is one), and the IP address of the VPN gateway.

High availability is done through VRRP (Virtual Router Redundancy Protocol) on the internal interface and via OSPF on the external one. You can integrate the Contivity in an existing OSPF domain even without the HA. The system also supports RIP and multicast relay, and integrates with RADIUS and LDAP for authentication, accounting and address assignment.

The most distinctive feature of this product is its bandwidth-management capabilities. You don't want users connecting from high-speed remote networks to saturate your pipe, so with the 4600 you can set bandwidth utilization of individual users in a group and give them committed and peak rates. We tested this by limiting the peak rate to 128 Kbps and doing an FTP transfer. The transfer speed was only 114 Kbps, showing that even a user with a 100-Mbps link to the gateway won't flood it. Nortel is the only vendor to offer this protection from bandwidth-hogging users.

Nortel Contivity VPN 4600 running Contivity VPN Client 4.0, Nortel Networks, (800) 466-7835. www.nortelnetworks.com or infor@nortelnetworks.com


Cisco VPN 3030 Concentrator Running Cisco VPN Client Version 3.5

Cisco's solution came close to winning this review, partly because the 3030 and Nortel's product are almost identical in interface and features. The 3030 is also significantly less expensive, but it can support only 1,500 simultaneous users, while the Contivity 4600 supports 5,000. You can add encryption cards that each support up to 5,000 simultaneous users for $20,000 per card (this upgrades the unit to a 3060). The front panel of the 3030 is the most informative of all the devices tested; it let us see failed interfaces, fans and power supplies at a glance, as well as CPU, session or throughput loads. The 3030 also supports a large number of operating systems, with only the Palm and Windows CE versions outsourced and available under separate license.

However, Cisco's offering is still a bit short on the features and management fronts, lacking, for example, the bandwidth-provisioning capabilities of the Nortel 4600. The 3030 also allows only one level of group inheritance. Finally, the management interface is a bit cluttered, though we liked this product's management capabilities better than those of the Avaya and Check Point products. Neither Avaya nor Check Point offers inheritance in groups.

The 3030 has an easy-to-read live log viewer, which made troubleshooting the device a breeze. Still, like all the products we tested, the device's client-side troubleshooting is weak, offering the end user precious little guidance. Packaging a custom configuration isn't very pretty either -- you need to configure a text file and include it with the installer.

The device's HA features were easy to set up. The 3030 uses VRRP on both the internal and external interfaces. Each Concentrator is assigned an internal and external IP address. You then pick a virtual IP address for the Concentrator cluster, set one to master and as many as five others as backup, and you're good to go. When we failed one of the Concentrators, another one took over immediately. However, the user's tunnel dies without notification, and he or she must reconnect. The client also supports launching programs when a tunnel is brought up. We set the client so Netscape would launch when we logged on. This is a handy feature for end users.

Cisco VPN 3030 Concentrator running Cisco VPN Client 3.5, Cisco Systems, (800) 553-6387. www.cisco.com or cs-support-us@cisco.com

