2. Contents
AXsGUARD Gatekeeper at a glance _______________________________________________________________________ 2
Overview ___________________________________________________________________________________________
1 software bundle – 5 hardware platforms __________________________________________________________________
1 hardware platform – 4 software bundles __________________________________________________________________
Additional user licenses _______________________________________________________________________________
Recommended users _________________________________________________________________________________
3
3
3
3
3
Software bundles _____________________________________________________________________________________
aXsGUARD Gatekeeper basic ras ________________________________________________________________________
aXsGUARD Gatekeeper standard ras ______________________________________________________________________
aXsGUARD Gatekeeper enterprise ras _____________________________________________________________________
aXsGUARD Gatekeeper enterprise backup ras _______________________________________________________________
aXsGUARD Gatekeeper internet redundancy bundle ___________________________________________________________
4
5
5
6
6
7
Content scanning _____________________________________________________________________________________
Content scanning: mail _______________________________________________________________________________
Content scanning: web _______________________________________________________________________________
Reporting & statistics _________________________________________________________________________________
8
8
9
9
Authentication ______________________________________________________________________________________ 10
Hardware __________________________________________________________________________________________ 11
Hardware platforms _________________________________________________________________________________ 11
Hardware maintenance ______________________________________________________________________________ 11
Personal aXsGUARD __________________________________________________________________________________ 12
Secure and wireless connection to the corporate network ______________________________________________________ 12
Easy configuration and setup __________________________________________________________________________ 12
5 solutions with aXsGUARD Gatekeeper ___________________________________________________________________
Solution 1: secure government infrastructure with limited resources _______________________________________________
Solution 2: aXsGUARD enables services for Value Added Resellers ________________________________________________
Solution 3: aXsGUARD Gatekeeper as an outstanding all-in-one security solution ______________________________________
Solution 4: business automation for secure remote assistance ___________________________________________________
Solution 5: guarenteed business continuity for SMEs __________________________________________________________
13
13
14
14
15
15
Technical specifications _______________________________________________________________________________ 16
Hardware specifications ______________________________________________________________________________ 16
Specifications personal aXsGUARD ______________________________________________________________________ 17
Software specifications _______________________________________________________________________________
Administration ____________________________________________________________________________________
Network _________________________________________________________________________________________
Monitoring and logging ______________________________________________________________________________
Authentication _____________________________________________________________________________________
Firewall _________________________________________________________________________________________
IPS and iDS ______________________________________________________________________________________
VPN server _______________________________________________________________________________________
Multiple internet gateways ____________________________________________________________________________
Bandwidth management _____________________________________________________________________________
Public dns _______________________________________________________________________________________
Application firewall _________________________________________________________________________________
Ssl-vpn webportal __________________________________________________________________________________
High availability ____________________________________________________________________________________
Content scanning: web traffic __________________________________________________________________________
Content scanning: mail traffic __________________________________________________________________________
Statistics ________________________________________________________________________________________
1
aXsGUARD Gatekeeper
18
18
18
19
19
19
19
20
20
20
20
21
21
21
22
22
22
3. aXsGUARD Gatekeeper at a glance
A full-blown solution
for remote access
aXsGUARD Gatekeeper is part of VASCO’s remote access product line and offers a complete solution for secure network connectivity.
aXsGUARD Gatekeeper is a security appliance dedicated to the needs of the SME market. The solution is designed for administrators who
want an all-in-one solution for Internet connectivity and security. 24 functional features are bundled together into four software packages with
additional content scanning licenses. Each software bundle can run on one of the five available hardware models allowing organizations of any
size to choose the most suitable combination of performance and features. aXsGUARD Gatekeeper works transparently with any other solution
allowing organizations to activate only those features they really need. Additionally, aXsGUARD fits perfectly into any network environment,
whether it’s a Microsoft, Linux, Mac or mixed environment.
MONITORING & REPORTING
NETWORK PROTOCOLS
SOHO
Bandwith
Management
with QoS
Road Warrior
Remote Office
Internet
Redundancy
F
I
R
E
W
A
L
L
I
N
T
E
R
N
E
T
VPN/RAS SERVER
S
T
R
O
N
G
S
P
I
C
T
I
D
S
A
N
D
I
P
S
U
S
E
R
A
U
T
H
E
N
T
I
C
A
T
I
O
N
SSL VPN WEB
PORTAL
APPLICATION FIREWALL
HTTP/HTTPS/FTP
DIRECTORY
SERVICE
INTEGRATION
WEBMAIL SERVER
PUBLIC DNS
SMTP RELAY
CONTENT SCANNING
MALWARE
PROTECTION
PROXY SERVER
CONTENT SCANNING
MALWARE
PROTECTION
PKI CA
RADIUS SERVER
MAIL SERVER
S
T
A
T
I
S
T
I
C
S
S
T
R
O
N
G
U
S
E
R
A
U
T
H
E
N
T
I
C
A
T
I
O
N
S
P
I
C
T
F
I
R
E
W
A
L
L
S
E
C
U
R
E
Secure LAN
L
A
N
DMZ FIREWALL
COMMUNICATION
REMOTE ACCESS
SECURITY
AUTHENTICATION
AUDITING
DMZ ZONE
aXsGUARD Gatekeeper
2
4. Overview
aXsGUARD Gatekeeper
grows with your company
1 software bundle - 5 hardware platforms
ADDITIONAL user licenses
Each aXsGUARD Gatekeeper software bundle is available on
any hardware platform. The different hardware platforms only
differ in performance and in the number of network connections
available. Each appliance has the same functional features and
user interface which makes administration of multiple devices a lot
easier. The web-based GUI ensures intuitive administrator use for
all aXsGUARD appliances, from large installations on multiple sites
to a single appliance on a remote location.
To offer complete protection for your network, aXsGUARD Gatekeeper
comes with separate content scanning and authentication licenses.
