[Info-vax] SSL VPNs

jbriggs444 jbriggs444 at gmail.com
Wed Nov 3 11:37:15 EDT 2010


On Nov 2, 7:34 pm, "Richard Maher" <maher... at hotspamnotmail.com>
wrote:
>  Hi John,
>
> "jbriggs444" <jbriggs... at gmail.com> wrote in message
>
> news:d10ace22-f55e-4d3a-b1a1-da8e2f6cec4a at u17g2000yqi.googlegroups.com...
>
> I can create a session a LOT more quickly by sitting at a
> DOS command prompt and doing "putty <devicename>"
> than by bringing my Juniper window to the foreground,
> finding the appropriate terminal services icon and clicking
> on it.
> <<<<<<<<<<<
>
> But I thought that was the main benefit of these Juniper (and other)
> SSL/VPNs in [split]tunnel mode. Once the thin(ish) client is downloaded and
> the connection to the network appliance created, isn't all (configured)
> network traffic tunneled over the VPN?

No.  There are a number of modes of operation that can be used.
They can even be used at the same time.

One mode of operation is "full tunnel".  Juniper refers to this as
"Network Connect".  You log in through the https GUI as usual
and land at the client home page.  You push the "Network Connect"
button and a tunnel is created.  This is a perfectly ordinary VPN
tunnel, complete with a network adapter on the client side that
shows up under C:\> ipconfig /all

This tunnel may or may not use SSL on port 443 as its transport
protocol.  More typically it is using a variant of IPsec/NAT-T over
UDP port 4500, although SSL on port 443 may also be used.

In my lexicon, that's no longer "SSL VPN".  That's just plain
VPN.

Another mode of operation is traditional SSL VPN.  You
authenticate to the SSL VPN server and have the client
home page displaying.  You then click onto hot-links
representing web-based applications on the company
network.  Your browser is sending HTTP requests (over a
TLS stream) to the SSL VPN appliance.  The SSL VPN
appliance is acting as an HTTP gateway and forwarding
these requests to the target application.  This is more
difficult than it sounds, since URL rewriting needs to
occur within the HTTP stream and security rules may
be imposed.

Outlook Web Access would come under this heading.

A third mode of operation involves custom applets that
can leverage the SSL connection to provide, for instance,
terminal emulation.  This includes a remote desktop
(RDP) client, an SSH client, a telnet client and probably
a few more.

To emphasize -- the Juniper appliance is handling these
clients as a proxy gateway, not as a VPN router.  The
SSH connection will appear to the VMS target as if it
came from the Juniper appliance, not as if it came from
an assigned VPN client virtual IP.

Juniper also supports two additional modes but it's been
too long since training and I've not had responsibility for
dealing with them.  I won't attempt to characterize them
here.

> So you can continue to putty or ftp
> or telnet or odbc and if the downloaded config says it goes over the
> encrypted tunnel then that's where it goes.
>
> Have I got that wrong?

Yes.
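The URL rewriting that the second mode (the HTTP gateway) has to perform, as an added Python sketch that is not the original post's or Juniper's code: a gateway publishing internal web applications under https://<gateway>/<host>/<path> must rewrite link attributes in HTML bodies, Location headers and the scope of backend cookies. The hostnames and the cookie Path convention below are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed names for this example: the appliance's public hostname and the
# internal web applications it publishes (constructed, not real hosts).
GATEWAY_HOST = "sslvpn.example.com"
INTERNAL_HOSTS = {"owa.corp.example", "intranet.corp.example"}

def rewrite_url(url, current_host):
    """Map an internal URL onto the gateway as https://<gateway>/<host>/<path>.
    External hosts pass through; page-relative links are left for the browser."""
    p = urlsplit(url)
    if p.scheme and p.netloc:
        if p.hostname not in INTERNAL_HOSTS:
            return url
        return urlunsplit(("https", GATEWAY_HOST, f"/{p.hostname}{p.path or '/'}", p.query, p.fragment))
    if not p.netloc and p.path.startswith("/"):
        return urlunsplit(("https", GATEWAY_HOST, f"/{current_host}{p.path}", p.query, p.fragment))
    return url

# href=, src= and action= attributes carry the URLs the browser will fetch next.
ATTR_RE = re.compile(r'\b(?P<attr>href|src|action)=(?P<q>["\'])(?P<url>[^"\']*)(?P=q)', re.I)

def rewrite_html(body, current_host):
    """Rewrite every link attribute in an HTML response body served by current_host."""
    def repl(m):
        return f'{m.group("attr")}={m.group("q")}{rewrite_url(m.group("url"), current_host)}{m.group("q")}'
    return ATTR_RE.sub(repl, body)

def rewrite_cookie(value, current_host):
    """Re-scope a backend Set-Cookie to this app's gateway path: drop Domain (the
    browser only ever talks to GATEWAY_HOST) and prefix Path with /<host>."""
    attrs = [a.strip() for a in value.split(";")]
    out, path_seen = [attrs[0]], False
    for a in attrs[1:]:
        name, _, val = a.partition("=")
        if name.lower() == "domain":
            continue
        if name.lower() == "path":
            out.append(f"Path=/{current_host}{val if val.startswith('/') else '/' + val}")
            path_seen = True
        else:
            out.append(a)
    if not path_seen:
        out.append(f"Path=/{current_host}/")
    return "; ".join(out)
```

A Location header is rewritten with rewrite_url in the same way as a link attribute; without the cookie re-scoping, two published applications would overwrite each other's session cookies at the browser.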
