SSL VPN Design

45 pts.
VPN design
VPN hardware
Hi, I am a network engineer working for a solutions company. I need to provide VPN connectivity for a construction company. The workers in the company, say site engineers and marketing staff, need connectivity with the central site of the company. Most of the workers are mobile users; they need to access the resources securely through the Internet. I have heard about SSL VPN, but have no clear idea of the technology and devices used for creating an SSL VPN. Please give me a solution for the above requirement. I am also expecting details of different SSL VPN device vendors and a sample network design of an SSL VPN implementation. Please help me.

Answer Wiki


An SSL VPN uses HTTPS (TCP port 443) to provide the encryption between the end user and the corporate network resources. The end user just uses their Internet browser (IE, Firefox, etc.) to connect to the SSL VPN device, and they then authenticate, and a VPN client is downloaded to their PC (or handheld device), which then provides the VPN tunnel for the secure communication.

The SSL VPN device can be configured to provide access to only a few selected hosts, or can also provide full LAN access, in a similar way to an IPsec VPN, but without the need to install a permanent VPN client on the end user's device. The SSL VPN device can also check that the end user has the correct anti-virus software loaded, or many other things you may need, before it allows them to connect fully. Whether you need this function depends on your own security policy.

I have installed and configured a Juniper SA2500 SSL device to provide remote access for support engineers. It uses RADIUS to authenticate each user, and to also provide access control that restricts each individual to only access systems that they are responsible for, and not to any others.

Cisco, of course, also offer an SSL VPN solution, but I think their licensing is quite expensive per user.

Several other manufacturers offer this as well, but Juniper and Cisco are the only ones I have used.

The design is not really that difficult. It needs an Internet connection, and a connection to the corporate LAN. If there are a lot of users, then authenticate them using RADIUS (you can use Windows IAS, which uses Active Directory, for this; it is included with the server software, you just need to enable it). You need to decide if they only need access to a few resources, or full LAN access. If the resources are web browser based (for example OWA) then the config should restrict them to this. Then you need to look at your security policy, and decide if you need to check the status of the user device (anti-virus up to date? firewall working? etc.).

There are too many options to give a definitive answer, maybe you can give some more detail of what you need this to provide, but the above should help you make some of the decisions you need to make for this solution.

Hope this helps.
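The two access decisions the answer describes (restrict each authenticated user to the systems they are responsible for, and gate access on the device's posture) can be modelled as a small deny-by-default policy check. The block below is an added illustration in Python, not code from the original thread or from any vendor's SSL VPN product. The role names, address ranges, ports and the seven-day signature-age threshold are constructed for the example; in a real deployment the role would come from the RADIUS reply after authentication and the posture facts from the downloaded client's host check.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

# Per-role access list: (destination network, allowed TCP ports).
# Anything not listed is denied. All values are constructed for this example.
ROLE_ACL = {
    "site-engineer": [
        ("10.10.20.0/24", {443}),        # project document server, web only
        ("10.10.30.5/32", {443, 3389}),  # single CAD jump host
    ],
    "marketing": [
        ("10.10.40.0/24", {443}),        # intranet / OWA front end, web only
    ],
}

# Assumed policy: anti-virus signatures older than this fail the host check.
MAX_SIGNATURE_AGE = timedelta(days=7)


@dataclass
class Posture:
    """Facts reported by the client's host check (dates as ISO strings)."""
    av_installed: bool
    av_signature_date: str
    firewall_enabled: bool


@dataclass
class Session:
    """An authenticated user; 'role' is what the RADIUS server returned."""
    user: str
    role: str
    posture: Posture


def posture_ok(p: Posture, today: str) -> bool:
    """Host check: AV present, firewall on, and signatures not stale."""
    if not (p.av_installed and p.firewall_enabled):
        return False
    age = date.fromisoformat(today) - date.fromisoformat(p.av_signature_date)
    return age <= MAX_SIGNATURE_AGE


def allowed(session: Session, dst_ip: str, dst_port: int, today: str) -> bool:
    """Deny-by-default: posture must pass and the role's ACL must match."""
    if not posture_ok(session.posture, today):
        return False
    dst = ipaddress.ip_address(dst_ip)
    for net, ports in ROLE_ACL.get(session.role, []):  # unknown role -> no ACL
        if dst in ipaddress.ip_network(net) and dst_port in ports:
            return True
    return False


def decide(session: Session, requests, today: str) -> dict:
    """Evaluate a batch of (ip, port) requests; handy for audit logging."""
    return {f"{ip}:{port}": allowed(session, ip, port, today)
            for ip, port in requests}


if __name__ == "__main__":
    today = "2024-06-01"  # constructed
    eng = Session("alice", "site-engineer",
                  Posture(True, "2024-05-30", True))
    print(decide(eng, [("10.10.20.7", 443), ("10.10.20.7", 22),
                       ("10.10.40.2", 443)], today))
```

The point of the structure is that the user's identity alone never grants access: a valid login with a stale anti-virus database, or a role the policy does not know, resolves to "deny" without any special-case code.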

Discuss This Question: 2 Replies

  • mshen
    Of the SSL VPN devices out there, I think Juniper does the best job with their SA series SSL VPNs. You get granular security controls on everything and a VPN client that gives you full access to the internal network which can also be secured at a granular level. All you need to do is provide external http and https access to the device. In addition to RADIUS authentication, you can also set it up for Active Directory authentication.
    27,385 points
  • carlosdl
    We use a FortiGate firewall for our SSL VPN and it works well for us.
    84,580 points
