Designing and Building SSL Remote Access VPNs (WebVPN)

Providing remote access VPN connectivity is a relatively new application for the Secure Sockets Layer (SSL). SSL was designed to secure TCP-based protocols and applications such as HTTP (HTTPS), FTP (FTPS), POP3 (POP3S), and SMTP (SMTPS).

SSL is built into most, if not all, web browsers, and this fact allows the deployment of SSL remote access VPNs without the requirement to install specific client software on remote user workstations or devices; only a web browser is needed for basic (clientless) SSL remote access VPN connectivity.

Although clientless SSL remote access VPNs provide a basic level of access, more comprehensive access can be provided through the use of the Cisco SSL VPN Client. This software provides users with remote access VPN connectivity that is comparable to that provided by IPsec or Layer Two Tunneling Protocol (L2TP)/IPsec.

Figure 10-1 illustrates SSL remote access VPNs.

Figure 10-1. SSL Remote Access VPNs

In Figure 10-1, remote access users at an Internet café, airport Internet kiosk, and a hotel access the corporate network using variously HTTPS, POP3S, SMTPS, and port forwarding (TCP-based application traffic redirected over SSL). A telecommuter accesses the corporate network using the Cisco SSL VPN Client.

In this chapter, you will learn how SSL remote access VPNs compare to other types of remote access VPN. You will also find out the characteristics of SSL remote access VPNs, as well as how to design and implement them to provide exactly the type and level of functionality required.

Finally, you will learn how to properly secure SSL remote access VPNs, a very important consideration, particularly when users may be accessing the corporate network from untrusted locations such as Internet cafés and airport kiosks.
