Policies for both ExtraWeb and ExtraNet are managed through the ExtraNet Center. What makes Aventail unique in this market is its bundling of Socks-5 and SSL for Web applications. The ExtraNet Socks-5 client redirects and, optionally, encrypts traffic bound for protected resources, while the ExtraNet server matches each incoming request against the access policy and forwards or refuses it accordingly. The ExtraNet Connector doesn't interfere with VPN software, so it can run alongside existing VPN clients.
Unfortunately, the Socks-5 client we tested didn't support UDP, a serious problem for us because our BMC Patrol client communicates over UDP. At press time, however, Aventail said UDP is now supported.
The ExtraWeb server is an HTTP/HTTPS proxy that terminates HTTP and SSL connections, authenticates users and can optionally forward user credentials to the target application. ExtraWeb (a helpful addition to Aventail's extranet service) also controls access down to the page level and can provide Web-based single sign-on to the applications it protects. Passing user credentials to an existing application is not always straightforward, however: We had a problem authenticating to eRoom Technology's digital workplace, and Aventail developed a fix for inclusion in the next release. A custom patch typically takes two to three weeks to develop, test and deploy.
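The exchange the preceding two paragraphs describe, as an added example that is not Aventail's code: a Socks-5 (RFC 1928) handshake with username/password sub-negotiation (RFC 1929), in which the client redirects a connection to the proxy and the server matches the request against a per-user destination policy. The user store, the policy table, the reply-address convention and the in-memory session driver are assumptions made for illustration; the final function also shows what a client that asks for UDP ASSOCIATE gets back from a server that only implements CONNECT, which is the failure the BMC Patrol agent ran into.

```python
"""Socks-5 handshake (RFC 1928) with username/password auth (RFC 1929)
and a server-side, per-user destination policy. Added example, not
Aventail's code; users, policy and the session driver are assumptions."""
import hmac
import socket
import struct

VER = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x02, 0xFF
REP_OK, REP_RULESET_DENY, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

# Constructed credential store and access policy (assumptions for the example).
USERS = {"alice": b"s3cret", "bob": b"hunter2"}
# (user, destination host, port): exact matches only; anything else is denied.
POLICY = {
    ("alice", "intranet.example", 80),
    ("alice", "intranet.example", 443),
    ("bob", "mail.example", 143),
}

# ---- client side: the three messages the redirecting client sends ----
def client_hello(methods=(METHOD_USERPASS,)):
    return bytes([VER, len(methods), *methods])

def client_auth(user, password):
    u = user.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(password)]) + password

def client_request(cmd, host, port):
    h = host.encode()  # ATYP 0x03: the proxy, not the client, resolves the name
    return bytes([VER, cmd, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)

# ---- server side: parse each message and answer it ----
def server_select_method(hello):
    if len(hello) < 2 or hello[0] != VER or len(hello) != 2 + hello[1]:
        raise ValueError("malformed greeting")
    offered = hello[2:]
    chosen = METHOD_USERPASS if METHOD_USERPASS in offered else METHOD_NONE_ACCEPTABLE
    return bytes([VER, chosen])

def server_authenticate(auth):
    """Return (user or None, reply). A non-zero status means the server closes."""
    if len(auth) < 3 or auth[0] != 0x01:
        raise ValueError("malformed auth request")
    ulen = auth[1]
    if len(auth) < 3 + ulen:
        raise ValueError("malformed auth request")
    user = auth[2:2 + ulen].decode()
    plen = auth[2 + ulen]
    password = auth[3 + ulen:3 + ulen + plen]
    if len(auth) != 3 + ulen + plen:
        raise ValueError("malformed auth request")
    ok = hmac.compare_digest(USERS.get(user, b""), password)
    return (user if ok else None), bytes([0x01, 0x00 if ok else 0x01])

def parse_request(req):
    if len(req) < 4 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, off = socket.inet_ntop(socket.AF_INET, req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, off = req[5:5 + n].decode(), 5 + n
    elif atyp == ATYP_IPV6:
        host, off = socket.inet_ntop(socket.AF_INET6, req[4:20]), 20
    else:
        raise ValueError("unknown address type")
    if len(req) != off + 2:
        raise ValueError("malformed request")
    return cmd, host, struct.unpack("!H", req[off:off + 2])[0]

def server_reply(user, req):
    """Match the request against POLICY; return (reply code, reply bytes)."""
    cmd, host, port = parse_request(req)
    if cmd != CMD_CONNECT:
        # BIND and UDP ASSOCIATE are not implemented here: an application
        # that needs UDP through this proxy gets "command not supported".
        rep = REP_CMD_UNSUPPORTED
    elif (user, host, port) in POLICY:
        rep = REP_OK
    else:
        rep = REP_RULESET_DENY
    # BND.ADDR/BND.PORT: a real server reports the relay address it bound on
    # success; this example uses 0.0.0.0:0 in every reply (assumption).
    return rep, bytes([VER, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)

def run_session(user, password, cmd, host, port):
    """Drive the whole exchange in memory and return the final reply code,
    or None if the server would have dropped the connection earlier."""
    if server_select_method(client_hello())[1] != METHOD_USERPASS:
        return None
    auth_user, auth_rep = server_authenticate(client_auth(user, password))
    if auth_rep[1] != 0x00:
        return None
    return server_reply(auth_user, client_request(cmd, host, port))[0]
```

Calling run_session("alice", b"s3cret", CMD_CONNECT, "intranet.example", 443) walks all three round trips and returns 0x00; the same user asking for CMD_UDP_ASSOCIATE gets 0x07 back. Note that the policy is keyed on the authenticated user, not on the source address, so the decision survives the client being behind NAT or a dial-up pool.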
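Page-level access control and credential forwarding of the kind the paragraph above attributes to ExtraWeb, written as an added example rather than Aventail's code. The user directory, the group names, the ordered path rules and the choice of HTTP Basic as the forwarded credential are all assumptions made for illustration. The point the example adds is the check a practitioner wants when policy is enforced per page: the request path must be decoded and normalized before it is matched, or an encoded or dot-segment spelling of a protected page falls through to a less restrictive rule.

```python
"""Page-level authorization and credential forwarding for an HTTP reverse
proxy. Added example, not ExtraWeb's code; directory, groups, rules and
the Basic-auth forwarding scheme are assumptions for illustration."""
import base64
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed directory: user -> (password, groups). Assumption for the example.
USERS = {
    "alice": ("alice-pw", {"staff"}),
    "carol": ("carol-pw", {"staff", "admins"}),
}
# Ordered page-level rules: (path prefix, group allowed to read it).
# First match wins; a path matching no rule is denied.
RULES = [
    ("/eroom/admin/", "admins"),
    ("/eroom/", "staff"),
]
# Applications that receive the user's own credential as HTTP Basic auth.
FORWARD_BASIC_AUTH = {"/eroom/"}

def _under(path, prefix):
    """True for the directory itself and anything below it."""
    return path == prefix.rstrip("/") or path.startswith(prefix)

def canonical_path(raw):
    """Decode (repeatedly, to defeat double encoding) and normalize the
    request path so that '/eroom/%61dmin/' and '/eroom/x/../admin/' hit
    the same rule as '/eroom/admin/'."""
    path = urlsplit(raw).path
    decoded = unquote(path)
    while decoded != path:
        path, decoded = decoded, unquote(decoded)
    trailing = decoded.endswith("/")
    norm = posixpath.normpath(decoded)  # collapses '.', '..' and '//'
    if not norm.startswith("/"):
        norm = "/" + norm
    if trailing and norm != "/":
        norm += "/"                      # normpath strips it; prefix rules need it
    return norm

def authorize(user, raw_path):
    """Return (allowed, canonical path) for an already-authenticated user."""
    path = canonical_path(raw_path)
    groups = USERS.get(user, ("", set()))[1]
    for prefix, group in RULES:
        if _under(path, prefix):
            return group in groups, path
    return False, path

def backend_headers(user, path):
    """Headers the proxy adds to its own request to the protected app.
    Forwarding the user's credential means the proxy must hold it; here it
    is read back out of the constructed directory."""
    headers = {"X-Forwarded-User": user}  # assumption: app trusts this only from the proxy
    if any(_under(path, p) for p in FORWARD_BASIC_AUTH):
        password = USERS[user][0]
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    return headers

def proxy_decision(user, raw_path):
    """(status, canonical path, headers for the backend); 403 carries no headers."""
    allowed, path = authorize(user, raw_path)
    if not allowed:
        return 403, path, {}
    return 200, path, backend_headers(user, path)
```

With these rules, proxy_decision("alice", "/eroom/%61dmin/users") and proxy_decision("alice", "/eroom/public/../admin") are both refused, because canonicalization happens before the rule walk; without it the first would miss the admin rule entirely and the second would be matched as a staff page. The credential that is forwarded is the proxy's copy of the user's password, which is the reason a single-sign-on proxy of this sort is itself a high-value target.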
The management portal provides a wealth of options to configure the service and request changes. There is a second portal, access to which can be delegated, where you manage users. Through a browser interface, you can manage user groups, build client packages and run status reports.
Like Fiberlink's, Aventail's NOC is fully redundant, and the company has a three-tier problem-classification system. However, a Level 2 issue, analogous to Fiberlink's "high" classification, is targeted for resolution within 24 hours rather than six.
Aventail's solution holds its own against Fiberlink's on all fronts except price: Aventail's package was the second most expensive offering we tested, behind only OpenReach.
Aventail.Net Managed Services, Aventail Corp., (206) 215-1111, (877) 283-6824. http://www.aventail.com
AT&T Managed Services
AT&T Managed Services is another IPsec-based VPN service, using in our tests Nortel's Contivity 2600 and AT&T's own bundled modem/VPN dialer. Like Fiberlink, AT&T offers a bundled dial-up service, but we reviewed only the managed VPN service to level the playing field.
At $42,440, which included EFTel Netgate VPN appliances for our two remote locations with non-Windows systems plus a Contivity 2600, AT&T Managed Services costs less than half of Aventail's offering but still far more than Fiberlink's. On the plus side, the Netgate appliances also support site-to-site operation, connecting the remote sites to the central Contivity 2600 so that traffic can be routed to the remote locations.
AT&T's reporting, judging from the sample reports we viewed, is outstanding: It shows details such as successful and failed connection attempts, the number of failures after the VPN was established and the user names with the most failures.
Like Fiberlink and OpenReach, AT&T provided NOC-to-NOC support while we handled first-level support. The AT&T client bundles AT&T's dialer and VPN client. User configuration is easy: Just enter the user information, and the client queries the AT&T policy server for its configuration data and attempts to contact the available VPN devices. End users need to keep track of nothing beyond their credentials.
AT&T Managed Services, AT&T, (908) 221-2000. http://www.att.com
OpenReach with Platinum Support
The OpenReach managed VPN service was the only offering tested that split management between us and the vendor. OpenReach managed and monitored the boxes and could perform configuration, software updates and other maintenance; device, user and VPN management and provisioning were in our hands. OpenReach can make configuration changes if needed, but that shouldn't happen without your knowledge. Even though we asked for a wholly managed service, we liked the split-management model.
Unlike Aventail and Fiberlink, OpenReach has multiple, geographically dispersed NOCs and can fail over among them within 30 minutes. Featurewise, OpenReach's service is comparable with Aventail.Net, except that client support is limited to Windows. As for price, it tops out at a whopping $110,940.
Like Fiberlink's and AT&T's, the OpenReach service is a managed IPsec VPN. The OpenReach gateway can work with other IPsec clients, but we didn't test this, and in the real world IPsec interoperability is still spotty. OpenReach has automated configuration of the SafeNet Soft-PK client for Windows users. For non-Windows users and small offices, OpenReach also offers a gateway that can traverse NAT routers and operate in split-tunnel mode, in which only traffic for the protected network goes through the tunnel while the site's other Internet traffic bypasses the central gateway and whatever controls sit behind it.
OpenReach offers two options for the remote gateways: We could have the software shipped and install it on our own hardware, which would have cut the installation fee by $1,500 per location, or we could have a preinstalled, preconfigured gateway drop-shipped to each location. We chose the latter because it offloads all maintenance to OpenReach. The gateways did require some minor routing changes to our remote-office infrastructure.
Managing VPNs across multiple sites was straightforward; we could even refine access policies with firewall rules. VPN construction was drag and drop. A color-coded map shows status information, and further data is available on the reports page. Should the gateways lose contact with OpenReach's NOCs, users can still connect to their VPNs, but change control is lost until connectivity is restored.
OpenReach with Platinum Support, OpenReach, (781) 933-7580, (888) 783-0383. http://www.openreach.com
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Mike has also worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.