Products - SANGFOR - Internet Access Management and WAN Optimization.

Introduction Functions Advantages Typical Cases Technologies

SANGFOR provides high-speed, easy-to-use, highly secure and reliable SSL VPN products. Since SANGFOR rolled out its SSL VPN products in 2004, SANGFOR solutions have been widely applied by medium-sized and large enterprises in all sectors, including government, banking, telecommunications, energy and education. Over 70% of domestic enterprises that rank in the world’s top 500 have chosen SANGFOR SSL VPN solutions. Statistics from Frost & Sullivan and IDC show that, in 2008 and 2009, SANGFOR SSL VPN beat multiple domestic and overseas SSL VPN manufacturers to occupy the highest market share in Chinese SSL VPN market.

Easy Mobile Officing
The SANGFOR SSL VPN can help you easily, safely and conveniently access the Intranet through mobile terminals such as laptops, PCs, intelligent phones and PDAs. Therefore, reduces costs and improves production efficiency.

Providing Third-party Remote Access
The SANGFOR SSL VPN provides a complete third-party remote access solution. This solution combines multiple acceleration technologies and carefully controls the access authorization of applications. Therefore, SANGFOR’s solution enables your third-party partners to quickly share resources and safely access applications under control.

Protecting the Intranet through Logical Isolation and Sectionalization
The SANGFOR SSL VPN provides a safe, reliable, cost-efficient, and flexible solution for network logical isolation. It employs multiple technologies, such as detailed permission classification, various authentication and security mechanisms, and client security inspection.

Reinforcing Security of the Key Business Information System
SANGFOR SSL VPN provides a complete solution to reinforce security of key business information systems. The solution provides a perfect identity authentication system and access protection. It also binds application access account of specified users by patented primary/secondary accounts to ensure that accounts are not falsely used or access permissions are not violated.

Preventing Illegal WLAN Access
SANGFOR SSL VPN provides a safe WLAN access solution for you. SSL VPN offers a uniform authentication of WLAN access, and strictly controls users to prevent information leakage and guarantee application security.

Rapidity
Technical Function	Functional Value
Intelligent routing	Automatically chooses the quickest link for remote access and solves the problem in which a network has multiple operators’ lines.
Multi-line multiplexing	Supports the multiplexing of multi-line bandwidth resources and optimizes VPN access speeds. This technology can also be used in one-armed mode.
HTP acceleration	Increases SSL VPN access speeds for GPRS/CDMA/EDGE wireless routers.
Load balancing	Uses server load balancing technology to assign users’ access requests to multiple servers and increase access speed.
Web optimization	Dynamically adjusts page display effects to improve the access experience of PDA and intelligent phone users.
Intelligent data compression	Greatly decreases data volume, reduces bandwidth demands, and improves transmission speeds.
Flow cache acceleration (optional)	Greatly reduces redundant data transmission (as much as 80% of total flow) through the unique acceleration technology; significantly improves user's access speed.

Identity Safty
Technical Function	Functional Value
Local authentication	Supports username/password, graphical identifying code, and local CA to construct a simpler authentication system.
Third-party authentication	Supports combination with third-party authentication system: CA; LDAP; Radius to ease users’ authentication management.
Dynamic authentication	Supports USB Keys, dynamic tokens, and terminal hardware fingerprinting to maximize the identity authentication security for access.
Hybrid authentication	Provides “and” and "or” combinations of multiple authentication modes to meet different login security requirements for different users. This authentication is safer than the Internet banking system.
Others	Supports passwords against violent cracks, soft keyboards, and graphic identifying code.

Terminal Security
Technical Function	Functional Value
Terminal security detection	Supports username/password, graphical identifying code, and local CA to construct a simpler authentication system.
Client dynamic authorization	Supports combination with third-party authentication system: CA; LDAP; Radius to ease users’ authentication management.
VPN private line	Supports USB Keys, dynamic tokens, and terminal hardware fingerprinting to maximize the identity authentication security for access.
Sandbox for secure desktop	Provides “and” and "or” combinations of multiple authentication modes to meet different login security requirements for different users. This authentication is safer than the Internet banking system.
Clear cache	Supports passwords against violent cracks, soft keyboards, and graphic identifying code.

