Celestix Networks - We Secure Microsoft Networks

Celestix WSA 3200 Series Unified Access Gateway

The Comprehensive Solution for Secure Remote Access

Celestix WSA 3200 Series

WSA 3200 Unified Access Gateway Appliance WSA-12111-010
Our Price: $5,995.00

Celestix WSA Unified Access Gateway Series (WSA):

Overview:

Remote users often need to access network applications from private and public endpoints and through intermediate networks. Unsecured remote access threatens enterprises with the unauthorized disclosure of sensitive information left on endpoints and intermediate servers as well as with malicious attacks against the network and its applications from infected endpoint connections.

WSA™ SSL VPN appliances from Celestix™ with Microsoft® Forefront™ Unified Access Gateway 2010 (UAG) deliver secure, anywhere-access to messaging, collaboration, and other resources with granular control and world-class ease of deployment and management.

Control Access

Forefront UAG acts as a consolidated gateway from a diverse range of endpoints and locations to provide access through a single portal or multiple portals for different classes of users. Remote users—employees, partners, and customers—can access Web and non-Web applications and gain full VPN access to corporate networks including internal file shares and client/server applications. Strong, reliable authentication of all users keeps hackers out and speeds access for authorized users. Reliable authentication enables fine-grained control of access to network resources.

Comprehensive Secure Access

The WSA appliance provides SSL VPN, DirectAccess (always-on VPN), Application Optimizers, a Web application firewall, and endpoint security management that enable access control, authorization and content inspection for a wide variety of applications. These technologies provide mobile and remote workers with easy and flexible secure access from a broad range of devices and locations including kiosks, PCs, and mobile devices.

Enhance Compliance

Ensure that remote users comply with corporate security policies including endpoint configuration, user access, and accounting. Enforce compliance of different access policies for different user groups including classes of employees, business partners, and guests.

Protect Assets with Application Optimizers

WSA appliances host multiple intelligent Application Optimizers. Application Optimizers are integrated software modules that Microsoft designed to allow intelligent publishing of widely used business applications. This means you can choose to expose all or only selected areas of an application to all or subsets of users at your discretion. Application specific wipers check all interactions with the application for a wide range of threats and exploits. Application Optimizers amply support Microsoft client/server applications including Exchange Server, SharePoint Portal Server and Internet Information Server. Application Optimizers also support many third-party applications such as Citrix, SAP, IBM Domino, WebSphere and Lotus Notes.

WSA Diagram

Connectivity

WSA has four connectivity modes to provide the exact access your users and security standards require.

Web Applications
You can publish applications that provide a web user interface directly through WSA. The gateway can present a single application site, or offer a portal that lets users select multiple applications from a menu. The gateway offers the benefit of single sign-on and intelligent scanning of traffic to exclude malware. Secure Sockets Layer cryptography protects all applications.

Client/Server
Client/Server applications operate transparently through the UAG gateway with the added protection of an SSL VPN connection to prevent exposure of confidential information to the Internet. The UAG gateway maps internal addresses and ports so that no information about the internal network can leak out. UAG also provides intelligent application optimizers that scan for application-specific attacks. Strong authentication, single sign-on and fine-grained access policies ensure that only authorized users are allowed controlled access. You can set access control based on endpoint type and location as well as by user type. For example, a policy may dictate different access rights from a corporate PC than from a smart phone or public kiosk. Session cleanup with cache purging ensures that no confidential information will remain on a public computer after the authorized user logs off.

DirectAccess
Progressive businesses that want to provide their remote users with “always on” access should consider DirectAccess. The Windows® 7 and Windows Server® 2008 R2 operating systems include DirectAccess, which allows remote users to securely access enterprise shares, Web sites, and applications without connecting to a virtual private network (VPN). DirectAccess treats all endpoints as if they are on your internal network. The benefit is that Active Directory group policies, security updates and patch management can all be enforced directly on the connected client. DirectAccess support is built into Celestix WSA appliances and can bridge the transition between traditional SSL VPN remote access and fully DirectAccess-enabled networks. The WSA enhances DirectAccess by extending support to older legacy business applications and non-Windows clients within your network.

Network Connector
Some users and applications require unencumbered access. Network Connector provides network-level connections to the entire internal network or to a restricted subnet defined by the access policy. Network Connector supports all Microsoft resource sharing protocols such as CIFS, NetBIOS, and LDAP.

