


Juniper Networks SA2500 SSL VPN Appliance

Deploy cost-effective remote and extranet access, as well as intranet security

Juniper Networks Secure Access 2500 SSL VPN Appliance #SA2500
List Price: $2,500.00


SA2500 Overview:

Juniper Networks SA Series SSL VPN Appliances lead the SSL VPN market with a complete range of remote access appliances, including the new, next-generation Juniper Networks SA2500, SA4500, and SA6500 SSL VPN Appliance with its high scalability and redundancy capabilities that are specifically designed for large enterprises and service providers. The SA Series combines the security of SSL with standards-based access controls, granular policy creation, and unparalleled flexibility. The result provides ubiquitous security for all enterprise tasks with options for increasingly stringent levels of access control to protect the most sensitive applications and data. Juniper Networks SA Series SSL VPN Appliances deliver lower total cost of ownership over traditional IPsec client solutions and unique end-to-end security features.

The Juniper Networks SA2500, SA4500, and SA6500 SSL VPN Appliances meet the needs of companies of all sizes. With the SA6500, Juniper continues to demonstrate its SSL VPN market leadership by delivering a highly scalable solution based on real-world performance testing. SA Series SSL VPN Appliances use SSL, the security protocol found in all standard Web browsers. The use of SSL eliminates the need for pre-installed client software, changes to internal servers, and costly ongoing maintenance and desktop support. Juniper Networks SA Series also offers sophisticated partner/customer extranet features that enable controlled access to differentiated users and groups without requiring infrastructure changes, demilitarized zone (DMZ) deployments, or software agents.

The SA Series now includes Juniper Networks Junos® Pulse, a dynamic, integrated, multiservice network client for mobile and non-mobile devices. Junos Pulse enables optimized, accelerated, anytime, anywhere access to corporate data. Pulse enables secure SSL access from a wide range of mobile and non-mobile devices, including smartphones, netbooks, notebooks, Wi-Fi, or 3G-enabled devices. Junos Pulse delivers enterprises improved productivity and secure, ubiquitous access to corporate data and applications—anytime, anywhere.

Architecture and Key Components

The SA2500 SSL VPN Appliance enables small- to medium-size businesses (SMBs) to deploy cost-effective remote and extranet access, as well as intranet security. Users can access the corporate network and applications from any machine over the Web. The SA2500 offers high availability (HA) with seamless user failover. And because the SA2500 runs the exact same software as the larger SA4500 and SA6500, even smaller organizations gain the same high-performance, administrative flexibility, and end user experience.

Because each of the SA Series SSL VPN Appliances runs on the same software, there is no need to compromise user or administrator experience based on which one you choose. All devices offer leading performance, stability, and scalability. Therefore, deciding which device will best fit the needs of your organization is easily determined by matching the required number of concurrent users, and perhaps system redundancy and large-scale acceleration options, to the needs of your growing remote access user population.

  • SA2500: Supports SMBs as a cost-effective solution that can easily handle up to 100 concurrent users on a single system or two-unit cluster.


Features & Benefits:

Layer 3 SSL VPN (Network Connect)
  • Layer 3 VPN connectivity with granular access control is provided.
  • Only SSL mode is available; there is no Encapsulating Security Payload (ESP) mode.
Location awareness
  • Seamless roaming from remote access (to SA Series) to local LAN access (via Juniper Networks Unified Access Control) is provided.
  • Junos Pulse can be preconfigured by admins to automatically prompt end users for credentials to authenticate to the SA Series when they are remote.
Endpoint security
  • Seamless roaming from remote access (to SA Series) to local LAN access (via Juniper Networks Unified Access Control) is provided.
  • Junos Pulse can be preconfigured by admins to automatically prompt end users for credentials to authenticate to the SA Series when they are remote.
Split tunneling options (enable or disable with overriding route capability and route monitoring)
  • Key split tunneling options of Network Connect are supported.
  • Secure, granular access control is enforced.
Flexible launch options (standalone client, browser-based launch)
  • Users can easily launch Junos Pulse via the Web from the SA Series landing page.
  • Remote users can simply launch Junos Pulse from their desktop.
Preconfiguration options (pre-configured installer to contain list of SA Series appliances)
  • Admins can pre-configure a Junos Pulse deployment with a list of corporate SA Series appliances for end users to choose from.
Connectivity options (max/idle session timeouts, automatic reconnect, logging)
  • Admins can set up flexible connectivity options for remote users.
Authentication options (hardware token, smart cards, or soft token)
  • Admins can deploy Junos Pulse for remote user authentication by using a hardware token or smart cards.
  • Junos Pulse supports integration with RSA SoftID, allowing automatic access to the user’s RSA passcodes using the PIN entered by the user.


