Rainbow Connection

Rainbow Technologies' NetSwift iGate offers SSL VPN functionality.

October 24, 2003

iGate provides a means of securing Web-based resources both in transit via SSL and by allowing access to those resources only to authenticated users. Authentication can be configured to accept passwords, tokens (via Rainbow's USB iKey tokens) or both. In addition, iGate's SSL VPN is designed to provide access to non-Web resources through a secured link without the complication of an IPsec implementation.

Brighter Outlook

I tested a beta version of iGate 3.1 within NWC Inc.'s infrastructure, evaluating both its SSL VPN capabilities and its Web access control feature set. Significant improvements have been made to the iGate since I last looked at the product a year ago. The product now supports roles and groups for defining access to applications and resources, offers industry-standard compression (gzip) and has installation/upgrade image management.

There are, however, some weaknesses. If you have many users, setup and configuration using iGate's internal identity store takes time. Furthermore, configuring some aspects of the SSL VPN functionality via the admin console can be confusing: It is not always clear whether options are referencing the VIP (virtual IP) or the back-end servers. It would be advantageous for Rainbow to adopt terminology common to content switches and proxies.

Figure: How the iGate SSL VPN Works

The enterprise version of the product is also priced quite high: $16,995 to enable the SSL VPN functionality--in addition to the entry-level price of $49,995 for a limited number of concurrent users (300). This seems a bit much, especially compared with offerings from competitors, which support a wider variety of identity stores and more users at a lower price. Although I like what is happening in terms of functionality and feature set, iGate's pricing needs to come down to compete.

A Real Pro

I tested a 1U 2-GHz processor iGate Pro with a single 10/100 NIC supporting only a one-arm network topology. The unit was designed to be deployed within the DMZ, but I configured and used it in a NAT (network address translation) architecture. The enterprise version is available with dual NICs that support both side-arm and one-arm configurations, and I'd suggest it over the Pro for more flexibility.

iGate Pro supports only DA (direct access) mode for securing Web sites--it's essentially a reverse proxy. IA (indirect access) mode uses a single VIP to represent all sites within the organization. You can configure the unit from the admin console using a wizard or manually. Once the iGate is configured to front a Web site, that site is accessible only via a secure HTTP connection. The iGate accepted requests for NWC Inc.'s Web site on Port 80 (clear text), but it sent out a 301 (Moved Permanently) redirect to force the browser to use an SSL connection on Port 443.

I configured iGate to use passwords or tokens to authenticate users accessing the NWC Inc. Web site. User configuration is a tedious process, and you must use Rainbow's ACM (Access Control Manager) to assign tokens. ACM is a Java client, requiring JVM 1.3.1 or higher, that communicates with iGate to download and upload access-control configuration of the device. After assigning tokens and passwords to several users, I accessed the site using both.

Good

• Authentication types are flexible--iKey, iKey and/or password or password only
• SSL VPN functionality supports any TCP-based protocol except FTP

• Ingress and egress custom headers are supported

Bad

• Supports RADIUS and internal identity store only
• SSL VPN cannot support dynamic ports

• Price

NetSwift iGate, $7,995 to $49,995. Rainbow Technologies, (800) 852-8569, 949-450-7300. www.rainbow.com

Rainbow has improved its USB-based token, the iKey, on the client side. Driver and iGate plug-in installation has been automated, and installation is completed automatically for Windows 98, 2000 and XP. When I plugged in the token and tried to access the NWC Inc. Web site, I was brought to an authentication page that required a PIN for the token. After I entered the PIN, I could access all assigned resources without further identification. PIN management is not as automated as I'd like, however. Users cannot change or reset their PINs without the assistance of the system administrator.

VPX Tunnel

SSL VPN functionality--VPX in iGate language--is a local proxy provided by a Java applet. A VPX connection sets up a single SSL-encrypted tunnel between the client and the iGate. A VPX application can be configured to use client DNS, which modifies the hosts file on the client desktop and directs requests for a specific host to the Java applet. All application traffic is routed through the tunnel, just as with an IPsec VPN. I set up VPX applications to VNC (virtual network computer) to an internal server as well as IMAP to our internal NWC Inc. Exchange server, both configured to use client DNS.

I accessed www2.gblab.nwc.com/igateportal and was prompted to insert my iKey or enter a user name-password combination. After being authenticated, I was presented with a list of applications to which I had been assigned access rights. Clicking on the link launched a Java applet on my desktop that provided connectivity to the iGate.

I clicked on the VNC link, and my hosts file showed an additional entry: 127.0.0.4 vnc.gb.nwc.com.

I fired up VNC and entered the desired host as vnc.gb.nwc.com. It took just a moment to successfully connect to the internal server. IMAP connectivity worked as well, with little degradation of performance via the encrypted tunnel. An alternative configuration requires that DNS entries be added to your name server. I much preferred the automatic modification of the local hosts files, which is cleaned up after logging out. My tests with passwords and tokens were successful for both apps.
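The client DNS mechanism described above rests on adding a loopback alias such as `127.0.0.4 vnc.gb.nwc.com` to the hosts file for the life of the tunnel and removing it at logout. The following added example (not Rainbow's code; the `# vpx-tunnel` marker and the sample hosts content are constructed) shows that bookkeeping and an audit that flags loopback aliases left behind when the cleanup does not run, which would leave the name resolving to a local port with nothing listening.

```python
"""Hosts-file bookkeeping in the style of iGate's "client DNS" mode.

Constructed example: a tunnel agent adds a line like
"127.0.0.4 vnc.gb.nwc.com" while a tunnel is open and removes it
at logout. The audit lists loopback aliases that survived a logout.
"""
import ipaddress

MARKER = "# vpx-tunnel"  # constructed marker; the real applet's format is not documented here


def parse_hosts(text):
    """Yield (ip, [names]) for each non-blank, non-comment hosts line."""
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        ip, *names = body.split()
        yield ip, names


def add_tunnel_entry(text, ip, hostname):
    """Append a marked loopback alias; refuse a name that is already mapped."""
    for _, names in parse_hosts(text):
        if hostname in names:
            raise ValueError(f"{hostname} already mapped in hosts file")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{ip} {hostname} {MARKER}\n"


def remove_tunnel_entries(text):
    """Logout cleanup: drop only the lines carrying the tunnel marker."""
    kept = [line for line in text.splitlines() if MARKER not in line]
    return "\n".join(kept) + "\n"


def find_loopback_aliases(text):
    """Audit: names mapped into 127.0.0.0/8 that are not localhost itself.

    A hit after logout means cleanup did not run; the name resolves to
    loopback instead of the real server until the line is removed.
    """
    hits = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not this audit's concern
        aliases = [n for n in names if not n.startswith("localhost")]
        if isinstance(addr, ipaddress.IPv4Address) and addr.is_loopback and aliases:
            hits.append((ip, aliases))
    return hits
```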

Lori MacVittie is a Network Computing technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].