SSL VPN Virtual Appliance

An SSL VPN virtual appliance is a pre-installed, pre-configured SSL VPN software solution running on one or more virtual machines optimized for a specific goal. If you choose an SSL VPN virtual appliance, all of this setup work has already been done and you can focus on using the software solution.

At a Glance:

» Secure Virtualized Environments
» Immediate Deployment
» Dynamically Populated Application Portal
» Minimum TCO/TCA

  1. SonicWALL SRA Virtual Appliance with 5 User License

    » Recommended for organizations of any size
    » User licenses available in 5, 10, and 25 user increments
    » 25 concurrent Virtual Assist (Maximum)
    » 50 Concurrent Users (Maximum)
    » Virtual Appliance


SSL VPN Virtual Appliance

A virtual appliance is a ready-to-use virtual machine image, usually intended to run on a specific virtualization platform (and optimized for better performance on it). It includes an already installed, hardened, and configured operating system along with ready-to-run software.

  • It provides a way to try, use and buy software by simply downloading the virtual appliance and evaluating it; when ready, it can be moved into the virtualized production environment.
  • It removes from the administrator the responsibility of creating the virtual machine, installing the OS and VPN software, and hardening the VM.
  • It is typically remote-access oriented, concerned with the associated inbound VPN traffic; it cannot be used by local corporate hosts as a default gateway.
  • It is likely deployed along with an existing network firewall (which may be virtualized too).
  • It has limitations imposed by the hypervisor and its underlying hardware (e.g. throughput) or by firmware (e.g. supported number of users).
  • The VM can be moved from one hypervisor to another (live migration) if needed (e.g. when the underlying physical hardware becomes over-utilized).
  • When an upgrade requires replacing the VM, the process is simpler and cheaper since it may not require any physical hardware changes.
  • It offers a high level of application inspection intelligence and is feature-rich.
The hardware appliance and the virtual appliance are very much alike; an SSL VPN appliance (either hardware or virtual) is a secure remote access gateway.
The virtual infrastructure offers advantages in terms of flexibility and agility (e.g. if the VM crashes for some reason, it can be easily restored from a snapshot; or if the hypervisor experiences problems, another one can take over, regardless of whether the appliance itself supports high availability).
The hardware appliance can achieve greater throughput by taking advantage of hardware encryption and may offer greater security (e.g. by not depending on the security of the hypervisor, or because SSL cryptographic operations are done in hardware).
Given the increased popularity of SSL VPNs, many vendors rushed into the SSL VPN arena. When choosing an SSL VPN solution, there are certain aspects to consider. At a minimum, all SSL VPNs have, in one form or another:
  • Reverse web proxy (incorporating some level of application inspection)
  • Portal
  • Authentication and authorization
  • Port forwarding
  • Network extension or tunnel mode
  • Client endpoint detection and control

Key Features of an SSL VPN

However, what matters is how these features, and any extra ones, are implemented.

1. Compatibility – browser and OS broad support

Although dubbed a clientless remote access solution, an SSL VPN uses the browser as the base VPN client to access a portal on the VPN gateway. In addition, when full network access is required, an SSL VPN client is used.

2. Portal and portal customization capabilities

The portal is the door to corporate resources.
The layout, shortcuts (bookmarks), ease of navigation and load time (performance) can play an important role. Furthermore, features such as automatically starting a port forwarding rule upon user login help improve the user experience.

Cosmetic customization capabilities, like changing the layout, adding logos, etc. might be important for some companies.

3. Authentication and authorization

Look for good support for popular authentication methods, including Active Directory, LDAP, RADIUS and SecurID.
Some VPN gateways may function well when authenticating against Active Directory but not so well with SecurID, for example.

4. Connectivity options

Five important ones (discussed below):

  • reverse web proxy
  • protocol translation
  • port forwarding
  • network extension or tunnel mode; full network access
  • Java or ActiveX based clients for popular applications

4.1. Advanced reverse web proxy

One of the core features of SSL VPNs is to provide secure access to web applications, whether popular or custom; this is achieved through a reverse web proxy.
This has some key functions:

  • provide functionality; proxying web applications is not an easy task given the dynamic nature of web applications and the multitude of features used, like AJAX, Flash and JavaScript.
  • provide security; by incorporating a WAF (Web Application Firewall) the VPN gateway can protect the published web applications against various attacks and also limit access to various application features for specific users.
  • SSO (Single Sign-on) capabilities; delegate credentials to the backend application after the user has been pre-authenticated and authorized at the portal level, avoiding multiple logins.


