Magic Quadrant for SSL VPNs
 
16 December 2010

John Girard

Gartner RAS Core Research Note G00208802
 

Secure Sockets Layer virtual private networks comprise a mature market segment serving a variety of remote-access VPN use cases for PC and smartphone users.





What You Need to Know



This document was revised on 17 December 2010. For more information, see the Corrections page on gartner.com.

Remote access is a fact of everyday life for IT-enabled employees, with increasing importance for high-speed wireless connections to the Internet. Remote access creates continuous security challenges that must be defended by authentication and encryption, which form the basis of virtual private network (VPN) products and services. The solution space for remote access VPNs includes many protocols, but the most significant are IPsec, a long-used protocol implemented as a Layer 3 tunnel; and Secure Sockets Layer (SSL), which can be used to establish Layer 7 application sessions, as well as Layer 3 tunnels. Secure Shell (SSH) is occasionally implemented in ways similar to SSL. SSL VPN products now use an updated protocol — Transport Layer Security (TLS) — that provides Advanced Encryption Standard (AES) encryption, but the "SSL" persists as the official label.

Gartner ranks vendors in the SSL VPN Magic Quadrant (see Figure 1) based on performance for calendar year 2009 through the end of September 2010, and on client reviews received up to November 2010. The Magic Quadrant considers which vendors will be in frequent use and will influence technology directions through 2015, as well as which vendors are most visible among clients, generate the greatest number of requests for information and contract reviews, and account for the most new and ongoing installations in Gartner's client base.

After reading this Magic Quadrant:

  • Consider the merits of all the vendors in the Magic Quadrant. All the vendors that Gartner tracks in the SSL VPN market have products that will meet the needs of most buyers.

  • If your experience is entirely with IPsec, keep an open mind about alternative technologies and benefits. SSL VPNs are practical replacements for IPsec VPNs. They are easy to set up in their default role as application portals, and offer good performance for tunneled Layer 3 traffic. SSL VPN resilience over poor connections and the ability to conduct dynamic endpoint security checks have strong appeal for controlling access from noncompany devices, including use cases for contractors and business continuity.

  • Consider your incumbent networking and application delivery vendors. There are benefits for avoiding additional contracts, consoles and training. If an additional vendor is the best choice, then be prepared to justify your claims.

  • If you plan to use several types of VPNs, weigh the administrative convenience, lower investment costs and lower general overhead of a single vendor against differentiating and potentially superior features from several vendors.

  • Start pilot programs for smartphone and tablet VPNs, even if you do not have an immediate implementation plan. There exists considerable variation in quality and capability among IPsec and SSL VPNs embedded in different smartphone platforms and offered by the leading VPN vendors.

  • Consider vendor ratings, strengths and challenges in adjacent markets, such as WAN optimization, application delivery, Web conferencing, Web access management (WAM) and enterprise single sign-on (ESSO). VPNs may not be the best approach, for example, if WAM or simple portal technologies will suffice.

  • Demand a comprehensive working demonstration in the RFP phase. SSL VPNs are easy to set up. Make the vendors prove their worth, and you may get the first prototype of your eventual production system for free in the bargain.

  • Decide what you are willing to pay. Although it's a mature market, SSL VPN prices vary widely. Negotiate your initial purchase price based on a future commitment, and include no-penalty escape clauses in case the product and the vendor fail to deliver service levels. Pricing in this market is highly variable, and multivendor RFIs gather important data for negotiations. For example, entry-level systems (capacity of 99 or fewer concurrent sessions) begin at $8, with a median of $44, and an average of $95. At purchase levels in the 5,000-session range, concurrent session costs start at less than $1, but still range to more than $81 at the high end, with a median of $21 and an average of $28. These prices are calculated by dividing vendor survey quotes of total costs for first-year equipment and support by the concurrent session load.

  • When pricing SSL VPNs, consider the ease of setup and administration, on-demand security, granular access policies, and other features that characterize products in this market. These aspects will lower the cost of ownership — even if your initial purchase is more expensive than a default IPsec VPN.






Magic Quadrant



Figure 1. Magic Quadrant for SSL VPN


Source: Gartner (December 2010)



Market Overview

SSL VPNs are persistent encrypted connections between user systems and VPN gateways using the SSL protocol. SSL was originally conceived to intermittently secure protocol Layer 7 for browser sessions, but it has expanded to provide a broader range of access ranging from Layer 7 for applications down to Layer 3 for access to networks.

SSL VPNs are evaluated in a Magic Quadrant because they have, for many years, been the focal point for innovations in remote access. Clients cite SSL and browser-based VPNs as key decision factors in new VPN investments, and the market revenue and product penetration can be differentiated and tracked.

SSL VPNs are most characterized by the fact that the user can start a VPN session from a Web browser, although nearly all vendors now offer a nonbrowser client alternative. SSL VPNs feature a menu-driven front end to provide a default greeting to a remote user. The menu and resources offered to the user can be altered by runtime rules that react to the user's access status with respect to a variety of factors, including remote system health security status, and the user's method of authentication.

SSL VPNs make it easy for users to start a VPN from any system. For example:

  • The VPN can be established without a formally installed client beyond the browser. Browsers are found on every standard user platform (desktop, laptop and smartphone). The strength of SSL encryption is based on TLS and conforms to AES encryption standards.

  • All browsers contain embedded encryption (SSL) and certificate authentication.

  • SSL is optimized to facilitate application delivery and to maintain connections over unreliable networks.

  • Sessions can survive multiple interruptions, and can reconnect and roam across networks without preserving an IP address. This resilience can be enhanced by a WAN optimization controller, but originates largely with the client. Actual results will vary, and require tuning and experience.

  • Nonbrowser SSL VPN clients are available for fully managed and legacy workstations, to give users a similar experience to legacy IPsec VPNs, while taking advantage of the resilience benefits of SSL. This is a highly recommended method for introducing SSL as a replacement VPN for normal business access on managed workstations.

  • Security tools can be downloaded to end-user systems during session establishment. Browser mechanisms that download executable code on demand (ActiveX, Java and browser helper objects) provide SSL VPNs with the ability to perform extensive health checks and to alter the security of the remote system without formally installing additional software. By means of up-to-date browsers, these functions should be easier and safer to use on unmanaged Microsoft Windows systems, but problems may still occur if administrative privileges are required at installation and/or runtime. Several vendors have made progress to minimize the need for privileges.

SSL VPNs shield the user from direct access to the network by default, and Layer 3 tunnels that support routing are opened only by policy choices. These policies can be set dynamically based on gateway rules that evaluate the user, device and location. When users initiate an SSL VPN from an unmanaged device, remote security controls may not be possible, and administrators can mitigate the risk of network exposures by limiting applications and services.

Compelling use cases for SSL VPNs include:

  • Protecting access connections used by contractors, providing selective access to systems on a need-to-know basis.

  • Providing secure and private ad hoc connections in the event of business continuity disruptions, such as natural disasters and disease outbreaks.

