Few workplace experiences are as frustrating as attempting to configure a new virtual private network connection.
In order to achieve successful remote access–from an employee’s home to an office server, say–there are a myriad of options that must align in perfect harmony between the client and server that make even hardened security professionals cringe.
VPN Tracker 5.2.1 hides much of this complexity behind a slick Mac interface, but it may be overkill for the average Mac user.
What’s a VPN?A
virtual private network (VPN) is a way to securely connect to a remote network over the Internet without having to worry about someone sniffing–that is, eavesdropping on–your traffic. A VPN client connects to a VPN server or gateway, creating an encrypted tunnel between the two.
It allows you to check your e-mail, access servers or applications, or perform any other activity as if you were on the local network. Most VPNs use a protocol called IPSec, although an older, less secure, standard called PPTP is still in wide use. VPNs are also an excellent way to protect yourself from eavesdropping when using public wireless hotspots. VPN Tracker supports IPSec, and does not conflict with the native Mac OS X PPTP or IPSec VPN client–in fact, you can use both concurrently.
Simple remote accessVPN Tracker 5.2 simplifies the complexity of connecting to remote networks through a clean interface, built-in configuration profiles, and a dynamic help system that attempts to identify connection problems. It’s available in three versions to meet the needs of different users: Professional, Personal, and Player.
VPN Tracker Professional is designed for power users and administrators; it supports multiple, simultaneous connections, the creation of deployment images for the Player version (a disk image file that includes the program, connection configurations, and license), automatic actions on connections, network-to-network connections, and connection groups. The Personal version is targeted to the average user; it supports one connection at a time and is location aware, but lacks actions and other advanced features in the Professional version. Player merely runs connections provided in a distribution package created in Professional.
Perform automatic actions based on your location or connection status.
The interface uses a simple, iPhone-style slider to manage connections. Connections are organized in groups for individual or collective launch. Connection status and statistics for the current connection are graphically displayed in the Status pane on the bottom, while the main window expands and uses a tabbed interface to display detailed configuration information and logs for the current connection. A Dashboard widget, AppleScript, and Growl support are included.
VPN Tracker makes an admirable effort to hide much of the complexity of VPNs and guide you through the process of creating and troubleshooting connections. Many VPN gateways, even inexpensive small office devices, require you to use their specific client program, which may or may not be available for Macs. VPN Tracker says it is compatible with over 300 gateways, and the first step to create a new connection is to pick your manufacturer and model. For my first connection to the Macworld gateway, I selected the Cisco concentrator version, and the main window then showed the required settings.
Control multiple connections with iPhone-style sliders.
Unfortunately, my initial connection effort failed. A quick click on the Log tab helpfully highlighted the suspected problem. Clicking on that link moved me back to the main interface and highlighted the offending setting (a missing group ID). With that fixed, connecting to the VPN gateway was a breeze and performance felt faster than the native OS X client or other options I’ve previously used.
My second attempt to connect also failed, and this time VPN Tracker identified the wrong problem. After 30 minutes of adjusting different settings, a helpful Macworld IT administrator determined we were using the wrong authentication mode. A second test connection on different hardware required 40 minutes on the phone with the gateway administrator.
This illustrates the main pitfall of VPN clients: manually configuring a connection is often difficult, even for IT professionals. VPN Tracker does everything possible to simplify the process and identify problems, but the odds are high that you’ll still need help from your IT department. This isn’t a failure of the software, just the reality of managing VPNs.
Ideally, your IT department will provide you with a preconfigured connection, which imports easily into your remote computer and saves manual configuration headaches.
PN Tracker 5.2 really shines once configuration is complete. The Professional version supports multiple simultaneous connections, allowing you to check your e-mail in London while pulling files from Dubai and running applications in Argentina. It’s overkill for the average user, but IT professionals often need to connect to multiple networks.
The software is location aware, allowing you to change connections manually by changing network location (with the Location pull-down menu), or automatically based on your Airport wireless network ID. You can thus connect to your VPN automatically when you leave the office, and disconnect when returning to work.
Among the software’s most useful features are startup and shutdown actions. VPN Tracker can automatically mount servers, check e-mail, and even launch applications when connecting to remote networks, and shut them down when disconnecting. This is a powerful feature that gives you access to the right sets of servers and applications only when you’re connected, and eliminates system slowdowns and error messages if they are unreachable. If those aren’t enough for you, the application also supports an extensive AppleScript library. You can start, stop, and reconfigure connections and groups via AppleScript commands. I easily wrote a three-line script to automatically connect a client by sending it a specially formatted e-mail.
In my testing, I didn’t have any problems using VPN Tracker with Parallels virtualization. All I had to do was set my Windows XP virtual machine to use shared networking, and all traffic tunneled over the VPN. This is a very useful feature for those of you running Windows on your Mac who still need to connect to corporate assets, like an Exchange server. To ease integration with corporate environments, VPN Tracker also supports the strongest VPN encryption options and multifactor authentication, such as smart cards or RSA SecureIDs via integration with the OS X Keychain. If Keychain supports it, so does VPN Tracker.
Multiple connectionsVPN Tracker Professional also creates connection distributions for VPN Player versions. The creation process is straightforward: you select a connection, assign a license and password, then e-mail it in just a few steps. It took about two minutes to create a bundle, send it to my test system, and install it locally. It’s an ideal way for IT administrators to set up employees without the complexity of manual configuration.
But this streamlined process highlights a weakness of VPN Tracker–price. Many VPN gateways include their client software for free, but the VPN Tracker Player costs $79 per user, which adds up quickly. Unless you need a client for a gateway that doesn’t support Macs, or need to enable multiple connections for users in a single client, you may find it more cost effective to stick with free options like the native Mac OS X IPSec client or software provided with your VPN gateway.
If you’re an IT professional connecting to multiple virtual private networks, or a single user lacking VPN client support for your gateway, VPN Tracker 5.2.1 is an ideal solution. But due to the price, other users and enterprises supporting many employees may choose to stick with free options.
[Rich Mogull is an independent security consultant who blogs regularly on security issues at Securosis.com. He is also the security editor at TidBits.]