12 Replies Latest reply: Jul 10, 2010 7:53 AM by Michael Law


    Michael Law

      Topic: SSL VPNs


      Question: When are they used? Do I see them often? I see SSL when browsing to major websites like CLN, MS Hotmail, MS OWA. Is this considered the same thing or is SSL VPN totally different than just viewing webpages? Is it called a VPN because of all the VPN-like features in the delivery of critical information?





        • 1. Re: SSL VPN

          Hi Michael


          SSL is on virtually every PC in the world. So if I wanted to create a private tunnel between two parties I would need some security technology. And since SSL exists on every PC it is the ideal candidate. I think tunnel throughput is not particularly high but with modern bandwidth that is not a problem.


          Regards Conwyn

          • 3. Re: SSL VPN
            Michael Law



            So are you saying that SSL VPNs are abundant and portable for any application that needs to communicate over a secure connection provided that the two endpoints support SSL VPN? Therefore, transmission between my machine and the CLN uses an SSL VPN, correct? Does the SSL VPN terminate at the Web server or does it terminate prior at a device that can offload the burden?





            • 4. Re: SSL VPN
              Keith Barker - CCIE RS/Security, CISSP



              Topic: SSL VPNs


              Question: When are they used? Do I see them often? I see SSL when browsing to major websites like CLN, MS Hotmail, MS OWA. Is this considered the same thing or is SSL VPN totally different than just viewing webpages? Is it called a VPN because of all the VPN-like features in the delivery of critical information?






              Hello Mike -


              An HTTPS session to a web server is different than the Cisco concept of SSL VPN. For example, with the AnyConnect Cisco client, a client can begin by connecting to the head end SSL VPN server, using only SSL, and after authenticating can have the AnyConnect client downloaded and installed on the PC. The AnyConnect client, then still using SSL (as opposed to ESP or AH, the IPsec protocols), can be assigned a routable virtual IP address from the head end server, and the client can tunnel traffic to the corporate network just as if they were running an IPsec VPN client. The big difference is the transport: SSL vs IPsec.


              Best wishes,
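
              Added example, not part of any post in this thread and not Cisco's code: a sketch of what "tunnelling traffic over SSL" means once the client has a virtual IP. Whole IP packets are carried as payload in the TLS byte stream, and the head end reassembles them and checks the inner source address. The 2-byte length framing, the addresses and all function names are assumptions for illustration; the TLS layer itself is left out and the byte stream stands for its decrypted output.

```python
import ipaddress
import struct

def ipv4_packet(src, dst, payload, proto=17):
    """Build a minimal IPv4 packet (20-byte header, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:] + payload

def frame(packet):
    """Hypothetical tunnel framing: 2-byte length prefix, then the IP packet."""
    return struct.pack("!H", len(packet)) + packet

class Deframer:
    """Recover whole packets from the decrypted TLS byte stream, which has
    no message boundaries: one read may hold half a packet or several."""
    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        packets = []
        while len(self.buf) >= 2:
            (n,) = struct.unpack("!H", self.buf[:2])
            if n < 20:
                raise ValueError("frame shorter than an IPv4 header")
            if len(self.buf) < 2 + n:
                break  # wait for the rest of this packet
            packets.append(self.buf[2:2 + n])
            self.buf = self.buf[2 + n:]
        return packets

def head_end_accepts(packet, assigned_ip):
    """Head-end sanity check: well-formed IPv4 whose inner source is the
    virtual address this session was assigned (anti-spoofing)."""
    ver_ihl, _tos, total_len = struct.unpack("!BBH", packet[:4])
    src = str(ipaddress.IPv4Address(packet[12:16]))
    return ver_ihl == 0x45 and total_len == len(packet) and src == assigned_ip

if __name__ == "__main__":
    # Constructed sample: client assigned 10.10.10.5 sends to an internal host.
    good = ipv4_packet("10.10.10.5", "10.1.1.20", b"hello")
    bad = ipv4_packet("192.0.2.99", "10.1.1.20", b"spoof")
    stream = frame(good) + frame(bad)
    d = Deframer()
    for chunk in (stream[:7], stream[7:30], stream[30:]):
        for pkt in d.feed(chunk):
            print(head_end_accepts(pkt, "10.10.10.5"), len(pkt))
```

              An HTTPS session to a web server has no equivalent of this step: the server sees HTTP requests, not IP packets with an assigned inner address.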



              • 5. Re: SSL VPN

                Hi Michael




                Imagine SSL like TCP. Two users can run a TCP session between them. Two users can run SSL between them.


                TCP carries HTTP, FTP, mail, etc., and SSL carries the tunnel protocol at the conceptual level. HTTPS is an example. VPN-SSL is another.


                Please read the URL I cited.


                Regards Conwyn

                • 6. Re: SSL VPN

                  I am running a setup that Keith has described. Before the AnyConnect client, the old 3000 series VPN concentrators had an SSL VPN client and what you did was go to a web portal, authenticate, and then the SSL VPN client would download on your computer and establish a VPN connection that used SSL as the transport instead of IPsec.


                  It was nice because we didn't have to worry about installing and configuring the Cisco VPN Client... although I still do use the IPsec client as well.

                  • 7. Re: SSL VPN
                    Michael Law

                    Thanks to Conwyn, Keith and Jared.


                    Conwyn - I'll read that article after I take my CCDA on Saturday and get back with you on this post. I need to stay focused on the exam first.


                    Thanks again everyone,



                    • 8. Re: SSL VPN
                      Michael Law

                      Conwyn - I tried to schedule my CCDA for Saturday morning and it turns out they're not open on Saturdays during the summer. What a bummer! It's the only time I can go without asking for time off. I guess the CCDA will have to wait for another day.


                      Anyhow, now that I'm released from the CCDA burden, I read the article you posted. From what I gather, also like Keith said, SSL VPNs are very similar to IPsec VPNs in their goal. Both are to provide secure connectivity over an unsecured network to reduce cost. I assume like the IPsec VPN, the SSL VPN can provide encryption, integrity and authentication? IPsec is a framework of different protocols, while SSL is one-size-fits-all for VPN--is that true?


                      The article mentions that all traffic flows through the web browser. Does this mean that all traffic is pushed via HTTP and secured via SSL?


                      I think I realize why I'm having trouble with this concept. The CCNA Security Course Booklet talks about IPsec VPN for many, many pages and just glances at SSL VPNs. You would think that if both technologies achieve the same goal through different means, they would be documented equally. Oh well.


                      Thanks again Conwyn and Keith

                      • 9. Re: SSL VPN

                        Now, my use of VPNs is very limited, but after doing the ISCW which was very similar to CCNA Security, I realized that the focus was also on IPsec and very little on SSL VPNs. I think the reason why is because there are different implementations or reasons to implement a VPN. For example, in ISCW and CCNA Security, point-to-point VPNs are discussed and focus on IPsec. This would be great on a couple of routers if you wanted to secure/encrypt your WAN link traffic. So an IPsec VPN makes sense. For a client computer that wants to VPN into the corporate network, an SSL VPN makes more sense because every client has a web browser and there would be very little, if any, setup required on the client station.


                        In those classes, the point-to-point VPN seems to be a major topic and the client VPN a lesser topic.


                        This is just an example I have been able to come up with as far as when you would want to use IPsec vs SSL. I have not played with SSL point-to-point VPNs and don't even know if it's a feature, but I have used client VPNs and they are very nice. This was my observation when I did ISCW way back in the day.

                        • 10. Re: SSL VPN
                          Paul Stewart  -  CCIE Security

                          I think it is really hard to understand what the SSL VPN is in the Cisco world until you see it in action. SSL VPN includes several different use scenarios including:


                          HTTPS access to internal web sites

                          HTTPS access to CIFS (Microsoft) file shares

                          Browser Plugins (like Java app to allow SSL access to Terminal Services, or Java Plugin for SSH/Telnet)

                          Smart Tunnels--automagically tunnels traffic from certain apps

                          Port Forwarding--client connects to some tcp port on and that is tunnelled back to enterprise network

                          Anyconnect/SVC--allows EasyVPN like connectivity over DTLS or TLS using UDP or TCP respectively


                          As you can see, SSL VPN is a bunch of components. It's really hard to visualize what it is until you see it in action. I think Cisco would sell a lot more of their SSL VPN licenses if they would build a publicly accessible demo site for it.

                          • 11. Re: SSL VPN
                            Mohamed Sobair



                            With SSL VPN, the connection between the host and the SSL web server is encrypted. Using the cryptography concept, an SSL web server uses a digitally signed certificate to identify the host owner of the site. Those digitally signed certificates are obtained from third-party Certification Authorities (CAs).


                            When a user tries to connect to an SSL web server, the user actually sends information to the 3rd party CA; the CA identifies the ownership of the site by confirming its public key, which was widely published, while its private key stays only with the web server.


                            To conclude, with an SSL VPN a VPN tunnel is created, but rather than the host having the public key published to remote hosts here, a 3rd party CA has its public key and confirms the identity of the owner.





                            • 12. Re: SSL VPN
                              Michael Law

                              5 different responders... This is why the CLN is great!!


                              Thanks everyone for your responses!