  • Integration with emergency notification systems (ENSs) to facilitate emergency VPN access.

  • Increasing opportunities for traditional VPN vendors to compete with vendors in adjacent markets, such as Web application delivery, multichannel access gateways for mobile devices and Web application firewalls.

  • Convergence with trusted portable personality devices to develop more-secure portable desktops by use of on-demand security tools originating with SSL VPNs.

  • Improvements in WAN optimization via acceleration, load balancing, traffic shaping and caching.

  • Increasing uses for on-demand security, for example, malware scans, device and software version checks, user geolocation checks on wider ranges of endpoint devices, and operating systems (OSs), especially user-owned workstations and smartphones.

  • VPN on click. If a user clicks on a URL that points to a company's internal resource, then the user automatically gets a VPN for the duration of the request. This feature is particularly valuable for smartphone users, but has been underutilized.

  • Secure, cloud-based business portals. SSL VPNs combined with cloud-based business applications create instant, robust commercial portals. Companies that own their own SSL VPNs and server-based computing platforms are in the strongest position to address security concerns, and to remove implementation barriers for leading-edge delivery methods such as hosted virtual desktops. For example, a Citrix Systems-powered cloud service hosting would make it very easy for companies to adopt XenApp, Citrix Receiver and XenDesktop, using Citrix Access Gateway for secure communications. A Microsoft-powered cloud service can make Microsoft Forefront Unified Access Gateway (UAG), SharePoint and Terminal Servers easily accessible to companies of any size.

SSL is sufficiently versatile and secure to completely replace remote IPsec VPNs, and many companies have done so. However, Gartner is no longer anticipating that SSL VPNs will eliminate the use of IPsec VPNs, because:

  • IPsec is deeply embedded in networking products, such as routers and firewalls, and, therefore, has a lower incremental session cost in gateways. SSL VPNs represent an extra cost.

  • Many companies are satisfied with their IPsec experiences. If the legacy VPN meets business needs, there is no pressure to change.

  • The major handheld device OSs include mobile IPsec clients, often due to legacy engineering and also because IPsec is easier on battery life in handheld devices, requiring less power to set up and tear down sessions — although large screens and constant data usage are probably larger drains. Several major and specialty independent software vendors (ISVs) offer mobile VPNs based on IPsec and proprietary protocols.

  • The low barrier to entry to start with the embedded VPN may delay consideration for SSL VPNs. SSL VPN vendors have not effectively promoted their advantages on phones as a solution for "VPN on click" to company URLs (that is, if the user clicks on a URL that points to the company intranet, a VPN can launch and provide access). This feature may also be offered in some other types of mobile VPNs.

A global quantitative analysis of performance in the SSL VPN equipment market is cautious. The SSL VPN market has been affected by the recession for two consecutive years. Gartner's global market forecast based on a more comprehensive quantitative analysis shows revenue growth for SSL VPN equipment from 2008 to 2009 at about 8% more than 2007, but there was a collective 5% decline in equipment revenue from 2009 to 2010. Gartner expects that global equipment revenue growth recovered in 2010, and the compound annual growth rate between 2009 and 2014 is forecast to be just greater than 10%.

Fifteen vendors returned survey data for this Magic Quadrant to represent a subset of the entire SSL VPN market. Data is not directly comparable to Gartner's global market forecast, because it represents only those vendors that are most competitive in selling enterprise SSL VPN products, and the Magic Quadrant uses broader definitions for revenue and market share. Among vendors that provided data for this Magic Quadrant, the growth of revenue in their SSL VPN lines of business in 2009 compared to 2008 showed an average increase of 35%. Line-of-business revenue, which may include related products as well as support and services, totaled more than $400 million.

Seat sales (seat sessions or penetrations) are estimated for this Magic Quadrant to be usable concurrent VPN sessions on product gateways. These sessions are usually not reserved for dedicated user accounts. Vendors that do not set maximum capacity limits on their products were asked to estimate the number of ports available on products sold, according to the recommended loading. The number obtained represents the usable logical sessions in play.

Seat penetrations calculated by this method for 10 vendors reporting seat data add up to a total of more than 10 million, representing a 32% increase from 2008 to 2009, and preliminary estimates for 2010 are expected to exceed that level. We attribute much of this growth to increasing interest in business continuity program development and spare capacity purchase decisions.

However, the size/revenue/seat share gap among SSL VPN vendors is growing, and increasingly challenges the viability of smaller companies. In 2009, the average for seat penetrations reported by vendors for this Magic Quadrant jumped nearly 80% to 940,000, but the median share shrank about 25% to 250,000 compared to the prior year. At the same time, median income in the SSL VPN line of business (LOB) dropped from $19.5 million to about $15 million. The bulk of sales and revenue went to three companies, not surprisingly: Juniper Networks, Citrix Systems and Cisco, which all perform at least five times better than the medians. The SSL VPN market is, for practical purposes, saturated in terms of the ability to sell to legacy workstation installations. Only vendors that can afford to tackle emerging mobile wireless markets will have long-term leadership prospects.

Other types of VPNs will continue to play roles for remote access and will fill specific roles. Examples include:

  • SSH was originally developed for secure remote console access and secure file transfers. Several companies have extended SSH to provide application layer access through the browser, as well as tunnel support. One of those companies, AppGate, is functionally equivalent to an SSL VPN; it appears in this Magic Quadrant.

  • Proprietary Wireless Transport Layer Security (WTLS) and User Datagram Protocol (UDP) VPNs are offered through various companies that specialize in mobile VPNs. These tend to be niche products that compete based on aggressive WAN optimization.

  • Microsoft's DirectAccess (DA) creates a new type of continuous tunnel VPN access method. The use case is similar to legacy IPsec VPNs, and best suited to fully managed PCs. While DA is just another VPN, a key benefit is that corporate IT can more easily patch company PCs over the Internet. DA itself is part of Windows 7 and the Windows 2008 R2 server; it is designed for IPv6. Because IPv6 is not yet widely available, a variety of transition technologies are required to address all use cases, and Microsoft is promoting migration technologies, configuration templates, wizards and its UAG product to provide a transition. These technologies include 6to4, IP over HTTPS, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), NAT64 and Teredo (adoption is still in its infancy). IT planners should evaluate potential tunneling vulnerabilities and Teredo security advisories. Gartner clients calling in for remote access inquiries do not indicate a high priority for early adoption. DA will not be competitive until Windows 7 is widely adopted and IPv6 is generally available. Many peer vendors in the market have reported that confusion over DA is spurring new conversations with clients and prospects, and it makes a useful segue to sell competing products.




Market Definition/Description

Products in the SSL VPN market provide secure and private connections for individuals to reach company gateways via the Internet using the SSL protocol from a workstation, such as a desktop, laptop or a smaller, end-user computing device, such as a smartphone or tablet. This Magic Quadrant evaluates SSL VPN products that are sold for purchase and use within enterprises.

