© 2005,2006 NeoAccel Inc. Training Access Modes

Dec 24, 2015


Cassandra Wells

Training

Access Modes


Agenda

1. Need of SSL VPN

2. Access Terminals

3. SSL VPN-Plus Access Terminals
   a) Introduction
   b) Usage scenario

4. Network extension concepts

5. Full Access Client

6. Quick Access Terminal Client


What Users Want

Access Business Applications
• Web based applications: Intranets,…
• Client-Server applications: VOIP, SAP,…
• Hybrid Web applications: Oracle forms,…

On Demand Access
• Take work home: in-office experience, full productivity
• At customer site: need mission critical application to run
• Roaming: Email, Intranet portal, least productivity


What Users Want…contd…

No more classes and trainings!!
• Simplified, one click access … like web…
• In-office experience
• Don’t rely on us


What Users Want…contd…

Securely Access Anything from Anywhere using Any device

That’s what SSL VPNs are about!


SSL VPN Deployment

[Figure: SSL VPN deployment diagram. Labels: Wireless/mobile user; Home user/consultant/partner; Other corporate office/Partners; Encrypted SSL VPN tunnels; Firewall; NeoAccel SSL VPN-Plus Gateway; Private network services; Authentication Server (Radius/AD/LDAP); Internal data-centre.]


Access Terminals

• Entry points to private corporate network

• Requirement
  • Usability
  • Accessibility
  • Security


Common Access Terminals

1.1 SSL VPN Web portal (with terminal emulators)

1.2 Port Forwarding Client

1.3 Network extension Client


SSL VPN-Plus Access Terminals

• SSL VPN-Plus has three Access Modes

• Web Access Terminal (WAT)
  • Browser based SSL VPN access mode
  • Commonly known as Clientless SSL VPN access

• Private Hyper Access Transport (PHAT)
  • A native client for full access to corporate network
  • Commonly known as Full Access Client

• Quick Access Terminal (QAT)
  • An agent based terminal that enables access to all TCP applications without installing any software on machine
  • Commonly known as Port Forwarding Client

Access Terminals are modes through which remote users can access corporate resources


Web Access Terminal

• Only a browser is required to initiate a VPN and access corporate resources
• Also known as Clientless VPN
• A browser that supports JavaScript can set up a VPN connection
• For a user, accessing VPN services is like accessing a company portal or company web
• Zero management/maintenance
• Administrator configures the resources available on the portal for users
• Per-group portal customization


Web Access Terminal…contd.

• VPN resources accessible through WAT are:
  • Web servers; e.g.
    • Corporate Intranet/portal
    • Sharepoint
  • Web-based application servers; e.g.
    • Outlook Web Access
    • Lotus Domino
    • Web-based databases like Oracle 9i, SQL

• Portal can be configured to provide Documents/Manuals to users


Web Access Terminal…contd.

• User opens WAT login page
  • https://companyvpn/sslvpn-plus/


Web Access Terminal…contd.

•Upon successful login, the WAT portal is available to user to access private network resources


Web Portal - Thin Applications

•Terminal emulators are provided on portal to access terminal servers and legacy hosts

•RDP, VNC, SSH and Telnet Java clients are available

•Useful to access legacy applications without installing any software on user machine or access from kiosk, hotel, etc.


Why Web portal is not enough

•Business applications are not just web-based applications. They include client-server components.

•Application implementation dependent

•URL rewriting is more than just HTML rewriting: Applets, flash, exe, …

•No in-office experience


Private Hyper Access Transport (PHAT)

• IPSec replacement client which provides IPSec-like full access but with zero configuration on client machine

• Support for all TCP/IP based applications and protocols (TCP, UDP, IP) is provided.

• Best use for
  • In-office experience for maximum productivity
  • VOIP and video conferencing

• Full Access client is configured from management console
• Administrative rights are required to install the client
• Client auto-updates without administrative rights
• Complete and strong endpoint security
• Supported on
  • Windows (2000 and above)
  • Linux (Redhat, Knoppix, Debian)
  • MAC OS-X (beta)


Network extension technology

Establish an SSL connection with SSL gateway

Intercept Application Traffic transparently

Encapsulate the control commands and data in proprietary protocols

Encrypt the data and send through SSL connection to gateway

Pass the data to applications transparently

Decode the control commands

Decrypt the data received on SSL connection from gateway

TRANSMISSION RECEPTION
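The encapsulate and decode steps listed above, as an added example (not NeoAccel's code): the slide calls the protocol proprietary, so the frame layout, type codes and names below are hypothetical, and encryption is assumed to be done by the SSL connection that carries these bytes.

```python
import struct

# Hypothetical frame layout (an assumption, not the vendor's format):
#   1 byte type | 2 bytes connection id | 2 bytes payload length | payload
HEADER = struct.Struct("!BHH")
CTRL_OPEN, CTRL_CLOSE, DATA = 1, 2, 3
KNOWN_TYPES = (CTRL_OPEN, CTRL_CLOSE, DATA)

def encode_frame(ftype, conn_id, payload=b""):
    """Transmission side: wrap a control command or intercepted data."""
    if ftype not in KNOWN_TYPES:
        raise ValueError("unknown frame type")
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for one frame")
    return HEADER.pack(ftype, conn_id, len(payload)) + payload

class FrameDecoder:
    """Reception side: rebuild frames from the decrypted byte stream,
    which can arrive split at arbitrary points."""
    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        self._buf += chunk
        frames = []
        while len(self._buf) >= HEADER.size:
            ftype, conn_id, length = HEADER.unpack_from(self._buf)
            if ftype not in KNOWN_TYPES:
                # Reject rather than resynchronise on a corrupt stream.
                raise ValueError("malformed frame: type %d" % ftype)
            end = HEADER.size + length
            if len(self._buf) < end:
                break  # wait for the rest of the payload
            frames.append((ftype, conn_id, bytes(self._buf[HEADER.size:end])))
            del self._buf[:end]
        return frames

def demo():
    # Constructed sample: open a forwarded connection, send data, close it.
    stream = (encode_frame(CTRL_OPEN, 7, b"10.0.0.5:25")
              + encode_frame(DATA, 7, b"EHLO example\r\n")
              + encode_frame(CTRL_CLOSE, 7))
    decoder, out = FrameDecoder(), []
    for i in range(0, len(stream), 5):  # deliver in small chunks
        out.extend(decoder.feed(stream[i:i + 5]))
    return out

if __name__ == "__main__":
    for frame in demo():
        print(frame)
```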


SSL VPN Network extension technology

[Figure: protocol stack diagram. Labels: SSL VPN; App; TCP; IP; SSL; TCP; IP; Enet; markers #1 and #2; User; Kernel.]


Other SSL VPNs: Packet flow

[Figure: packet flow diagram. Labels: SSL VPN client agent running on remote user's machine; SSL VPN Gateway; Private network servers.]

• D: Application TCP data packet
• A: Application TCP ACK packet
• SD: SSL tunnel data packet
• SA: SSL tunnel ACK packet

This is what will be achieved. This happens when the user is working in office, i.e. connected to LAN.


SSL VPN-Plus technology

[Figure: protocol stack diagram. Labels: SSL VPN; App; ICAA-TSSL; IP; TCP; Enet; marker #1; User; Kernel.]


Architecture difference

[Figure: two panels, "Architecture: Other SSL VPN" and "Architecture: SSL VPN-Plus", each showing a Remote User side and a Resource Gateway side. Labels: From Application; Application Level; User Mode; SSL Module; Network Module; ICAA-TSSL Module; OS Network Stack; To private Network.]


What's not so good about PHAT

• PHAT client cannot be used “Anywhere”. It has to be installed

• Administrative rights are required on user machine

• Secure transport for malware, spyware, trojans and viruses

• Where is my portal?


Quick Access Terminal

• A Java-enabled browser is required to initiate a VPN and access corporate resources
• Also known as Port forwarding client
• A Java applet gets downloaded on the user machine and initiates the VPN
• User can access TCP based client-server appliance off the portal
• Zero management/installation/maintenance
• Works like the Full Access client, the only limitation being support for IP, UDP and MS File shares
• Administrator configures the network resources for users
• Access to QAT client can be controlled from NMC on a per-group basis.


Quick Access Terminal…contd.

• VPN resources accessible through QAT are:
  • Any TCP based Application servers
    • Web Servers, E-mail servers, Citrix, SAP, Lotus Domino, Direct database from anywhere
    • Terminal Servers
    • SSH, Telnet and other legacy terminal emulators like TN5250 for IBM Mainframes access

• True Anything from Anywhere access

• In 2.0 beta, QAT runs only on Windows 2000 & above.


Quick Access Terminal…contd.

• User opens WAT login page
  • https://companyvpn/sslvpn-plus/


Quick Access Terminal…contd.

•Upon successful login, the QAT link is provided on WAT portal

Access QAT using this link


Quick Access Terminal…contd.

•Upon successful login, the QAT link is provided on WAT portal

Status of QAT.


Quick Access Terminal…contd.

•Access your TCP applications the normal way you work

Access any TCP based application


Questions?