Mobile Application Gateways

A new class of product offers users transparent roaming across a range of wired and wireless networks. It's only a matter of time until one comes to an enterprise near

April 8, 2005


We invited seven mobile application gateway vendors to participate in a review at our Syracuse Real-World Labs®. We evaluated IBM WebSphere Everyplace Connection Manager 5.1, ipUnplugged Roaming Gateway 310, NetMotion Wireless Mobility XE and Radio IP Software Mobile TCP/IP Gateway. Broadbeam and Ecutel Systems declined because of revision cycles, and Padcom backed out citing pending patent litigation with NetMotion.

We designed our test bed to measure client and server configuration and management, mobility services, security, performance and scalability (for more on our testing process, see "How We Tested Mobile Application Gateways"). We also set out to get a handle on cost, but believe it or not, determining apples-to-apples pricing was one of our biggest headaches.

To evaluate pricing, we presented scenarios for both a small and a large deployment. The first scenario outlined a pilot project or a small company with one single-processor server and 100 clients. The second scenario was a larger enterprise deployment with two dual-processor servers and 2,000 clients. Our scenarios also included the first year's maintenance and support. ipUnplugged led the pack in pricing, earning it our Best Value award: The vendor quoted us $123,192 for 2,000 users--less than half the cost of the most expensive entry, NetMotion, which dinged us for $287,500. For more detailed pricing information, see "Gateway Pricing."

Jacks of All Apps

The biggest challenge for wireless application gateway vendors is to deliver products flexible enough to integrate with a wide range of enterprise applications and network infrastructures. The average mobile worker might need access to a groupware server, a CRM (customer relationship management) application or an in-house database. For the most part, the gateways we tested met that goal admirably. Each let us roam among dissimilar networks. For instance, our clients who were connected to a wireless WAN, such as Verizon's CDMA-2000 cellular data network, and ventured within range of our Wi-Fi hotspot or enterprise WLAN, could roam to the WLAN with only a brief interruption in service. The gateways switched data transmission from the WWAN to the faster Wi-Fi connection without requiring our client to reconnect to any running applications.

Every mobile application gateway approached the task of providing seamless mobile connectivity to enterprise resources differently, but we discovered a few commonalities. First, all the gateway servers were installed in our DMZ or behind the firewall and communicated with test clients through encrypted UDP tunnels. Similar to a VPN, the gateway servers gave our clients IP addresses for network communications. Each product we tested addresses IP mobility using proprietary protocols, with the exception of ipUnplugged, which adheres to the Mobile IP standard.

All the gateways tie into back-end databases, where they store a variety of system information ranging from server configurations to user records and activity logs. All but one rely on an LDAP directory and/or a relational database for this storage; the exception is Radio IP, which stores its settings in the Windows Registry. NetMotion and ipUnplugged provide databases as part of the installation package, while IBM lists both an LDAP server and an ODBC connection as part of its prerequisites.

Each gateway except Radio IP's provides policy-management features for regulating client traffic under a variety of conditions. This is handy for organizations that need to restrict Web browsing on low-bandwidth, high-cost cellular data links or want to allow access to enterprise applications only. Radio IP says its next release, which should be available by the time you read this, will contain this functionality. Unfortunately, no gateway let us require that specific software, like an up-to-date antivirus signature, be installed before granting access.

In many environments, providing mobile application access requires a high-availability system design. Every system we evaluated provided some level of redundancy, ranging from cold standby to server pooling and clustering. And, because the success of a wireless application gateway deployment depends on your employees' ability and willingness to use it, we put on our end-user hats to check what the average mobile employee would experience. Mobility XE provided a positive end-user experience overall, though NetMotion lost points because we couldn't dial WWAN connections automatically. Client roaming operations were transparent to our end-user persona, and it was easy to disable the client when we didn't want to connect through the gateway server. IBM, ipUnplugged and Radio IP also provided a good experience for our end-user selves, easily dialing PPP connections as needed and providing transparent network roaming.

