Wednesday, January 14, 2009
Netgear FVS336G Gigabit VPN
The company I work at is small, so we all have to wear different hats from time to time. Even though I am a software engineer, I find myself helping out with IT issues every once in a while. In fact, I am the official Wireless Administrator! We have made some infrastructure changes recently and I feel compelled to write about the obstacles that we encountered. This post will be the first of a two-part series on the trials and tribulations of the setup and administration of Netgear products.
We recently moved offices and we took it as an opportunity to upgrade our VPN. We spent a fair amount of time comparing specifications and reading reviews. Eventually we settled on the Netgear FVS336G Gigabit VPN. It is the only unit in its class that had a built-in Gigabit switch, which is nice. It claims to not need any special client software, it is an order of magnitude faster than our previous VPN and it had decent reviews on Newegg.
Once I began setting it up I immediately encountered obstacle number one. The statement that it does not need any client software is only partially true. The SSL VPN mode does not require any special software, but the IPsec VPN requires the Netgear ProSafe VPN Client. Because we require using the IPsec VPN I reluctantly went down the path of purchasing the VPN Client software.
From the buynetgear.com website it wasn't clear if the software was going to be shipped, or if it was available as a download. We really wanted to be able to buy the software and download it immediately because we needed that VPN up and running ASAP. I called Netgear to verify that I could download it. The support agent assured me that I could download it, and then she rushed me off the phone.
Well, as I quickly found out, she was wrong: you can't download it. I had to wait for it to arrive via the mail system. After many days I finally had the clients in hand and within minutes obstacle number two was discovered. Even though the website claims that the VPN Client is Windows Vista compatible, it would not install on Vista. Through some research on the forums I discovered that the software in the box was really old, and that a much newer version exists. There is no information that I could find on the internet about how to acquire the new version, so I called Netgear a second time.
I had to get transferred several times before I finally reached a technical support person who could help me. But before he would help me I had to prove to him that I purchased the software. I actually had to forward him a receipt from my e-mail; he had no way of looking up my information. Once he was satisfied that I had purchased the software he e-mailed me a special link through a 3rd party download service so that I could acquire the latest version of the software.
The whole process was completely asinine. I don't understand why the client software isn't included with the VPN hardware! The technical support agent actually told me that the software is difficult to acquire on purpose! The reasoning is that there is no software protection built into the software so they are worried about piracy. The client software has no way of informing the user if an update is available, nor will they publish any information on the website about new updates. The only way to make sure I stay current with the software is to call Netgear every few months and ask! This was the agent's advice! Unbelievable.
Now that I was able to install the client I encountered the final obstacle. The Reference Manual is no longer in sync with the current version of the firmware. In the latest documentation it describes this crazy scheme where the user's ID should be of the 'Domain Name' form and should be constructed like "[name][XY].fvg_remote.com" where XY is a unique two digit number. Well, this functionality no longer appears to work in the latest firmware. I finally realized that the right way to configure the VPN is to use Extended Authentication where each user has a username/password managed by the hardware, which is much better. I understand why they moved away from that crazy scheme: it is completely unmanageable; the administrator would have to keep a separate spreadsheet to manage those unique two digit numbers.
Even though it was such a bear to get up and running, it has been working well. It is much, much faster than our previous Symantec unit. If they made it easier to acquire the client software, had more accurate documentation, and were a little more honest in the marketing materials then I would definitely recommend the product.