Your end users might like the new SSL VPN Module 1000 that slides into Nortel's Contivity IPSec VPN boxes because it provides easily navigable remote access to a wide group of LAN-based applications at decent speeds. But administrators won't like the lagging management interface and lack of detailed access control and endpoint security features.

The SSL VPN Module 1000 blade plugs into Contivity 1740, 2700 or 5000 Version 5.0 systems. A dedicated co-processor running Alteon's tried-and-true Secure Sockets Layer accelerator code, Version 4.2, and a poorly designed configuration and management system are its base.

The blade performs pretty well (see "A decent SSL performer"), and Nortel's portal page is easy to use and navigate. And the SSL VPN code works well with a range of applications, including Exchange's Outlook Web Access; JavaScript programs; and HTML, FTP and Common Internet File System servers.

But when we tested the product with Java- and Flash-based applications, we ran into interoperability issues. Nortel's prescribed fix is a downloadable Java applet that runs on the workstation and serves as a proxy to tunnel traffic to the Contivity system. This fix gave us access to applications, but hampered our access to the rest of the Internet and required a complex, manual rewrite of the browser's proxy configuration file.

Nortel offers some rich application translation and proxy features. It detects and fills out form-based authentication processes on Web pages the way most browsers do. However, this single sign-on implementation works only if the username and password are the same for the SSL VPN device and for every Web site.

Click to see:

Nortel implements a unique dimension to its user profile, letting you create multiple types of users within the same user group that then affects the appearance of the portal to those users.

Contivity users can choose from standard browser-based SSL VPN applications or a true network extension client, using IPSec or SSL transport, all nicely bundled together. But this bundling belies the lack of underlying coordination. Nortel describes its SSL VPN as "tightly integrated" with IPSec, but the only thing tight about the integration is that they share the same power cord.