An SSL VPN without Vulnerabilities
Many SSL VPN implementations tunnel past the corporate firewall and expose the internal network to external threats. WSA incorporates Microsoft Forefront Unified Access Gateway 2010 and Microsoft Forefront Threat Management Gateway 2010 into a single integrated security appliance. By combining SSL VPN and firewall functions, the WSA appliance ensures that the VPN cannot be a backdoor past the firewall and into the enterprise network. All SSL VPN sessions must also pass all firewall rules.

A single WSA appliance can present multiple gateways to the external world. You can implement logically separate gateways for E-mail, partner extranets, and any number of other functions in a single WSA appliance. WSA provides the most cost effective implementation in terms of the number of appliances required and in ease of management since you can manage multiple gateways from a single console. You can also configure a single WSA appliance to present a portal with multiple applications to the user. You can configure WSA gateways to meet your enterprise’s specific secure access needs.

Securing the Perimeter
UAG, with Intelligent Application Optimizers, provides network separation and full control of inbound and outbound content. The integrated WSA appliance provides the most advanced edge security protection to address a broad range of Internet threats. Combining stateful packet filtering, circuit filtering, application-layer filtering, Web proxy, and endpoint security into a single appliance affords the administrator the broadest range of options to enable policy-compliant access to applications and network resources.

Control Access

Secure, web-based access to business critical applications and data:
  • Differentiated and policy-driven access to network, server, and data resources. 
  • Flexible application-intelligent SSL VPN from any device or location.
  • Highly granular access and security policy enforced at the session, application, and function levels.
  • Comprehensive basic and form-based authentication through Active Directory®, RADIUS, LDAP, and SecurID®.
  • Customizable, identity-based web portal with single-sign-on (SSO).
  • Handles embedded browser applications.
  • Connectivity and control for client/server and legacy applications.
  • Management features for DirectAccess VPN. 

Protect Assets

Integrated application protection helps ensure the integrity and safety of network and application infrastructure by blocking malicious traffic and attacks:
  • Application-layer firewall blocks non-conformant requests, such as buffer overflow or SQL injection, on application protocols.
  • Comprehensive protocol validation and deep content inspection with both positive and negative logic rulesets.
  • URL cloaking and full functionality for remote users through dynamic URL rewrite and HTTP parameter filtering.
  • Application Optimizers provide out-of-the-box protection for high value applications such as SharePoint® Server, Microsoft® Outlook® Web Access, SAP®, and WebSphere®.
  • Comprehensive monitoring and reporting; integrates with third-party risk and policy management platforms.
  • Extensible infrastructure and tools for custom application publishing and scripting.

Safeguard Information

Comprehensive policy enforcement helps drive compliance with legal and business guidelines that require information usage criteria to limit exposure and liability when accessing sensitive corporate data:
  • Ensures network integrity by restricting client access based on endpoint security profile.
  • Strong endpoint security management and verification helps ensure endpoint health compliance and session control.
  • Enforces policy controls over actions within an application.
  • Cache-cleanup tailored to specific applications removes downloaded files and pages, URLs, custom caches, cookies, history, and user credentials.
  • Detects endpoint security state.

Features & Benefits:

Scalability
Users: Supports a vast number of users on a single gateway.
High Availability: Scales linearly with up to 8 appliances (using NLB) and up to 50 appliances (using an external load balancer, such as the Celestix CLB).
Manageability
Flexibility: Delivers out-of-the-box configurations for widely deployed enterprise applications and customization capabilities including: authentication, authorization and endpoint compliance profiles, and context-sensitive Web portals. Supports positive logic rule sets and URL filter customization. Has the ability to develop rule sets for customized or proprietary applications.
SSL VPN Portal: Enables a convenient single access point for applications, yet supports multiple access points with distinct policy parameters such as partner extranets and employee portals on a single gateway.
Logging and reporting: Supports monitoring, logging and reporting for enterprise-level management and accounting (system, user security, and session views):
  • Event Monitor provides comprehensive event monitoring by user, application, and time period
  • Integrated Event Logger records system usage and user activities and sends alerts about security events to an administration console.
  • Integrated Event Query tool with preconfigured query templates and full reporting capabilities.
Comprehensive policy framework
  • Out-of-the-box application access settings and endpoint policy configurations designed to ensure minimal integration overhead and low ongoing management costs.
  • Supports Intelligent Application Toolkit for defining positive logic rule sets, URL filters to supplement Optimizer settings and to develop policies for customized or proprietary applications.
  • Supports Intelligent Application Template that provides a framework to build an Application Optimizer for both generic Web applications and complex enterprise applications incorporating components, web parts and objects.
Access Policy
Endpoint compliance checks: Endpoint policy allows administrators to define compliance checks according to out-of-the-box variables including presence of security software and UAG-specific components such as Attachment Wiper. Supports complex endpoint policy rules with customizable compliance checks using Boolean operations.
End user experience
  • Delivers a standard SSL VPN portal and login pages to enable easy set up and low administrative overhead.
  • Supports comprehensive portal and login page customization to replicate existing intranet. Does not require conformance to a vendor portal template.
Included Application Optimizers: Microsoft SharePoint Portal Server, Microsoft Exchange Server, Microsoft Dynamics, and more.