End-to-End Layered Security

The SA2500, SA4500, and SA6500 provide complete end-to-end layered security, including endpoint client, device, data, and server layered security controls.

Anti-malware support with Enhanced Endpoint Security
  • Description: Dynamically download Webroot’s market-leading anti-malware software to enforce endpoint security on devices that might not be corporate-assigned computers being used for network access.
  • Benefits: Protects endpoints from infection in real time from anti-malware and thereby protects corporate resources from harm during network access. Enables dynamic enforcement of anti-malware protection on unmanaged assets, such as PCs of external partners, customers, or suppliers.
Endpoint auto-remediation
  • Description: Automatically remediates non-compliant endpoints by updating software applications that do not comply with corporate security policies. Does not require Microsoft's SMS protocol for remediation and covers patches for not only Microsoft, but other vendors such as Adobe, Firefox, Apache, RealPlayer, etc. Directly downloads missing patches from vendor’s website without going through the SA Series appliance.
  • Benefits: Improves productivity of remote users who gain immediate access to the corporate network without having to wait for periodic updates of software applications, and ensures compliance with corporate security policies.
Host Checker
  • Description: Client computers can be checked both prior to and during a session to verify an acceptable device security posture requiring installed/running endpoint security applications (antivirus, firewall, etc.). Also supports custom-built checks, including verifying ports opened/closed, checking files/processes and validating their authenticity with Message Digest 5 (MD5) hash checksums, verifying registry settings, machine certificates, and more.
  • Benefits: Verifies/ensures that endpoint device meets corporate security policy requirements before granting access, remediating devices and quarantining users when necessary.
Host Checker Application Programming Interface (API)
  • Description: Created in partnership with best-in-class endpoint security vendors. Enables enterprises to enforce an endpoint trust policy for managed PCs that have personal firewall, antivirus clients, or other installed security clients, and quarantine non-compliant devices.
  • Benefits: Uses current security policies with remote users and devices; easier management.
Trusted Network Connect (TNC) support on Host Checker
  • Description: Allows interoperability with diverse endpoint security solutions from antivirus to patch management to compliance management solutions.
  • Benefits: Enables customers to leverage existing investments in endpoint security solutions from third-party vendors.
Policy-based enforcement
  • Description: Allows the enterprise to establish trustworthiness of non-API compliant hosts without writing custom API implementations or locking out external users, such as customers or partners that run other security clients.
  • Benefits: Enables access to extranet endpoint devices like PCs from partners that may run different security clients than that of the enterprise.
Hardened security appliance
  • Description: Designed on a purpose-built operating system.
  • Benefits: Not designed to run any additional services and is thus less susceptible to attacks; no backdoors to exploit or hack.
Security services employ kernel-level packet filtering and safe routing
  • Description: Undesirable traffic is dropped before it is processed by the TCP stack.
  • Benefits: Ensures that unauthenticated connection attempts, such as malformed packets or denial of service (DoS) attacks, are filtered out.
Secure Virtual Workspace (Advanced Feature Set)
  • Description: A secure and separate environment for remote sessions that encrypts all data and controls I/O access (printers, drives, etc.).
  • Benefits: Ensures that all corporate data is securely deleted from a kiosk or other unmanaged endpoint after a session.
Cache cleaner
  • Description: All proxy downloads and temp files installed during the session are erased at logout.
  • Benefits: Ensures that no potentially sensitive session data is left behind on the endpoint machine.
Data trap and cache controls
  • Description: Rendering of content in non-cacheable format.
  • Benefits: Prevents sensitive metadata (cookies, headers, form entries, etc.) from leaving the network.
Coordinated threat control
  • Description: Enables SA Series SSL VPN Appliances and Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to tie the session identity of the SSL VPN with the threat detection capabilities of the IDP Series, taking automatic action on users launching attacks.
  • Benefits: Effectively identifies, stops, and remediates both network and application-level threats within remote access traffic.


Ease of Administration

In addition to enterprise-class security benefits, the SA2500, SA4500, and SA6500 have a wealth of features that make it easy for the administrator to deploy and manage.