All companies that sell IPsec remote-access VPNs were asked about their experiences in selling the two different types of VPNs. IPsec vendors report that SSL VPNs provide important current and future growth opportunities. The contribution of IPsec remote-access VPN revenue is impractical to quantify as an execution differentiator because, as mentioned, IPsec is embedded in router and firewall appliances, and the purchasing decision can no longer be separated for competitive analysis.

SSL VPN products combine browser security enhancement software with a VPN gateway that may be delivered as a stand-alone gateway appliance or as software to be installed on a user-supplied gateway server. The market is dominated by appliances; however, pure software products are becoming more popular through virtualization, which makes it easy to develop drop-in, scalable, plug-and-play solutions for gateway production systems, as well as to evaluate presale demonstrations. Menu-driven, "point and click" browser access to programs and resources characterize the default interface for an SSL VPN; however, several companies offer nonbrowser clients to more closely imitate an IPsec VPN, and a few companies omit the menu interface altogether.

SSL VPNs support the strong authentication and logging desired for VPN protection, as well as application access audits, and support the roaming requirements for mobile users, especially those carrying notebooks, but also increasingly to support smartphones and tablets.




Inclusion and Exclusion Criteria

Inclusion Criteria

SSL VPN companies were considered for this Magic Quadrant under the conditions listed here (25 companies were contacted, 15 responded, and 13 were qualified to be ranked):

  • The company must sell a VPN product that fits the market definition and description, and is commercially supported.

  • Gartner analysts have a generally favorable opinion, based on analysis, about the company's ability to compete in the market.

  • The vendor must generate sufficient client interest and inquiries, attention at conferences, case study references, and general public and press interest to be noticed by Gartner analysts. Our analysts must also receive feedback from clients and case study reference organizations indicating that they are using the products.

  • The vendor should appear regularly in other sources (such as publications and support forums) as a product that's competitive with companies that are already qualified for this market.

  • The vendor must demonstrate competitive presence and sales to Gartner analysts. Competitive presence is improved greatly if the product is sold and supported in multiple countries — or, even better, in multiple geographies. Exceptions may be granted if other inclusion factors merit consideration.

  • The vendor should appear regularly on Gartner clients' shortlists for final selection and should be able to demand attention for RFI consideration.

  • For 2010, minimum thresholds for seat sales and revenue have been continued because of economic challenges in the market. To qualify for a new inclusion, vendors had to meet both of these conditions:

    • A qualifying vendor needed to earn at least $1 million in revenue in calendar year 2009 in the worldwide line of business for SSL VPNs. In this Magic Quadrant, no ranked vendor earned less than $3 million. Many of the vendors in this Magic Quadrant are small companies, or large companies with small earnings in this market.

    • A qualifying vendor needed to account for at least 100,000 cumulative concurrent user/seat sessions in play for 2007, 2008 and 2009. In this Magic Quadrant, no ranked vendor reported less than 200,000.

Exclusion Criteria

VPN companies not included in the 2010 Magic Quadrant might have been excluded for one or more of these conditions:

  • The company did not have a competitive product on the market for a sufficient time during calendar year 2009 and the first half of 2010 to establish a visible, competitive position and track record.

  • The company had a minimal or negligible apparent market share and market inquiry interest among Gartner clients.

  • The company sells the product as an application firewall or other specialized interface that is not competing directly within the larger SSL VPN product/function view.

  • The company sells Web-enabled personal remote-control products that are not true multiuser access gateways.

  • The company was invited to participate, but did not reply to an annual request for information and did not otherwise meet the inclusion criteria. Alternate means of assessment, particularly client requests and competitive visibility, did not meet the inclusion criteria.

  • Services built from the products and offered by third parties are considered additive to the product vendor ranking, but the service vendors are not ranked. Managed network services of all types are separate markets.

Other Companies

Companies that have products in the market but are not ranked include, but are not limited to, Avaya, Barracuda Networks, Elitecore Technologies (Cyberoam), HOB GmbH, Fortinet, O2Security, Palo Alto Networks, Stonesoft and WatchGuard Technologies.

Avaya acquired Nortel in 2009. It was removed by mutual agreement until product futures could be re-evaluated under new ownership. As of 2010, Avaya is moving away from hardware-based SSL VPN products toward a virtualized appliance model with focus on integrating the product capabilities into other Avaya products and endpoints. This change may provide new competitive opportunities outside the definition of this market. Avaya will maintain support for existing customers of Nortel's legacy VPN products. Since Avaya is not pursuing a new competitive release at this time for SSL VPN, it is not being formally evaluated in this Magic Quadrant.




Added

Sangfor Technologies, located in mainland China.




Dropped

No companies were dropped from the Magic Quadrant.




Evaluation Criteria

Ability to Execute

Execution considers factors related to getting products sold, installed, supported and in user hands. Companies that execute strongly generate pervasive awareness and loyalty among Gartner clients, as well as a steady stream of inquiries to Gartner analysts. Execution is not primarily about company size and income; however, as the market matures, larger companies tend to have a greater influence on the market. We track influence on buyers through revenue and seat sales. We track influence among vendors in the market through client feedback about shortlist decisions, as well as on comments from each vendor about its peer group, including perceived threats and competitive self-assessment. For example, for two years running, Juniper Networks, Cisco and Citrix Systems were voted by their peers as the most serious competitive threats in the market. Mentions of other vendors in this regard were negligible. The level of concern for other vendors is considerably diminished:

  • Product/Service: Compares the completeness and appropriateness of core SSL VPN products sold for use in the enterprise remote-access market. The SSL VPN market defined in this Magic Quadrant is product-focused, but related service areas may contribute, including consulting services and managed service resellers. A strong product focus is critical to demonstrating that the vendor can generate market awareness.

  • Overall Viability (Business Unit, Financial, Strategy, Organization): Considers the company's history and its demonstrated commitment in the SSL VPN market, as well as the difference between a company's stated goals for the evaluation period versus actual performance, as compared with the rest of the market. The growth of the customer base and the revenue derived from sales are considered. All vendors were asked to disclose comparable market data, such as SSL VPN revenue, the number of unique companies under contract and information about seats sold year by year. Seats are defined as concurrent active license seats deployed on sold products. Where companies have moved to an unlimited license model, active seats are estimated from the normal capacity limits of the platforms sold.

  • Some vendors do not report portions of competitive information in the format requested for comparison. In these situations, other quantitative sources of Gartner information were considered, but qualitative evidence from client feedback and peer analyst feedback becomes more important. Indirect measures of product penetration, such as "boxes shipped," were not used to measure execution in this Magic Quadrant. Instead, we considered concurrent seats sold, licensed and accessible to the buyer as evidence that the products are being used. Vendors were asked to convert to the concurrent seat formula as necessary, and the actual numbers reported were treated as guidance, rather than as hard facts.

  • Sales Execution/Pricing: Compares the strength of vendors' sales and distribution operations, as well as their discounted list pricing for systems supporting as few as 25 concurrent users up to more than 10,000 concurrent users. Pricing was compared in first-year, cost-per-concurrent-active-license seats, including the cost of all hardware and support.