Content scanning exists in a basic and a standard version with
yearly renewable licenses.
The authentication feature can complement the Gatekeeper
appliance by simply adding the VACMAN plugin and DIGIPASS
authentication devices.
1 hardware platform - 4 software bundles
Recommended users
The four Remote Access Solution software bundles can operate on
each available aXsGUARD Gatekeeper hardware platform. Should
you require additional features, you simply can upgrade to another
software bundle, even without switching the hardware appliance.
An automated updating and licensing system will remotely push
the new features to the appliance, avoiding lengthy upgrade or
installation procedures as your current configuration will continue
to run as before.
Each combination of hardware and software has a recommended
number of users. The number of users is an indication of best
performance and hardware maintenance for the appliance and
surmises that all available features – including the content scanning
option – have been activated. There is no user limit, however,
when the number of users exceeds recommendations, system
performance may be influenced. As expected, the number of users
can be increased when fewer options have been selected.
Overview recommended users including Standard content scanning
AG2504
AG3443
AG3604
AG5506
AG7500
BASIC RAS
25
50
250
1000
2000
STANDARD RAS
10
25
100
500
1500
ENTERPRISE RAS
10
25
100
500
1500
Basic Content Scanning
√
√
√
√
√
Standard Content Scanning
√
√
√
√
√
DIGIPASS
√
√
√
√
√
Optional licenses
3
aXsGUARD Gatekeeper
5. Software bundles
All the security you
need bundled together
Software bundles
aXsGUARD Gatekeeper has four different software bundles to choose from, allowing you to select the most suitable solution to address your
remote access challenges. Each bundle adds additional functionalities on top of the previous bundle, turning aXsGUARD Gatekeeper in a future
proof solution that grows with your business needs. Depending on your requirements with regards to network connectivity, you can select
the appropriate bundle.
High Availability
aXsGUARD Gatekeeper
ENTERPRISE BACKUP
ENTERPRISE
Reverse proxy
SSL VPN Web portal
STANDARD
Bandwith Management
Multiple Internet Connections
Public DNS
BASIC
Gatekeeper Core OS including authentication
Firewall with IPS
VPN Server
4
6. Software bundles
aXsGUARD Gatekeeper BASIC RAS
The Basic Remote Access Solution bundle allows your users
to connect in a secure way to the local network. The bundle
was designed for the SMB market, offering small and medium
companies a simple solution to connect remote users while
providing full protection by aXsGUARD Gatekeeper.
The Gatekeeper Core OS includes all necessary networking and
routing protocols to connect your network to the Internet. Complete
logging and monitoring is available on the appliance itself but
logging and monitoring reports can also be sent towards an
external syslog server.
The Directory Integration Services allow you to synchronize your
users from any LDAP server to aXsGUARD Gatekeeper. Users
and groups are directly managed in aXsGUARD Gatekeeper’s
administration interface.
Users can authenticate themselves using a DIGIPASS. DIGIPASS
functionalities and management are incorporated in aXsGUARD
Gatekeeper in which VASCO’s core authentication platform
VACMAN Controller is integrated. Should you prefer to work with
certificates, a CA is incorporated.
The network is protected from hacking attempts through the
SPICT Firewall with IPS. Firewall rules can be determined and
implemented on IP address, user or group level. User and group
policies are added from a list of predefined rules. This allows an
IT administrators to build a more secure setup of the network and
perform better control and more efficient management through
aXsGUARD Gatekeeper.
Remote access can be achieved with any standard VPN client
over pptp, l2tp and ssl-vpn. The VPN server supports access from
Personal aXsGUARD, a remote VPN appliance dedicated for SOHO
use.
Includes software modules:
• Administration
• Network
• Monitoring and logging
• Authentication
• Firewall
• IPS and IDS
• VPN server
aXsGUARD Gatekeeper STANDARD RAS
The Standard Remote Access bundle offers additional network
connectivity tools, on top of the Basic bundle.
It allows you to add multiple Internet lines with automated failover
and load balancing. IT administrators are able to determine whether
internet traffic should be redirected over another line or be blocked
in case of internet failure. When no rules are applied, traffic will be
divided over all other available lines.
The bundle also includes a bandwidth management module with
QoS which will help you to use the available Internet capacity in an
optimal way. Rules can be determined based on IP address or type
of traffic per interface or inside a VPN tunnel… It’s an ideal option
for enterprises using cloud applications or companies that have
remote offices or are implementing a VoiP system with remote
sites, using cloud applications…
Companies hosting their own web servers can benefit from the
public DNS server module which will guarantee continuity of web
services in case of Internet outage from a provider.
5
aXsGUARD Gatekeeper
The public DNS server allows you to publish your own public DNS
names without the need of your ISP. In case your Internet line fails
which has the public IP of your webservers assigned to it, the public
DNS server will automatically detect the failure and publishes the
IP address from your other Internet line to the DNS root servers on
the Internet. This is ideal for enterprises offering webmail, citrix,
rdp, vpn… to their users.
Includes software modules:
• Administration
• Network
• Monitoring and logging
• Authentication
• Firewall
• IPS and IDS
• VPN server
• Multiple Internet Gateways
• Bandwidth management
• Public DNS
7. Software bundles
aXsGUARD Gatekeeper ENTERPRISE
RAS
aXsGUARD Gatekeeper ENTERPRISE
BACKUP RAS
The Enterprise Remote Access bundle offers secure web-based
access to your network on top of the STANDARD Bundle.
Reliability of the aXsGUARD Gatekeeper hardware is among the
highest in its category. Nevertheless, to allow 100% uptime, there
is the possibility to have a second aXsGUARD in High availability
mode. The active/passive high availability (HA) allows a full time
continuity of your aXsGUARD Gatekeeper.