Bridge certificate authority (CA) support
  • Description: Enables the SA Series to support federated PKI deployments with client certificate authentication. Bridge CA is a PKI extension (as specified in RFC 5280) to cross-certify client certificates that are issued by different trust anchors (root CAs). Also enables the customer to configure policy extensions in the SA Series admin UI, to enforce during certificate validation. These policy extensions can be configured according to RFC 5280 guidelines.
  • Benefits: Enables customers who use advanced PKI deployments to deploy the SA Series to perform strict standards-compliant certificate validation, before allowing data and applications to be shared between organizations and users.
Based on industry-standard protocols and security methods
  • Description: No installation or deployment of proprietary protocols required.
  • Benefits: SA Series investment can be leveraged across many applications and resources over time.
Extensive directory integration and broad interoperability
  • Description: Existing directories in customer networks can be leveraged for authentication and authorization, enabling granular secure access without recreating those policies.
  • Benefits: Existing directory investments can be leveraged with no infrastructure changes; no APIs for directory integration as it’s all native/built in.
Integration with strong authentication and identity and access management platforms
  • Description: Provides ability to support SecurID; Security Assertion Markup Language (SAML), including standards-based SAML v2.0 support, and public key infrastructure (PKI)/digital certificates.
  • Benefits: Leverages existing corporate authentication methods to simplify administration.
Multiple hostname support
  • Description: Provides the ability to host different virtual extranet websites from a single SA Series appliance.
  • Benefits: Saves the cost of incremental servers, eases management overhead, and provides a transparent user experience with differentiated entry URLs.
Customizable user interface
  • Description: Allows for creation of completely customized sign-on pages.
  • Benefits: Provides an individualized look for specified roles, streamlining the user experience.
Juniper Networks Network and Security Manager
  • Description: Provides intuitive centralized UI for configuring, updating, and monitoring SA Series appliances within a single device/cluster or across a global cluster deployment.
  • Benefits: Enables companies to conveniently manage, configure, and maintain SA Series appliances and other Juniper devices from one central location.
In Case of Emergency (ICE)
  • Description: Provides licenses for a large number of additional users on an SA Series SSL VPN Appliance for a limited time when a disaster or epidemic occurs.
  • Benefits: Enables a company to continue business operations by maintaining productivity, sustaining partnerships, and delivering continued services to customers when the unexpected happens.
Cross-platform support
  • Description: Provides the ability for any platform to gain access to resources such as Windows, Mac, Linux, or various mobile devices including iPhone, WinMobile, Symbian, and Android.
  • Benefits: Provides flexibility in allowing users to access corporate resources from any type of device using any type of OS.
Enterprise licensing
  • Description: Allows any organization with one or more devices to easily lease licenses from one appliance to another as required to adapt to changing organizational needs.
  • Benefits: Provides administrators the ability to start with minimal per-device licensing costs and then incrementally upgrade to enterprise leased licensing capabilities as needed.


Rich Access Privilege Management Capabilities

The SA2500, SA4500, and SA6500 provide dynamic access privilege management capabilities without infrastructure changes, custom development, or software deployment/maintenance. This facilitates the easy deployment and maintenance of secure remote access, as well as secure extranets and intranets. When users log into the SA Series SSL VPN Appliance, they pass through a pre-authentication assessment, and are then dynamically mapped to the session role that combines established network, device, identity, and session policy settings. Granular resource authorization policies further ensure exact compliance to security restrictions.

UAC-SA Federation
  • Description: Seamlessly provision SA Series user sessions into Juniper Networks Unified Access Control upon login—or the alternative (provisioning of UAC sessions into the SA Series). Users need to authenticate only one time to get access in these types of environments.
  • Benefits: Provides users—whether remote or local—seamless access with a single login to corporate resources that are protected by access control policies from UAC or the SA Series. Simplifies end user experience.
Certificate authentication to backend servers
  • Description: Enables customers to enforce client authentication on their secure backend servers and allows the SA Series to present an admin-configured certificate to these servers for authentication.
  • Benefits: Allows customers to mandate strict SSL policies on their backend servers by configuring client authentication.
Client certificate authentication for ActiveSync
  • Description: Any mobile device supporting ActiveSync, along with client-side certificates, can now be challenged by the SA Series for a valid client certificate before being allowed access to the ActiveSync server.
  • Benefits: Enables the administrator to enforce strict mobile authentication policies for ActiveSync access from mobile devices.
Multiple sessions per user
  • Description: Allows remote users to launch multiple sessions to the SA Series appliance.
  • Benefits: Enables remote users to have multiple authenticated sessions open at the same time.
User-Record Synchronization
  • Description: Supports synchronization of user records such as user bookmarks across different non-clustered SA Series appliances.
  • Benefits: Ensures ease of experience for users who often travel from one region to another and therefore need to connect to different SA Series appliances.
Virtual Desktop Infrastructure (VDI) support
  • Description: Allows interoperability with VMware View Manager and Citrix XenDesktop to enable administrators to deploy virtual desktops with the SA Series appliances.
  • Benefits: Provides seamless access to remote users to their virtual desktops hosted on VMware or Citrix servers. Provides dynamic delivery of the Citrix ICA client or the VMware View client, including dynamic client fallback options to allow users to easily connect to their virtual desktops.
ActiveSync Feature
  • Description: Provides secure access connectivity from mobile devices (such as Symbian, Windows Mobile, or iPhone) to the Exchange server with no client software installation. Enables up to 5000 simultaneous sessions on the SA6500.
  • Benefits: Enables customers to allow a large number of users including employees, contractors and partners to access corporate resources through mobile phones via ActiveSync.
Mobile-friendly SSL VPN login pages
  • Description: Provides predefined HTML pages that are customized for mobile devices, including Apple iPhones and iPad, Google Android, and Nokia Symbian devices.
  • Benefits: Provides mobile device users with a simplified and enhanced user experience with web pages customized for their device types.
Dynamic role mapping with custom expressions
  • Description: Combines network, device, and session attributes to determine which types of access are allowed. A dynamic combination of attributes on a per-session basis can be used to make the role mapping decision.
  • Benefits: Enables the administrator to provision by purpose for each unique session.
Resource authorization
  • Description: Provides extremely granular access control to the URL, server, or file level for different roles of users.
  • Benefits: Allows administrators to tailor security policies to specific groups, providing access only to essential data.
Granular auditing and logging
  • Description: Can be configured to the per-user, per-resource, and per-event level for security purposes as well as capacity planning.
  • Benefits: Provides fine-grained auditing and logging capabilities in a clear, easy-to-understand format.