Transmission Security
Technical Function	Functional Value
Diversified encryption algorithms	Provides a complete security mechanism by supporting multiple international standard encryption algorithms, such as AES, DES, 3DES, RC4, SHA and MD5, and the security algorithms of the State Encryption Management Commission Office.
Standard SSL VPN support	Adopts the standard SSL protocol for data encapsulation and complies with the national standard SSL VPN technical specifications.

Authorization Security
Technical Function	Functional Value
Role-based authorization	Associates user identities with resources and directly controls user access authorization.
Fine-grained authorization	Optimizes resource allocation in the intranet and user access authorization based on URL, service, and IP.
Key file protection	Protects specified key files of the client. If these files are modified, the client cannot connect to the SSL VPN or access the key application systems.
Hierarchical user management	Establishes a 16-level tree user group structure consistent with the administrative structure system of an organization, and clarifies permission management.

Log Security
Technical Function	Functional Value
Comprehensive log data	Includes system logs, device operation logs, administrator logs, and user logs for convenient device management.
Independent log center	Adopts a third-party device for independent and mass storage of log data.
Numerous statistical reports	Adopts multiple display forms such as bar graphs, curves, and tables based on users, user groups, traffic and resources. Therefore, administrators can fully understand SSL VPN operations, resource access, and how users employ the SSL VPN.
Hierarchical log management	Supports log management on different nodes and levels in the log center to prevent track records from being deleted or misused.

Usability
Technical Function	Functional Value
Single Sign On	Supports the SSO of B/S and C/S applications to avoid inefficient operations, such as the repeated entry of accounts or passwords.
Compatibility with various terminals	Supports SSL VPN in different terminal environments, including PDA, intelligent phones, Apple, Linux, and Firefox.
Traffic/session control	Supports user/user group-based traffic/session control to avoid excessive traffic from a single user and the misuse of bandwidth; thus it improves user access experience.
System tray	Supports user connections to SSL VPN through tray, automatic login after startup, and automatic reconnection after disconnection.
Remote application release	Releases application windows of the intranet to remote users. This technology transmits interface, keyboard, and mouse information with a small volume. Therefore, it is faster and easy-to-use.
Virtual sites	Virtualizes one SSL VPN device into multiple independent and non-interfering virtual SSL VPN devices.

High Reliability and Scalability
Technical Function	Functional Value
Webagent	Supports access to SSL VPN through the only static entry of an organization with a dynamic IP.
Multi-line standby	Provides mutual backup of multiple VPN links to improve SSL VPN reliability.
Duel/multiple devices	Ensures that another device (or multiple devices) automatically takes over all SSL VPN operations when one device fails, guaranteeing VPN stability and reliability.
Cluster technology	Supports the cluster deployment of multiple SSL VPN devices, which guarantees higher stability and better performance, protects previous investment, and enables smooth performance upgrades.
Distributed cluster	Ensures that users automatically access the nearby SSL VPN at the highest speed through uniform entry; achieves remote hot standby access and whole-network load balancing after SSL VPN devices are deployed in multiple data centers.

Benefits
Technical Function	Functional Value
Rapidity	Flow cache: Greatly reduces redundant data transmission (as much as 80% of total flow) through unique acceleration technology. It thus significantly improves access speed.
Rapidity	Multi-line multiplexing and intelligent routing: Supports multiplexing of multi-line bandwidth resources and optimizes VPN access speed. This technology can also be used in one-armed mode.
Security	Hybrid authentication: Provides “and” and "or” combinations of multiple authentication modes to meet different login security requirements for different users, making it even safer than the Internet banking system.
	Terminal security detection: Detects users’ client devices in terms of system type, registration table, and processes to prevent clients with viruses such as Trojan from accessing intranets through VPN tunnels.
	Sandbox for secure desktop: Ensures that access to specified resources, editing, and data operations that relate to the intranet are performed on a safe virtual desktop. This technology eliminates the possibility that data is stored on the client device, causing information leakage.
	Virtual sites and hierarchical management: Provides a virtual site and establishes a 16-level tree user grouping structure in the virtual site. The tree user structure can be consistent with the administrative structure so that ease and clear the authorization management.
Usability	Single Sign On (SSO): Supports SSO of B/S and C/S applications to avoid complicated operations such as repeated entering of accounts or passwords.
	Remote application release: Releases application windows of the intranet to remote users. This technology transmits of the interface, keyboard, and mouse information with a small volume. Therefore, it is faster and easy-to-use.
	Compatibility with various terminals: Supports SSL VPN in different terminals including PDA, intelligent phones, Apple, Linux, and Firefox.
	Non-symmetrical cluster: Cluster with different model, maximizing investment returns and access convenience.

