Web Host Chat
Bringing Hosts & Customers together since 2001
Old 22nd June 2008   #1 (permalink)
LeaUK
Traditional VPN vs SSL VPN

Hi all

We're currently in the process of deciding upon a home working VPN platform, one that facilitates both users with personal PCs, and those supplied and under 'corporate control'.

There appear to be two predominant technologies: traditional VPN (home worker receives corporate LAN IP) and SSL VPN, where the user receives a web SSL connection which can be used via a web browser.

I'm siding with the newer SSL VPN as it facilitates both home working (allowing use of staff's personal PC) and staff with corporate laptops, however most of our traditional apps are not web based. Currently we utilise Citrix for many apps and Citrix provides a web front end.

However some of our apps are not Citrix friendly, some are run locally (this will inevitably change), and some require transparent sessions with no front end. For example we have local apps creating FTP sessions between users' laptops and our systems.

Guess my questions are:

1. Can SSL VPN connections be used with traditional client/server non-web based apps, if so how?

2. Can traditional VPN-like tunnels be created so as to facilitate transparent FTP sessions? Of course this is no problem with traditional VPNs.

3. Maybe I should read up more on Citrix CAGs !?

Any thoughts would be greatly appreciated, especially if anyone has trodden this path before.

Lea

Last edited by LeaUK : 22nd June 2008 at 11:47 AM.
Old 23rd June 2008   #2 (permalink)
JamesSykes
1. Yes, depending on what you are using.
2. Yes, depending on what you are using.
3. Yes, depending on w.... er actually I don't know what a Citrix CAG is....

Check out SSL Explorer : http://3sp.com/showSslExplorer.do

I've just started playing around with this and have gotten it to do web vpn stuff as well as app stuff (remote desktop, ssh) and also traditional network type VPN.
__________________
Mooharr
E-Mail Hosting Services

These are not my views and i cannot be held accountable for anything he says.
Old 23rd June 2008   #3 (permalink)
LeaUK
Hi James

Seems like SSLExplorer is extremely similar to a Citrix CAG. You can even create our file mappings in Explorer over SSL, great

Many thanks
Lea
Old 23rd June 2008   #4 (permalink)
heypresto
We use SSL Explorer at $dayjob - very very good package, though we do go for the Enterprise version. Citrix works fine through it, as do a number of terminal applications (AS400/TN5250, SSH, Telnet), file shares (HTML and webdav), mail, web forwards (e.g. Intranets). Not SharePoint though - couldn't get it to work.
__________________
Andrew Taylor
Hey Presto! Internet Services
www.heypresto.co.uk
Old 23rd June 2008   #5 (permalink)
LeaUK
Hi all

I want to understand how local client/server apps deal with connections through the SSL - as everything seems rather visual and of course through a web browser.

For example:

1. I want to create a transparent FTP connection from a local app through the SSL VPN without a browser.

2. I need to route all Internet traffic to our internal web proxy server - for logging and policy reasons.

this is for $dayjob too ;-)

Cheers
Lea
Old 23rd June 2008   #6 (permalink)
JamesSykes
Quote:
Originally Posted by LeaUK2 View Post
Hi all

I want to understand how local client/server apps deal with connections through the SSL - as everything seems rather visual and of course through a web browser.

For example:

1. I want to create a transparent FTP connection from a local app through the SSL VPN without a browser.

2. I need to route all Internet traffic to our internal web proxy server - for logging and policy reasons.

this is for $dayjob too ;-)

Cheers
Lea
Well SSL explorer does a funny thing where your client connects to say 127.0.0.1:5829 which it then does the funky business of routing it through to the final ftp server.

2. then you probably need to use the network function (next) which will create a proper vpn network. Or you could do something like click this link to browse the net, which just forwards port 80 traffic to your proxy or something.
Old 23rd June 2008   #7 (permalink)
heypresto
1 - FTP doesn't work through SSL Explorer because of the business with a control port and data port (20 & 21). I believe they're still working on support for this. I don't know if any other SSL VPN solutions work with FTP.
2 - Just publish your proxy server as an SSL Tunnel, e.g. localhost:8080 -> internal.proxy.com:8080. Then when users are external they must set their proxy server to localhost:8080 to get net access. However, what we do with some apps is use a DNS name that internally resolves to the actual server, but externally resolves to 127.0.0.1. As long as the port numbers are the same, it works wherever the user is, though of course the VPN will need to be established first when external.
Old 23rd June 2008   #8 (permalink)
LeaUK
1. That's a shame, their blurb seems to mention FTP several times and certainly appears to indicate support.

2. I suppose I'm trying to work out how to identify whether the user is at home or internal, then suitably manipulate their browser's proxy address. Seems like you have managed this?

Quote:
SSL-Explorer’s nEXT (Network Extension) feature offers full network access to corporate resources.
A number of additional tasks can be performed when using nEXT over and above the functionality
offered by a basic, browser-launched SSL VPN tunnel.
Ah I see... just reading through the admin guide..

oooh,oooh,ooh...and

Quote:
An SSL Tunnel is simply a connection between two TCP enabled components. All of the data
transmitted over a tunnel is encrypted using the SSL protocol. This is done the same way as other
tunnelling technologies.
For example, a user may wish to create a secure tunnel to a TCP/IP enabled database that exists on the
other side of an SSL-Explorer server. First of all, an administrator configures a new SSL-Tunnel that
uses 63389 as its source port and mysql.mycompany.com:3389 as the destination. The user may
then activate this tunnel and then specify localhost as the hostname and the 63389 as the port and
all traffic will then be secured.
Now I'm getting it.

Lea

Last edited by LeaUK : 23rd June 2008 at 07:02 PM.
Old 23rd June 2008   #9 (permalink)
LeaUK
So we have two ways of securing FTP data (assuming FTP is now supported); SSL tunnelling, or nEXT which essentially acts as a traditional VPN - but using an SSL as an alternative to IPSec.

Tunnelling appears the most attractive as clients won't need to install TAPs and won't need admin, which of course if you're working in the Library you won't.

I'm liking this product.

Lea
Old 23rd June 2008   #10 (permalink)
LeaUK
From their KB:

Quote:
Can I use FTP over SSL-Explorer?
There is currently no support for the forwarding of FTP connections through SSL Tunnels, this may be added in a future release.
But it does beg the question what other protocols are not supported through SSL tunnels. I still don't quite understand as I simplistically assumed it doesn't matter what the underlying protocol was as the tunnel simply wraps it then decrypts it..

Ah, it's not the protocol, it's because SSL-explorer cannot tunnel a range of defined ports and passive FTP needs several.

One more thing, it only supports 100 concurrent users, no redundancy or expansion capabilities as yet.

Oh well, that's the end of that then!

But, even with these minor issues it looks a GREAT product in terms of features/cost ratio.

Lea

Last edited by LeaUK : 23rd June 2008 at 08:27 PM.
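Added example, not part of any post in this thread and not SSL-Explorer code: it shows why a one-port-to-one-port SSL tunnel carries the FTP control channel but not the data channel, and what an FTP-aware gateway would have to do instead. The tunnel table, addresses, ports and server replies are constructed for illustration.

```python
import re

LOCALHOST = "127.0.0.1"
# Constructed tunnel table: local source port -> (destination host, port),
# the one-port-to-one-port model from the quoted admin guide.
TUNNELS = {2121: ("10.0.0.21", 21)}

PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d+)\1\)")

def data_endpoint(reply, control_peer=LOCALHOST):
    """Where the FTP client will open its data connection after this reply."""
    m = PASV_RE.match(reply)
    if m:
        *ip, p1, p2 = map(int, m.groups())
        return ".".join(map(str, ip)), p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:  # EPSV gives a port only; the client reuses the control peer address
        return control_peer, int(m.group(2))
    raise ValueError(f"not a passive-mode reply: {reply!r}")

def reachable_from_home(endpoint, tunnels):
    """A remote user can only reach ports the tunnel client listens on locally."""
    host, port = endpoint
    return host == LOCALHOST and port in tunnels

def rewrite_pasv(reply, tunnels, local_port):
    """What an FTP-aware gateway would have to do: open a second forward for
    the advertised data port and point the client at it."""
    dest = data_endpoint(reply)
    new_tunnels = {**tunnels, local_port: dest}
    p1, p2 = divmod(local_port, 256)
    return f"227 Entering Passive Mode (127,0,0,1,{p1},{p2})", new_tunnels

if __name__ == "__main__":
    # Constructed server replies, as seen through the control tunnel on :2121
    pasv = "227 Entering Passive Mode (10,0,0,21,195,80)"
    epsv = "229 Entering Extended Passive Mode (|||50000|)"
    for r in (pasv, epsv):
        ep = data_endpoint(r)
        print(r, "->", ep, "reachable:", reachable_from_home(ep, TUNNELS))
    fixed, t2 = rewrite_pasv(pasv, TUNNELS, 50001)
    print(fixed, "-> reachable:", reachable_from_home(data_endpoint(fixed), t2))
```

Because the server picks a fresh data port for every transfer, a static tunnel table cannot list it in advance; the forward has to be created per reply, which is the part a plain port-forwarding tunnel lacks.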
Old 23rd June 2008   #11 (permalink)
Jon-NC
If you have an AD network and existing Citrix servers a CAG would be nice, you can also use VASCO for added security.
__________________
Jon Rohan

Please note: My views are my own and not those of the company I work for.
Old 24th June 2008   #12 (permalink)
LeaUK
Hi Jon

Yes we have Citrix and its web interface product, we also have a CAG (strangely enough) but no one seems to understand it. I suspect after further reading and building some basic knowledge in this area we will choose to upgrade the CAG (it's getting on a bit) and take it from there.

Seems like the CAG will achieve everything SSLExplorer can and more, also it will allow phenomenal concurrent connections - must have an SSL card in the box ;-)

Cheers - I'll let you know how we progress.
Lea

Last edited by LeaUK : 24th June 2008 at 06:45 PM.
Old 24th June 2008   #13 (permalink)
Jon-NC
The CAG would be your best bet imo. You've already paid for it so may as well use it.

There is a new version of software for the CAG which will allow single sign-on and application management. The name escapes me now but it is pretty slick.