Flexible Single Sign-On (SSO) Capabilities

The SA2500, SA4500, and SA6500 offer comprehensive single sign-on features. These features increase end user productivity, greatly simplify administration of large diverse user resources, and significantly reduce the number of help desk calls.

Kerberos Constrained Delegation
  • Description: Provides support for Kerberos Constrained Delegation protocol. When a user logs in to the SA Series with a credential that cannot be proxied through to the backend server, the SA Series appliance retrieves a Kerberos ticket on behalf of the user from the Active Directory infrastructure. The ticket is cached on the SA Series appliance throughout the session. When the user accesses Kerberos-protected applications, the SA Series uses the cached Kerberos credentials to log the user in to the application without prompting for a password.
  • Benefits: Eliminates the need for companies to manage static passwords, resulting in reduced administration time and costs.
Kerberos SSO and NTLMv2 support
  • Description: SA Series will automatically authenticate remote users via Kerberos or NTLMv2 using user credentials.
  • Benefits: Simplifies user experience by avoiding having users enter credentials multiple times to access different applications.
Password management integration
  • Description: Provides a standards-based interface for extensive integration with password policies in directory stores (LDAP, Microsoft Active Directory, NT, and others).
  • Benefits: Leverage existing servers to authenticate users. The users can manage their passwords directly through the SA Series interface.
Web-based SSO basic authentication and NT LAN Manager (NTLM)
  • Description: Allows users to access other applications or resources that are protected by another access management system without re-entering login credentials.
  • Benefits: Alleviates the need for end users to enter and maintain multiple sets of credentials for web-based and Microsoft applications.
Web-based SSO forms-based, header variable-based, SAML-based
  • Description: Provides ability to pass username, credentials, and other customer-defined attributes to the authentication forms of other products and as header variables.
  • Benefits: Enhances user productivity and provides a customized experience.


Provision by Purpose

The SA2500, SA4500, and SA6500 include three different access methods. These different methods are selected as part of the user’s role, so the administrator can enable the appropriate access on a per-session basis, taking into account user, device, and network attributes in combination with enterprise security policies.

IPsec/IKEv2 support for mobile devices
  • Description: Allows remote users to connect from devices such as PDAs, mobile devices, and smartphones, which support IKEv2 VPN connectivity. Administrators can also enable strict certificate authentication for access via IPsec/IKEv2. Also enables username/password authentication through Extensible Authentication Payload (EAP), whereby IKEv2 provides a “tunnel” mechanism for EAP authentication.
  • Benefits: Extends Juniper’s leading mobility and access control features of the SA Series to a broad range of devices and OS platforms that support IKEv2 VPN connectivity. Enables remote users to securely authenticate to the SA Series appliance from platforms that support IKEv2 VPN connectivity.
Clientless core Web access
  • Description: Provides access to web-based applications—including complex JavaScript, XML, or Flash-based apps and Java applets that require a socket connection—as well as standards-based e-mail such as Outlook Web Access (OWA), Windows and UNIX file share, telnet/SSH hosted-applications, terminal emulation, SharePoint (including extensive SharePoint 2010 support), and others.
  • Benefits: Provides the most easily accessible form of application and resource access from a variety of end user machines, including handheld devices; enables extremely granular security control options; completely clientless approach using only a Web browser.
Secure Application Manager (SAM)
  • Description: A lightweight Java or Windows-based download enables access to client/server applications.
  • Benefits: Enables access to client/server applications using just a Web browser; also provides native access to terminal server applications without the need for a pre-installed client.
Network Connect (NC)
  • Description: Provides complete network-layer connectivity via an automatically provisioned cross-platform download; Windows Logon/GINA integration for domain SSO; and installer services to mitigate need for admin rights. Allows for split tunneling capability.
  • Benefits: Users only need a Web browser. Network Connect transparently selects between two possible transport methods to automatically deliver the highest performance possible for every network environment. When used with Juniper Networks Installer Services, no admin rights are needed to install, run, and upgrade Network Connect; optional standalone installation is available as well. Split tunneling capability provides flexibility to specify which subnets or hosts to include or exclude from being tunneled.
Junos Pulse
  • Description: This single, integrated remote access client can also provide LAN access control, WAN acceleration, and dynamic VPN features to remote users, in conjunction with Juniper Networks Unified Access Control, WXC Series Application Acceleration Platforms, and SRX Series Services Gateways devices, respectively.
  • Benefits: Pulse replaces the need to deploy and maintain multiple, separate clients for different functionalities—such as VPN, LAN access control, and WAN acceleration. By seamlessly integrating all these functionalities into one single, easy-to-use client, administrators can save on client management and deployment costs to end users.