When we hear wireless and mobile, we know security won't be far behind. In evaluating the security of mobile application gateways, we considered their adherence to standards, authentication options and the ability to delegate low-level administrative tasks without allowing access to all administrative options.

Each product uses the AES algorithm to secure client communications. IBM's WebSphere Everyplace Connection Manager is the only product we tested that is FIPS 140-2 certified, putting it a notch above the others, which are FIPS 140-2 compliant. End users must authenticate on all the products, with the exception of Radio IP, which doesn't require authentication by default. IBM, ipUnplugged and NetMotion also allow for delegated (or role-based) administration.

NetMotion Wireless' Mobility XE earned our Editor's Choice award, thanks to its superb features. Server and client deployment were a breeze, and the management interface was the best we tested. Policy control was flexible, providing a number of methods to manage client network traffic. On the other hand, the product's limited OS support--it's Windows-only on both the client and server--could be a deal breaker for some organizations.

IBM finished a close second, with strengths in network integration, broad client support and end-user experience. However, its management interface couldn't compare with NetMotion's, and the policy feature didn't provide the granularity we would have liked. ipUnplugged's product is a price leader, an impressive feat given that the bottom line includes a hardware appliance. However, its policy control is minimal, and there is no support for link optimization.

Radio IP's Mobile TCP/IP Gateway, as the company name suggests, has strengths in mobilizing IP applications for non-IP private radio networks, such as Motorola DataTAC. However, its deployment and management are unwieldy, and its architecture lacks sophistication.

With its quick and painless deployment and strong management, our Editor's Choice is a good option for environments where users regularly roam across wired and wireless networks, suspend applications and resume work hours later.

Mobility XE is a Windows-based product that has a server component to manage client sessions and a Sun LDAP warehouse for storing configuration information and client policies. We housed both components on the same server, but in an ongoing deployment we would opt to divide and duplicate them among multiple servers for redundancy and scalability. Servers can be pooled and load-balanced to make the most efficient use of hardware resources. With minimal effort, we configured the server to authenticate clients against a global domain group in our Windows 2003 Active Directory repository. The product's architecture is designed to ensure scalability and availability using multiple pooled servers that provide mobility services and failover capabilities.

Although its device support is not as broad as that of IBM's product, Mobility XE should meet the needs of most organizations with its support for Windows desktop and mobile (CE and PocketPC) platforms. The only parameter we had to enter during install was the IP address of our Mobility server, and even that could be configured over DHCP. The server applies the user profile during the log-on process, rather than requiring users to download their profiles manually.


Mobility XE's Web-based management console is intuitive and inclusive, yet flexible. We managed settings for each server on an individual basis or across all servers to provide a uniform environment. This granularity to tailor settings for a subset of users would be useful in our pilot-test scenario. User and device management were straightforward yet powerful; we especially liked being able to quickly lock out lost or stolen devices.

Mobility XE's policy-management features were the most flexible. In addition to IBM's filters based on network interface and port number, Mobility XE applies policy on bandwidth thresholds and can restrict traffic from Windows executables and for specific destinations.

Mobility XE, like its competitors, did a good job of facilitating client network operations by providing our test clients with fast internetwork roaming and optimized low-bandwidth, high-latency connections. But unlike the competition, Mobility XE maintained client connections with other servers when the client became unavailable--for instance, if the device suspends or wanders out of coverage range.

Mobility XE was the most expensive product in both pricing scenarios, but it's worth the cost because the product delivers in all critical areas. And unlike IBM's offering, there are no prerequisite software packages.

Mobility XE. NetMotion Wireless, (206) 691-5500, (206) 691-5555. www.netmotionwireless.com

WECM should be on your short list of products to evaluate, particularly if you manage a fleet of diverse mobile devices on platforms such as PalmOS or Symbian, because it's the only gateway we tested that supports non-Windows handhelds.

Although we found its management interface cumbersome and its policy-control options minimal, WECM grabbed the second-place spot by providing features unavailable in other products--for example, the ability to send SMS messages to mobile devices.