  • Market Responsiveness and Track Record and Marketing Execution: Rates competitive visibility as the key factor, including which vendors are most commonly considered the top competitive threats during the RFP process and which are considered the top threats by each other. In addition to buyer and analyst feedback, this rating considers feedback from clients, analysts and the vendors themselves. Strong ratings mean that a company has demonstrated to Gartner analysts that the enterprise can get listed in RFPs early and can win a large percentage of competition with other vendors. Marketing execution in this Magic Quadrant is considered an aspect of market responsiveness and track record, rather than a separate criterion.

  • Customer Experience: Is subjectively rated from client feedback to analysts; the opinions of Gartner analysts in security, network and platform research groups; and vendor-supplied references, where needed. Intense interest in SSL VPNs from Gartner clients provided a year's worth of ample feedback to frame the market.

  • Operations: Considers the ability of a vendor to pursue goals in a manner that enhances and grows its influence in all execution categories.

Table 1 provides an overview of the evaluation criteria for the Ability to Execute.


Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                     Weighting
Product/Service                                                         Standard
Overall Viability (Business Unit, Financial, Strategy, Organization)    Standard
Sales Execution/Pricing                                                 Standard
Market Responsiveness and Track Record                                  Standard
Marketing Execution                                                     No Rating
Customer Experience                                                     Standard
Operations                                                              Standard

Source: Gartner (December 2010)

 



Completeness of Vision

The SSL VPN market is mature in terms of its core definition, and most vendors have functions and features that make them more similar rather than distinguished among peers. For the past two years, many SSL VPN vendors — particularly the smaller vendors — concentrated on selling into safe situations, and their investments in disruptive vision-differentiating activities were limited. Some of the R&D projects that required a lot of effort, such as building out support for virtualization, are now considered status quo rather than matters of differentiation:

  • Market Understanding and Marketing Strategy: Assessed through direct observation of the degree to which a vendor's products, road maps and mission anticipate leading-edge thinking about buyer wants and needs. Gartner makes this assessment subjectively by several means, including interaction with vendors in briefings and by reading planning documents, marketing and sales literature, and press releases. Incumbent vendor market performance is reviewed year by year against specific recommendations that have been made to each vendor and against future trends identified in Gartner research. Vendors cannot merely state an aggressive future goal; they must put these plans in place, show that they are following the plans and modify the plans as market directions change.

  • Sales Strategy: Examines vendors' strategies for communicating their product messages. This ranking factor is the bridge between marketing execution and product strategy.

  • Offering (Product) Strategy: Is ranked through an examination of the breadth of functions, platform and operating-system support for the SSL client, the VPN gateway OS and features, and the investments made by the vendor to optimize and support applications accessed through the gateway. R&D investments are credited in this category.

  • Business Model: Takes into account a vendor's underlying business objectives for its products and its ongoing ability to pursue R&D goals in a manner that enhances all vision categories.

  • Vertical/Industry Strategy: Considers a vendor's ability to communicate a vision that appeals to specific industries and vertical markets.

  • Innovation: Takes into consideration the degree to which vendors invest in core requirements for the successful use of their products. Criteria include a vendor's internal investments in value-added security tools and technology road maps, as well as external efforts to expand interoperability, alliances and partnerships with companies in related security markets. A vendor with a strong vision creates communities with other companies, and this, in turn, helps other companies, as well as buyers, view the SSL VPN vendor as a necessary component of larger business solutions.

  • Geographic Strategy: Takes into account a vendor's strategy to direct its resources, skills, products and services in multiple geographies.

Table 2 gives an overview of the evaluation criteria for Completeness of Vision.


Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria             Weighting
Market Understanding            Standard
Marketing Strategy              Standard
Sales Strategy                  Standard
Offering (Product) Strategy     Standard
Business Model                  Standard
Vertical/Industry Strategy      Standard
Innovation                      Standard
Geographic Strategy             Standard

Source: Gartner (December 2010)

 



Leaders

Leaders demonstrate balanced progress, effort and clout in all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain in the Leaders quadrant, vendors must excel in performance, scalability and protection, and must dominate in sales. However, a leading vendor is not a default choice for all buyers, and clients are warned not to assume that they should buy only from the Leaders Quadrant. To stay on the right side of the chart, Leaders (and Visionaries) must follow courses that are competitively disruptive, not only ahead of the curve, but offering features that remove significant roadblocks to vendor sales and buyer implementations. One example of a competitively disruptive activity might include, but is not limited to, delivering a superior smartphone client in terms of capability, user experience and user adoption that could significantly stimulate new smartphone VPN deployments.

Vendors that have pursued new technologies but have not changed the course of buyer decisions and implementations, and companies that add features to make their product more complete in comparison to the same features offered by other vendors, are not creating competitively disruptive situations.

In a mature VPN market, leaders sell broad network infrastructure product families to buyers, as well as stand-alone VPNs. Buyers of leader products include larger companies and/or projects that often stretch products in ways that uncover problems in scalability and maintainability. Quick response is essential. Larger investments in help and support operations contribute greatly to satisfaction.




Challengers

Challengers have attractive products that address the typical needs of the market with strong sales and visibility that add up to higher execution than Niche Players. Challengers are good at winning contracts, but they do so by competing on a limited selection of functions or a limited selection of prospect buyers. They may be perceived as a threat by other vendors, but that threat will be primarily focused on a limited class of buyers, rather than the VPN market as a whole. Challengers are efficient and expedient choices for defined access problems. Many clients consider Challengers to be the conservative, safe alternative to Niche Players.




Visionaries

Visionaries invest in the leading-edge or "bleeding edge" features that will be significant in next-generation products, and will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they lack the execution influence to outmaneuver Challengers and Leaders. Buyers pick Visionaries for best-of-breed features, and for broader network infrastructure investments than Niche Players. Buyers may obtain more personal attention. Visionaries may take risks on potentially disruptive technologies (as described in the Leaders section), and often they do this without the financial reserves of a Leader or Challenger. Buyers of Visionaries' products may base their selections on specific technology features and by participating in the vendor's road map plans.




Niche Players

Niche Players offer viable, dependable solutions that meet the typical needs of buyers and fare well when given a chance to compete in a product evaluation. Niche Players respond to market changes and new technologies, but they generally lack the clout to change the course of the market. Niche Players may serve conservative and risk-averse buyers more efficiently than Leaders. Clients tend to select Niche Players as stand-alone/point solutions for SSL VPN when stability and focus on a few important functions and features are more important than a wide and long road map. Niche Players may target clients that, for various reasons, prefer not to buy from larger network players. Buyers report that Niche Players tend to provide more personal attention to their needs. Buyers of niche VPN products are generally happy and do not stretch the systems past design parameters. They are unlikely to switch vendors, but they may represent limited upsell opportunities.




Vendor Strengths and Cautions

AEP Networks

In 2004, AEP Systems and Netilla merged, keeping the company name AEP Networks and the Netilla brand. Subsequently, AEP acquired V-One and combined all pieces to create its VPN and key management product lines. AEP has emphasized policy-based security and high certification levels. The AEP Secure Application Access platform can scale into the tens of thousands of concurrent users. A virtual appliance is also available.