Product Options:

The SA2500, SA4500, and SA6500 appliances include various license options for greater functionality.

User License

With the release of the SA2500, SA4500, and SA6500 appliances, purchasing has been simplified, thanks to a combination of features that were once separate upgrades. Now, there is only one license that is needed to get started: the user licenses. Current customers with the older generation hardware (Juniper Networks SA2000, SA4000, and SA6000) will also benefit from these changes as systems are upgraded to version 6.1 (or higher) software.

User licenses provide the functionality that allows the remote, extranet, and intranet user to access the network. They fully meet the needs of both basic and complex deployments with diverse audiences and use cases, and require little or no client software, server changes, DMZ build-outs, or software agent deployments. For administrative ease of user license counts, each license enables only as many users as it specifies, and licenses are additive. For example, if a 100-user license was originally purchased and the concurrent user count grows over the next year to exceed that amount, simply adding another 100-user license to the system will allow for up to 200 concurrent users. Key features enabled by this license include:

  • SAM and Network Connect provide cross-platform support for client/server applications using SAM, as well as full network-layer access using the adaptive dual transport methods found in Network Connect. The combination of SAM and Network Connect with Core Clientless access provides secure access to virtually any audience, from remote/mobile workers to partners or customers, using a wide range of devices from any network. 
  • Provision by purpose goes beyond role-based access controls and allows administrators to properly, accurately, and dynamically balance security concerns with access requirements.
  • Advanced PKI support includes the ability to import multiple root and intermediate certificate authorities (CAs), Online Certificate Status Protocol (OCSP), and multiple server certificates.
  • User self-service provides the ability for users to create their own favorite bookmarks, including accessing their own workstation from a remote location, and even changing their password when it is set to expire.
  • Multiple hostname support (for example, https://employees.company.com, https://partners.company.com and https://employees.company.com/engineering) can all be made to look as though users are the only ones using the system, complete with separate logon pages and customized views that uniquely target the needs and desires of that audience.
  • User interfaces are customizable for users and delegated administrative roles.
  • Advanced endpoint security controls such as Host Checker, Cache Cleaner, and Secure Virtual Workspace work to ensure that users are dynamically provisioned to access systems and resources only to the degree that their remote systems are compliant with the organization’s security policy, after which remnant data is scrubbed from the hard drive so that nothing is left behind.
  • Provides support of up to 240 VLANs.

Secure Meeting License (Optional)

The Juniper Networks Secure Meeting upgrade license extends the capabilities of the SA Series SSL VPN Appliances by providing secure any time, anywhere, cost-effective online Web conferencing and remote control PC access. Secure Meeting enables real-time application sharing so that authorized employees and partners can easily schedule online meetings or activate instant meetings through an intuitive Web interface that requires no training or special deployments. Help desk staff or customer service representatives can provide remote assistance to any user or customer by remotely controlling his/her PC without requiring the user to install any software. Best-in-class Authentication, Authorization, and Accounting (AAA) capabilities enable companies to easily integrate Secure Meeting with their existing internal authentication infrastructure and policies. Juniper’s market-leading, hardened, and Common Criteria-certified SSL VPN appliance architecture, and SSL/HTTPS transport security for all traffic, means that administrators can rest assured that their Web conferencing and remote control solution adheres to the highest levels of enterprise security requirements.

The Secure Meeting upgrade is available for the SA2500, SA4500, and SA6500.