The bundle includes a Reverse Proxy which protects internal
webservers from hacking attempts. To authenticate your users it
can use the built in VACMAN Controller. This enables strong user
authentication to protect any webserver without the need to adapt
your website. For dedicated web applications, like Outlook Web
Access and Citrix, it allows single sign-on features.
The SSL VPN web portal allows a connection from any browser
towards the local network. The default web portal page - protected
with two-factor authentication - can be customized for each user
according to his needs. Default applications are available, which
will allow you to set up Remote Desktop Protocol (RDP) RDP
sessions, browse internal web servers, access local file servers…
You can optionally extend the Enterprise RAS bundle with an active/
passive High Availability appliance.
Includes software modules:
• Administration
• Network
• Monitoring and logging
• Authentication
• Firewall
• IPS and IDS
• VPN server
• Multiple Internet Gateways
• Bandwidth management
• Public DNS
• Application Firewall
• SSL-VPN Webportal
• High Availability (optional)
aXsGUARD Gatekeeper
6
8. Software bundles
aXsGUARD Gatekeeper INTERNET
REDUNDANCY bundle
How important is the internet for sme’s?
Do you need the internet for the execution of your daily work? Do
you place orders through the internet? Do you use online banking
for your financial transactions? Do you receive your orders through
the internet? Would you lose customers when your website is not
available? How much would you lose when your internet connection
fails? The internet has become indispensable in today’s business
world. A reliable internet connection is crucial for SME’s to ensure
business continuity. Or to be prepared for cloud applications, such
as online accounting, online banking, back-up or a remote mail
server.
Why would you choose this bundle?
Your internet connection always fails at the worst possible time.
When you urgently need to mail an offer, when your store is
filled with customers or when you need to find something on the
internet. To ensure the continuity and availability of your company
and employees at all times, VASCO launches a tailor-made solution
for SME’s. Continuity is always guaranteed even if a problem with
your internet connection should occur.
7
aXsGUARD Gatekeeper
The solution?
The aXsGUARD Gatekeeper Internet Redundancy bundle is a
solution where a second internet line is deployed in addition to
the line of your existing provider. By installing internet lines using
different technologies (cable – xDSL), connectivity is guaranteed
and you can continue working without any problems even when
the internet connection should fail. aXsGUARD Gatekeeper will
immediately detect failures and automatically switch to another
available line.
Includes software modules:
• Administration
• Network
• Monitoring and logging
• Authentication
• Firewall
• Multiple Internet Gateways
• Public DNS
10. Content scanning
Content Scanning: web
To avoid that users import all kinds of malware and to increase
productivity, all web traffic should pass the proxy on aXsGUARD
Gatekeeper. After authentication (web-based or SSO by using static
passwords or 2-factor authentication), specific rules can be applied
to each user or group of users. It doesn’t matter which PC the user
logs on to, he will always receive his specific web browsing rules.
In order to create those rules aXsGUARD Gatekeeper first needs
lists: A site list can exist out of a list of defined URLs or parts of
URLs in wording. It can contain words and URLs that you want to
block, or words and URLs that should pass. (E.g. the administrator
might want to block URLs with the word sex, but would want to
allow URLs with the word msexchange
Predefined blacklists are available on aXsGUARD Gatekeeper,
categorizing 3.5 million sites into 90 different categories such as,
malicious web pages (spyware, phishing, virus infected,…); adult
related content (adult, porn, art nudes,…); social networking (chat,
blog, im, mail, …); gaming (gambling, online gaming,…); whitelist
(!) 100% suitable for kids;…
Since site lists never can provide a complete list of all malicious
sites on the Internet (due to localizations and new sites popping
up every day), the standard version of Content Scanning also
includes web content scanning: every web page will be scanned
and analyzed, based on the content of a page.
Using content analysis, the content scanner tags particular words
and phrases with a score and a category (e.g. the word breast
would lead to give a negative score, but when the word cancer is
found in the same page, it would give a better score). 30 different
predefined wordlists (positive and negative) in multiple languages
are provisioned in aXsGUARD Gatekeeper. Administrators can
create their own additional wordlists to give an even better result.
After content scanning, the total web page receives a certain score.
These site lists and wordlists are then combined into categories, to
create a complete list of rules. It avoids repetitive work and adds
granularity to the access rights you want to give to different users.
A category can be defined as an allowed list, a forbidden list and
an exception list. The exception list is used to block URLs inside a
webpage, without blocking the whole page.
9
aXsGUARD Gatekeeper
These categories are then added to access control lists (ACL). An
ACL exist of categories of sites and the time when this ACL applies
(e.g. during or outside working hours). It also adds virus scanning
and blocking of specific extensions. In the ACL you also set the
score for the web based content scanning, to decide which pages
are shown or blocked.
There is one general ACL, for all web traffic in the company, which
can be overruled by ACLs which are applied for a specific IP address
(e.g. printers, servers…), a group of people or a specific user.
Reporting & statistics
Every action through the proxy is logged on aXsGUARD Gatekeeper.
Administrators can view and search through these reports during
2 months, or export them and use other analytic tools. A statistics
tool is available as well which gives a complete overview of web
and mail behavior. Statistics can be viewed per client, per website
and per hour.
11. Authentication
We authenticate
the world
To provide secure remote access, VACMAN Controller is integrated in aXsGUARD Gatekeeper.
This allows users to authenticate themselves with a DIGIPASS on their network. The administrator
can decide which level of authentication is needed for a certain application. Strong user
authentication can be added to access the tool, authenticate on the proxy, VPN access and
connecting to webservers through the reverse proxy or SSL Web portal.
If you have another Radius client, it can also authenticate it’s users on the aXsGUARD Gatekeeper.
The Gatekeeper supports hardware DIGIPASS (GO-series and 2xx series) as well as the DIGIPASS
for Mobile. Belgian citizens who want to authenticate with their e-ID card can also authenticate
on the aXsGUARD Gatekeeper with the DIGIPASS 810 for e-ID.