Strengths
  • AEP Networks maintained essentially flat SSL VPN revenue, but increased overall company revenue. The company has a steady market presence, long track record, and reliable products that emphasize policy and access controls.

  • Several of the hardware products are natively certified to a relatively high cryptographic level. Notably, the Series K Hardware Security Module has achieved Federal Information Processing Standard (FIPS) 140-2 Level 4.

  • Nearly 80% of AEP's market presence is concentrated in Europe, although it sells in other geographies. Buyers are strongly interested in extranet/contractor access, high-level security certifications and business continuity solutions.

  • AEP CloudProtect is a new portfolio of subscription services to draw revenue in the managed service provider market.




Cautions
  • AEP follows all the major directions of the market, but does not usually set directions nor force others to react. This mode of operation is in keeping with the role of a Niche Player. Entry-level pricing is above average and limits execution.

  • Its seat penetrations for 2007 through 3Q10 remain among the lowest reported and contribute, in combination with other evaluation factors, to reduce market visibility, influence and vision.

  • AEP does not offer WAN optimization performance enhancements such as SSL Acceleration WAN optimization, bandwidth throttling, compression and caching.




AppGate

AppGate is a relatively small company with market share and other criteria sufficient for inclusion. AppGate began building secure access solutions for the Swedish defense industry in the late 1990s. The initial design goal required strict control of endpoint security, combined with granular access policies for tunnel access into company networks. AppGate was acquired by the Cryptzone Group, which provides additional funds and resources. Cryptzone has begun to expand its U.S. sales and support presence, and plans to continue expansion in 2011.




Strengths
  • AppGate has an unusual implementation, which provides function, look and feel highly similar to a typical SSL VPN but uses SSH (along with SSL) as the underlying transport layer. This is acceptable because some Gartner clients are interested in SSH for VPNs. Like SSL, SSH was not originally meant to be a VPN but is easily adapted. AppGate buyers are most interested in extranet/contractor access, nonbrowser tunnel clients and smartphone VPNs.

  • AppGate features an embedded FIPS 140-2 Level 1 validated cryptographic module based on OpenSSL 1.1.2. Products are certified to CC EAL-2+.

  • SSH server-managed host keys provide an alternative to client-based SSL certificates and, due to lower penetration, are not currently a target for hackers.

  • Its 2009-2010 revenue is at the bottom of the range of ranked vendors, but viable and growing.




Cautions
  • Three-fourths of the company's revenue derives from EMEA countries, but there is a growing foothold in the U.S. AppGate is virtually unknown in other geographies. Cryptzone needs to further build its reputation in North America.

  • Acceleration is not available at this time from AppGate, although compression is included.

  • AppGate does not support a connect-on-demand VPN, and should add this capability promptly if it is to continue to attract interest in smartphone VPNs.

  • Its seat pricing is above average and should be adjusted to reduce barriers as the company tries to expand to new geographies and encounters more-competitive bids.




Array Networks

Founded in 2000, Array Networks sells entry-level through carrier-class equipment into a number of related markets, including application delivery controllers, load-balancing and SSL acceleration. The SPX Universal Access Controller SSL VPN appliance can isolate up to 256 virtual portals for multitenant usage scenarios.




Strengths
  • Array has competitive price/performance, green IT designs (high performance with reduced power and reduced network overhead) and scalability for large and demanding access needs, while also offering an affordable, low-end entry point. Array's market presence is primarily in Asia/Pacific (especially China), although it is selling in all geographies and doing about a third of its business in the U.S. Buyers are most strongly interested in VPN alternatives to IPsec, and frequently combine SSL VPN with Array's DesktopDirect, Array's fully monitored Remote Desktop Protocol (RDP) remote access switch that works as a companion to the SSL VPN.

  • It now supports User Datagram Protocol (UDP) tunnels for high performance, particularly to support latency-sensitive applications such as voice over IP (VoIP). A 64-bit appliance performance upgrade is planned for mid-2011.

  • Its revenue was positive for 2009, and grew 13% over 2008 levels.

  • The iPad has become a revenue driver for its DesktopDirect remote control product.




Cautions
  • The company should have breadth of product and financial resources to be more effective at challenging market leaders, but it is still not regarded as a competitive threat by peers.

  • Array earned slightly higher visibility in Gartner client inquiries during 2009 and 2010, but its market performance is in keeping with a Niche Player. Array's marketing and communications in North America have been relatively weak and are undergoing an overhaul.

  • The company has many interesting R&D projects in play, such as cloud services, but its visionary successes, such as DesktopDirect, are infrequent.




Check Point Software Technologies

Check Point Software Technologies' SSL VPN was developed in-house starting in 2002, as an integral part of its VPN-1 family. Technology from the Zone Labs acquisition (2003) formed the basis of a comprehensive suite of on-demand security tools integrated into the SSL VPN, which became known as Connectra. In 2009, it acquired Nokia's security appliance business and launched the IP appliances integrated with Check Point software licenses and support. A virtual appliance is also available.




Strengths
  • Check Point offers wide support for all platforms (desktop, laptop and smartphone) for SSL and IPsec VPNs. Check Point sells in all geographies, but is strongest in Europe and the U.S., selling SSL as an alternative VPN for mobile laptop users. All its gateway products provide consistent and equivalent support for SSL VPN. Buyers are most interested in alternatives to IPsec VPNs, extranet/contractor access and smartphone VPNs.

  • A new Mobile Access software blade has been released to compete with Junos Pulse and Cisco Secure Mobility, and features easy VPN remote access from popular smartphones and tablets. Mobile Access provides user-specific/task-specific portals optimized for smartphones and fully supports Check Point's secure e-mail synchronization.

  • Its joint project with SanDisk has been released under the product name Abra. Abra is a trusted portable personality device (TPPD) that integrates the features of a Check Point VPN client and Check Point-managed on-demand security checks directly into dedicated, encrypted USB storage devices. Joint work with SanDisk devices now makes these features available independent of the SSL VPN. The timing for this new product is good, based on rising general interest in TPPDs.

  • Check Point remote access solutions are natively certified to CC EAL 4, and a FIPS 140-2 application is in progress.

  • Native support for Microsoft Exchange is present in the VPN gateway so that users do not need a direct connection to an internal Exchange server to synchronize. This could be a distinct advantage for firewalling e-mail traffic, but seems to be largely undiscovered by Gartner clients.




Cautions
  • Its business revenue for SSL products has been consistently below average since reporting became available in 2007, and would be considered relatively low even if the figures are regarded as extremely conservative. Check Point's revenue and influence are on par with a Visionary company, and its peers do not consider it to be a threat. Gartner clients that inquired about SSL VPNs were likely to consider a separate vendor for SSL, even if they use firewalls or IPsec from Check Point.