Instant Virtual System License (Optional)

Juniper Networks Instant Virtual System (IVS) option is designed to enable administrators to provision 240 logically independent SSL VPN gateways within a single appliance/cluster. This allows service providers to offer network-based SSL VPN managed services to multiple customers from a single device or cluster, as well as enabling enterprises to completely segment SSL VPN traffic between multiple groups. IVS enables complete customer separation and provides segregation of traffic between multiple customers using granular role based VLAN (802.1Q) tagging. This enables the secure segregation of end user traffic even if two customers have overlapping IP addresses, and enables provisioning of specific VLANs for different user constituencies such as remote employees and partners of customers.

Domain Name Service (DNS)/Windows Internet Name Service (WINS), AAA, log/accounting servers, and application servers such as Web mail and file shares to name a few, can reside either in the respective customer’s intranets or in the service provider network. Service providers can provision an overall concurrent number of users on a per-customer basis with the flexibility to distribute further to different user audiences such as remote employees, contractors, partners, and others. The SA Series extends programmatic support to configure and manage IVS. This enables service providers to integrate IVS management into their own operations support systems (OSS). It also enables enterprises that use Instant Virtual Systems to leverage XML import/export capabilities for management of the individual virtual systems.

The IVS upgrade is available for the SA4500 and SA6500.

High Availability License (Optional)

Juniper Networks has designed a variety of HA clustering options to support the SA Series, ensuring redundancy and seamless failover in the rare case of a system failure. These clustering options also provide performance scalability to handle the most demanding usage scenarios. The SA2500 and SA4500 can be purchased in cluster pairs, and the SA6500 can be purchased in multi-unit clusters or cluster pairs to provide complete redundancy and expansive user scalability. Both multi-unit clusters and cluster pairs feature stateful peering and failover across the LAN and WAN, so in the unlikely event that one unit fails, system configurations (like authentication server, authorization groups, and bookmarks), user profile settings (like user-defined bookmarks and cookies), and user sessions are preserved. Failover is seamless, so there is no interruption to user/enterprise productivity, no need for users to log in again, and no downtime. Multi-unit clusters are automatically deployed in active/active mode, while cluster pairs can be configured in either active/active or active/passive mode.

High availability licenses allow you to share licenses from one SA Series appliance with one or more additional SA Series appliances (depending on the platform in question). These are not additive to the concurrent user licenses. For example, if a customer has a 100 user license for the SA4500 and then purchases another SA4500 with a 100 user cluster license, this will provide a total of 100 users that are shared across both appliances, not per appliance.

The HA option is available for the SA2500, SA4500, and SA6500.

ICE License (Optional)

SSL VPNs can help keep organizations and businesses functioning by connecting people even during the most unpredictable circumstances—hurricanes, terrorist attacks, transportation strikes, pandemics, or virus outbreaks—the result of which could mean the quarantine or isolation of entire regions or groups of people for an extended period of time. With the right balance of risk and cost, the new Juniper Networks SA Series ICE offering delivers a timely solution for addressing a dramatic peak in demand for remote access to ensure business continuity whenever a disastrous event strikes. ICE provides licenses for a large number of additional users on an SA Series SSL VPN Appliance for a limited time. With ICE, businesses can:

  • Maintain productivity by enabling ubiquitous access to applications and information for employees from anywhere, at any time, and on any device.
  • Sustain partnerships with around-the-clock, real-time access to applications and services while knowing resources are secured and protected.
  • Continue to deliver exceptional service to customers and partners with online collaboration.
  • Meet federal and government mandates for contingencies and continuity of operations (COOP) compliance.
  • Balance risk and scalability with cost and ease of deployment.

The ICE license is available for the SA4500 and the SA6500 and includes the following features:

  • Baseline
  • Secure Meeting

Antispyware Support with Enhanced Endpoint Security (EES) (Optional)

The number of newly discovered malicious programs that can harm endpoint devices such as PCs continues to grow. According to the 1985-2008 AV-test.org report, over seven million new malware programs were discovered in 2008, and just over five million were discovered in 2007. Malware and spyware are known to cost enterprises an increasing amount of money every year in the effort required to quarantine and remediate the appropriate endpoints.

In order to prevent endpoints from being infected with spyware, Juniper Networks offers the Enhanced Endpoint Security license option. This license is a full-featured, dynamically deployable antispyware/antimalware module that is an OEM of Webroot’s industry-leading Spy Sweeper product. This dynamic antispyware/antimalware download capability is also available with Unified Access Control. With this new capability, organizations can ensure that unmanaged and managed Microsoft Windows endpoint devices conform to corporate security policies before they are allowed access to the network, applications, and resources. For example, potentially harmful keyloggers can be found and removed from an endpoint device before the user enters sensitive information such as their user credentials. The Enhanced Endpoint Security license protects endpoints from infection in real-time and ensures only clean endpoints are granted access to the network. Enhanced Endpoint Security licenses are available as 1-year, 2-year, and 3-year subscription options (see the Ordering Information section for more details).