 

DirectAccess:

Celestix WSA Unified Access Gateway delivers comprehensive, secure remote access to corporate resources for employees, partners, and vendors from a diverse range of endpoints and locations, including managed and unmanaged PCs and mobile devices. Building on the secure remote access capabilities in Microsoft Intelligent Application Gateway 2007, Celestix WSA UAG draws on a combination of connectivity options, ranging from SSL VPN to Windows® DirectAccess, as well as built-in configurations and policies. These enable Celestix WSA to provide centralized and easy management and thereby reduce management costs. In addition, Celestix WSA integrates a deep understanding of the applications published, the state of health of the devices being used to gain access, and the user’s identity to enforce granular access controls and policies.

Seamless and secure remote connectivity with DirectAccess

With DirectAccess in Windows 7 and Windows Server® 2008 R2, mobile workers can seamlessly and securely access the entire corporate network—file shares, intranet, and line-of-business applications—wherever they have an Internet connection. Celestix UAG works with DirectAccess to:

  • Extend these benefits to legacy applications and resources, and support down-level and non-Windows clients through integrated SSL VPN capabilities and other connectivity options.
  • Limit exposure associated with connecting unmanaged, down-level, and non-Windows clients through granular access controls and policies.
  • Protect the DirectAccess gateway with a hardened edge solution and built-in firewall.
  • Simplify deployment using built-in wizards and tools.
  • Support scalability and ongoing administration through built-in array management and integrated load balancing.

Secure Connectivity for Microsoft BPOS:

Many enterprises are turning to cloud-based business applications to trim the high cost of hosting applications in house. Business Productivity Online Suite (BPOS) is Microsoft’s hosted (cloud) solution for communication and collaboration. BPOS includes Exchange Online, SharePoint Online, Office, Live Meeting, and Microsoft Office Communications Online. Protecting access to BPOS hosted applications and data presents some new challenges to network security professionals.

Celestix WSA™ appliances with Microsoft UAG SSL VPN software and Celestix software customizations are the new, powerful solution for protecting access to BPOS. WSA appliances are the first and only solutions that deliver BPOS to users through Microsoft’s UAG SSL VPN. WSA appliances also offer a suite of unique features engineered by Celestix that enhance the security and performance of BPOS deployments as well as enable the integration of BPOS/UAG with existing network infrastructure.

BPOS Diagram

Microsoft UAG Secure Access

UAG’s browser-based SSL VPN provides users with secure access to applications regardless of their location. UAG controls access from any endpoint at any location such as kiosks, PCs, and mobile devices. UAG is more than a simple SSL VPN. UAG delivers:

  • Policy-Based Access
  • Application Intelligence
  • High Flexibility for Configuration
  • Network Separation
  • Endpoint Security and Health Compliance
  • Application control that BPOS lacks

Proprietary Celestix Software Integration for BPOS

The Only UAG and BPOS Integration
Celestix’ WSA appliances are the first and only working integration of BPOS with Microsoft Unified Access Gateway (UAG).

Extend Active Directory Policies to BPOS
WSA appliances can extend Active Directory group policies to BPOS applications. BPOS by itself has no direct connection to corporate Active Directory or corporate authentication standards. WSA lets enterprises leverage the authentication scheme they normally use with BPOS. For example, if an enterprise uses LDAP (OpenLDAP) authentication, the WSA appliance software will provide the translation and mapping to BPOS.