DIGIPASS
GO 6
DIGIPASS
GO 7
DIGIPASS
GO 100
DIGIPASS
for Mobile
DIGIPASS
270
DIGIPASS
810 eID
aXsGUARD Gatekeeper
10
12. Hardware
optimal performance,
always
Hardware platforms
aXsGUARD Gatekeeper comprises one software solution which
can run on different hardware platforms. The hardware platforms
only differ in performance and in the number of available network
connections. aXsGUARD Gatekeeper hardware is meant to last.
VASCO chooses industry hardware to run its aXsGUARD Gatekeeper
software on. This ensures that aXsGUARD appliances have a longer
lifetime than other comparable systems on the market.
It also ensures the highest performance necessary for any
environment. Every time aXsGUARD Gatekeeper connects to the
VASCO Managed Service environment, the hardware status is sent
over, so VASCO can take preemptive actions in case of imminent
hardware failure.
AG2504
AG3443
AG3604
AG5506
AG7500
BASIC RAS
25
50
250
1000
2000
STANDARD RAS
10
25
100
500
1500
Enterprise RAS
10
25
100
500
1500
Hardware maintenance
Each aXsGUARD Gatekeeper bundle includes one year software
and hardware maintenance (Standard Exchange). The hardware
maintenance covers all defects of aXsGUARD including tear and
wear of specific parts. Standard Exchange is a yearly renewable
contract, with no end date. As long as an appliance is under
Standard Exchange, VASCO guaranties it will work in normal
operating conditions for the recommended number of users. If
aXsGUARD Gatekeeper under Standard Exchange does suffer
from underperformance and the normal operation conditions
and recommended user settings have been followed, VASCO will
replace it by a refurbished appliance with more performance.
11
aXsGUARD Gatekeeper
If an upgrade to more robust hardware is required, for example
due to an increasing number of users or features, the new
appliance can be purchased at a reduced price, almost covering
the price difference between the new and old appliance. The new
appliance will be shipped with the latest available back-up already
preinstalled. The customer only needs to switch the hardware.
13. Personal aXsGUARD
remote connections
made easy
Personal aXsGUARD establishes secure network connections for home workers and branch offices to companies’ headquarters
With mobile workforces increasing, companies face a growing number of security concerns. Whenever an employee remotely connects to
the company’s network it has to be done in a secure way. At the same time, security concerns must be balanced with the end-user’s needs
ensuring a smooth and user friendly experience.
Secure and wireless connection to the
corporate network
Personal aXsGUARD enables branch offices or home workers
to connect in a straightforward and secure manner to the main
aXsGUARD Gatekeeper appliance at the company’s headquarters.
Built upon proven VASCO GATEKEEPER core technology, aXsGUARD
Gatekeeper offers a comprehensive solution for secure network
connectivity.
Personal aXsGUARD is centrally managed in aXsGUARD Gatekeeper
and has a Wifi receiver, enabling the remote user to work wireless.
The security of the wireless network is also centrally managed on
the parent aXsGUARD Gatekeeper appliance.
Remote parameters such as DHCP, WIFI settings and firewall
policies are managed on the parent aXsGUARD Gatekeeper.
Administrators can hence determine who can access the main
site through VPN and who has direct access to Internet. The
configuration allows administrators to route and monitor all network
traffic on one central location while at the same time ensuring the
highest security for remote or home offices with a minimum of
effort. To achieve maximum uptime, multiple parent aXsGUARD
Gatekeeper appliances can be defined in the configuration of
Personal aXsGUARD. If for some reason Personal aXsGUARD is
unable to connect to one parent appliance, a connection with
another aXsGUARD Gatekeeper will automatically be set up.
Easy configuration and setup
The configuration of Personal aXsGUARD is kept to a strict minimum.
Only three parameters need to be defined: how to connect to the
internet, the main aXsGUARD Gatekeeper and the Certificate of
the main appliance. The Certificate contains the encryption keys to
securely connect to the main site through VPN. All other security
parameters are configured in the main aXsGUARD Gatekeeper
appliance and are automatically pushed to Personal aXsGUARD.
End-users only need to plug the Internet cable in the Personal
aXsGUARD appliance to connect to the corporate network.
aXsGUARD Gatekeeper
12
14. 5 solutions with aXsGUARD Gatekeeper
simple solutions for
complex problems
Solution 1: secure government infrastructure with limited resources
Information and network access security are of vital importance for
local governments in order to prevent confidential information from
falling into the wrong hands.
VASCO has years of experience and a proven track record of
successfully mitigating security vulnerabilities. With aXsGUARD
Gatekeeper VASCO helps local municipalities and governmental
organizations to implement complete IT security solutions to protect
valuable information and assets. Access is provided through a
secure, encrypted connection in order to protect the network from
hackers. Users can authenticate themselves by generating an OTP
using for instance their electronic identity card, By adding additional
content scanning licenses, users are protected from malware and
malicious sites can be blacklisted.
The all-in-one concept allows the municipality’s IT department to
organize and control its own security, without having to acquaint
itself with different multiple systems and the complexity of making
different appliances work together.
If necessary, aXsGUARD Gatekeeper can be remotely managed
by the IT partner helping local governments to stay ahead of the
onslaught of IT threats at a fixed price.
13
aXsGUARD Gatekeeper
aXsGUARD Gatekeeper provides several possibilities for secure
remote access, making it easy to connect different sites of
municipalities through aXsGUARD Gatekeeper’s e-tunnels with
automatic failover. Smaller sites with only a couple of workplaces
can be connected and centrally managed with a Personal
aXsGUARD. Confidential documents are securely shared through
the SSL web portal, protected with a DIGIPASS device.
