
Thread: SSL VPN performance vs. SecureClient




SSL VPN performance vs. SecureClient
United States
2007-10-24 12:34:32
We've recently replaced our 2 Nokia IP330's with UTM-1 2050's.  We
used to provide remote access to our salespeople via SecureClient
(they're mostly Mac).  The circuit to our main office is only a T1
but performance was always quite acceptable mainly because they're
running Citrix connections exclusively.

I would occasionally do file transfers using a VPN connection to the
IP330s employing SecureClient and noted that the throughput was
pretty exceptional.  We've now migrated to SSL VPN using SSL Network
Extender.  I've noted that the throughput is not nearly what it was.
I used to achieve 300k/sec using SecureClient and am now lucky if I
hit 100k/sec.

Has anyone noted this degradation and, if so, have you been able to
overcome it through configuration?  Maybe this is just that SSL VPNs
carry more network overhead with them?

Any help would be appreciated.

Thanks in advance,
Cory

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Re: SSL VPN performance vs. SecureClient
Netherlands
2007-10-24 13:03:43

Cory Rau wrote:
> We've recently replaced our 2 Nokia IP330's with UTM-1 2050's.  We used
> to provide remote access to our salespeople via SecureClient (they're
> mostly Mac).  The circuit to our main office is only a T1 but
> performance was always quite acceptable mainly because they're running
> Citrix connections exclusively.
>
> I would occasionally do file transfers using a VPN connection to the
> IP330s employing SecureClient and noted that the throughput was pretty
> exceptional.  We've now migrated to SSL VPN using SSL Network Extender.
> I've noted that the throughput is not nearly what it was.  I used to
> achieve 300k/sec using SecureClient and am now lucky if I hit 100k/sec.
>
> Has anyone noted this degradation and, if so, have you been able to
> overcome it through configuration?  Maybe this is just that SSL VPNs
> carry more network overhead with them?

Given the choice between SSL VPN and IPSEC VPN I will choose IPSEC 8
days of the week.

I must admit I have not done extensive research on performance differences.
But if SecureClient worked before, why would you drop it?

Hugo.

- --
hvdkooijvanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.



Re: SSL VPN performance vs. SecureClient
United States
2007-10-24 13:30:56
On Oct 24, 2007, at 2:03 PM, Hugo van der Kooij wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Cory Rau wrote:
>> We've recently replaced our 2 Nokia IP330's with UTM-1 2050's.  We used
>> to provide remote access to our salespeople via SecureClient (they're
>> mostly Mac).  The circuit to our main office is only a T1 but
>> performance was always quite acceptable mainly because they're running
>> Citrix connections exclusively.
>>
>> I would occasionally do file transfers using a VPN connection to the
>> IP330s employing SecureClient and noted that the throughput was pretty
>> exceptional.  We've now migrated to SSL VPN using SSL Network Extender.
>> I've noted that the throughput is not nearly what it was.  I used to
>> achieve 300k/sec using SecureClient and am now lucky if I hit 100k/sec.
>>
>> Has anyone noted this degradation and, if so, have you been able to
>> overcome it through configuration?  Maybe this is just that SSL VPNs
>> carry more network overhead with them?
>
> Given the choice between SSL VPN and IPSEC VPN I will choose IPSEC 8
> days of the week.
>
> I must admit I have not done extensive research on performance differences.
> But if SecureClient worked before, why would you drop it?
>
>

A few reasons:

1. Check Point has had many crippling issues with Mac clients in
recent years.  Seems that when something in the Mac OS changes which
causes SecureClient not to work (which has happened twice since we
began using it), Check Point takes forever to come out with a fix.
This puts us in a precarious situation...because these changes to the
Mac OS have not involved major upgrades but incremental, free ones
that the users generally install themselves.

2. We are a Check Point reseller.  During a lunch with a couple of
Check Point reps, I asked about when Check Point was going to fix
their most recent issue with the SecureClient.  He basically told me that
development for SecureClient for OS X had almost completely stopped
and that I should migrate to SSL VPN because that was the direction
most companies were going in and that's where Check Point was
focusing most of their development.

3. Not having to worry about which version of SecureClient is
installed on the client and not having to install anything to add new
users remotely is a nice feature.

Cory


Re: SSL VPN performance vs. SecureClient
2007-10-24 14:10:47
On 10/24/07, Hugo van der Kooij <hvdkooijvanderkooij.org> wrote:
>
>
> Given the choice between SSL VPN and IPSEC VPN I will choose IPSEC 8
> days of the week.
>
>
> Hugo.


Why?
I only see benefits when using SSL VPN's instead of IPSEC VPN's, as
discussed over and over:
- (depending on the usage) no additional software to install
- less connection problems (NAT-T, firewalls blocking access)

Br.
Robby


Re: SSL VPN performance vs. SecureClient
Romania
2007-10-24 14:23:45
Robby Cauwerts wrote:
> On 10/24/07, Hugo van der Kooij <hvdkooijvanderkooij.org> wrote:
>>
>> Given the choice between SSL VPN and IPSEC VPN I will choose IPSEC 8
>> days of the week.
>>
>>
>> Hugo.
>
>
> Why?
> I only see benefits when using SSL VPN's instead of IPSEC VPN's, as
> discussed over and over:
> - (depending on the usage) no additional software to install
> - less connection problems (NAT-T, firewalls blocking access)

SSL network extender also costs money.


Re: SSL VPN performance vs. SecureClient
2007-10-24 16:02:33
On 10/24/07, sin <sinimacandi.net> wrote:
>
> Robby Cauwerts wrote:
> > On 10/24/07, Hugo van der Kooij <hvdkooijvanderkooij.org> wrote:
> >>
> >> Given the choice between SSL VPN and IPSEC VPN I will choose IPSEC 8
> >> days of the week.
> >>
> >>
> >> Hugo.
> >
> >
> > Why?
> > I only see benefits when using SSL VPN's instead of IPSEC VPN's, as
> > discussed over and over:
> > - (depending on the usage) no additional software to install
> > - less connection problems (NAT-T, firewalls blocking access)
>
> SSL network extender also costs money.


Well ok, besides the cost of licenses or an additional box.
I was looking for technical arguments.