Custom Deployment Modes
WSA appliances let you deploy secure access to BPOS three ways:

  1. Securely connect users to BPOS via the corporate LAN.
  2. Use the WSA appliance to authenticate remote users who connect directly to Microsoft’s BPOS server via the Internet. This mode saves network bandwidth.
  3. Use your WSA appliance to restrict user access to BPOS only through the corporate LAN for added security.

Protection Against Data Loggers
Celestix’ Virtual Keyboard feature on WSA protects BPOS users from keyboard loggers and other data loggers. Users click the on-screen keyboard to enter their passwords.

Single Sign On (SSO) and Authentication
BPOS does not natively share SSO capability with enterprise-hosted applications. WSA appliance software lets BPOS share SSO functionality with enterprise applications.

BPOS uses a client SSO application to provide SSO among BPOS applications. BPOS’ client app has two problems:

  • The SSO client only runs on Windows XP and Windows 7 devices
  • Because the BPOS SSO runs on the client, you should not install the client on non-enterprise devices due to security concerns with certificates and SSO data. In contrast, WSA’s SSO feature runs in the appliance. This raises no certificate and SSO data issues on a client computer.

WSA appliances extend UAG’s single and multi-factor authentication methods. WSA appliances also deploy Kerberos Delegation support for authentication and application single sign on.

Celestix Adds Two-Factor Authentication
BPOS does not support 2FA. WSA appliances support Celestix’ HOTPin tokenless 2FA system as well as RSA, Vasco, Smartcards, and other 2FA systems.

Celestix’ CAPTCHA
WSA’s CAPTCHA authentication feature protects against automated bot attacks. If authentication attempts fail in succession, new CAPTCHA challenges appear before continuing. This ensures users are people, not scripts or “hack machines.”

Celestix Appliance Advantages

WSA appliances are purpose-built security appliance solutions. Celestix builds appliance hardware with high-speed components and architecture throughout to maximize the performance of UAG. Celestix forgoes the use of unnecessary components to harden the solution and keep costs low.

Celestix Comet™ appliance engine provides network administrators with ease-of-use features that save labor and costs at every phase of the deployment.

The Jog Dial and front panel display permit headless communication with the network. For installation, you rack the unit, connect it to the network, power it up, and adjust network settings with the Jog Dial to have your security solution for BPOS live in fifteen minutes.

The WSA’s Web UI lets you remotely configure and manage the appliance and software through a single interface.

WSA appliances have on-box backup of configurations that let you return to the Last Good Version for easy recovery. Or, use the feature for one-button reset to factory presets if desired.

Celestix’ software update system delivers prescreened software updates, patches and alerts for all of your appliance’s software through a single convenient UI.

The Right Security for BPOS

WSA appliances are the only solutions now available for secure access to BPOS through UAG. With Celestix’ added security and appliance features, you can be sure that WSA will be the leading solution for BPOS protection far into the future.

Specifications:

Technical Specifications
Hardware: WSA 3200 Series | WSA 4200 Series | WSA 6200 Series | WSA 8200 Series
Type of Business: Designed for Small to mid-sized enterprises | Designed for mid-sized to large enterprises | Designed for large and multinational enterprises | Designed for large and multinational enterprises
Recommended Users: 500 concurrent users | 500 to 1,000 concurrent users | 1,000 to 2,000 concurrent users | up to 15,000 concurrent users
CPU: Intel Core 2 Duo | Intel Core 2 Duo | Quad Core Intel Xeon | 2 x Quad Core Intel Xeon Nehalem
Memory: 4 GB | 4 GB | 8 GB | 12 GB
L2 Cache: 3 MB | 6 MB | 6 MB | 2x3 MB
Front Side Bus: 1066 MHz | 1333 MHz | 1333 MHz | Quick Path
Hard Drive: SATA-II 300 GB Available Storage (1 x 320 GB Hard Drive) | SATA-II 100 GB Available Storage (2 x 160 GB Hard Drive) | SATA-II 300 GB Available Storage (2 x 320 GB Hard Drive) | SATA-II 300 GB Available Storage (4 x 160 GB Hard Drive)
Disk Mirror RAID: - | RAID 1 | RAID 1 | RAID 5EE
Gigabit Ethernet Ports: 6; 8 (with 10 GbE ports option)
Power: AC Power Voltage 100-240VAC, 50-60Hz with power switch and temperature-controlled fan; Redundant hot swappable 300W power supplies with PFC (RoHS compliant); Redundant hot swappable 550W power supplies with PFC (RoHS compliant)
Dimensions: 1.75" x 1.75" x 12.25"; 3.5" x 17.5" x 17.5"; 3.5" x 17.5" x 22.5"
Panel Display
  • Front Panel Jog Dial (Power Button)
  • 40 x 2 Character LCD Display
  • Power LED, HD Activity, Alert LED
  • VGA Console
Safety & Emissions Certifications
  • Safety: ENC 55022:1998 + A1:2000 + A2:2003 Class B, EN61000-3-2:2000 + A1:2001 + A2:2005, EN61000-3-3:1995 + A1:2001 + A2:2005, IEC 61000-4-2:1995 +A1:1998 + A2:2001, IEC 61000-4-3:1995 +A1:1998 + A2:2002, IEC 61000-4-4:1995 +A1:2001 + A2:2001, IEC 61000-4-5:1995 +A1:2001, IEC 61000-4-6:2004, IEC 61000-4-8:2001, IEC 61000-4-11:2004
  • Emissions: FCC Class B, CE, CB, C-Tick and RoHS.