Technical Specifications:

[Image: SA2500 SSL VPN Appliance, front view]

[Image: SA2500 SSL VPN Appliance, rear view]

| Specification | SA2500 | SA4500, SA4500 FIPS | SA6500, SA6500 FIPS |
|---|---|---|---|
| Dimensions and Power | | | |
| Size (W x H x D) | 17.26 x 1.75 x 14.5 in (43.8 x 4.4 x 36.8 cm) | 17.26 x 1.75 x 14.5 in (43.8 x 4.4 x 36.8 cm) | 17.26 x 3.5 x 17.72 in (43.8 x 8.8 x 45 cm) |
| Weight | 14.6 lb (6.6 kg) typical (unboxed) | 15.6 lb (7.1 kg) typical (unboxed) | 26.4 lb (12 kg) typical (unboxed) |
| Rack mountable | Yes, 1U | Yes, 1U | Yes, 2U, 19 inch |
| A/C power supply | 100-240 VAC, 50-60 Hz, 2.5 A Max, 200 W | 100-240 VAC, 50-60 Hz, 2.5 A Max, 300 W | 100-240 VAC, 50-60 Hz, 2.5 A Max, 400 W |
| System battery | CR2032 3V lithium coin cell | CR2032 3V lithium coin cell | CR2032 3V lithium coin cell |
| Efficiency | 80% minimum, at full load | 80% minimum, at full load | 80% minimum, at full load |
| Material | 18 gauge (.048”) cold-rolled steel | 18 gauge (.048”) cold-rolled steel | 18 gauge (.048”) cold-rolled steel |
| MTBF | 75,000 hours | 72,000 hours | 98,000 hours |
| Fans | Three 40 mm ball bearing fans, one 40 mm ball bearing fan in power supply | Three 40 mm ball bearing fans, one 40 mm ball bearing fan in power supply | Two 80 mm hot swap, one 40 mm ball bearing fan in power supply |
| Panel Display | | | |
| Power LED, HD activity, HW alert | Yes | Yes | Yes |
| HD activity and fail LED on drive tray | No | No | Yes |
| Ports | | | |
| Traffic | Two RJ-45 Ethernet - 10/100/1000 full or half-duplex (auto-negotiation) | Two RJ-45 Ethernet - 10/100/1000 full or half-duplex (auto-negotiation) | Four RJ-45 Ethernet – full or half-duplex (auto-negotiation); for link redundancy to internal switches SFP module optional |
| Management | N/A | N/A | One RJ-45 Ethernet - 10/100/1000 full or half-duplex (auto-negotiation) |
| Fast Ethernet | IEEE 802.3u compliant | IEEE 802.3u compliant | IEEE 802.3u compliant |
| Gigabit Ethernet | IEEE 802.3z or IEEE 802.3ab compliant | IEEE 802.3z or IEEE 802.3ab compliant | IEEE 802.3z or IEEE 802.3ab compliant |
| Console | One RJ-45 serial console port | One RJ-45 serial console port | One RJ-45 serial console port |
| Environment | | | |
| Operating Temperature | 41° to 104° F (5° to 40° C) | 41° to 104° F (5° to 40° C) | 41° to 104° F (5° to 40° C) |
| Storage Temperature | -40° to 158° F (-40° to 70° C) | -40° to 158° F (-40° to 70° C) | -40° to 158° F (-40° to 70° C) |
| Relative Humidity (Operating) | 8% to 90% noncondensing | 8% to 90% noncondensing | 8% to 90% noncondensing |
| Relative Humidity (Storage) | 5% to 95% noncondensing | 5% to 95% noncondensing | 5% to 95% noncondensing |
| Altitude (Operating) | 10,000 ft (3,048 m) maximum | 10,000 ft (3,048 m) maximum | 10,000 ft (3,048 m) maximum |
| Altitude (Storage) | 40,000 ft (12,192 m) maximum | 40,000 ft (12,192 m) maximum | 40,000 ft (12,192 m) maximum |
| Certifications | | | |
| Safety Certifications | EN60950-1:2001+ A11, UL60950-1:2003, CAN/CSA C22.2 No. 60950-1-03, IEC 60950-1:2001 | EN60950-1:2001+ A11, UL60950-1:2003, CAN/CSA C22.2 No. 60950-1-03, IEC 60950-1:2001 | EN60950-1:2001+ A11, UL60950-1:2003, CAN/CSA C22.2 No. 60950-1-03, IEC 60950-1:2001 |
| Emissions Certifications | FCC Class A, EN 55022 Class A, EN 55024 Immunity, EN 61000-3-2, VCCI Class A | FCC Class A, EN 55022 Class A, EN 55024 Immunity, EN 61000-3-2, VCCI Class A | FCC Class A, EN 55022 Class A, EN 55024 Immunity, EN 61000-3-2, VCCI Class A |
| Warranty | 90 days; can be extended with support contract | 90 days; can be extended with support contract | 90 days; can be extended with support contract |