IBM's is the only product we reviewed that doesn't have a server component available for Windows, opting instead for old standbys AIX, Solaris and Linux. As with NetMotion's product, all our configuration information was stored in an LDAP directory, and WECM relied on access to a relational database for storing logs and accounting records. This architecture makes it possible to design for high availability.

Client deployment was straightforward; when we configured server connections, we were reminded to set up Windows Dial-Up Networking. WECM also can function as a messaging server for mobile clients using WAP (Wireless Access Protocol) and SMS (short messaging service).


We loaded WECM's Java management interface on Red Hat Linux and Windows XP, though it can be loaded on virtually any platform that supports Java. The Java interface is unwieldy for certain tasks, such as viewing a list of active sessions, and we wouldn't relish the thought of spending too much time in front of it. Luckily, most admin tasks can be accomplished at the command line.

WECM's policy options are about average, primarily because its focus on restricting port-specific traffic, not application-based traffic, didn't give us enough flexibility.

WECM's link-optimization capabilities were very good; this is important because it supports public and private radio data networks. When we handed off applications during a network roam, event performance was solid, though, unlike NetMotion, this product doesn't sustain connections during client network unavailability.

IBM offers several pricing models. For small deployments, it licenses starter editions for a fixed number of clients. At the upper end, though, it licenses based on the number of processors per server, which should appeal to administrators who dislike tracking client numbers.

WebSphere Everyplace Connection Manager 5.1. IBM Corp., (877) 426-3774. www-306.ibm.com/software/

The aggressive price structure and standards adherence of the Roaming Gateway are sure to be draws for some. This 1U rackmountable box, the only appliance we tested, grew out of a carrier-operator model and, though it serves nobly as a mobile application gateway, it also supports billing based on time and volume usage and lets enterprises offer guest access to the Internet on their WLANs without exposing their internal networks. This is accomplished through integration with the provided RADIUS server and the product's Internet Access Control features.


We connected the ipUnplugged appliance to our management server, which stored configuration information in MySQL. Given that system scalability is reliant on multiple Roaming Gateway hardware appliances and cannot be pooled, this architecture is not as flexible as NetMotion's or IBM's. Test users were assigned a primary and, if available, secondary gateway, but there were no options for client load balancing. In addition, to authenticate users to Active Directory, we had to extract the user information and import it through a Python script.

The device's Tomcat Web management interface is simple and straightforward, giving options for managing hardware appliances and users, all in one place. Despite excellent capabilities for user management, we found that our ability to manage devices was essentially nonexistent, though the company says it's exploring that capability for future releases. Policy control was minimal as well, providing or limiting our access to specific network resources; we couldn't restrict traffic by type.

The device performed well in our roaming tests, but it's the only product that doesn't provide link optimization and compression; ipUnplugged refers clients to third-party providers, such as Venturi Wireless, for that.

Roaming Gateway 310. ipUnplugged AB, +46 8 725 5900. www.ipunplugged.com

This gateway is new to enterprise environments, having its roots primarily in law enforcement. The product functions on a variety of IP and non-IP networks, including public and private radio, and delivers excellent mobility services, but it's light on some of the features that enterprises value, such as robust management and availability.

The Mobile TCP/IP Gateway is a Windows-based system that stores the bulk of its configuration information in the Windows Registry, in stark contrast to rivals, which rely on databases and directory services.


We administered the system from a Windows server, which requires local or Terminal Service access. The product authenticated against AD without any trouble, but overall, management is focused on devices rather than users. For example, we could configure the system so that clients aren't required to authenticate at all, which we did, just for fun! Radio IP doesn't offer any policy-control features in this release but the company says the next version, due out by the time of publication, will provide policy control based on port numbers and app names.

Radio IP's development road map, including expanded authentication options and a migration to the Microsoft Management Console for administration and policy-management features, has us convinced that the company is committed to refining its offerings to meet enterprise needs.