 

Options & Upgrades:

Celestix WSA Upgrade Program

Introduction - By participating in the Celestix Upgrade Program, you ensure your network is protected by the very latest in security, reliability, and performance available without hurting your bottom line. The Celestix Upgrade program is available to current Celestix customers with earlier generation products wishing to upgrade to our latest line of unified access solutions.

Details - A Celestix customer is able to upgrade an earlier generation Celestix appliance to eligible new Celestix solutions at 25% off the standard purchase price. To activate Upgrade products, one must simply retire the eligible earlier generation Celestix appliance already on their account with 8x5 or 24x7 support contract. Not all devices are eligible for all Upgrade appliances. Specific eligibility details are outlined in the “Eligibility Chart”.

How to Purchase Celestix Upgrade Products - If you have an eligible product you would like to upgrade, simply purchase the Upgrade part number that corresponds to the desired available Upgrade product. Celestix products with unique Trade Up part numbers are available through this website. The discount is built into the price so you see the savings instantly.

Activating Upgrade Products - During activation of the Upgrade product you will be required to identify an eligible product on your account to be replaced. The specific device must be active in order to complete the activation of the Upgrade product. (To verify that the device you wish to replace is active, please contact your local reseller or Celestix at upgrade@celestix.com.) Once the eligible device has been identified, it will be retired and the new box will become active.

  • Retired product will be removed from the customer’s Support contract account
  • Retired product will not be eligible for upgrades, support, or software updates

Further Action Required - To complete the process, a certificate of retirement (CORE) must be completed and returned to Celestix within sixty (60) days of activation. The CORE can be returned via an email to upgrade@celestix.com. The CORE will certify that the retired device used in the upgrade has been destroyed and properly disposed of in accordance with local environmental standards. Celestix reserves the right to deactivate the new Upgrade product at any time if the Upgrade product is determined to have been activated in violation of any of the Upgrade Program’s Terms and Conditions.

Eligibility Chart:

Celestix Upgrade Eligibility Chart

Upgrade Matrix legend

Terms and Conditions:

  1. Celestix Networks reserves the right to deactivate an Upgrade product at any time if found to be in violation of program guidelines.
  2. Distributors or resellers found to be abusing the Celestix Upgrade Program may face penalties from Celestix, which may include but are not limited to: termination of partnership status, loss of specific partnership benefits as deemed appropriate by Celestix, and/or exemption from participating in any or all Celestix promotions and/or programs that benefit partners and/or end users.
  3. Celestix reserves the right to change or cancel any aspect of this program at any time.
  4. Upgrade offer valid for Celestix WSA Series products only.
  5. For certain products Upgrade is restricted, review “Eligibility Chart” for qualifications.
  6. In order to be eligible for the Upgrade Program, the device being upgraded must be activated in the same Support contract account that the new Upgrade product will be activated in.
  7. Device being upgraded must not have been previously retired or otherwise deactivated prior to activation of new Upgrade product.

Client Access Licenses (CAL) - WSA customers must have UAG Client Access Licenses for each user using the gateway. IAG CALs cannot be applied to UAG systems; therefore, new CALs must be purchased. CALs can be purchased from Celestix, from a Microsoft channel partner, or directly from Microsoft.

Documentation:

PDF File
Celestix WSA Series Data Sheet (.PDF)
