Why does SSL VPN require a client for full functionality? So what's the point?

May 3rd, 2007

I was interested in SSL VPN because I thought that I could have the same functionality I have when connecting via Cisco VPN 3000 concentrator (IPSec with AH and ESP enabled), but without the hassle of deploying and maintaining client VPNs for thousands of users.

However, to my disappointment, based on the information below from www.cisco.com (and I believe that it is the case for other vendors, right?), SSL VPN offers limited functionality if deployed clientless. Why is it like that?

Imagine I have a VPN (IPSec) solution functional today. If I deploy SSL VPN (clientless), what lack of functionality should I experience? Why is a VPN client required if SSL VPN can successfully establish the tunnel? I don't get it.

"...SSL VPNs provide two different types of access: clientless access and full network access. Clientless access requires no specialized VPN software on the user desktop; all VPN traffic is transmitted and delivered through a standard Web browser. Because all applications and network resources are accessed through a browser, only Web-enabled and some client-server applications-such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers-can be accessed using a clientless connection. This limited access is suitable for partners or contractors that should be provided access to a limited set of resources on the network. And because no special-purpose VPN software has to be delivered to the user desktop, provisioning and support concerns are minimized."

Danilo Dy Thu, 05/03/2007 - 19:37

Hi,

Clientless SSL VPN is only able to access applications through a browser (i.e. HTTP and HTTPS). If you need to access other applications like RDC, you need the full SSL client.

The full SSL client is deployed automatically, depending on how you configure the SSL VPN box (temporarily or permanently):

1. From the SSL VPN box, you can configure it to be downloaded and installed on the user's PC permanently (500KB+). When the user is successfully authenticated by the SSL VPN box, it will download the client and install it automatically/permanently without any help from the network administrator. The user needs to log in on his/her PC with administrator privilege.

2. From the SSL VPN box, you can configure it to be downloaded and installed on the user's PC temporarily (500KB+). When the user is successfully authenticated by the SSL VPN box, it will download the client and install it temporarily without any help from the network administrator. The user needs to log in on his/her PC with administrator privilege.

In one of my deployments, I have 1000+ SSL VPN users. I just need to create a 10-page User Manual/Guide complete with troubleshooting on their own. I use the first option, which is to automatically download and permanently install it on their PC. Patching the SSL VPN full client only requires uploading the new client to the SSL VPN box, and it will automatically patch the client on the user's PC.

Dandy

news2010a Thu, 05/03/2007 - 20:11

Thanks for your reply.

Sorry, what's RDC by the way?

If someone can explain why we need an SSL client in order to handle application execution, that would be very welcome. So far I have been unable to find an explanation of what causes the SSL VPN to be limited when it comes to handling executions other than http/https traffic.

Danilo Dy Fri, 05/04/2007 - 00:59

Hi,

RDC stands for Remote Desktop Connection by Microsoft.

It is not the answer to your question about clientless SSL VPN and full client SSL VPN, but the benefit of clientless SSL VPN over full client SSL VPN is that you will be able to access (at least HTTP/HTTPS applications) using a computer on which you don't have administrator privilege to install the full client SSL VPN (i.e. Internet Cafe).

Dandy