Single Sign-On

* Utilizes Java script-based encryption of username and password to provide Web Single Sign-On (SSO) convenience and ensure security throughout the connection session
* Permits users to specify (and modify) individual SSO usernames and passwords for specific resources

Multi-method Hybrid Authentication

Users can be authenticated via any ("and/or") combination of local address database, LDAP/Active Directory and RADIUS 3rd-party authentication with hardware methods such as USBKey, dynamic token, and SMS-based authentication.

Clustering

•  Up to 253 sites can be clustered
•  Clustering function can operate under either the Router Deployment or One Arm modes
•  Email alarm function

Third-party API interconnectivity

•  LDAP
•  RADIUS
•  Certificate Authorities

Multi-line binding

Automatic binding of multiple lines under the One Arm mode to increase bandwidth and further accelerate user access

Customizable Web pages

• Web pages can be completely customized (over the default gateway page), including the upload of single or multiple files, ZIP archives, and resetting to the default pages.
• Default service page can be automatically skipped, and user resource application page loaded, after successful authentication (bypassing the display of the resource list). This function can be combined with Single Sign-On and configured for users or user groups.

Boosting Informatization for China Merchants Group

China Merchants Group is one of four China-invested enterprises in Hong Kong. Its business currently involves finance, wharves, shipping, real estate, logistics, transport, and industry. More than 20 of its affiliated enterprises are listed, including China Merchants Bank, China Merchants Securities, China Merchants Holdings International/HK, China Merchants Property Development, China Merchants Steam Navigation, Shenzhen CIMC, Shenzhen CHIWAN and Ping An Insurance ...

PBC HQ Chooses SANGFOR SSL VPN

The People’s Bank of China (PBC) is the central bank of China and performs various major functions: formulating and implementing monetary policy; regulating financial markets; managing the State treasury; managing credit operations; and participating in international financial activities. As the highest administrative organization in China’s banking sector, PBC deals with a large amount of information each day, and must promptly process marketing and financial information, make decisions, and formulate policies ...

Sangfor Assists Hebei Unicom Reformation

In the year of 2008, China reorganized its three main operators: China Unicom, China Mobile and China Telecom. According to the restructuring plan, China Unicom merges China Network Communications Corporation to get fixed network business and in the meanwhile sells its CDMA business to China Telecom. This reorganization brought challenges to China Unicom’s business operation as well as its IT construction ...

SANGFOR Structures Distributed VPN Remote Access System for CNOOC

China National Offshore Oil Corporation (CNOOC) is one of the largest state-owned oil companies, and the largest offshore oil and gas producer in China. CNOOC has maintained rapid growth since its incorporation. It has evolved to be an internationally integrated energy company, with a high performing core business, a complete industrial chain, and an increasing competitive edge. In 2008, the Company boasted total revenue of RMB 194.8 billion and a total profit of RMB 67.8 billion. Through sustainable growth and innovation, the Company aims to become a world-class international energy company ...

Single Sign-On	Multi-method Hybrid Authentication	Clustering
Third-party API interconnectivity	Multi-line binding	Customizable Web pages

Single Sign-On	↑TOP
* Utilizes Java script-based encryption of username and password to provide Web Single Sign-On (SSO) convenience and ensure security throughout the connection session * Permits users to specify (and modify) individual SSO usernames and passwords for specific resources

Multi-method Hybrid Authentication	↑TOP
* Users can be authenticated via any ("and/or") combination of local address database, LDAP/Active Directory and RADIUS 3rd-party authentication with hardware methods such as USBKey, dynamic token, and SMS-based authentication.

Clustering	↑TOP
* Up to 253 sites can be clustered * Clustering function can operate under either the Router Deployment or One Arm modes * Email alarm function

Third-party API interconnectivity	↑TOP
* LDAP * RADIUS * Certificate Authorities

Multi-line binding	↑TOP
* Automatic binding of multiple lines under the One Arm mode to increase bandwidth and further accelerate user access

Customizable Web pages

↑TOP

* Web pages can be completely customized (over the default gateway page), including the upload of single or multiple files, ZIP archives, and resetting to the default pages.
* Default service page can be automatically skipped, and user resource application page loaded, after successful authentication (bypassing the display of the resource list). This function can be combined with Single Sign-On and configured for users or user groups.