Sneak Preview
With Flatrock Instant Extranet, Building a VPN Is as Easy as Skipping Stones

  April 1, 2002
  By Mike Fratto


Growing up in Connecticut, I saw a lot of practical uses for flat rocks. A landscape dotted with stone walls, stone houses, stone wells, stone bridges and stone pathways speaks of Yankee ingenuity. Exhibiting similar creativity, Flatrock's Instant Extranet is an easy-to-use, centrally managed VPN solution.

Instant Extranet requires hardware at both sites, but once you've installed the components, you'll find that adding and managing access to applications is a snap. In fact, Instant Extranet is so easy to install and manage that Flatrock claims you can have applications deployed in less than an hour. The product provides secured data transmissions between sites and removes network routing and configuration issues. My only complaint is the lack of real-time event logging to the management station. Audit logs have to be compiled, downloaded and opened manually--a time-consuming process.

Figure: Instant Extranet (architecture diagram)

Instant Extranet comprises two hardware components--the Provider Application Router (PAR) and the Subscriber Application Router (SAR)--which both run Linux. The PAR resides on the network and delivers application resources to external users; the SAR sits at the remote site and is the connection point to resources protected by the PAR (see "Instant Extranet"). The PAR can aggregate multiple extranets serviced by SARs, but a SAR can talk to only one PAR. The PAR doubles as the configuration server and redistributes configurations to the SARs it manages.

Instant Extranet uses Flatrock's TruTunnel technology to resolve IP addressing conflicts dynamically in cases where the local and remote networks have overlapping IP address ranges. From the point of view of both the client and the server, each is talking to a local host, which resolves many of the routing issues that arise when integrating a VPN into a routed environment.

Client connections originating behind the SAR to the servers and services published by the PAR appear to come from the PAR's IP address, much like a NAT (Network Address Translation) connection. On the subscriber network, the SAR publishes its configured services using addresses from the local network, so clients on the subscriber network need no configuration at all. Just as easily, the SAR's published addresses can be given local WINS (Windows Internet Name Service) entries, and DNS names can be integrated seamlessly. TruTunnel does not proxy connections; rather, it rewrites IP addresses within the tunnel between the PAR and the SAR.

Instant Extranet provides an encrypted VPN between the two sites for each application, protecting the transmission between clients and servers on a per-destination-port basis. Instant Extranet does not provide access control on the SAR network, meaning any client that can reach the published service IP address on the SAR can access the protected service. When publishing an application, three levels of encryption are available, and all traffic between the SAR and the PAR is authenticated using the IPsec Authentication Header protocol regardless of the encryption selected. Encryption can be left off where some other transport encryption, such as SSL or SSH, is already in use, or where encryption is deemed unnecessary. Traffic encryption uses IPsec with 3DES or Blowfish-128.

Start the Clock!

Both the PAR and the SAR are simple to install. For the PAR, I used its LED panel to enter a basic networking configuration. Once I rebooted the PAR, I used its Web interface to create a new SAR object. If you don't know the IP address of the SAR, just leave it blank. As soon as the SAR object is created on the PAR, a one-time password is generated, which is entered into the SAR during its initial configuration. The one-time password, which is good for eight days, is used to authenticate the SAR to the PAR and should be shipped separately from the SAR to prevent unauthorized access to your network.

Figure: Publishing Applications (screen shot)

The installation steps for the SAR are similar to those for the PAR, though I also had to add a local address pool that local clients would use to connect to remote services. Once the SAR successfully registers with the PAR, you can lock the SAR's IP address in the management console, preventing the PAR from accepting connections from any IP address other than the one registered to that SAR. This is a security feature: If your SAR is stolen, it won't connect to the PAR.

Publishing an application requires three steps, all handled through the management GUI on the PAR. First I created an "application template" that defined the protocol parameters for our application. I could compress the data stream before encryption (if needed) and allocate upstream and downstream bandwidth. I created several templates for HTTP, DNS and NetBIOS file sharing. In the next step I created the application server offering the resources by defining an IP address and giving it a name. Finally, I assigned the application to a site.

Flatrock defines four basic application types that simplify template definition. The Citrix application simplifies support for Citrix WinFrame. The file-share application type simplifies support for FTP, Microsoft Windows and Novell NetWare file shares. The Web application type simplifies Web deployment.

Finally, the client/server application type lets you define any TCP/UDP-based application, and limits the source and destination port numbers available to this application.

30 Minutes Later

I wanted to use Windows file sharing, and I needed to use both NetBIOS and WINS so I could resolve share names (see "Publishing Applications"). I created an application template for Windows file sharing from the management console, and defined the directory path that would be accessed. I also wanted to encrypt and compress the traffic so I selected IPsec's 128-bit encryption and compression.

Next, I defined the server on the provider network that contained the shared files. Finally, I published the application to the SAR by assigning the application template and application server to the SAR.

During deployment, the SAR assigns the next available IP address from its local pool, and clients use that local address when connecting to the file share. I followed similar steps when publishing WINS, but I specified the WINS ports and the client-source ports in the application template.
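To make the publishing flow concrete, here is an added Python model (not Flatrock's code or a description of TruTunnel internals) of how a SAR hands out local-pool addresses for published applications and how a client's connection is rewritten so the server sees it coming from the PAR. The addresses, ports and application names are constructed; the per-destination-port check and the absence of per-client access control are the behaviors the review describes.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Assumed provider-side address the PAR uses as the source of forwarded connections.
PAR_ADDRESS = IPv4Address("192.0.2.1")


@dataclass(frozen=True)
class Application:
    """One published application: template (port, encryption) plus application server."""
    name: str
    server: IPv4Address   # real server address on the provider network
    port: int             # destination port the template allows
    encryption: str       # one of the page's choices: "none", "3des" or "blowfish-128"


@dataclass
class SubscriberRouter:
    """SAR model: publishes each assigned application on the next free local-pool address."""
    pool: list                                      # local addresses still available
    published: dict = field(default_factory=dict)   # (local_ip, port) -> Application

    def publish(self, app):
        """Assign the next available pool address to the application; fail when the pool is empty."""
        if not self.pool:
            raise RuntimeError(f"local address pool exhausted while publishing {app.name}")
        local_ip = self.pool.pop(0)
        self.published[(local_ip, app.port)] = app
        return local_ip

    def connect(self, client_ip, dst_ip, dst_port):
        """Return what the PAR hands to the server, or None when the SAR does not carry the flow.

        client_ip is accepted unconditionally: the SAR network has no per-client access control.
        Only a published (address, port) pair is carried through the tunnel; other ports are dropped.
        """
        app = self.published.get((IPv4Address(dst_ip), dst_port))
        if app is None:
            return None
        return {
            "src": PAR_ADDRESS,          # server sees the PAR, much like a NAT connection
            "dst": app.server,
            "port": app.port,
            "authenticated": True,       # AH is applied between SAR and PAR regardless of encryption
            "encryption": app.encryption,
        }
```

Running `publish` twice against a two-address pool and then a third time shows the pool-exhaustion case, which is the moment to check the SAR's address pool size before adding applications.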

Vendor Information

Flatrock Instant Extranet, Provider Application Router, $29,995; Subscriber Application Router, $5,995. Available: Now. Flatrock, (503) 963-3700; fax (503) 963-3799.
www.flatrock.com

Unfortunately, Instant Extranet has no real-time logging. Both boxes are Linux-based and write syslog-format event logs, but those logs must be downloaded manually before they can be used. The lack of real-time logging makes troubleshooting difficult, and the inability to send log data to external log hosts is a problem in shops where logs are processed regularly. The management console has a few graphs for monitoring traffic, latency, and CPU and memory usage on a per-application basis.

Flatrock's claim that the Instant Extranet is easy to set up and manage is well-founded. Flatrock's engineers have removed many of the complications found in traditional VPNs while providing more granular policy definition based on applications rather than networks. But Instant Extranet is not a firewall or a client VPN and doesn't support client-access control. Keeping in mind these limitations, I think Instant Extranet should be on your radar if you are deploying applications to remote locations.

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.