Benefits
• Complete solution, covering all aspects of network security
• Ideal for undermanned IT staff
• Full scale of remote access possibilities. Choose the best fit
for each location and application
• Cost savings through centralization
• Enhanced confidentiality
• High-availability of services
• Increased transparency
• Guarantees privacy of employees surfing behavior, but allows
control
15. 5 solutions with aXsGUARD Gatekeeper
Solution 2: aXsGUARD enables services for Value Added Resellers
aXsGUARD Gatekeeper RAS software is the same software suite
which is deployed on each hardware platform. You only need to
acquaint yourself with one solution to service all your customers,
regardless of the size of their organization.
An easy upgrade path allows you to expand the aXsGUARD
Gatekeeper as the needs of your customer grow. Since the software
remains the same only the hardware needs to be replaced. Every
aXsGUARD connects to VASCO’ service center every 4 hours to
back-up its configuration. In case of unexpected hardware failure,
or when upgrading towards a stronger hardware system, the
configuration can easily be restored from the service center backup system.
Every customer’s infrastructure runs on the same version thank to
automated updates There’s no need for patch management at the
customer’s site as everything is automated and centrally managed.
With VASCO’s central management portal ,resellers get an overview
of all the customers’ systems increasing upsell possibilities. Every
aXsGUARD Gatekeeper reports his status back to this central
platform, so you immediately get an overview of the managed
systems. Furthermore, you can access every customer’s appliance
remotely through a secure connection.
The standard exchange warranty system allows you to give lifetime
warranty on your customer’s environment, and allows upgrades at
almost the price difference, guaranteeing the best ROI and TCO.
All these unique points severely reduce the chance of mistakes and
oversights meaning that your customers get a faster and better
service. The SEAL training program allows your support staff to
become certified engineers allowing you to better service your
customers. aXsGUARD Gatekeeper and VASCO allow you to focus
on new business while providing you with a time-saving, highquality solution.
Benefits
•
•
•
•
•
•
•
Easy and complete solution
One solution to secure all your customers
Central management providing an overview of your customers
Upgrade path
Remote assistance from reseller to customer
Assistance from the vendor for certified engineers
End-customer gets offering high quality service
Because of the completeness of the solution and the availability
of servers for the complete SME market, there’s no need to invest
in training, support and spare parts of multiple different vendors.
aXsGUARD Gatekeeper can easily be preconfigured in the setup
you desire, and can be copied to every new system.
Solution 3: aXsGUARD Gatekeeper as an outstanding all-in-one security solution
Organizations worldwide understand the need to secure their
business-critical data and network from unauthorized access. At
the same time they are also aware that anytime, anywhere access
becomes overall important for a dispersed workforce and remote
offices. Companies are looking for a one-stop shop to provide an
overall security solution that can secure network, mail and web
traffic; ensure secure access to the central network from remote
sites and guarantees high availability to ensure productivity.
VASCO’s aXsGUARD Gatekeeper is an all-in-one security concept
that offers secure remote access to your business-critical data
through VPN tunnels. Depending on your needs, aXsGUARD offers
out-of-the-box different site to site connections, as well as highly
secured, personalized remote access solutions.
Productivity is enhanced as downtime is eliminated with offered
features such as high availability and Internet redundancy.
Benefits
• All-in-one security solution
• Business continuity is guaranteed thanks to high availability
and Internet redundancy (multiple Internet lines)
• All offices are connected through an easy to manage star
network
• Secure network access using VPN tunnels
• Reduced complexity (one central appliance)
• Two-factor authentication integrated out-of-the-box
• Flexible solution, which can be integrated into any
environment (Windows, Mac, Linux)
• Easy to manage
• Focus on your core business, while aXsGUARD takes care of
your security
aXsGUARD Gatekeeper
14
16. 5 solutions with aXsGUARD Gatekeeper
Solution 4: business automation for secure remote assistance
Remote assistance and support is a valuable asset for customer
retention. Management and support at a customer’s site however,
is not as evident as it seems. Organizations are confronted
with different procedures and workflows, specific network
implementations and rules, administration issues, the deployment
of machinery, logistic hassles…
VASCO has developed a specific aXsGUARD Gatekeeper
concept for business automation enabling remote assistance
and management across the entire business ensuring service
continuity and eliminating costly manual processes. . A solution
ideally suited to meet the provisioning and configuration needs of
large, heterogeneous, geographically distributed environments.
aXsGUARD Gatekeeper is deployed at the main site and VASCO’s
Personal aXsGUARD is deployed at the customer’s site or built-in
into your remote products and machinery, but managed on the
central aXsGUARD Gatekeeper.
The secure link between the main and remote site enables remote
assistance and support, automatic software updates etc.
Benefits
• Secure remote access to remote sites and equipment
• Enhanced supportability
• aXsGUARD Gatekeeper can help companies to create an
easily supported and consistent environment
• Helps companies to implement a fixed method of work flow
• Server and network automation
• Central administration
• Time- saving (instant remote access, no need to deploy
people on remote site)
• Cost-efficient
• Overcomes network issues and policies at remote sites
• Flexibility
• Administrators can define different sets of policies and
rules for different user types and a different number of
environments
Solution 5: guaranteed business continuity for SMEs
Internet has become indispensable in today’s business world. A
reliable internet connection is crucial for SME’s to ensure business
continuity. To ensure the continuity and availability of your company
and employees at all times, VASCO launches a tailor-made solution
for SMEs.
The aXsGUARD Gatekeeper Internet Redundancy bundle is a
solution where a second internet line is deployed in addition to
the line of your existing provider. By installing internet lines using
different technologies (cable – xDSL), connectivity is guaranteed
and you can continue working without any problems even when
the internet connection should fail. aXsGUARD Gatekeeper will
immediately detect failures and automatically switch to another
available line.
15
aXsGUARD Gatekeeper
Benefits
• Business continuity guaranteed for all incoming/outgoing
traffic (e-mail, internal and external websites, VPN, …)
• Flexibility
• Connect multiple internet connections to your network and
choose which type of internet traffic passes through which
line (surfing, mailing, downloading files, …)
• Reliability
• Ample experience (>3500 installations)
• Robust hardware with the possibility of a lifetime warranty
• Speed
• Divide your internet traffic over your available Internet lines.
