Short of blocking all instant messaging (IM), what's a company to do about employees using this fast growing — but insecure — method of Internet communication? Use Akonix Systems L7 Enterprise, for one. It's an IM gateway management server that provides security and control and has the potential to turn a potential problem into an advantage. Akonix L7 and its companion products provide all of the necessary pieces that comprise a reasonably well-integrated system. Its strength lies in detailed and flexible control over the use of IM. Couple this with its ability to route messages internally through an intranet, and enterprises can not only control but also benefit from IM as a form of corporate communication.

Like most IM gateway products, Akonix supports all of the major public IM services (AOL — both AIM and ICQ, MSN Messenger, and Yahoo! Messenger) as well as the major private IM systems (Microsoft Live Communication Server, IBM/Lotus SameTime, Reuters Messaging, and Jabber). For security reasons, Akonix has opted not to support some of the extensions of public IM, such as whiteboarding, shift to telephone, video, and application sharing. Other IM gateway products do support these features, however.

In the Akonix offering, the core program is L7 Enterprise (touting a patented IMX technology), which monitors, secures, and manages IM conversations. Supporting modules include: Akonix Enforcer, which monitors and manages IM and Peer-to-Peer traffic across a broad range of ports and services, and Compliance Manager, which runs on a Microsoft IIS Web server and provides reviewers and auditors with Web-based access to the L7 Data Warehouse. L7 isn't an IM network traffic cop, which is why Akonix Enforcer is required. The Compliance Manager is most useful for installations where compliance with HIPAA, SEC, and other regulations is an immediate issue.

Piece-by-Piece Installation
Akonix L7 Enterprise itself has many components: L7 Gateway Server, Authentication Server, Enterprise Manager, L7 Service Recovery Module, L7 HTTP Tunneling and Relay modules, L7 Data Warehouse, and L7 Enterprise Reporter. These modules provide multiple configuration options, placing, for example, modules on separate server machines to improve performance.

L7 supports native server clustering. To reap the maximum benefits, an enterprise must take the time to plan the installation and set up. The Akonix documentation does a good job of explaining possible configurations and requirements. We tested two of the more complex installations and were thankful for the Initialization Wizard, connection testing support, and (especially) the tracing facility that logs technical details about the communication between the L7 server and other participating computers. Although these installations require considerable network savvy, Akonix is ahead of the pack in its support.

Akonix offers three ways to set up L7: as a proxy server, where each client IM application must directly address the server; using a DNS server to route IM traffic to L7; and via a relationship with Check Point FireWall 1 or Microsoft Internet Security and Acceleration (ISA) server. In addition to these basic approaches, L7 provides for working through a firewall with two (optional) modules — HTTP Tunneling for inside the firewall and HTTP Relay on the outside. There are pros and cons to each approach, and Akonix outlines these.

One feature worthy of highlighting is L7's patent-pending Message Reflection technology. With this, Akonix can route messages internally without crossing the firewall to the public services. When properly configured, Message Reflection provides fast, secure, and useful intranet IM service for corporate communications.

The logging of IM conversations with the L7 Data Warehouse module requires a database connection (this is also required for the Compliance Manager and Akonix Enterprise Reporter modules). Akonix supports Microsoft SQL Server (2000 or 7) and Microsoft Database Engine (MSDE), which is provided with L7 as an evaluation or "database lite" option.

Administrative Flexibility
Once L7 is installed, most configuration tasks fall to the Akonix Enterprise Manager. This administrative module uses the services of Microsoft Console with its typical Explorer-like tree of server elements. MS Console is available to administrators on the corporate network. We hope future versions of the software will offer a Web-based version for greater accessibility.

L7's administrative features, like the product itself, are modular in organization: Gateway Administration (L7 configuration), Data Transformation Server Administration (L7 Data Warehouse management), and Authentication Server Administration (user management). The most impressive element, Policy management (e.g., communication rules such as controlling file transfer), is unusually flexible. It defaults to the global ability to allow all or block all — messages, file transfers, executables. From there, the global policy is modified by setting individual policies for global, IP range, network domain, user group, or individual. Policy actions include: block, flag, log (or disable log), and allow. The potential granularity of policies is impressive, such as setting a complete time schedule for when a policy will be in force. To facilitate policies being set, Akonix provides a New Policy Wizard, which guides the development of complex policy statements.

This is the best IM policy management we've seen to date.

User management features include importing user lists (L7 helpfully supports Microsoft Address Book and other sources) and user authentication (Authentication Server Administration module). L7 can authenticate against Microsoft Active Directory, Windows NT Domain authentication, SUN One Directory Server 4.1 and higher, and Novell eDirectory 8.9.

For analysis of IM activity, Akonix provides the Enterprise Reporter, which creates reports from the L7 Data Warehouse. This is another strength of the product. More than 30 canned reports are available, although they don't contain pretty graphics. All reports can be extensively modified using, for example, the Report Wizard, Report Template Wizard, and a Scheduled Report Wizard. Since most reports can be modified for dates, content, and format, the Report Template Wizard helps save the effort. Reports can then be exported to a bagful of formats (e.g., PDF, CSV, DIF, XLS, and XML) and destinations (e.g., file and e-mail).

Enterprises that have corporate e-mail archiving systems will be happy to note that L7 supports iLumin Assentor, Iron Mountain, KVS Enterprise Vault, Legato EmailXtender, and ZANTAZ Digital Safe.

Current Defense
IM, like e-mail, has its share of ills (spam, viruses, spyware, and various kinds of illicit use). This is a running battle for all IM gateway products. L7 handles the problems with an optional add-on for anti-virus software, a manually maintained language filter that checks for words that are not allowed (usually to block foul language and corporate key words), and, new in this version, a spim (IM spam) and malware filter that is automatically updated. Just as no one would think of manually updating anti-virus information, spam/spim should now be automatically updated. Thus, we find Akonix' automatic update service both realistic and important.

At the very least, IM gateways relieve the pressure to use IM securely and in compliance with corporate archiving requirements. Products like Akonix L7 go further, making it possible to enhance corporate communication with IM. The cost of comfort and advantage is not inconsiderable, although L7 (with Akonix Enforcer) is about average in pricing compared to other offerings.

Akonix was one of the first companies to tackle the IM management problem, and the current version of L7 remains a strong product in what has become a very competitive field.

Pros: Excellent flexibility for IM policy coupled with superior management tools; Strong reporting capability (without fancy pie charts); Automated updating of spim and malware filter.
Cons: Administrative management does not have a Web-based version; For some environments, the all Microsoft requirements may rule out deployment.

Reviewed by: Nelson King
Original Review Date: 7/21/2004
Original Review Version: 3.0

Article courtesy of ServerWatch.