Remote Access VPN Buyer's Guide: Juniper
MAG Series Junos Pulse gateways unify network access control and SSL VPN to deliver safer mobile access.
When Juniper Networks acquired NetScreen, the SA Series of SSL VPN appliances created by Neoteris came along for the ride. In parallel, Juniper developed the IC Series of Unified Access Control (UAC) appliances to control LAN resource access.
As the gap between remote and local evaporates, enterprises need to enforce policies independent of endpoint location. To deliver more cost-effective, easier-to-manage control, Juniper recently introduced a new MAG Series of Junos Pulse Gateways, described here in EnterpriseNetworkingPlanet's remote access VPN buyer's guide.
Embracing the move to secure mobility
According to director of product management Rich Campagna, Junos Pulse is a reaction to the dramatic shift in device types and ownership sweeping the industry.
"Many [enterprise networks] have gone from corporate-owned and -managed devices to mobile devices owned and operated by users," he said. "This drove us to accommodate devices running iOS and Android. For example, we provide Layer 3 VPN access from iPhones and iPads. We've been doing a good job of staying ahead of this trend."
Junos Pulse also addresses migration from remote (Internet-based) access to local (enterprise wireless) access. "I go between airports and Juniper offices and customer sites throughout my workday, and Junos Pulse helps me move seamlessly," said Campagna. "When I checked email from home this morning, I was prompted to log in and connected to an SSL VPN running on a MAG. I then closed my machine and drove to the office. When I opened it, Junos Pulse transferred my session to a UAC service on a MAG."
Benefiting from platform consolidation
This mobility could be orchestrated by Junos Pulse using SSL VPN and UAC services on separate appliances, but the MAG Series lets enterprises run both on the same platform or redistribute services across platforms based on load or business need.
The MAG Series is a modular architecture, ranging from a fixed appliance that runs just one service to an expandable chassis that runs up to 4 service modules. "The MAG 2600 is small form factor and whisper-quiet, made for locations without data centers, supporting up to 100 SSL VPN users," said Campagna. "The MAG 4610 is similar but sized for a medium or large business with up to 1,000 SSL VPN users."
For large enterprises, the MAG 6610 is a 1U chassis, typically clustered so that it is managed and reacts as a single appliance for synchronization and load balancing. "The MAG 6610 can run two service modules, so you might run SSL VPN on one and UAC on the other, supporting up to 20K SSL VPN users and 30K UAC users," he said. Finally, the MAG 6611 is a 2U chassis with twice the service/user capacity.
Service modules that can run on each MAG are equivalent across all models; the distinction is primarily scale, as well as form factor and physical redundancy. Although customers can still purchase older SA Series appliances, consolidating VPN and UAC services on a unified MAG platform brings advantages without loss of functionality.
"Say you have an organization with 50K employees. During the business day, all 50K are logged in somewhere -- maybe via UAC at headquarters and SSL VPN from regional offices. We offer converged licensing so that you can break a 50K simultaneous user license into different appliances and modules," explained Campagna. "If you find that the bulk of your VPN users are coming into one appliance, you can shift more licenses there. Buying user licenses in bulk also gets you a volume discount."
This flexibility preserves customer investment as workforce needs evolve. Over time, more licenses can be purchased to accommodate growth. However, because licenses are based on concurrent cached sessions, an endpoint that moves between VPN and UAC consumes just one license, regardless of location, access method, or endpoint type.
Securing remote network access
The Junos Pulse Secure Access Service that runs on MAG Series gateways is a direct descendant of the software that powers SA Series appliances. Beyond the transparent session handoff (aka NAC-SSL federation) described above, the Secure Access Service delivers authenticated, encrypted VPN connectivity from endpoint to MAG.