This gives you the best speed according to your needs
• Easy maintenance with automatic software updates and
remote configuration back-up
• Future proof solution:
• Ready for strong authentication via DIGIPASS-technology
• Easy to extend (software bundles, content scanning,
DIGIPASS)
• Upgrade to more performing hardware against the price
difference
17. Technical specifications
under the hood
Hardware specifications
AG2504
Operating System
Gatekeeper Core OS 7.6
AG3443
AG3604 r2
AG5506
AG7500
Gatekeeper Core OS 7.6
Gatekeeper Core OS 7.6
Gatekeeper Core OS 7.6
Gatekeeper Core OS 7.6
Chassis Form Factor
Desktop model
1U Rack Mount
1U Rack Mount
1U Rack Mount
2U Rack Mount
Processor Type
Intel® Atom™ N450
processor
Intel® Atom™ D510
processor
Intel® Atom™ D525
Intel® Core™ 2 Duo
E8400 3GHz 1333MHz
6MB LGA775
Intel® Xeon Proc. 5620/
2.4GHz/ 5.86GTs 12MB
Memory
1 GB 667 Mhz DDR2
SO-DIMM
1GB 667MHz DDR2
SO-DIMM
4GB 800MHz DDR3
SO-DIMM
4GB 800MHz DDR2 ECC
CL5 DIMM
12GB 1066Mhz DDR3
ECC CL7
Disk n/size
1 x HDD/160 GB SATA
2.5” 5400rpm 8MB
1 x HDD/WD RE4/250GB
SATA 7200rpm 64MB
1 x HDD/WD RE4/500GB
SATA 7200rpm 64MB
1 x HDD/WD RE4/500GB
SATA 7200rpm 64MB
2 x HDD/WD RE4/500GB
SATA 7200rpm 64MB
Hot Swappable
No
No
No
No
YES
Raid formatted
No
No
No
No
RAID1
Power Supply
60W, 15V power
adapter
AC 100~240V, 50/60 Hz,
4-2 Amp Max
200W max
AC 100~240V, 50/60 Hz,
4-2 Amp Max
200W max
AC 100~240V, 50/60 Hz,
4-2 Amp Max
200W max
AC 100~240V, 50/60 Hz,
10-4 Amp Max
700W max
Power Redundancy
No
No
No
No
Hot swappable
Network Ports
4 GbE NIC
3 GbE NIC
4 GbE NIC
6 GbE NIC
10 GbE NIC
Management
Web GUI
SSH
Web GUI
SSH
Web GUI
SSH
Web GUI
SSH
Web GUI
SSH
Dimensions (W/H/D)
182 x 150 x 40mm
7.1” x 5.9” x 1.65”
437mm x 43mm x 249mm 437mm x 43mm x 249mm 426mm x 43mm x 365mm 437mm x 89mm x 450mm
17.2” x 1.7” x 9.8”
17.2” x 1.7” x 9.8”
16.8” x 1.7” x 14”
17.2” x 3.5” x 17.7”
Weight
0,8 kg (<1,8lbs) excl. adapter
1,1 kg (<2,4lbs) incl. adapter
6,7 kg (<15lbs)
Compliance to
standards
Safety UL, CE,
ECC-EMC, LVD
Safety UL, C-UL, CE EMC
Safety UL, C-UL, CE EMC
Safety UL, C-UL, CE EMC
Safety UL, C-UL, CE EMC
FCC, CE Environment RoHS FCC, CE Environment RoHS FCC, CE Environment RoHS FCC, CE Environment RoHS
Mounting Position
Desktop model
Horizontal orientation,
19” Rack, 1 U
Horizontal orientation,
19” Rack, 1 U
Horizontal orientation,
19” Rack, 1 U
Horizontal orientation,
19” Rack, 2 U
Operating
Temperature
5°C to 35°C, 40°F to
90°F. Fanless
10 to 35 °C, 50 to 90 °F
10 to 35 °C, 50 to 90 °F
10 to 35 °C, 50 to 90 °F
10 to 35 °C, 50 to 90 °F
Operating Humidity
20 to 90%
(non-condensing)
8 to 90%
(non-condensing)
8 to 90%
(non-condensing)
8 to 90%
(non-condensing)
8 to 90%
(non-condensing)
Storage Temperature
0°C to 70°C, 32°F to
158°F
-40 to +70 °C, -40 to
158 °F
-40 to +70 °C, -40 to
158 °F
-40 to +70 °C, -40 to
158 °F
-40 to +70 °C, -40 to
158 °F
Storage Humidity
5 to 95%
(non-condensing)
5 to 95%
(non-condensing)
5 to 95%
(non-condensing)
5 to 95%
(non-condensing)
5 to 95%
(non-condensing)
6,7 kg (<15lbs)
7.7 kg (<17 lbs)
17.6 kg (<38.8 lbs)
aXsGUARD Gatekeeper
16
18. Technical specifications
Specifications Personal aXsGUARD
SPECIFICATIONS - Recommended for up to 5 unique IP devices
Model
AG1296
Standards
IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Internet port
One 10/100 RJ-45 Port
Ethernet
Four 10/100 RJ-45 Switched Ports, WIFI
LEDs
Power, DMZ, WLAN, Ethernet (1, 2, 3, 4), Internet
Cabling Type
CAT 5
RF Power (EIRP) in dBm
18
Security Features
Statefull Packet Inspection Firewall, Internet Policy,
Central management on corporate aXsGUARD Gatekeeper, PKI Certificates
(can be generated by the CA of the central aXsGUARD), Custom NAT rules,
routing, DHCP Server
Wireless Security
WEP, WPA-PSK-AES encryption, WPA-PSK-TKIP encryption
Internet Connections
DHCP Client, PPPoE with external xDSL modem, Static IP address
Remote access
• Towards central aXsGUARD Gatekeeper through SSL VPN
• Automatic recovery of VPN connections
• Failover towards other aXsGUARD Gatekeeper appliances possible
Personal aXsGUARD
(AG1296)
aXsGUARD AG3443
aXsGUARD AG5506
17
aXsGUARD Gatekeeper
aXsGUARD AG2504
aXsGUARD AG3604
aXsGUARD AG7500
19. Software specifications
The bits and the bytes
Administration
Network
Basic
•
•
•
•
Enterprise
Internet Redundancy bundle
Basic
Standard
Enterprise
Internet Redundancy bundle
√
•
•
•
•
•
•
•
Standard
√
√
√
√
√
√
√
Web-based GUI for appliance administration
Clickable status overview and health monitor
Automated configuration check
Automated license upgrade tool
Manual or automated upgrades, with pre-testing
Automated online updating system
Back-up options:
• remote back-ups of configuration at VASCO Service
Center
• Back-up of configuration sent by e-mail
• Back-up of configuration, logs and mail on local file
servers
