Voice over IP is a common network traffic flow, and the TZ100W is designed to detect both SIP and H.323 VoIP traffic. It will detect SIP- or H.323-based VoIP traffic on your network and display calls in progress, as shown in Figure 13. The TZ100W does not recognize proprietary VoIP protocols, or some of the more common protocols such as MGCP or Cisco's “skinny” (SCCP) protocol.
Figure 13: VoIP call status
The TZ100W also has a SIP Application Layer Gateway (ALG) function, labeled “SIP Transformations”, for cases where your VoIP provider requires an ALG for connectivity. The SIP Transformations feature will change the source IP address in a SIP message to match the external IP address of the router, making it easier to connect VoIP calls over the Internet.
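What an address rewrite of this kind involves, as an added sketch that is not SonicWall's code and not from the review. The choice of rewritten fields (Via, Contact, SDP o= and c= lines), the function name sip_transform, and the sample INVITE are assumptions constructed for illustration.

```python
import re

# Constructed sample: an INVITE from a phone at 192.168.1.50 behind the router.
SAMPLE_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@voip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@voip.example.net>;tag=1928301774\r\n"
    "To: <sip:bob@voip.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n" + SAMPLE_BODY
)

REWRITE_HEADERS = {"via", "contact"}  # assumption: headers carrying the sender's address
REWRITE_SDP = ("o=", "c=")            # assumption: SDP origin and connection lines

def sip_transform(message, internal_ip, external_ip):
    """Hypothetical ALG pass: swap internal_ip for external_ip, fix Content-Length."""
    # Match the address only as a whole dotted quad, never as part of a longer one.
    addr = re.compile(r"(?<![\d.])" + re.escape(internal_ip) + r"(?![\d.])")
    head, sep, body = message.partition("\r\n\r\n")
    body = "\r\n".join(
        addr.sub(external_ip, ln) if ln.startswith(REWRITE_SDP) else ln
        for ln in body.split("\r\n")
    )
    out = []
    for ln in head.split("\r\n"):
        name = ln.split(":", 1)[0].strip().lower()
        if name in REWRITE_HEADERS:
            ln = addr.sub(external_ip, ln)
        elif name == "content-length":
            # The body length changes when the two addresses differ in length.
            ln = f"Content-Length: {len(body.encode())}"
        # Call-ID is an opaque dialog identifier and is left alone, so the
        # private address embedded in it still reaches the provider.
        out.append(ln)
    return "\r\n".join(out) + sep + body
```

Calling sip_transform(SAMPLE_INVITE, "192.168.1.50", "203.0.113.7") returns the message with the external address in Via, Contact and the SDP lines and a Content-Length that matches the shortened body.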
The TZ100W offers three VPN options: SSL Client-to-Site tunnels, IPSec Client-to-Site tunnels and IPSec Site-to-Site tunnels. All the standard IPSec encryption algorithms are supported, including DES, 3DES, AES-128, AES-192, and AES-256.
I prefer SSL VPN tunnels for client solutions. Typically, SSL VPN clients are easier to install, configure and manage for the end users. Enabling SSL Client-to-Site functionality on the TZ100W is a matter of defining user names and passwords for SSL authentication, specifying a range of IP addresses for SSL clients, and defining which subnets can be accessed over the SSL tunnel.
The SonicWall SSL VPN solution is called NetExtender, with versions for Windows XP Home and Professional, Windows Vista 32-bit and 64-bit, Windows 2000 Pro and Server, Windows 2003 Server, Mac and Linux. The SonicWall product team tells me the NetExtender software will also work with Windows 7 64-bit.
NetExtender has versions for the Mac and Linux, too. The Mac version requires MacOS 10.4 or higher and the Linux version runs on Fedora 3 or higher, Ubuntu 7 or higher, and OpenSUSE.
NetExtender worked great for me on XP Pro. I logged on to my TZ100W and installed the software per the instructions in the manual. Once installed, launch the NetExtender icon, enter your user name and password, click connect, and you're remotely connected to the TZ100W as shown in Figure 14.
Figure 14: SSL VPN
But I couldn't get NetExtender to work in 32-bit Windows Vista. I tried installing the software directly from the TZ100W and from mysonicwall.com, but in both cases it failed. In fairness to SonicWall, this might be a problem with my Vista PC, which has had so many VPN clients installed and uninstalled that I think it is time for a fresh OS. I'm encouraged to hear that NetExtender works with Windows 7 64-bit, which I plan as my next OS.
I was also able to install NetExtender on an Ubuntu 9.04 Linux PC. It wasn't as easy as with XP Pro, and I had to download the Linux client from mysonicwall.com instead of directly from the TZ100W, but it worked.
If you prefer an IPSec Client-to-Site solution, SonicWall offers Global VPN Clients for 32-bit and 64-bit Windows XP, Vista and 7. The Global VPN Client software is available for download along with firmware updates, support documentation, and other resources at mysonicwall.com.
The TZ100W will support up to five IPSec Site-to-Site VPN tunnels. I managed to configure and run three tunnels simultaneously as shown in Figure 15 from the TZ100W to a NETGEAR FVS318G, NETGEAR FVS336G, and Zyxel USG100.
Figure 15: Three IPsec tunnels
I found configuring IPSec Site-to-Site parameters on the TZ100W straightforward. I used the menu to set up 3DES tunnels. There is also a VPN Wizard to simplify the configurations.
VPN throughput is limited by the speed of the slower router, so I tested throughput from the TZ100W to the fastest of my three routers, the Netgear FVS336G. Using standard iperf TCP throughput tests, I measured 11.9 Mbps throughput between the TZ100W and the FVS336G, which is the FVS336G's throughput limit.
SonicWall rates the TZ100W with a maximum VPN throughput of 75 Mbps. Thus, if both ends of the VPN tunnel are TZ100W routers and there is enough bandwidth between them, the throughput over the tunnel could reach 75 Mbps. But since SonicWall sent only one TZ100W for review, I couldn't verify the 75 Mbps claim.
Updated 11/18/2009: Added more VPN throughput test results.
After the review was published, it occurred to me that I could also have tested VPN performance with clients. So I went back and tested VPN throughput using both the SSL and IPSec client solutions.
I first ran three standard iperf TCP throughput tests between a Windows XP PC and a Windows Vista PC connected via a Gigabit switch to establish a baseline. I then left the Windows XP PC on the Gigabit switch and moved the Windows Vista PC behind the TZ100W, with the TZ100W's WAN port attached to the Gigabit LAN. I then used SSL and IPSec VPN clients on the Windows XP Pro PC to connect to the Windows Vista PC on the TZ100W's LAN.
The table below shows a summary of the three tests.
VPN client-based throughput
The first row of the table shows that my two PCs can pass data at 210.9 Mbps when they are both on a Gigabit LAN. The second row of the table shows the SSL VPN Client throughput at 1.2 Mbps. Although low, I wasn't too surprised with this measurement for the SSL VPN Client since SonicWall's claim of 75 Mbps is for IPSec 3DES throughput, not SSL throughput.
The third row of the table shows 3DES IPSec VPN Client throughput at 17.2 Mbps. This result was surprising because it's very far below SonicWall's claimed performance. When this data was shared with SonicWall, however, they reminded me that the 75 Mbps spec is between two TZ100s and using UDP, not TCP/IP. SonicWall has no spec for client to TZ100 VPN throughput.
So SonicWall is sending me a second TZ100 so that I can test VPN performance between them, and they are in the process of verifying my client-to-TZ100 results. I'll update this review again when we have those results.
Logging and Reporting
Activity on the TZ100W is logged and stored locally, with the option to send syslog data to an external server. Logs are recorded in 8 different priorities and 68 different categories, and can be filtered and viewed by priority, category, or source/destination IP or interface. Further, log messages can be sent via email to alert an administrator of any issues on the network or router.
There are also three reports available providing a nice snapshot of end user network activity, showing the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth.
The System Security Dashboard, a feature I covered in my review of the TZ190W, provides a display of Viruses, Intrusions, Spyware, and Multimedia activity detected by the Global SonicWall network, as well as your individual device. Figure 17 shows the amount of multimedia activity detected by my test TZ100W.