Astaro Web Gateway AWG4000

ov_logo_blueonWhite
by || 09/15/2008

Astaro’s new Web Gateway appliances are aimed at businesses that already have firewall and IPS solutions in place, and just want to add web content filtering at the gateway. The top-of-the-range AWG4000 is a good quality, if somewhat noisy, all-Supermicro affair of a 1U chassis and motherboard, offering a decent hardware specification. You get a 2.4GHz Xeon X3220 quad-core processor, partnered by 2GB of memory, and a 3Ware SATA PCI RAID controller card for storage.

The device can operate as a single system, but also supports high availability (HA), where active/active clusters of up to ten appliances can be created. Not only is network bandwidth spread across the cluster, but CPU-intensive operations such as anti-virus scanning are also spread across multiple appliances, providing a valuable feature.

The first device to come online is designated as the master and all others are slaves, with the CPU load spread across all of them. The master appliance designates one slave to act as a secondary unit that will take over should it fail.

Initial installation is swift as you connect a PC to the Eth0 port on the device and point a web browser at its default IP address. The web interface fires up a quick-start routine, which deals with licensing, hostnames and administrative access. For network interface configuration the AWG4000 has four Gigabit ports to play with. For testing we used the first two for LAN and WAN duties, but you can use all of them for different functions, including DMZ and HA.

To manage web traffic the box employs easy-to-configure HTTP and FTP proxies. The HTTP proxy offers a number of modes, with the standard option listening on port 8080 and requiring proxy settings configured in your client’s browsers. There are plenty of user authentication modes as the appliance maintains a local user and group database, but can also integrate with Active Directory, Radius and LDAP servers, and even Novell’s eDirectory. Astaro offers an unusual feature in proxy profiles, which allow you to use transparent mode for some users and authentication for others.

For web content filtering you have Websense, with 18 URL categories to choose from, each with up to seven sub-categories. HTTP proxy profiles also use sets of URL categories, along with white and black lists assigned to specific users and groups, allowing a variety of access policies to be enforced.

During profile creation you can view all network definitions in a side bar, and drag and drop selected ones into the source network box. Definitions are also used for time intervals, allowing you to specify working hours, lunch periods, weekends and so on, and apply them to policies to determine when they are active. The only thing the policies can’t do is allow access to selected URL categories for a specific time period and then block them.

Dual, anti-virus scanning engines are included courtesy of ClamAV and Authentium. All web traffic is scanned, specific file types can be blocked, and if performance is a concern you can opt for a single engine that drops the Authentium scanner from the process. IM and P2P controls are also on the menu, allowing specific applications to be blocked or file transfers to be stopped. You can’t add you own custom apps, but Astaro provides a reasonable selection of the most common types and a new feature is the ability to control Skype.

Astaro offers somewhat basic reporting facilities. For each proxy you get a real-time rundown on the top web domains being accessed, the busiest users and the top blocked sites, while an executive report option provides a complete summary of all activities. An export function would have been useful, but at least daily, weekly and monthly summaries can be created automatically and emailed to selected users.

With the price including support for unlimited users, the AWG4000 looks comparatively good value. Reporting facilities could be better and HTTPS needs to be supported, but Websense provides tough content filtering and Astaro’s policies allow access to be fine-tuned for a wide range of requirements.