Group- and use- based configuration allowing easy and
secure setup
LDAP Synchronization (users/groups) from:
• Microsoft Active Directory
• Novell e-Directory
• Generic LDAP
Predefined rules and policies allowingfast setup
Layered access levels for admin tool
• Complete set of network protocols:
• Routing tables
• NAT with helper for FTP, PPTP VPN, IRC, H.323, SIP,
SNMP, TFTP, Amanda
• Portforwarding & redirection
• SNAT/DNAT
• Masquerading
• Internet connectivity:
• Static
• DHCP Client
• PPTP
• PPPoE
• DHCP server(s)
• NTP client and server
• DNS server
• VLAN support
• Bridging support
• Dynamic DNS support (DynDNS and EasyDNS)
• Ping and trace route tool
aXsGUARD Gatekeeper
18
20. Software specifications
Monitoring and logging
Firewall
Basic
Enterprise
Internet Redundancy bundle
Basic
Standard
Enterprise
Internet Redundancy bundle
√
•
•
•
•
•
•
•
•
•
Standard
√
√
√
√
√
√
√
Internal Logging Capacity
Built- in hard disk
Detailed Real Time monitoring
Historical Reporting
e-mail notification on viruses and attacks
Syslog server delivery (local, network, relay)
Local log files of all activities
Log files kept during 2 months
Graphics
• load
• Cpu usage
• memory
• all conifgured devices
Authentication
Basic
Standard
Enterprise
Internet Redundancy bundle
√
√
√
√
•
•
•
•
•
Radius Server
Single Sign-on tool
Ident server
AD back-end authentication
Built in strong user authentication for:
• Admin tool
• Radius clients
• Firewall and Web access
• VPN (PPtP, IPSec, OpenVPN)
• SSL-VPN web portal (Enterprise Edition)
• Application Firewall (Enterprise Edition)
• Imap/Webmail (Content Scanning)
• DIGIPASS clients supported (*)
• DIGIPASS GO 6 and GO 7
• DIGIPASS 260 and 270
• DIGIPASS for Mobile
• DIGIPASS 810 e-ID card reader
• Belgian e-ID card with DIGIPASS810 eID Card Reader delivery
procedure
• Integrated PKI with Certificate Authority (CA)
19
aXsGUARD Gatekeeper
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Self-adaptive Firewall
Statefull Packet Inspection (Connection Tracking)
Denial-Of-Service attack blocking
Distributed Denial-Of-Service attack blocking
IP / Packet Filter
Bad Packet Management
Predefined rules and policies
Policies based on device, type of traffic, or IP address/range
Static/Dynamic/Advanced Policies
Unlimited rules and policies
Company Policies
Group Policies (overrule Company)
User Policies (overrule/append Group)
Host Policies
Separate RAS policies
Authenticated port forwarding
DMZ zone
SPICT Firewall Performance 150 Mbps - 2Gbps
Concurrent sessions 4000 - 600.000
New sessions/second 5.000 - 15.000
IPS and IDS
Basic
Enterprise
Internet Redundancy bundle
√
•
•
•
•
•
•
•
•
•
•
Standard
√
√
X
Active System Attack monitoring
Protocol Anomaly prevention & detection
Customizable detection signature list
DoS and DDoS Prevention
Fragmented Packet Reassembly
Malformed Packet Protection
Analysis of all popular application protocols
Detect network-level packet based attacks
Detection of all types of port scans, including stealth types
Automatic reconfiguration of firewall
21. Software specifications
VPN server
Bandwidth management
Basic
Standard
Enterprise
Internet Redundancy bundle
√
√
√
X
•
•
•
•
•
•
•
•
•
•
•
PPtP Server
Propose IP Address support for PPtP Server
NAT helper for PPtP
L2TP Support
IPSEC Client to Gateway
IPSEC NAT-Traversal
IPSEC VPN Keep Alive
IPSEC VPN Dead Peer Detection
IPSec PSK (pre shared secret)
IPSec RSA Key
IPSec X.509
Integrated PKI
Internal Certificate Authority
• Certificate creation / revocation handling
Xauth support
Encryption (DES/3DES/AES/BF)
MD5 / DH2/ PFS/ SHA-1/CBC authentication
IPSec Gateway to Gateway
SSL-VPN Support with Open VPN client
SSL VPN
Fault tolerant VPN (e-tunnels)
Simplified routing using e-tunnels
Personal aXsGUARD support
Max. number VPN tunnels: unlimited
Max. number VPN users: unlimited
•
•
•
•
•
•
•
•
•
Standard
Enterprise
Internet Redundancy bundle
X
•
•
•
•
•
•
•
•
•
•
•
•
•
Basic
√
√
X
Quality of Service
Internal Bandwidth management
Full Policy based traffic shaping
Static and Dynamic bandwidth shaping
Time based policies
Policies on protocol (TCP, UDP, ICMP, GRE, ESP, AH)
Policies on source address and port/range
Policies on destination address and port/range
Bandwidth management inside VPN tunnels
Public DNS
Basic
Standard
Enterprise
Internet Redundancy bundle
X
√
√
√
• Publish public domain names and subdomain names on the
Internet
• Primary and secondary zones
• Forward and Reverse DNS
• Allow multiple DNS servers
• Publish SOA, NS, PTR, A, CNAME, MX and SPF records
• Set Refresh, Retry, Expiry and Minimum time
• Set TTL
• Set Priorities
• Automatic failover allows to reroute your web servers and VPN
tunnels instantly
Multiple Internet Gateways
Basic
Enterprise
Internet Redundancy bundle
X
•
•
•
•
•
•
•
•
•
Standard
√
√
√
Redundant Internet Connections
Automatic failover