  • Check Point's innovations during the past several years have not made it stronger in terms of execution. Check Point does not provide comparative actual or estimated seat penetration. Gartner's assessment based on client feedback and peer analyst review merits a Visionary ranking.

  • Despite having VPN solutions for iPhone from the beginning, Check Point never succeeded in getting an endorsement from Apple, and most Gartner clients do not recognize that Check Point has iPhone (and iPad) support. Check Point has plans for improved native support on more smartphone platforms.




Cisco

Cisco released its first SSL VPN in 2004. Today, Cisco's SSL VPN capabilities are an embedded option on all Adaptive Security Appliance (ASA) and many IOS platforms. Cisco's universal access vision for VPNs is an evolution of philosophy it inherited from Altiga Networks, an earlier VPN acquisition, and the Twingo Systems acquisition, which provided the baseline technology for the Cisco Secure Desktop.




Strengths
  • In 2010, Cisco announced a new product focus and vision called Secure Mobility, marked by enhanced mobile optimizations for the AnyConnect client and broader support for smartphone platforms. On smartphone platforms, Cisco offers network persistence and VPN connect on demand (for the iPhone/iPad). AnyConnect is well-presented in the Cisco vision as a strategic remote access tool.

  • Cisco also easily sells SSL VPN as part of an ASA bundle with firewall, IPS and IPsec. Among legacy network infrastructure players, Cisco is currently the most successful at generating revenue directly from SSL VPNs. Its endorsed relationship with Apple has led it into deals involving SSL and IPsec VPNs for iPhones and iPads.

  • Cisco's 2009 and preliminary 2011 VPN LOB revenue results are among the highest reported — on a par with Citrix Systems. Overall seats (estimated per concurrent user) are the highest reported for 2006 through first half of 2010. Cisco sells in all geographies for all use cases, and is adept at selling SSL VPN as a total replacement for IPsec, as well as part of a larger infrastructure solution.

  • Its SSL VPN entry cost and discount rates are the lowest reported. Other surveyed vendors consider Cisco a major competitive threat, earning Cisco a close second place after Juniper Networks as a named competitive threat.

  • Cisco AnyConnect supports an always-on mode by design, and competes with situations involving Microsoft DirectAccess.




Cautions
  • Clients continue to report that Cisco Secure Desktop (CSD), the on-demand endpoint security component, is difficult to install and maintain. Gartner also hears continuing feedback that the Cisco SSL VPN user interface feels crude compared to other vendors. Some of these sentiments date to earlier product versions. Cisco needs to spend more time exposing customers and prospects to its new features. In the meantime, many Cisco shops continue to purchase SSL VPNs from other vendors in the market.

  • Cisco does not generate the majority of inquiries at Gartner that involve SSL VPNs and does not appear to be a perceived SSL leader in terms of name and product recognition in public forums and searches. We believe that there is an ongoing disconnect between buying centers for application delivery purchases and pure network access, and this may indicate that in some cases SSL is purchased incidentally, rather than intentionally.

  • Cisco also needs to escape legacy perceptions that limit buyer awareness of its breadth of product features. While these perception disconnects continue, Cisco's competitive strength merits a slightly reduced execution score.




Citrix Systems

Citrix has offered remote access support for more than 10 years. The original gateways went through many evolutions; the current lineup includes Citrix Access Gateway, Citrix Access Gateway VPX (virtual appliance) and Citrix Access Gateway Enterprise Edition (running on NetScaler for its high-end scalable hardware platform) products built on the acquisitions of Net6 and NetScaler. Other relevant technologies include Citrix Branch Repeater (Orbital Data, 2006) for acceleration and WAN optimization technologies, Citrix Receiver for unified access client (PCs and mobile devices), and Caymas Systems (2007) to enhance user and application identity. Citrix is the largest provider of Microsoft Windows-based portals for application publication, which drives sales for all vendors in the SSL VPN market. Access Gateway VPX can be deployed on Citrix XenServer and VMware vSphere (ESX/ESXi) hypervisors.




Strengths
  • Citrix has the greatest experience of all market vendors in remote, thin-client application delivery, and its pioneering development of the business portal market drove the necessity for SSL VPNs. In the 1990s, the company developed the original, protected browserlike client (SecureICA) well ahead of the SSL VPN market. Buyers are most interested in nonbrowser SSL clients, vertical/specialized applications and business continuity.

  • In 2009, Citrix Receiver was ported to a wide range of platforms, including smartphones and tablets, and can support some of the unique user interface (UI) features of the iPhone and iPad. Citrix Receiver is one of the few products that offers smartphone device persistence. If a connection drops, applications are held in suspense until Receiver can reconnect (the features are called Smooth Roaming and Session Persistence).

  • Citrix SSL VPN LOB revenue in 2009 improved and remains second highest in the survey. Within its vast and profitable installed base for XenApp (was Metaframe or Presentation Server), Citrix is a strong competitor with other SSL VPN vendors and generates a very high rate of seat penetrations therein. Half of the ranked vendors recognize Citrix as a competitive threat.

  • Citrix Access Gateway Enterprise Edition has been natively certified at CC EAL2+.

  • Citrix provides an unusually broad choice for management interfaces, including a proprietary console delivered via Flash, MMC snap-in, programmable SOAP interface, SNMP and integration with SIEM products that have SYSLOG and SNMP hooks.

  • In September 2010, Citrix belatedly licensed the technology from Opswat (as used by other SSL VPN vendors for years) to bolster Citrix Receiver security checks. This may have a benefit on ratings for the 2011 Magic Quadrant.




Cautions
  • In 2009 and 2010, Gartner clients calling generally for SSL VPN advice were frequently asked about the Citrix name and product recognition in the SSL VPN market. Citrix users consistently reported they would not have considered Citrix for VPN if they did not have an investment in XenApp (formerly Presentation Server) or had not seen Citrix appear in the Magic Quadrant.

  • Non-Citrix users consistently reply that they do not put Citrix on their shortlists because they do not perceive it as a networking infrastructure vendor. Citrix is not effectively communicating its VPN vision and appeals to only a market subset, earning it a Challenger spot.

  • XenDesktop has been presented in the road map for two years as a superior alternative for better endpoint security and a resolution to client concerns about endpoint integrity checks. However, clients that call for SSL VPN guidance, even if they are Citrix shops, generally regard XenDesktop as a large commitment for a situation requiring a light client. For most buyers, Citrix Receiver with Citrix Access Gateway is the expedient choice today, and XenVault will be an easier choice for a secure local desktop experience.

  • The number of requests for server-based computing portals combined with VPNs is increasing, but non-Citrix shops — especially companies that invest in SharePoint — are reluctant to consider the cost and complexity of adding Citrix infrastructure.




F5 Networks

F5 saw the opportunity to sell SSL VPNs in the early 2000s because VPN products were being inserted in front of its core business lines (accelerators and load balancers). F5 developed its flagship product, FirePass, from the acquisition of URoam in 2003. F5's main distinguishing characteristics are high performance, reliable gateways and carrier-class acceleration. F5 delivers steadily on road map milestones, including its Access Policy Manager (APM) and BIG-IP Edge Gateway. A virtual appliance, FirePass VE, is also available.