Mobile TCP/IP Gateway. Radio IP Software, (877) 717-2242, (514) 890-6070. www.radio-ip.com

Dan Renfroe is a technology associate focusing on wireless and mobile technologies with the Center for Emerging Network Technologies at Syracuse University. Write to him at [email protected].

Want to be a hero to your mobile end users? Let them roam freely--from 3G wireless WANs to 802.11 Wi-Fi APs (access points) to home broadband links--while you transparently maintain secure, persistent connections to their mobile applications. Then sit back and rake in the baked goods and adulation.

We tested four mobile application gateways--IBM's WebSphere Everyplace Connection Manager 5.1, ipUnplugged's Roaming Gateway 310, NetMotion Wireless' Mobility XE and Radio IP Software's Mobile TCP/IP Gateway--and rated them for client and server configuration and management, mobility services, security, performance, scalability and price.

Our Editor's Choice is NetMotion Wireless' Mobility XE, whose rich feature set and ease of management outweighed its high price and limited OS support in our tests. IBM held its own and will be a favorite in companies with diverse fleets of mobile devices. Meanwhile, ipUnplugged's budget-conscious appliance earned our Best Value award. Even our last-place finisher, Radio IP's Mobile TCP/IP Gateway, has some strengths. We'll be keeping our eye on this market.

We presented two scenarios to help us understand the vendors' pricing models:

1. A pilot or small-enterprise project comprising one single-processor server and 100 clients.
2. An enterprisewide deployment with two dual-processor servers and 2,000 clients.

Both scenarios include the first year's maintenance and support but estimate server capacity.

In response to the first scenario, IBM gave us pricing for two copies of its WECM Starter Edition, each supporting 50 users. Note that IBM's pricing does not include the required LDAP server and ODBC connection. ipUnplugged submitted pricing for its Roaming Gateway 310 hardware appliance plus licensing for one Roaming Gateway server and 100 simultaneous client connections. NetMotion supplied pricing for one server and 100 devices, plus its policy module. Radio IP gave us pricing for one server and 100 clients.

For the second scenario, IBM supplied pricing based on the number of processors per server, rather than the number of clients. ipUnplugged provided pricing for two Roaming Gateway 310s, 2,000 simultaneous client connections and two Roaming Server licenses. NetMotion gave pricing for its Enterprise Edition, which includes 1,000 devices and an unlimited number of servers. Radio IP likewise submitted its enterprise option, which includes 900 clients and unlimited servers, plus pricing for the remaining 1,100 clients.

We put four mobile application gateways through their paces at our Syracuse University Real-World Labs®, testing management of servers and clients, and evaluating their mobility services, performance, scalability and security models.

We installed each product on its own server; each box had dual 1,000-MHz Pentium III processors and 1,024 MB of RAM. The ipUnplugged product relies on a unique configuration of a hardware appliance and a back-end server, for which we used one of the Windows machines. We installed all products on Windows Server 2003, with the exception of IBM's WebSphere Everyplace Connection Manager, which we installed on Red Hat Enterprise Linux ES 3.

We placed these products behind our firewall, then made the appropriate changes to let them communicate with the outside world. To test integration, we configured them for authentication with Windows 2003 Active Directory.

We tested the link compression and optimization provided by the products over low-bandwidth, high-latency links using public WWAN links and in a controlled environment using Shunra Storm STX-100. For the controlled tests, we simulated a 250-Kbps WAN link with 300-ms round-trip latency. We used VeriTest's i-Bench 5.0 to evaluate the speed of loading HTML pages. The i-Bench test provided data on the total load time for 30 Web pages with text and graphical elements that we averaged over multiple iterations.

The link compression and optimization provided by IBM, NetMotion and Radio IP were very good, with reasonable improvements over the base statistics. Although the ipUnplugged product does not provide native compression and optimization, it didn't suffer a noticeable performance penalty from the encrypted traffic either.

We forced each product to roam between LANs, WLANs and WWANs. WWAN access was provided by Verizon on its CDMA2000 1xRTT network using the Audiovox PC 5220 PC card and Cingular on its GPRS network using the Sony Ericsson GC83 card.

All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.