Failover decision to dedicated Internet connection
Option to drop traffic on failure of Internet connection
Policy based routing
Policies on protocol (TCP, UDP, ICMP, GRE, ESP, AH)
Policies on source address and port/range
Policies on destination address and port/range
Load balancing
aXsGUARD Gatekeeper
20
22. Software specifications
Application Firewall
High Availability
Basic
•
•
•
•
•
•
•
•
•
•
•
•
Standard
Enterprise
Internet Redundancy bundle
Basic
Standard
Enterprise
Internet Redundancy bundle
X
X
√
X
X
X
√
X
Protects web servers in your LAN and DMZ
Malicious URL filter
URL Sanitizer
Predefined rules for OWA and Citrix with Single Sign On
FTP server protection
https to http gateway
Active Sync Compatible
Multiple Webservers
Routing based on hostname
Routing based on port number
Routing based on IP address
Strong user authentication
SSL-VPN Webportal
Basic
Standard
Enterprise
Internet Redundancy bundle
X
X
√
X
• Allows connection to all your applications through a java
•
•
•
•
•
•
•
•
•
compatible web browser
No additional client software needed
Personalized web portals
Single Sign-on with DIGIPASS
Predefined applications:
Terminal Server / Remote Desktop / VNC
Citrix (ICA)
Fileserver (Webbased/Webdav)
Port forwarding, allowing fat clients
Web forwards (Reverse proxy, Replacement proxy, Tunneled
Web forward)
21
aXsGUARD Gatekeeper
(when purchasing the Enterprise Backup bundle)
•
•
•
•
•
•
•
•
Active/Passive
Active/Active
Automatic Configuration Synchronization
Automatic Data Replication (e-mail, logs, website, ...)
Session Synchronization for Firewall
Device failure detection
Internet Link monitoring
Link failover
23. Software specifications
Content Scanning: Mail traffic
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Separate user/group/company web access policies
E-mail attachment filter
E-mail spam detection/quarantine delete
Black and white list (e-mail, IP, text, dns)
Pattern matching with points
Customizable score threshold for object reject
MIME header check
File analysis (extension checker match)
Files embedded in other files recognition and decoding
(ZIP,RAR,TAR,LHA,...)
File content control in attachment filter
Recursive algorithm for embeddings (1000 levels)
Blocks Java Applet, Cookies, Active X Y
E-mail white & black list filters
IP white & black list filters
Text white & black list filters
Multiple blacklist servers
SPF support
Quarantine blocked files and blocked due to black list
Greylisting
Pattern matching with regular expressions
Pattern match results in points score
Sender or site blocking
sender <--> recipient relations
allow/block mail sending/receiving
allow/block attachments
spam checking/e-mail security checks
Embedded HTML or XML parser
Preconfigured backlist
Virus scanning
Multiple Virus scanners (Standard version)
SMTP Relay Server
E-mail server
POP3, IMAP4 mail server
Unlimited number of mailboxes
Distribution lists
Outgoing e-mail disclaimer (ascii / html)
Central address book
Out of Office
Mail forwarding
Remote mailbox retrieval
Group mailbox retrieving and dispatching
Webmail (https to aXsGUARD mail server or external mail server
Embedded Virus Scanner ClamAV
Embedded Virus Scanner Trend Micro (Standard)
Automatic Signature update
Automatic Engine update
Delay of update check every 15 minutes
Auto unpack of attachments
•
•
•
•
•
•
•
•
•
SMTP Scanning
IMAP scanning
POP3 scanning (remote mailbox retrieval)
Encrypted VPN tunnel scanning
Quarantine / delete infected messages
Distributed Checksum Clearinghouse (DCC)
Domainkeys (check signature on mailheader)
Backscatter (check bounced mails sent from owned domain
TLS encryption
Content Scanning: Web traffic
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Separate user/group/company e-mail policies
Web proxy with adjustable cache
Single Sign on for Domain and Workgroup client PC
Additional authentication allowed for kiosk PCs
HTTP URL filter
HTTP extension filter
Time-based URL filtering
Policy-based URL filtering
User defined Black and Whitelisting
Predefined blacklists:
• Over 3 million sites
• Daily updates
• Predefined sitelists
• Customizable categories
Web based content scanning: (standard version)
• Score based system
• 30 predefined wordlists
• multilingual
• Customizable categories
Extension filtering
Multi-layered Defense system
Filter selection for statistics
ClamAV virus and malware scanning with automated engine
updates
Trend Micro virus and malware scanning with automated engine
updates (standard version)
Ident authentication
Statistics
•
•
•
•
•
•
•
•
•
•
Graphical overview
User based web traffic statistics
Computer (IP) based web traffic statistics
Site based statistics
Time based statistics
Overview of visited webpages
Obfuscating users possible
Sent e-mails
Received e-mails
Overview rejected mails
aXsGUARD Gatekeeper
22