Implementing Full Network Access Using the Cisco SSL VPN Client

By this stage, you will know that the type of access offered by clientless SSL remote access VPNs is much more restricted than that offered by IPsec remote access VPNs. If you do want to offer more functionality via an SSL remote access VPN, you can use the Cisco SSL VPN Client.

The Cisco SSL VPN Client is loaded on the VPN 3000 concentrator and then dynamically downloaded from the VPN 3000 concentrator by remote access VPN users. The Cisco SSL VPN Client offers remote access connectivity comparable to that offered by IPsec remote access VPNs.

One advantage of the Cisco SSL VPN Client is that it does not have to be permanently installed on client workstations and does not require particular configuration or administration, unlike IPsec remote access VPN client software. The Cisco SSL VPN Client software package is also relatively small in size.

It is worth mentioning, however, that for the SSL VPN Client software to be downloaded and installed, the remote access user must have administrative privileges on the workstation. Cisco does, however, provide an install enabler utility (STCIE.EXE) that must itself be installed by an administrator but will then allow other users to download and install the Cisco SSL VPN Client on demand.

When compared to IPsec remote access VPNs, the disadvantages of an SSL VPN Client include the fact that the client software is downloaded from the VPN 3000 concentrator, which takes a variable amount of time depending on connection speed. Having said that, it is possible to configure the VPN 3000 concentrator to leave the SSL VPN Client software installed on the client workstations rather than causing it to be uninstalled whenever the SSL VPN connection is terminated (the default).

Installing and Enabling the Cisco SSL VPN Client Software

The first step in enabling use of the SSL VPN Client is to upload it to the VPN 3000 concentrator. You can accomplish this by going to Configuration > Tunneling and Security > WebVPN > Cisco SSL VPN Client (see Figure 10-37).

Figure 10-37. Installing the Cisco SSL VPN Client

Choose Install a new Cisco SSL VPN Client, click the Browse button, browse to the location of the Cisco SSL VPN client software, and click Apply to install the software on the VPN 3000 concentrator.

After the client software is installed, the next step is to enable the use of the SSL VPN Client software for the appropriate user groups, as well as configure IP address pools (described in Chapters 8 and 9).

You can enable the use of the SSL VPN Client software by going to Configuration > User Management > Groups, choosing the appropriate group(s), clicking Modify, and clicking the WebVPN tab. The page shown in Figure 10-38 will then appear.

Figure 10-38. Enabling the Use of the Cisco SSL VPN Client

Checking the Enable Cisco SSL VPN Client box will, as it suggests, enable the use of the SSL VPN Client for the group.

It is also possible to require the use of the SSL VPN client by checking the Require Cisco SSL VPN Client box.

As discussed earlier in this section, the default behavior when using the SSL VPN Client is that the SSL VPN client software is removed when the client disconnects from the VPN 3000 concentrator. If the Keep Cisco SSL VPN Client box is checked, however, the client software remains on the client workstation even after disconnect. This clearly obviates the requirement to dynamically download the client software each time the client workstation connects to the VPN 3000 concentrator.

Understanding Remote Access Connectivity When Using the Cisco SSL VPN Client

When the Cisco SSL VPN Client is enabled for a particular user group, and when a user in that group connects to the VPN 3000 concentrator and logs in via the WebVPN login page, the Cisco SSL VPN Client will begin to download (assuming it is not installed already). After the SSL VPN Client has downloaded, it extracts and installs (see Figure 10-39).

Figure 10-39. Cisco SSL VPN Client Extracts and Installs

One thing to notice in Figure 10-39 is the text shown in the upper left (Click here to skip installation of the Cisco SSL VPN Client and proceed to the WebVPN Home page). This text does not appear if the Require Cisco SSL VPN Client box is checked in the WebVPN tab of group settings (see Figure 10-38).

After the SSL VPN Client software has been installed, a key symbol will appear on the right of the taskbar. Clicking the key will display information about the Cisco SSL VPN Client and SSL connection, as shown in Figure 10-40.

Figure 10-40. Information About the Cisco SSL VPN Client Connection

There are three tabs:

  • Statistics tab: Displays information about the connection, including address information (the IP address of the VPN 3000 gateway and the IP address assigned by the VPN 3000 concentrator to the SSL VPN Client tunnel interface/adapter); the number of bytes and frames sent and received over the tunnel; the encryption and hashing algorithms used by the cipher suite negotiated by the client and VPN 3000 concentrator; whether the client is allowed to access its local LAN and whether split tunneling is enabled; and how long the connection has been up.
  • Route Details tab: Shows information about local LAN routes and secure routes that have been installed.
  • About tab: Shows the version of the Cisco SSL VPN Client software that is installed.

The Reset button on the Statistics tab can be used to reset to zero the statistics for the number of bytes and frames sent and received over the SSL connection.

The Close and Disconnect buttons cause the Cisco SSL VPN Client information dialog box to close and the SSL connection to terminate, respectively.


Comparing, Designing, and Deploying VPNs
ISBN: 1587051796
EAN: 2147483647
Year: 2007
Pages: 124
Authors: Mark Lewis
