
Wednesday, December 2, 2015

Implementing Clientless SSL VPN


A clientless SSL VPN (Secure Sockets Layer Virtual Private Network) is a type of VPN that provides secure remote access to network resources and services without requiring the installation of dedicated VPN client software on the user's device. Instead of relying on a standalone VPN client application, clientless SSL VPNs leverage the web browser to establish secure connections between remote users and corporate networks.

Here's how clientless SSL VPNs work:

1. **Web-Based Access**: Clientless SSL VPNs use a web-based interface to allow users to access internal network resources securely via a standard web browser, such as Google Chrome, Mozilla Firefox, or Microsoft Edge.

2. **HTTPS Encryption**: The SSL VPN gateway or concentrator acts as a proxy server that accepts incoming HTTPS connections from remote users. All communication between the user's web browser and the SSL VPN gateway is encrypted using SSL/TLS protocols, ensuring confidentiality and integrity of data transmission.

3. **Authentication and Authorization**: Users authenticate themselves to the SSL VPN gateway using standard authentication methods, such as username/password credentials, two-factor authentication (2FA), or digital certificates. Once authenticated, the SSL VPN gateway verifies the user's access permissions and authorizes access to specific network resources based on predefined policies.

4. **Web-Based Portal**: Upon successful authentication, users are presented with a web-based portal or dashboard that provides access to authorized network resources, applications, and services. The portal typically includes links to internal web applications, file shares, intranet sites, and other resources accessible over the VPN.

5. **Access Control and Security Policies**: Clientless SSL VPNs enforce access control and security policies to restrict users' access to authorized resources and prevent unauthorized access to sensitive information. Administrators can define granular access control policies based on user roles, groups, IP addresses, and other contextual attributes.

6. **Application Proxying**: Clientless SSL VPNs often use application-level proxies to provide access to specific applications and services that are not natively web-based. These proxies translate non-web protocols, such as RDP (Remote Desktop Protocol), SSH (Secure Shell), and SMB (Server Message Block), into HTTP/HTTPS traffic for secure transport over the SSL VPN tunnel.

7. **Endpoint Security Checks**: Some clientless SSL VPN solutions include endpoint security features, such as host checking and posture assessment, to verify the security compliance of remote devices before granting access to the network. This helps ensure that only secure and properly configured devices can connect to the VPN.

Clientless SSL VPNs offer several advantages over traditional VPN solutions:

- Simplified Deployment: No need to deploy and manage VPN client software on user devices.
- Broad Compatibility: Compatible with a wide range of devices and operating systems that support web browsers.
- Remote Access: Enables secure remote access to internal network resources from any location with internet access.
- Reduced Support Overhead: Requires minimal user training and support, as it leverages familiar web browser interfaces.
- Enhanced Security: Encrypts all traffic between the user's device and the corporate network, protecting against eavesdropping and interception.

Overall, clientless SSL VPNs provide a convenient and secure solution for remote access to corporate networks and resources without the need for dedicated VPN client software. They are widely used by organizations to enable remote work, telecommuting, and secure access for mobile users, contractors, and partners.

Sample Requirements:

Type of VPN:
Random machines on the Internet
They all trust the global PKI (SSL), so a publicly signed certificate works
Not managed by the company

Group level:

Banner message
Custom bookmark
Webtype ACL
Allow portal URL browsing (URL entry)

User level:
New user in a new Sales group
Require use of a specific connection profile

Connection profile:
Use local AAA
Name: sales-con-prof
Alias: sales-con-alias
Custom URL: http://192.168.1.171/sales
Connection supported: SSL clientless only
Connection profile linked to the Sales group

Steps for implementing Clientless SSL VPN:
Create a group
Create a connection profile
Create a user
The objects can be configured in any order, but doing it this way lets us lock the user to the connection profile and then add the user to the group.

Test and Verify
To see connection information:
show vpn-sessiondb
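The requirements and steps above as one ASA CLI configuration, added here as an example and not taken from the original post: the names sales-group, sales-webacl, sales-bookmarks and sales1 are assumed, the password is a placeholder, and the group-url reuses the page's custom URL over HTTPS because the portal is served over TLS.

```text
! Webtype ACL for the group: only the sales application is reachable.
! Define it first so the group policy can reference it.
access-list sales-webacl webtype permit url http://192.168.1.171/sales/*
access-list sales-webacl webtype deny url any
!
! Group policy (the "Sales group"): banner, bookmarks, webtype ACL,
! URL entry in the portal, clientless SSL only.
! The bookmark list sales-bookmarks must already exist (created in ASDM
! or with "import webvpn url-list").
group-policy sales-group internal
group-policy sales-group attributes
 banner value Authorized Sales users only. Activity is monitored.
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value sales-bookmarks
  filter value sales-webacl
  url-entry enable
!
! Connection profile (tunnel group): local AAA, alias, custom URL,
! linked to the Sales group policy.
tunnel-group sales-con-prof type remote-access
tunnel-group sales-con-prof general-attributes
 authentication-server-group LOCAL
 default-group-policy sales-group
tunnel-group sales-con-prof webvpn-attributes
 group-alias sales-con-alias enable
 group-url https://192.168.1.171/sales enable
!
! Enable the clientless portal on the outside interface; tunnel-group-list
! makes the alias selectable on the login page.
webvpn
 enable outside
 tunnel-group-list enable
!
! Local user: member of the Sales group and locked to the connection
! profile, so logging in through any other profile is rejected.
username sales1 password REPLACE_WITH_STRONG_PASSWORD
username sales1 attributes
 vpn-group-policy sales-group
 group-lock value sales-con-prof
 service-type remote-access
```

After a test login, "show vpn-sessiondb webvpn" lists the clientless session with the group policy and tunnel group it landed in, which confirms both the alias/URL mapping and the group-lock.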
