If you are running a dial-up VPN network, you know the nightmares about security, maintenance and the inevitable end-user problems from travelers. No matter how much time and effort you put into building that part of the network, it always becomes a source of irritation and constant frustration.
The first and last issue is always security. If any end-point has a VPN client installed, and your users know the access codes, they can build a tunnel. If that device has viruses, Trojans or other nasty stuff on it, then you are immediately vulnerable. Some administrators try to avoid this by limiting access only to company-issued computers. But in this day and age of smartphones and other mobile devices, that is just not going to satisfy your user community. We have tried requiring a security application to be installed on the end-point, but the same argument holds. Not only that, but contractors and consultants need remote access, and it can be expensive to extend that model to them.
Suppose you have come up with a workable solution that your CEO accepts. The next big hurdle is whether or not to allow a split tunnel. In this configuration, your users can access the Internet and the VPN simultaneously. Again, because of security, you cannot allow this. Why? Because the end-point now has an open connection to the Internet and a secure connection to your network. It is a conduit for trouble: if something gets onto that end-point device, it now has access to the secure connection. Your remote workers are going to argue that preventing Internet access while the VPN is open is too limiting and they cannot get their job done. They need to access web sites, web-based e-mail systems, blogs, IM and other Internet-based systems at the same time the VPN is open. One option is to try to find a way to route all end-point traffic through the VPN. Depending on your network, this may or may not work, but it will definitely put more burden on your edge router, cause latency issues depending on how remote some of the users are, and complicate your security configuration and management for your corporate LAN. If it cannot be done, then the complaints rise and you are getting pressured to fix it.
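The difference between a full tunnel and a split tunnel shows up in the end-point's routing table: in a full tunnel the preferred default route points at the VPN interface, while in a split tunnel only some prefixes go through it and the default route still goes straight to the Internet. The following is an added example, not part of the original post or any vendor tooling: it parses Linux `ip route` output and classifies the tunnel mode, which is a useful compliance check for a policy that forbids split tunnels. The routing tables, the `tun0` interface name and the addresses are constructed sample data.

```python
"""Classify an end-point's routing table as full-tunnel, split-tunnel or no VPN.

Added example with constructed input; it is not code from the original post.
Input format is the output of `ip route` on Linux (assumed; other platforms
would need a different parser).
"""
import ipaddress
import re

# Constructed sample: VPN (tun0) default route wins on metric -> full tunnel.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed sample: only the corporate 10/8 goes via tun0 -> split tunnel.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0 proto static
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed sample: no VPN interface present at all.
NO_VPN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# destination, optional gateway, device, optional metric
ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)"
    r"(?:.* metric (?P<metric>\d+))?"
)


def parse_routes(text):
    """Return a list of {net, dev, metric} dicts, one per parsed route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip lines we do not understand rather than guess
        dst = m.group("dst")
        net = (ipaddress.ip_network("0.0.0.0/0") if dst == "default"
               else ipaddress.ip_network(dst, strict=False))
        metric = int(m.group("metric") or 0)  # kernel default when absent
        routes.append({"net": net, "dev": m.group("dev"), "metric": metric})
    return routes


def tunnel_mode(text, vpn_dev="tun0"):
    """Return 'full', 'split', 'no-vpn' or 'no-default' for the given table.

    The lowest-metric default route decides: if it leaves via the VPN
    interface, every packet not matched by a more specific route is
    tunnelled (full tunnel). If the default goes elsewhere but some
    prefixes are still routed via the VPN, the host is split-tunnelled.
    """
    routes = parse_routes(text)
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if not defaults:
        return "no-default"
    best = min(defaults, key=lambda r: r["metric"])
    if best["dev"] == vpn_dev:
        return "full"
    if any(r["dev"] == vpn_dev and r["net"].prefixlen > 0 for r in routes):
        return "split"
    return "no-vpn"


if __name__ == "__main__":
    for name, table in [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL),
                        ("no-vpn", NO_VPN)]:
        print(f"{name:7s} -> {tunnel_mode(table)}")
```

A posture-check agent would run this against the live `ip route` output and refuse to treat the host as compliant unless the result is `full`; the sample tables give `full`, `split` and `no-vpn` respectively.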
So, how do you give reasonable access to a remote and mobile workforce and maintain a secure environment? Enter the SSL VPN, or webvpn. This is a device that allows you to publish web-based applications and provide access to shared folders and systems. It can safely be used by any system with a web browser. This traffic is protected using SSL (HTTPS) for the life of the transaction, and the connection cannot easily be exploited by malware on the end-point.
We tried using the SSL VPN features of the Cisco 3000 series VPN appliances, but with very little success. Even publishing Cisco applications like MeetingPlace proved impossible to implement. Talking with Cisco only led them to start pushing the Cisco ASA 5500 appliances at us. When questioned about features and capability, the phrase we kept hearing was, "just as good as Juniper".
Further research showed that Juniper was the gold standard for SSL VPN, and so rather than try to find something "as good as" that, we decided to purchase a Juniper SA2500 SSL VPN appliance. The setup was very easy to navigate, and the user interface for end-users is simple and straightforward.
Users can be assigned to one or more roles depending on their needs, and the web interface will only show them those applications that are available to that role. This makes security easy to manage and very flexible. Licensing is based on the number of concurrent users, which keeps costs down. We set up RADIUS authentication, which is actually backed by Active Directory, so users have a single username/password to remember.
A lot of our users want access to internal services that are not published via a web-based interface. Not a problem with Juniper. We have the ability to publish Remote Desktops (Terminal Servers) through the interface, giving them the ability to run any application. In fact, our remote offices find that the performance of accessing files on shared folders from Windows servers is better with the Juniper SSL VPN than mounting the disks directly to their desktop across the WAN. I think this has to do with all of the authentication and security exchanges that must occur between the client and the server. Since the SSL VPN appliance is local, it can execute this traffic more quickly.
We have users all over the world, and with the SSL VPN our success has skyrocketed. Our old VPN is all but decommissioned and will soon be a distant memory.