Strengths
  • Revenue for F5's SSL VPN LOB in 2009 grew about 35% while the company overall remained flat. F5 is showing the biggest sales spike of all vendors in the market based on preliminary 2010 results, nearly equal to its three-year sales performance. Pent-up demand for high-end scalable gateways is being fulfilled now that functional parity for the SSL VPN has crossed from FirePass to the BIG-IP platform. FirePass products will continue to be offered to provide entry-level, small and midsize platforms. Even with the 2010 sales spike, however, F5's execution is most appropriately ranked in the Visionaries quadrant, until the full year can be reviewed.

  • F5 is an attractive and logical sale in the data center. Its strong understanding of Web application deployments within the enterprise, and the fact that it is a leading player in the provision of application delivery services, account for a healthy vision ranking, and provide a good opportunity to extend to access layer controls, such as SSL VPNs. F5 is also a strong player in related markets for load-balancing, Web acceleration, WAN optimization, dynamic DNS load balancing, and Web application firewall. Entry-level pricing is attractive.

  • F5's Visual Policy Editor makes access control setups easy for administrators, and its iRules scripting language makes it easy for buyers to customize the platform. This feature is periodically called out by clients as a decision driver. Other buyer preferences include hosted virtual desktop support, business continuity and smartphone support. F5 has Android device support on the road map for 2011.




Cautions
  • F5 receives only a minor mention as a competitive threat by the other responding vendors, falling from one-third in 2009, one-half in 2008 and three-fourths in 2007.

  • The apparent visibility for F5 in Gartner client VPN inquiries has increased slightly. Given F5's long standing in related SSL markets, the softness of its SSL VPN business is a flag for reduced execution. However, user feedback from inquiries and case studies is positive.

  • To improve vision, F5 needs to pursue more leading-edge features that will challenge the groundwork set forth by Juniper, Citrix Systems and Cisco. In the near term, F5 needs to show how its move onto Android mobile devices will translate into better and more competitive client delivery mechanisms.




Juniper Networks

Juniper Networks acquired NetScreen Technologies in 2004 and quickly realized that one of the most promising assets was the Neoteris SSL VPN. Juniper has maintained the product vision, execution and overall momentum so effectively that it has held a Magic Quadrant leadership position continuously since the acquisition. Juniper competes on the basis of universal access, broad client platform support and comprehensive infrastructure. The Secure Access SSL VPN hardware product line can scale to hundreds of thousands of users. A virtual appliance is also available.




Strengths
  • Juniper delivers sound multiyear performance with strong sales and revenue in SSL and IPsec VPNs. In general, Juniper can sell more products at a higher incremental revenue than any other company in the market, creating an unchallenged disruptive sales advantage. Juniper's current historical revenues are the best in the SSL VPN market.

  • Juniper is the No. 1 competitive threat cited by peer vendors in the SSL VPN market. This assessment has persisted for a number of years. Juniper sells in all geographies for all use cases, and two strong buyer preferences are to use SSL as a total replacement for IPsec and for extranet/contractor access. The company appears on most shortlists discussed in Gartner client inquiries for midsize to large businesses and is entrenched in the Fortune 500 with a track record for large deployments.

  • Junos Pulse is the company's new integrated network client tool and vision. Pulse was announced in October 2010, and is expected to pose a strong competitive advantage for Juniper SSL VPN sales. On smartphone and tablet platforms, Junos Pulse combines SSL VPN functionality with a complete Mobile Security Suite built from the Smobile acquisition. On desktop/laptop platforms, Junos Pulse makes it easy to blend SSL VPN with IPsec VPN and 802.1X NAC along with the benefits of Juniper's on-demand security tools. Junos Pulse is a modular platform to facilitate integration of third-party security applications, and is available as a native app on iPhone and iPad, and supports iOS 4.2.

  • More than 17 major global service providers, including carriers and application service brokers, are offering Juniper-powered VPNs.




Cautions
  • Juniper's entry prices continue to be high in the market, but negotiable. Various competitors are more effective at selling to the small business end of the market because of lower entry prices.

  • Juniper's value proposition for enterprise network access is excellent, but somewhat less compelling in terms of application delivery than Citrix Systems and Microsoft.

  • Being one of the most complete SSL VPN companies for many years, Juniper has fewer "disruptive" improvements to add to its product line than most of its competitors. Other vendors have caught up on all the core competency features. Junos Pulse has the potential to be very disruptive to the competition, but it also sends a mixed message to buyers because the Pulse smartphone platform looks more like an endpoint protection vendor suite than an offering from a network infrastructure leader.




Microsoft

Microsoft acquired Whale Communications in 2006 and rapidly developed new products by combining features of Internet Security and Acceleration Server (ISA Server) to create its Intelligent Application Gateway (IAG). IAG benefited from Microsoft's global sales and support, and a strong road map to help integrate some of Microsoft's scattered remote-access projects. The latest product phase, Forefront Unified Access Gateway (UAG), became available on 1 December 2009.




Strengths
  • Microsoft's UAG (based on the Whale Communications acquisition) has proved to be a dependable product, and earns positive client feedback. Coupled with Exchange, SharePoint and Windows Terminal Services, Microsoft presents a single-source solution for application and network access.

  • Improved on-demand endpoint security checks have been added to the product, including the ability to change user access privileges based on geolocation.

  • UAG and SharePoint are a natural fit and sell well together, catalyzing each other's opportunities.

  • Microsoft has been successful at selling UAG into small, midsize and large businesses.

  • UAG's encryption engine is certified to FIPS 140-2. Also, UAG is undergoing Common Criteria EAL 2+ evaluation.




Cautions
  • Microsoft's remote-access products are still fragmented in ways that Gartner believes can confuse and delay implementations. Examples include: The Windows Mobile 6.x VPN is still not part of UAG, Windows Phone 7 is not initially designed to use a business VPN, and the UAG management console does not integrate with MMC. Microsoft is a single-source vendor; its products and services may be implemented like point solutions.

  • UAG has been described as a solution for extending and scaling DirectAccess (DA). However, clients should consider that DA might create security vulnerabilities that require a product like UAG for improved defense. DA's benefits cannot be fully realized without IPv6 and Windows 7 endpoints.

  • Microsoft does not currently support an independent trusted time and date source to validate the audit trail from its management system.

  • Microsoft does not provide comparative estimates of revenue or penetration. Gartner's assessment based on client feedback and peer analyst review merits a Visionary ranking.




NeoAccel

NeoAccel was founded in 2004 by the former CEO and founder of NetScaler (NetScaler was acquired by Citrix). NeoAccel is a dedicated SSL VPN company selling on the basis of ease of use, bundled functionality and high performance. Hardware appliances scale to 25,000 concurrent sessions and can provide up to 128 virtual portals for multitenant scenarios. A virtual appliance is also available.




