by Victor R. Garza

ipUnplugged and NetMotion grant wireless users room to roam

reviews
Nov 21, 2003 | 7 mins

Roaming solutions take different tacks in effectively keeping mobile workers securely connected

When you weigh just the benefits of mobility, flexibility, and productivity, going wireless is a no-brainer. But factor in roaming issues, spotty coverage on the corporate campus, and security vulnerabilities, and the decision can get complicated.

I looked at roaming solutions from ipUnplugged and NetMotion designed to solve these problems. Although the products take slightly different tacks, they share the same goal: to provide secure, continuous connectivity to corporate applications over inherently insecure and disparate wireless networks.

Both solutions appear equally matched when it comes to meeting subnet roaming expectations, enabling wireless sessions to move across router boundaries without breaking the connection. Both have components that can be deployed on pretty much any Intel-based hardware; both require a software client.

However, they also share a couple of major flaws. They support only a Windows-based mobile infrastructure and are limited to networks that can transport IP.

Overall, NetMotion Mobility 5.01, a software-only solution, has a larger array of authentication infrastructure support to manage users and groups. However, it’s also much more expensive than a similar deployment with ipUnplugged’s combined Roaming Gateway, Server, and Client offering.

ipUnplugged

ipUnplugged leverages standards-based MobileIP and IPSec technology to create a solid, seamless roaming solution using what is truly a mobile wireless VPN. Most interesting is that moving over different media types appears truly seamless. Although ipUnplugged does not offer application persistence to the degree that NetMotion does, it is still a serious and reliable WLAN mobility solution.

A typical deployment of ipUnplugged consists of a Roaming Gateway appliance, the Roaming Server (both of which are managed via a Web-based interface), and the Roaming Client.

During my tests, I didn’t have a problem with roaming as much as I did with application persistence. Unlike NetMotion, ipUnplugged doesn’t proxy for a client, so when a client application is cut off from its server, the client’s virtual adapter is still up, but the session is no longer there. Depending on the robustness of the application, it may be several minutes before it terminates.

Getting up and running with the Roaming Server was a fairly quick process. The server is the central location for network configuration, security, and client management via a Web-based interface. Annoyingly, ipUnplugged requires at least an SMTP infrastructure to function properly.

During installation, the Roaming Server installs its own RADIUS (Remote Authentication Dial-In User Service) server where users and groups are managed. Although I could have also tied my RADIUS server to the Roaming Server’s to support guest users, the ipUnplugged installation provides all subsequent authentications. Unfortunately, ipUnplugged supports only RADIUS and SecurID but no other authentication methods.

The Roaming Gateway forwards traffic from app servers to the Roaming Client over whatever transport media may be present, including GPRS and CDPD (Cellular Digital Packet Data). The gateway, which typically sits between the enterprise network and either the Internet or a DMZ (demilitarized zone), has a built-in stateful firewall. The server automatically generates the firewall rules during the process of creating the gateway.

I was up and running fairly quickly on the Roaming Gateway. The gateway provides a portal or a walled garden for users not using the client software. The walled garden restricts WLAN guests to specific Web sites and can limit other protocols via the firewall.

After the Roaming Gateway is installed, the Roaming Server sends an e-mail to each user with information on how to log on and download the Roaming Client. This client software installation method is not ideal for an enterprise deployment. The vendor did provide me with a command-line workaround.

The Roaming Client is unobtrusive and virtually transparent to the end-user. It manages both the security and type of media connection to the corporate infrastructure. When on the corporate LAN, the client connects via an unencrypted connection. When on insecure media, such as a public hot spot, the client encrypts the connection and maintains a solid roaming connection back to the corporate landscape.

There is no way to create reports of any kind regarding clients except via RADIUS accounting, nor is there a way to gather client statistics via the Web-based interface. The RADIUS server can provide client information on session time and byte/packet counts. However, the Roaming Server does provide detailed logs of server statistics.

This version of ipUnplugged is quite attractive for providing a solid, secure mobility solution wherever clients may roam, at a decent price. However, some client deployment issues and limited authentication methods detract from an otherwise solid product.

NetMotion Mobility

NetMotion Mobility creates an encrypted tunnel between the NetMotion software client and the NetMotion network infrastructure. Interestingly, the secure client is invulnerable to almost all wireless security attacks, and the client is seen by corporate app servers as being a constantly connected LAN device, supporting seamless subnet roaming and application persistence.

I tested roaming and persistence with several different applications, and the software worked quite well at maintaining session communication. A very small percentage of application failures occurred during protocol transitions from Wi-Fi to LAN to GPRS. NetMotion also has best-bandwidth routing, in which the client automatically chooses the media type with the highest-bandwidth connection.

This always-on connectivity is accomplished with two components: a NetMotion Mobility Server (managed via console or Web interface), which acts as a proxy for the wireless client, and the Mobility Client software.

I installed the Mobility server software on a Windows Server and was up on the server management interface in short order. I would have liked the ability to test to ensure proper RADIUS authentication for the Mobility clients.

The server itself doesn’t store a local user access list, relying instead on being transparent to the network and using Active Directory, RADIUS, Kerberos, Windows 2000/NT Domain, or other PKI to provide the user and group authentication components. I would have liked to have a separate wireless access list maintained on the Mobility server but went with using my existing RADIUS authentication infrastructure to manage users and groups.

Organizations deploying NetMotion for use across the Internet will want to harden the Windows server. Unfortunately, NetMotion offers no tools or documentation to help in doing so.

NetMotion Mobility requires that DHCP is enabled on the deployed network to properly support roaming for the clients. Once a DHCP address is used for the Mobility server, the server dishes out a virtual DHCP address to the clients. The DHCP pool can easily be configured from the Mobility management interface.

Mobility server’s management interface is too fragmented. One management interface handles all primary server functions, including authentication, server fail-over, NAT, and encryption. Unfortunately, there’s a second application for monitoring client activity, and another Web interface where policies and rules are managed, along with remote monitoring. A single Web administration console is slated for a future release.

Deploying clients is fairly straightforward, but NetMotion relies on an organization using SMS or another deployment method for getting the client software on each piece of client hardware. There are also two potential pitfalls. First, clients can, by default, choose to bypass the Mobility client software completely, leaving the mobile device insecure and unconnected to a Mobility server. Further, you can’t hide the Mobility client agent from an end-user.

The variety of client-tunnel-encryption methods supported by the Mobility server is impressive, including DES, Twofish, and 128-bit AES (Advanced Encryption Standard).

New to Version 5 of the Mobility server is policy-based management, which is accessed via a Web-based front end and is fairly straightforward. I was able to manage client properties such as filtering certain Web sites and blocking high-bandwidth applications.

NetMotion doesn’t create reports on use or deployment of its client software, but a plethora of statistics is available in real time from the Mobility Status Monitor.

I was impressed with how each product fared. Making a choice will depend on your deployment strategy and how much you want to spend. Subnet roaming and application persistence are easier and work better with just one NetMotion server installation, but the less-expensive ipUnplugged works just as well as NetMotion when it comes to seamlessly moving outside the confines of the enterprise to VPN over different wireless technologies.

InfoWorld Scorecard

Criterion (weight) | ipUnplugged Roaming Gateway, R3.4.3 | NetMotion Mobility v5.01
Value (10.0%) | 8.0 | 6.0
Setup (10.0%) | 8.0 | 8.0
Manageability (15.0%) | 5.0 | 5.0
Scalability (15.0%) | 7.0 | 6.0
Security (25.0%) | 9.0 | 8.0
Roaming (25.0%) | 9.0 | 9.0
Overall Score (100%) | 7.9 | 7.3