Thin client vs. SSL VPN client

Unanswered Question
Apr 26th, 2007

I'm new to the ASA and I'm trying to figure out the specific functional differences between the thin client WebVPN approach and the full SSL VPN client approach. I've scoured every piece of Cisco documentation I can find and I haven't found the answer. I need to know because I think we're running into a problem that may be fixable by switching to the full SVC. We are currently using the thin client.

Any thoughts?

Thanks!

sachinraja Thu, 04/26/2007 - 20:40

Hello John,

SVC is the latest development in Cisco SSL VPN, which works similarly to the IPsec VPN client you would have worked with before. The only difference is that you do not need to install any SVC client on your PC. Once you HTTPS to the ASA box, and if the authentication succeeds, the ASA automatically pushes this client onto your PC. Once the connection is established, you will get an IP address on your laptop from the pool configured on the ASA. This is the key difference. Once you get an IP, you are inside your VPN network and can access any application.

With the thin client (WebVPN) model, you will not be assigned any IP address. The TCP forwarding rules are downloaded from the ASA to your client over a Java page. Any request to the servers specified on that list goes through the SSL VPN connection, and the ASA PROXIES ALL THE REQUESTS. So there is no IP address on your laptop in this case. Hence, if you need to access any new server, it isn't possible unless you add it to the "forwarding" rules of the ASA.

This is the critical difference between the two, but I would advise you to proceed with the SSL VPN Client, because the WebVPN type of connectivity is being phased out and will be stopped soon :)

Hope this helps. All the best. Rate replies if found useful.

Raj

ryderse69 Mon, 07/14/2008 - 10:55

Thank you for the info. I was trying to determine this too but I have another question related to this one.

We have several remote users who need RDP access to their desktops. We have no control over their local PCs, so a traditional VPN client is not an option.

These users need to have RDP access to their particular desktop but nothing else. Is there a way to lock down their access to just RDP to their PC and nothing else? I assume that is done via filters but I am not certain. These remote PCs are considered unsecure with respect to viruses etc. and we need to ensure that each one is only allowed access to their PC.

It sounds like SSL VPN is the only way to go for this, correct?

Thanks in advance,

-Steve

whisperwind Mon, 07/14/2008 - 11:11

Steve,

Any VPN can accomplish what you are wanting, i.e. VPN users only RDP to their desktop.

In the user attributes section of the config do the following:

username USER attributes
 vpn-group-policy USERS-ACL

where the place you want them to go to is defined in an ACL.
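
Added example, not part of the original thread and not Cisco's own code: a Python check that reads an ASA-style configuration and confirms that each VPN user's group policy carries a filter ACL limited to TCP/3389 on a single host, which is the lockdown asked about above. The configuration, names and addresses are constructed, and it assumes the ACL is attached with "vpn-filter value" inside the group policy.

```python
import re

# Constructed ASA config for illustration (names and addresses are made up).
SAMPLE_CONFIG = """\
access-list ALICE-RDP extended permit tcp 10.99.0.0 255.255.255.0 host 10.1.1.25 eq 3389
access-list WIDE extended permit ip any any
group-policy ALICE-GP attributes
 vpn-filter value ALICE-RDP
group-policy BOB-GP attributes
 vpn-idle-timeout 30
group-policy CAROL-GP attributes
 vpn-filter value WIDE
username alice attributes
 vpn-group-policy ALICE-GP
username bob attributes
 vpn-group-policy BOB-GP
username carol attributes
 vpn-group-policy CAROL-GP
"""
# An ACE that permits only TCP/3389 to one destination host.
RDP_ACE = re.compile(r"access-list \S+ extended permit tcp .+ host (\S+) eq 3389$")

def audit(config):
    """Map each VPN username to 'ok: <host>' or a description of the gap."""
    aces, filters, users, section = {}, {}, {}, [""]
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # top-level command opens a new section
            section = words
            if words[0] == "access-list":
                aces.setdefault(words[1], []).append(line.strip())
        elif section[0] == "group-policy" and words[:2] == ["vpn-filter", "value"]:
            filters[section[1]] = words[2]
        elif section[0] == "username" and words[0] == "vpn-group-policy":
            users[section[1]] = words[1]
    report = {}
    for user, policy in users.items():
        acl = filters.get(policy)
        matches = [RDP_ACE.match(a) for a in aces.get(acl, [])]
        hosts = {m.group(1) for m in matches if m}
        if acl is None:
            report[user] = f"group-policy {policy} has no vpn-filter"
        elif not matches or not all(matches) or len(hosts) != 1:
            report[user] = f"ACL {acl} is not limited to RDP on one host"
        else:
            report[user] = f"ok: {hosts.pop()}"
    return report
```

Calling audit(SAMPLE_CONFIG) returns one finding per username, so a policy with no filter or an over-broad ACL shows up next to the user it affects.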

ryderse69 Mon, 07/14/2008 - 12:15

Thanks. I had a feeling that either method would work but I wanted to be certain.

The reason I ask is that we want to make sure that remote PCs cannot spread any software to other machines, intentional or otherwise.

I think we are going to use the SSL VPN so we don't have to deal with installing VPN clients on end users' PCs.