Strengths
  • NeoAccel established its viability on Indian markets but has now succeeded, with the help of partners, in building a balance of revenue across continents. A third of its revenue comes from Europe, and nearly a quarter is generated in North America. The platform is feature-rich with a low entry price. Buyers are most strongly interested in nonbrowser clients, vertical/specialized VPNs and IPsec alternative VPN solutions for mobile PCs and smartphones.

  • The company now offers end-to-end VPN cloud service. In addition, the gateway integrates with VDI and allows easy rollout of VDI solutions outside the firewall.

  • NeoAccel's Application Triggered Compression Engine provides a dynamic way to deploy and engage application-specific optimizations.

  • The SSL VPN product is licensed by IBM, Allied Telesis, NetPilot and others. Managed service providers include Process Global, Reliam, Ransnet and Lexcom Systems Group.




Cautions
  • NeoAccel is competing against big companies with broader channel reaches.

  • More native client support for smartphone VPNs is needed.

  • The company could be an acquisition target — being small, having a complete product and exploiting geographies that could appeal to market players seeking new growth.




PortWise

PortWise (formerly Lemon Planet) was founded in Sweden in 2000, and was among the earliest companies offering SSL VPNs. In August 2010, PortWise merged with Technology Nexus. This has established a broader product portfolio, as well as added to financial stability. Nexus was previously listed on the stock exchange in Stockholm but has been bought out and taken private. The investors acquired PortWise to merge the two companies into a new entity, Nexus Group. A virtual server is available, built on a hardened version of Red Hat.




Strengths
  • PortWise is a stable, positive cash-flow vendor with healthy indirect, distributor and OEM sales. It has been profitable since 2006, and grew LOB revenue by about 10% and seat penetration by about 12% during the prior year. Its VPN is resold by Stonegate and WatchGuard Technologies.

  • Sales in North America are approaching Asia/Pacific levels, and it has also built an e-banking presence in Latin America; however, its products sell most strongly in Europe. The primary buying criteria include extranet/contractor access, nonbrowser SSL tunnels and business continuity management. PortWise is also working on penetration of the Russian market.

  • PortWise is among a few vendors that offer in-house, integrated, one-time password tokens in the user interface.

  • PortWise has extensive experience in delivering secure services and applications to handheld wireless devices, including a long track record with sensitive applications, including retail banking and credit card terminals, and industrial applications, such as vehicle management.




Cautions
  • Gartner clients have been unlikely to report PortWise as a shortlist candidate or to recognize the company at all; however, verified case studies are of high quality.

  • PortWise's reported seat sales are sufficient for inclusion, but at the bottom end among surveyed vendors. Revenue is viable, and in keeping with a long-term market player. Gartner had remarked in the past that PortWise would make a good acquisition target, and this event has come to pass. Existing customers and prospective buyers should review their PortWise contracts with Nexus Group and request assurances of continuing support and access to a new product road map.

  • PortWise does not currently provide a trusted time and date source to validate the audit trail from its management system.

  • Seat pricing is above average and is not competitive with market leaders.




Sangfor Technologies

Sangfor Technologies, the newest entrant to the Magic Quadrant process, provides VPN products and services originating in China, exclusively to the Asia/Pacific region. In addition to SSL VPNs, Sangfor provides IPsec VPNs, WAN optimization, Internet access management, IT governance audits and Internet law assistance. Sangfor has extended its operations with local presence in the U.K., Singapore, Thailand, Malaysia and Hong Kong.




Strengths
  • Sangfor is a native Chinese company, and claims to have a presence in 70% of the domestic top 500 businesses.

  • Revenues in the SSL VPN LOB are viable and on par with some of the established smaller long-term companies in this Magic Quadrant. Seat sales are relatively low but sufficient to meet inclusion requirements.

  • Buyers respond most strongly to IPsec replacement, extranet/contractor access solutions and SSL on-demand client security features.

  • Sangfor can offer advantages for companies that wish to operate VPNs going in and out of China. Companies that wish to do business in China will need to comply with China's regulations for privacy and security. Sangfor's Chinese-specific auditing and compliance services could help.

  • Pricing is sufficiently below average to be competitive with many of the incumbent vendors tracked in this market, particularly where expertise in China is a factor.




Cautions
  • Sangfor encryption and key management are regulated under Chinese laws and approved by Chinese approval authorities, including the Ministry of Public Security and OSCCA (Certification of Commercial Password Product).

  • If Sangfor's penetration claims are correct, then to maintain healthy growth the company will need to expand its reach to smaller domestic companies and must show more progress in 2011 to develop sales opportunities outside of Asia/Pacific regions.

  • Sangfor has a broad product portfolio on spec, but its limited geographic presence results in a Niche Player evaluation in this report.

  • Sangfor does not yet have provisions for rapid surge access to the VPN, which requires fast scaling, to support business emergency situations.




SonicWALL

SonicWALL was a leader in selling SSL and IPsec VPNs into small and midsize businesses before acquiring Aventail in 2007. The Aventail products continue as a brand and provide access into midsize to large enterprise buying centers. SonicWALL was acquired by Thoma Bravo in 2010, and operates again as a private company for the first time in 10 years. The transaction will provide SonicWALL with protection and a stable base for future growth.




Strengths
  • SonicWALL sells primarily in North America and Europe, but has a global presence. Buyers respond to SonicWALL's endpoint security features and target business continuity, IPsec alternative VPN scenarios and smartphone VPNs as buying motivations.

  • In 2010, Aventail products achieved functional parity across all SonicWALL product lines from small to large models.

  • SonicWALL's 2009 seat penetrations are on par with F5 Networks, as a point of comparison, with LOB revenue consistent with Visionary companies. SonicWALL's preliminary seat sales in 2010 are not sufficient to predict upward movement in the ranking.

  • SonicWALL has a long track record for successfully selling to carriers. Also, it gained preferred status to sell its products to other companies in the Thoma Bravo portfolio, some of which are already customers. Reinvestment opportunities from Thoma Bravo will enable SonicWALL to continue to develop its SuperMassive platform with contingent benefits to the SSL VPN.




Cautions
  • The negative economic impact of 2009 on small and midsize buyers caused a considerable drop in LOB sales at SonicWALL. Gartner does not believe this to be a long-term threat to viability.

  • SonicWALL is finally pursuing the midsize to large enterprise segments, and larger enterprise clients seem more confident to consider Aventail. SonicWALL must prove that it can profit from that momentum to improve execution in future Magic Quadrants. A pricing review will help; entry-level devices have an attractively low seat cost, but there is a price jump when shifting to the Aventail lineup.

  • SonicWALL can integrate security policy management with ActiveSync on popular smartphones, but needs to go farther to build a leadership position for mobile devices. SonicWALL's R&D efforts to date are mainly filling in old gaps and keeping up with the status quo.

  • SonicWALL is missing opportunities by not leveraging intelligence in the information it collects from more than 1 million managed customer gateways to analyze and publicize Internet security and performance statistics in business-relevant remote-access contexts.


© 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.






Vendors Added or Dropped




We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.





Evaluation Criteria Definitions





Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.


Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.