
SSL VPN, Overview – Amer Networks E5Web GUI User Manual

Page 636


9.6. SSL VPN

9.6.1. Overview

cOS Core provides an additional type of VPN connection called SSL VPN. This makes use of the
Secure Sockets Layer (SSL) protocol to provide a secure tunnel between a remote client computer
and a Clavister Security Gateway. Any application on the client can then communicate securely
with servers located on the protected side of the security gateway.

The Advantage of SSL VPN

The key advantage of SSL VPN is that it enables secure communications between a client and a
security gateway using the HTTPS protocol. In some environments where roaming clients have to
operate, such as hotels or airports, network equipment will often not allow other tunneling
protocols, such as IPsec, to be used.

In such cases, SSL VPN provides a viable, simple, secure client connection solution.

The SSL VPN Disadvantage

A disadvantage of SSL VPN is that it relies on tunneling techniques that make extensive use of
TCP protocol encapsulation for reliable transmission. This leads to extra processing overhead
which can cause noticeable latencies in some high load situations.

SSL VPN therefore demands more processing resources than, for example, IPsec. In addition,
hardware acceleration for IPsec is available on some hardware platforms to further boost
processing efficiency.

A Summary of SSL VPN Setup Steps

SSL VPN setup requires the following steps:

On the Clavister Security Gateway side:

i. An SSL VPN Interface object needs to be created which configures a particular Ethernet
interface to accept SSL VPN connections.

ii. An Authentication Rule needs to be defined for incoming SSL VPN clients and the rule
must have the Interface property set to be the name of the SSL VPN object created
above.

The Authentication Agent of the rule must be set to L2TP/PPTP/SSL VPN and the rule's
Terminator IP must be set to the external IP address of the security gateway's listening
interface.

The PPP Agent Options for the rule can be any combination of PAP, CHAP, MS-CHAP,
MS-CHAPv2 and no authentication. The SSL client will go through all the options until it
finds a method that works. By default, all options are enabled except for no
authentication.

This topic is discussed further in Section 8.2.5, “Authentication Rules”.

iii. If only a specific IP address, network or network range is to be made available to the
client through the tunnel then this can be specified as an option on the SSL VPN
interface. Otherwise, it is assumed that all client traffic will be routed through the tunnel.
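The PPP Agent Options in step ii above determine the weakest credential check a client can end up using, because the client walks its methods until the gateway accepts one. The following is an added example (not code from the manual or from cOS Core) that models that fallback and audits a rule's enabled options; the strength ranking and the weakness descriptions are general PPP-authentication facts assumed here, not values taken from the manual.

```python
"""Audit of the PPP Agent Options an SSL VPN authentication rule enables.

Models the behaviour the manual describes: the client tries methods in
its own order until the gateway accepts one, so the weakest method the
gateway leaves enabled is the weakest one a client can end up using.
"""
from dataclasses import dataclass

# The five options the manual lists, strongest first. The ranking and the
# WEAKNESS text are general PPP facts assumed here, not from the manual.
METHODS = ["MS-CHAPv2", "MS-CHAP", "CHAP", "PAP", "none"]

WEAKNESS = {
    "none": "tunnel is established without any credential check",
    "PAP": "password travels as plaintext inside the PPP exchange (protected "
           "only by the outer TLS tunnel)",
    "CHAP": "gateway must hold the plaintext password to verify the response",
    "MS-CHAP": "superseded by MS-CHAPv2; no mutual authentication",
}

DEFAULT_ENABLED = {"PAP", "CHAP", "MS-CHAP", "MS-CHAPv2"}  # manual's default
HARDENED_ENABLED = {"MS-CHAPv2"}  # constructed hardened rule


def negotiate(server_enabled, client_preference):
    """Return the first method in the client's order that the gateway accepts."""
    for method in client_preference:
        if method in server_enabled:
            return method
    return None  # no common method: the client fails to authenticate


def weakest_negotiable(server_enabled):
    """Weakest method any client can end up with against this rule."""
    for method in reversed(METHODS):
        if method in server_enabled:
            return method
    return None


@dataclass
class Finding:
    method: str
    reason: str


def audit_ppp_options(server_enabled):
    """List every enabled method weaker than MS-CHAPv2, strongest first."""
    unknown = set(server_enabled) - set(METHODS)
    if unknown:
        raise ValueError(f"unknown PPP agent option(s): {sorted(unknown)}")
    return [Finding(m, WEAKNESS[m]) for m in METHODS
            if m in server_enabled and m in WEAKNESS]


if __name__ == "__main__":
    for label, enabled in (("default", DEFAULT_ENABLED), ("hardened", HARDENED_ENABLED)):
        print(label, "rule, weakest negotiable method:", weakest_negotiable(enabled))
        for f in audit_ppp_options(enabled):
            print(f"  {f.method}: {f.reason}")
```

With the manual's default set, a client that prefers PAP is accepted with PAP even though MS-CHAPv2 is also enabled; restricting the rule to MS-CHAPv2 removes that fallback.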

Chapter 9: VPN