4.2. Protocol Translation

From the portal the users can access FTP directories and CIFS shares.
On the browser side the users view a web page that looks like a file directory from where they can download, upload or manage FTP or CIFS shares.

This is possible since the VPN gateway can translate from HTTP to the native protocol of the backend server.

4.3. Port forwarding

To access non-web applications, users load a Java applet or ActiveX control on their machines that intercepts traffic destined to certain (TCP) ports and forwards this traffic to the VPN server.

4.4. Application forwarding

Some SSL VPN gateways can forward the application instead of the port, which is an elegant solution.

4.5. Network Extension

Some power users may still need full network access. This is achieved using a full-blown SSL VPN client.
To improve the user experience, some SSL VPN solutions allow you to:

  • download this client from the portal and automatically install it without requiring administrative credentials, then automatically connect it to the VPN gateway, with a minimum of user intervention.
  • automatically connect this VPN client at OS logon.
  • network roaming awareness for an always on VPN connection.

4.6. Java or ActiveX based clients for popular applications

Sometimes on the user's machine the client for a certain application might not be installed or available.

5. Client endpoint detection and control plus user authorization for granular access to resources

A VPN might be private but not secure.

6. Ease of deployment

Boils down to:

  • integrating into the existing architecture; this includes virtualized environments, so check whether the SSL VPN gateway is offered as a virtual appliance. Also, some forms of SSL VPN are part of UTM gateway solutions, so no extra appliance is needed.
  • management capabilities for easy setup and configuration.
  • monitoring and logging tools for troubleshooting.

7. Extra features

Like antivirus on the VPN gateway side for scanning uploaded files.

Frequently Asked Questions

Q. Where do I install this appliance on my network?

A. You can plug the SSL VPN appliance into your network almost anywhere. How you want to deploy the appliance (see our Single Arm or Two-Arm deployment guides) will dictate the best place to install it.

Q. What does concurrent users mean?

A. SSL VPN solutions are licensed based on the number of active, or concurrent, users connected to the device at any one time. For example, you may have 200 employees on the road, but you know you will only have 20-30 people connected to the SSL VPN at any time. Therefore, you will only need 30 concurrent licenses.

Q. Should I setup a DMZ for my appliance?

A. This varies depending on how you implement the solution. Best practice dictates that you should install the appliance in a DMZ or dedicated zone. This will allow you to have a wide range of control over data traversing the network.

Q. How are applications run over an SSL VPN connection?

A. Most applications are web based. This type of application can be easily run through the client's browser. Other applications, such as remote desktop, telnet servers and other non-HTTP based applications, can be accessed using a special client application or browser plug-in (e.g. ActiveX or Java).

Q. Can I access Windows shared folders and printers over SSL VPN?

A. Yes. There are a couple of options as to how this can be done. You can use a web-based application that allows you to access shared folders or use a small client that will provide a direct connection to the company network.

Q. How is SSL VPN different from a traditional IPSec VPN?

A. We have an entire article dedicated to explaining the difference between SSL VPN and IPSec VPN.

Q. Are there yearly subscriptions required to use an SSL VPN?

A. Sort of. You can run an SSL VPN appliance without any subscriptions for support or firmware upgrades. However, just like your servers and desktops, software updates and security patches should always be applied when available. With an active support agreement you are entitled to these features.

Q. Can I get help setting up an SSL VPN solution?

A. Absolutely, that is what we do best. You can contact our sales team and they will be able to assist you in any manner to ensure you successfully roll out your SSL VPN solution.

Q. Can we use Active Directory for authentication of our users?

A. Yes. All SSL VPN solutions include support for Active Directory authentication using either RADIUS or LDAP.

Have a Question?

Phone: 855.265.9746
Email: sales@sslvpn.com
Live: Online Chat