Given the increased popularity of SSL VPNs, many vendors have rushed into the SSL VPN arena. When choosing an SSL VPN solution, there are certain aspects to consider. At a minimum, all SSL VPNs have, in one form or another:
- reverse web proxy (incorporating some level of application inspection)
- portal
- authentication and authorization
- port forwarding
- network extension or tunnel mode
- client endpoint detection and control
Key Features of a SSL VPN
However, it’s all about how these features, and any extra ones, are implemented.
1. Compatibility – browser and OS broad support
Although dubbed a clientless remote access solution, an SSL VPN uses the browser as the base VPN client to access a portal on the VPN gateway. In addition, when full network access is required, an SSL VPN client is used.

2. Portal and portal customization capabilities
The portal is the door to corporate resources.
The layout, shortcuts (bookmarks), ease of navigation or load time (performance) can play an important role. Furthermore, to improve user experience, features such as automatically starting a port forwarding rule upon user login will help.

Cosmetic customization capabilities, like changing the layout, adding logos, etc. might be important for some companies.
3. Authentication and authorization
Look for good support for popular authentication methods, including Active Directory, LDAP, RADIUS and SecurID.
Some VPN gateways may function well when authenticating against Active Directory but not so well with SecurID, for example.
4. Connectivity options
Five important ones (discussed below):
- reverse web proxy
- protocol translation
- port forwarding
- network extension or tunnel mode; full network access
- Java or ActiveX based clients for popular applications
4.1. Advanced reverse web proxy
One of the core features of SSL VPNs is to provide secure access to web applications, whether popular or custom; this is achieved through a reverse web proxy.
This has some key functions:
- provide functionality; proxying web applications is not an easy task given the dynamic nature of web applications and the multitude of features they use, like AJAX, Flash and JavaScript.
- provide security; by incorporating a WAF (Web Application Firewall), the VPN gateway can protect the published web applications against various attacks and also limit access to various application features for specific users.
- SSO (Single Sign-On) capabilities; delegate credentials to the backend application after the user has been pre-authenticated and authorized at the portal level, avoiding multiple logins.
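
Why proxying dynamic pages is hard, shown as an added example that is not from the original article or from any vendor's gateway: it rewrites internal URLs in `href`/`src`/`action` attributes to go through the gateway, then lists the internal hosts the page still references directly (here, a URL inside inline JavaScript). The gateway name, the `.corp.example` suffix, the `/proxy/` URL layout and the regex-based parsing are all assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumed for this example: gateway name, internal DNS suffix, /proxy/ URL layout.
GATEWAY = "https://vpn.example.com"
INTERNAL_SUFFIX = ".corp.example"
ATTR_RE = re.compile(r'''\b(href|src|action)(\s*=\s*)(["'])(.*?)\3''', re.I | re.S)
DIRECT_RE = re.compile(r"https?://([\w.-]+" + re.escape(INTERNAL_SUFFIX) + r")\b", re.I)

def to_portal_url(url, base):
    """Map an internal URL to its gateway form; leave anything else untouched."""
    parts = urlsplit(urljoin(base, url))
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host.endswith(INTERNAL_SUFFIX):
        return url
    query = "?" + parts.query if parts.query else ""
    return f"{GATEWAY}/proxy/{parts.scheme}/{parts.netloc}{parts.path or '/'}{query}"

def rewrite_html(html, base):
    """Rewrite href/src/action values in a page fetched from `base`."""
    def repl(m):
        attr, eq, quote, url = m.groups()
        return f"{attr}{eq}{quote}{to_portal_url(url, base)}{quote}"
    return ATTR_RE.sub(repl, html)

def direct_internal_refs(html):
    """Internal hosts the browser would still try to reach without the gateway."""
    return sorted({m.group(1).lower() for m in DIRECT_RE.finditer(html)})

# Constructed sample page, as served by an internal wiki.
SAMPLE_BASE = "http://wiki.corp.example/index.html"
SAMPLE_HTML = """<a href="/docs/vpn">Docs</a>
<img src='http://files.corp.example/logo.png'>
<script src="https://cdn.example.net/lib.js"></script>
<script>fetch("http://api.corp.example/v1/status");</script>"""

if __name__ == "__main__":
    out = rewrite_html(SAMPLE_HTML, SAMPLE_BASE)
    print(out)
    print("still direct:", direct_internal_refs(out))
```

The attribute rewrite handles the relative link and the image, leaves the external CDN script alone, and misses the `fetch()` call, which is the kind of gap that makes script-heavy applications the hard case for a reverse proxy.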

4.2. Protocol Translation

From the portal the users can access FTP directories and CIFS shares.
On the browser side the users view a web page that looks like a file directory from where they can download, upload or manage FTP or CIFS shares.

This is possible since the VPN gateway can translate from HTTP to the native protocol of the backend server.
4.3. Port forwarding
To access non-web applications, users load a Java applet or ActiveX control on their machines that intercepts traffic destined for certain (TCP) ports and forwards this traffic to the VPN server.

4.4. Application forwarding
Some SSL VPN gateways can forward the application instead of the port, which is an elegant solution.
4.5. Network Extension
Some power users may still need full network access. This is achieved using a full-blown SSL VPN client.
To improve user experience, some SSL VPN solutions allow:
- downloading this client from the portal and installing it automatically without requiring administrative credentials, then automatically connecting it to the VPN gateway, with a minimum of user intervention.
- automatically connecting this VPN client at OS logon.
- network roaming awareness for an always-on VPN connection.
4.6. Java or ActiveX based clients for popular applications
Sometimes on the user’s machine the client for a certain application might not be installed or available.
5. Client endpoint detection and control plus user authorization for granular access to resources
A VPN might be private but not secure.
6. Ease of deployment
This boils down to:
- integrating into the existing architecture; this includes virtualized environments, so check whether the SSL VPN gateway is offered as a virtual appliance. Also, some SSL VPNs are part of UTM gateway solutions, so no extra appliance is needed.
- management capabilities for easy setup and configuration.
- monitoring and logging tools for troubleshooting.
7. Extra features
For example, antivirus on the VPN gateway side for scanning uploaded files.