Performance-Enabling Services and Support

Juniper Networks is the leader in performance-enabling services and support, which are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to bring revenue-generating capabilities online faster so you can realize bigger productivity gains, faster rollouts of new business models and ventures, and greater market reach, while generating higher levels of customer satisfaction. At the same time, Juniper Networks ensures operational excellence by optimizing your network to maintain required levels of performance, reliability, and availability.

SA Series Comparison Matrix:

| | SA700 | SA2500 | SA4500, SA4500 FIPS | SA6500, SA6500 FIPS |
|---|---|---|---|---|
| Market Segment | Small to mid-size enterprises <250 total employees | Small to mid-size enterprises | Mid-size to large enterprises, government agencies | Large enterprises, service providers, large government agencies |
| Users | Remote or mobile employees, business partners, customers | Remote or mobile employees, business partners, customers | Remote or mobile employees, business partners, customers | Remote or mobile employees, business partners, customers |
| Access Method | Clientless Core Web Access; Network Connect | Clientless Core Web Access; Secure App. Manager; Network Connect | Clientless Core Web Access; Secure App. Manager; Network Connect | Clientless Core Web Access; Secure App. Manager; Network Connect |
| Interfaces | Two RJ-45 Ethernet; 10/100 full or half-duplex (auto-negotiation); IEEE 802.3u compliant; one 9-pin serial console port | Two RJ-45 Ethernet; 10/100/1000 full or half-duplex (auto-negotiation); IEEE 802.3u compliant; IEEE 802.3z or IEEE 802.3ab compliant; one RJ-45 serial console port | Two RJ-45 Ethernet; 10/100/1000 full or half-duplex (auto-negotiation); IEEE 802.3u compliant; IEEE 802.3z or IEEE 802.3ab compliant; one RJ-45 serial console port | Two RJ-45 Ethernet; 10/100/1000 full or half-duplex (auto-negotiation); two SFP ports - Gig-E; two RJ-45 Ethernet; 10/100/1000 full or half-duplex (auto-negotiation); IEEE 802.3u compliant; IEEE 802.3z or IEEE 802.3ab compliant; one RJ-45 serial console port |
| High Availability | N/A | A/P, A/A, Stateful Peering, Clustering | A/P, A/A, Stateful Peering, Clustering | Plus redundant power supply, hard drive w/ real-time data mirroring, & additional memory |

Juniper Networks Products
SA Series Appliances
Juniper Networks Secure Access 2500 SSL VPN Appliance #SA2500
List Price: $2,500.00
Juniper Networks Licenses
User Licenses
Add 10 simultaneous user licenses to SA2500 #SA2500-ADD-10U
List Price: $2,495.00
Add 25 simultaneous user licenses to SA2500 #SA2500-ADD-25U
List Price: $4,945.00
Add 50 simultaneous user licenses to SA2500 #SA2500-ADD-50U
List Price: $8,795.00
Add 100 simultaneous user licenses to SA2500 #SA2500-ADD-100U
List Price: $15,995.00
Feature Licenses
Secure Meeting for SA2500
Note: Enables the number of concurrent meeting users licensed on the box up to 50 users and 25 meetings in single unit or 100 users/50 meetings in cluster
#SA2500-MTG
List Price: $4,495.00
Lab Licenses
SA2500 Lab Unit License (10 simultaneous users, all features)
Note: This is a 1 year lab license only - requires ordering the base hardware system separately (SA2500). Can be renewed via JTAC ticket when valid maintenance contract exists.
#SA2500-LAB
List Price: $2,495.00
Clustering Licenses
Clustering Licenses: Allow 10 users to be shared from another SA2500 #SA2500-CL-10U
List Price: $1,995.00
Clustering Licenses: Allow 25 users to be shared from another SA2500 #SA2500-CL-25U
List Price: $4,395.00
Clustering Licenses: Allow 50 users to be shared from another SA2500 #SA2500-CL-50U
List Price: $7,695.00
Clustering Licenses: Allow 100 users to be shared from another SA2500 #SA2500-CL-100U
List Price: $12,495.00
SA2500 Lab Unit License: Clustering
Note: This is a 1 year lab license only - requires ordering the base hardware system separately (SA2500). Can be renewed via JTAC ticket when valid maintenance contract exists.
#SA2500-LAB-CL
List Price: $1,000.00