IVO Networks · ContinuumVPN Series
ContinuumVPN Concentrator
Always-On VPN Concentrator Appliance
Seamless, always-on VPN connectivity for remote users — with zero-trust architecture, TPM-backed device authentication, and real-time conditional access enforcement.
Always-on connectivity, continuously verified
A traditional VPN grants broad network access after a single authentication event. ContinuumVPN implements a zero-trust model aligned with NIST SP 800-207 — where every connection is authenticated at both the device level and the user level, and access is continuously evaluated against policy.
The device tunnel establishes before any user logs on, authenticating with a TPM-backed machine certificate via IKEv2. This gives IT immediate connectivity to the device for management, policy updates, and remote administration — regardless of whether a user is present.
The user tunnel establishes after the user authenticates with multi-factor authentication. Conditional access policies evaluate identity, device compliance, and endpoint health before granting access to resources appropriate for that user's role.
Both assertions — device identity and user identity — are required. Neither alone is sufficient. This dual-tunnel architecture maps directly to the zero-trust principle of separating machine identity from user identity.
RADIUS/NPS evaluates network policies and returns per-user tunnel configuration. Kerberos provides seamless single sign-on to domain resources after tunnel establishment.
What ContinuumVPN delivers
TPM-backed authentication
Machine certificates stored in the device's Trusted Platform Module provide hardware-attested device identity. Non-exportable keys ensure credentials cannot be copied, phished, or moved to another device.
Conditional access enforcement
Require managed devices to meet compliance standards before connecting. Evaluate device health, patch level, endpoint protection status, and disk encryption — denying or restricting access for non-compliant devices.
Traffic filtering
Per-user traffic filters enforce which destinations, ports, and protocols each VPN client can reach — implementing network-level least-privilege access based on identity and group membership.
App-triggered VPN
Specific applications can trigger VPN connections automatically when they need corporate resources. Non-corporate traffic goes directly to the internet, reducing concentrator load and attack surface.
Biometric & multi-factor auth
Integrates with modern authentication methods including biometric verification and phishing-resistant multi-factor authentication via EAP-TLS with TPM-backed certificates.
10GbE & array scaling
Scale from hundreds to tens of thousands of concurrent VPN connections through appliance arrays and clusters. 10GbE network interfaces support high-throughput deployments.
ASAFE Integration
Cloud-based management and monitoring
Every ContinuumVPN deployment integrates with the ASAFE platform — IVO Networks' cloud-based monitoring, high-availability, and security management system.
High-availability failover (FC4AO)
Proprietary failover client technology automatically redirects VPN connections to secondary concentrators when the primary becomes unreachable — without user intervention and without dropping the security controls.
Real-time monitoring & reporting
Track connection health, monitor client status, and receive alerts from a cloud-based dashboard — without deploying additional on-premise monitoring servers.
TPM security chip management
Centralized TPM health verification, certificate lifecycle management, and enforcement policies across the entire deployed device fleet.
Centralized configuration
Manage VPN client and concentrator configuration from a single interface. Push policy updates, NRPT rules, and traffic filter changes without touching individual devices.
Authentication
Multi-protocol authentication
ContinuumVPN uses RADIUS for network access control and Kerberos for application-layer single sign-on — together implementing layered enforcement from network admission through resource authorization.
RADIUS / NPS integration
The concentrator acts as a RADIUS client, forwarding authentication requests to NPS. Network policies evaluate identity, group membership, and device health to determine the tunnel configuration (IP pool, traffic filter, session timeout) per user and per connection.
EAP-TLS & PEAP support
Supports EAP-TLS with TPM-backed certificates for phishing-resistant authentication (aligned with OMB M-22-09), plus PEAP/MS-CHAPv2 for environments migrating to certificate-based authentication.
Kerberos single sign-on
After tunnel establishment, Kerberos provides seamless single sign-on to domain-joined resources. Users authenticate once and access file shares, applications, and databases without re-entering credentials.
Models
ContinuumVPN concentrator models
Purpose-built appliance hardware with integrated encryption, a security-hardened Linux operating system, and high-performance network interfaces.
| Specification | CM-2800 | CM-4950 |
|---|---|---|
| Form factor | 1U rack-mount | 1U rack-mount |
| Network interfaces | Gigabit Ethernet | 10GbE |
| VPN protocol | IKEv2 / SSTP | IKEv2 / SSTP |
| Encryption | Hardware-accelerated AES | Hardware-accelerated AES |
| Authentication | EAP-TLS, PEAP, RADIUS/NPS | EAP-TLS, PEAP, RADIUS/NPS |
| High availability | Array / cluster, ASAFE FC4AO | Array / cluster, ASAFE FC4AO |
| Management | ASAFE cloud dashboard | ASAFE cloud dashboard |
| Target deployment | Small to mid-size enterprise | Large enterprise & government |