Clientless SSL VPN

burbankmarc Member Posts: 460
Does anyone have experience with this? Everything on Cisco's website is rather ambiguous. Can the Clientless SSL VPN be used in a similar fashion as the IPSec remote VPN connection? I.e., when a user connects it's like they're physically attached to the network, or does it just allow HTTP/CIFS access to internal machines?

Comments

  • Forsaken_GA Member Posts: 4,024
    > Does anyone have experience with this? Everything on Cisco's website is rather ambiguous. Can the Clientless SSL VPN be used in a similar fashion as the IPSec remote VPN connection? I.e., when a user connects it's like they're physically attached to the network, or does it just allow HTTP/CIFS access to internal machines?

    I don't have any experience with Cisco's Clientless SSL VPN stuff, only Juniper's, and only then as a user. With Juniper, it's as simple as logging into a web page, clicking a button that pops a little applet (Java or something of the like I assume) that created a network connection that I could use to ssh around to machines that would only take connections from internal machines.
  • veritas_libertas Member Posts: 5,746
    > I don't have any experience with Cisco's Clientless SSL VPN stuff, only Juniper's, and only then as a user. With Juniper, it's as simple as logging into a web page, clicking a button that pops a little applet (Java or something of the like I assume) that created a network connection that I could use to ssh around to machines that would only take connections from internal machines.

    Does anyone know if there is an open source version of Clientless SSL VPN? I have seen this type of VPN with some of the Business Linksys wireless routers.
  • mikem2te Member Posts: 407
    > Does anyone have experience with this? Everything on Cisco's website is rather ambiguous. Can the Clientless SSL VPN be used in a similar fashion as the IPSec remote VPN connection? I.e., when a user connects it's like they're physically attached to the network, or does it just allow HTTP/CIFS access to internal machines?

    I've had a play with it. It's quite nice but not as nice as some dedicated SSL boxes I've played with.

    It operates in three modes: a clientless proxy mode where it proxies into internal HTTP/CIFS resources, a thin tunnel mode (which I've not tried) and a full tunnel mode which uses a small piece of client software, AnyConnect. When you log in to the https page a number of menu options are presented depending on what resources are published.

    For the clientless mode you would specify a number of internal URLs to publish which will be presented as a list of options after logging into the SSL VPN page.

    For the Full Tunnel the AnyConnect client is downloaded to the client and the tunnel is set up. The client is assigned an IP address from an IP address pool and thus allows full VPN similar to an IPSec tunnel. When the user logs out the client will be removed from the client PC if configured to. It is possible to specify split tunneling so only interesting traffic hits the tunnel, DNS is similar so it would still be possible to resolve both internet and hosts in the remote network.
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
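
The split tunneling and split DNS behaviour described in the post above, modelled as an added example that is not part of the original thread and not Cisco code. It shows how a full-tunnel client decides per destination and per hostname, and checks one common misconfiguration; all networks, domains and resolver addresses are constructed sample values.

```python
import ipaddress


class SplitTunnelPolicy:
    """Model of a full-tunnel client's split-tunnel and split-DNS decisions."""

    def __init__(self, networks, dns_domains, tunnel_dns, local_dns):
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.dns_domains = [d.lower().strip(".") for d in dns_domains]
        self.tunnel_dns = tunnel_dns
        self.local_dns = local_dns

    def route_for(self, destination):
        """Return 'tunnel' for "interesting" traffic, 'local' for everything else."""
        addr = ipaddress.ip_address(destination)
        for net in self.networks:
            if addr.version == net.version and addr in net:
                return "tunnel"
        return "local"

    def resolver_for(self, hostname):
        """Pick the DNS server: internal names go to the resolver behind the tunnel."""
        name = hostname.lower().rstrip(".")
        for domain in self.dns_domains:
            # Match on a label boundary so "evilcorp.example" is not treated as "corp.example".
            if name == domain or name.endswith("." + domain):
                return self.tunnel_dns
        return self.local_dns

    def audit(self):
        """Return findings for settings that undermine the split configuration."""
        findings = []
        for net in self.networks:
            if net.prefixlen == 0:
                findings.append(f"{net}: default route in split list, all traffic is tunneled")
        if self.route_for(self.tunnel_dns) != "tunnel":
            findings.append(f"{self.tunnel_dns}: internal resolver is not reachable through the tunnel")
        return findings


# Constructed sample policy (assumed values, not taken from the thread).
POLICY = SplitTunnelPolicy(
    networks=["10.20.0.0/16", "192.168.50.0/24"],
    dns_domains=["corp.example", "lab.example"],
    tunnel_dns="10.20.0.53",
    local_dns="192.0.2.53",
)

if __name__ == "__main__":
    for dest in ("10.20.5.9", "198.51.100.7"):
        print(dest, "->", POLICY.route_for(dest))
    for host in ("db01.corp.example", "evilcorp.example"):
        print(host, "->", POLICY.resolver_for(host))
    print("audit:", POLICY.audit())
```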
  • mikem2te Member Posts: 407
    > Does anyone know if there is an open source version of Clientless SSL VPN? I have seen this type of VPN with some of the Business Linksys wireless routers.

    I have used SSL-Explorer: Community Edition & OpenVPN ALS in the past. Look pretty cool.
  • burbankmarc Member Posts: 460
    Thanks all. I guess I'll give it a try. I'm having some problems with my Oracle admin wanting to VPN from home. Unfortunately he's on 64-bit Windows 7 and Cisco has no desire to make a 64-bit client.

    Time to go through some docs...
  • mikem2te Member Posts: 407
    > Thanks all. I guess I'll give it a try. I'm having some problems with my Oracle admin wanting to VPN from home. Unfortunately he's on 64-bit Windows 7 and Cisco has no desire to make a 64-bit client.
    >
    > Time to go through some docs...

    I'm wondering if the "Thin Client" mode will do it, according to the configuration page in CCP it "forwards application requests to the appropriate server and port. Thin client can forward requests only for the applications that use fixed ports, such as Telnet, IMAP......".

    I read somewhere it uses a small Java applet so it should not be fussy about the platform.
  • creamy_stew Member Posts: 406
    > Thanks all. I guess I'll give it a try. I'm having some problems with my Oracle admin wanting to VPN from home. Unfortunately he's on 64-bit Windows 7 and Cisco has no desire to make a 64-bit client.
    >
    > Time to go through some docs...

    Well, I spent some time trying to get SSL VPN working on a 1812 the way it does on an ASA. No luck. (Probably by design since Cisco charges per user in the ASA if I understand it correctly)

    If you're just looking for a 64-bit client, Shrew Soft Inc : Download : VPN Client For Windows works and is free. If you want a better interface there's NCP which is pretty pricey if you're used to the free Cisco client.

    edit: I'm using the latest version on 64-bit Win7 and importing a config file (pcf?) from a Cisco VPN client just works! So you won't have to tinker with settings on the client. Although I haven't tried cTCP.
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
  • Forsaken_GA Member Posts: 4,024
    From the brief bit of research I did after this question was posted, yeah, it seems the IOS's deployment of SSL VPN is a pain in the rear, and that you'll be using an ASA if you want to do it 'right'. Or you'll deploy a Juniper, whom Cisco seems to be playing catch up to in this arena.
  • astorrs Member Posts: 3,139
    > From the brief bit of research I did after this question was posted, yeah, it seems the IOS's deployment of SSL VPN is a pain in the rear, and that you'll be using an ASA if you want to do it 'right'. Or you'll deploy a Juniper, whom Cisco seems to be playing catch up to in this arena.

    +1 just buy a Juniper SA series and be done with it. ;)
  • burbankmarc Member Posts: 460
    I have 6 (3 sites, all in failover mode) ASA 5520s, so that's what I'll be using.

    Thanks for the link to the 64-bit client, I'm gonna check it out. I have to implement end to end QoS and I don't really want to have this SSL VPN on top of that.
  • APA Member Posts: 959
    Yep, used/configured the Clientless SSL VPN in both URL mode and ThinClient mode...

    Think of thinclient mode as a little app that is port forwarding to your internal servers over the VPN connection. I hate using the URL based VPN.... very frustrating sometimes.. ;)

    If you're going to deploy a VPN that allows your staff to feel as if they are on the staff network from home.... then just deploy it with the AnyConnect full client solution.

    We use this at our work...... Feels exactly the same as the IPSec full client.

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP