Web Based VPN/SSH?

nitrobass24

I'm looking for something that will allow users to connect using VPN or SSH without having them install software on the remote computer.

We have a ton of users and we want them to be able to use network resources, but don't want to support/be liable for people's home computers.

What are my options?

Side Note: This is not for me, it is for uneducated computer users.
 
PuTTY Portable an option?

Too complicated for my user base.
These are not tech-savvy people using this by any standard.

Ideally my solution would be www.VPN.company.com
and they enter a user name and password.

Basic and easy to use are of most importance.
Cost is secondary.

Does Cisco have anything like this? They have an ASA 5500. Even if we need to buy more licensing to do it, that is fine.
 
Yea, the SSL VPN would accomplish what you want. You'd need the SEC Plus license to get a decent amount of SSL connections though.

Edit: Scratch that, the SEC Plus is still only two SSL. Looks like you need this bundle "ASA5505-SSL25-K9" for 25 SSL users, and a 5510 for more than that.
 
Cisco has WebVPN, which is pretty awesome. It supports CIFS so you can get into file shares inside the network via a GUI. It will also let you set up a Full Client that will download, install, and configure itself.

The thin client will allow for port bindings internally, so for example if you want to RDP to a desktop you set up the binding to go RDPPC:3389 ---> :1000, then run MSTSC and connect to RDPPC:1000 and it will connect through the tunnel.

It also supports website redirection through the tunnel, so that if you have an intranet site it will browse through the tunnel.

All in all, pretty nice solutions. Don't know if it works on the ASAs or not, but must be licensed.

Edit: According to the above post it will work on the ASAs
 
If you want to use a free one....yeah check out "OpenVPN" linked above....I built a few boxes using an earlier version it branched from..."SSL Explorer"

If you want a "paid for" product with support, I'm a big fan of Juniper's SSL VPN appliances, check out their SA series of dedicated SSL VPN boxes. They're so nice, rock solid, and great support.

At clients I've replaced their prior IPSec VPN stuff with....you also get rid of most of the headaches that come with end users' machines.

Check out some of Juniper's boxes
http://www.juniper.net/us/en/products-services/security/sa-series/
Dunno how many remote users you have...but starting with the SA700...
Depending on what options you have, you can even customize the web based portal for your users, and have "shortcuts" right on the web portal to network resources that you make available. VERY cool feature.
 
Yea, the SSL VPN would accomplish what you want. You'd need the SEC Plus license to get a decent amount of SSL connections though.

Edit: Scratch that, the SEC Plus is still only two SSL. Looks like you need this bundle "ASA5505-SSL25-K9" for 25 SSL users, and a 5510 for more than that.

Yeah, it kills me that they charge so much for the SSL VPN license. It's a solid feature, but to get off the initial 2 licenses that are included is insanely expensive.

If you want user friendly, you want SSL VPN. Nothing easier lol
 
The ASA5505 running 8.x code will do SSL VPN for 2 concurrent connections. If you want more you can get SSL Lite licensing for 10 or 25 concurrent connections. The Lite licenses are pretty cheap.
 
I don't know what your budget is....or how many users you need to have VPN concurrently...if you're getting scared at the price tag of some beefier SSL VPN solutions like Juniper's or Cisco's, just to show you some offerings towards the bottom of the scale, check out this review on Netgear's budget solution
http://www.smallnetbuilder.com/content/view/28920/109/

I'm normally not a huge fan of Netgear, I haven't worked with one of these units, but Tim's site does some pretty straight-up reviews.
 
I don't see any reason to introduce new devices to the network for SSL VPN when their current ASA5505 has the capability. The 10-user license for SSL Lite is only $100. The configuration isn't too bad either.
 
I don't see any reason to introduce new devices to the network for SSL VPN when their current ASA5505 has the capability. The 10-user license for SSL Lite is only $100. The configuration isn't too bad either.

Oh, I thought someone said for more VPN users it was really expensive?
Do you have a link?
 
Logmein.com has a web based VPN client.

It's free for home use.

I've been using logmein for years.
 
Oh, I thought someone said for more VPN users it was really expensive?
Do you have a link?

The traditional SSL VPN license is very expensive, about $800 for 10 concurrent users. However, enough customers bitched about it and Cisco not supporting x64 for the IPSec VPN client that they released an "AnyConnect Essentials" license that just does AnyConnect with no WebVPN capabilities and it's actually reasonably priced.

http://www.cisco.com/en/US/prod/col...094/ps6120/prod_brochure0900aecd80402e39.html


Here are the bundles:

10 SSL VPN users

Cisco ASA 5505 SSL/IPsec VPN Edition for 10 concurrent SSL VPN users (AnyConnect Premium-SSL VPN Edition)

ASA5505-SSL10-K9



25 SSL VPN users

Cisco ASA 5505 SSL/IPsec VPN Edition for 25 concurrent SSL VPN users (AnyConnect Premium-SSL VPN Edition)

ASA5505-SSL25-K9



And here is the part number for the license only, for adding to an existing ASA5505 firewall. The ASA5505 can only support a maximum of 25 concurrent SSL VPN sessions, so if you need more than that you'll have to upgrade to a 5510. Expect pricing in the neighborhood of $75-100.

ASA-AC-E-5505=
 
I don't see any reason to introduce new devices to the network for SSL VPN when their current ASA5505 has the capability. The 10-user license for SSL Lite is only $100. The configuration isn't too bad either.

I misinterpreted the above post..when he mentioned "Cisco..they have an ASA blah blah"...I figured he was referring to Cisco offerings instead of the actual client/his office "currently owns" one.
 
The traditional SSL VPN license is very expensive, about $800 for 10 concurrent users. However, enough customers bitched about it and Cisco not supporting x64 for the IPSec VPN client that they released an "AnyConnect Essentials" license that just does AnyConnect with no WebVPN capabilities and it's actually reasonably priced.

http://www.cisco.com/en/US/prod/col...094/ps6120/prod_brochure0900aecd80402e39.html


Here are the bundles:

10 SSL VPN users

Cisco ASA 5505 SSL/IPsec VPN Edition for 10 concurrent SSL VPN users (AnyConnect Premium-SSL VPN Edition)

ASA5505-SSL10-K9



25 SSL VPN users

Cisco ASA 5505 SSL/IPsec VPN Edition for 25 concurrent SSL VPN users (AnyConnect Premium-SSL VPN Edition)

ASA5505-SSL25-K9



And here is the part number for the license only, for adding to an existing ASA5505 firewall. The ASA5505 can only support a maximum of 25 concurrent SSL VPN sessions, so if you need more than that you'll have to upgrade to a 5510. Expect pricing in the neighborhood of $75-100.

ASA-AC-E-5505=

Ok well they have a 5510 at each site.
I would prob need two 25 connection licenses.

ASA-AC-E-5505=
This part seems to be only for ASAs that are version 8.2 and above. These ASAs are 7.2(2)
 
Ok well they have a 5510 at each site.
I would prob need two 25 connection licenses.

ASA-AC-E-5505=
This part seems to be only for ASAs that are version 8.2 and above. These ASAs are 7.2(2)

If you have SmartNet, go update them. 8.2 and the ASDM updates are nice
 
You can't have the SSL VPN action with code less than 8.x. Hopefully you have SmartNet coverage, if so go download that crap and update those pigs.
 
The thin client will allow for port bindings internally, so for example if you want to RDP to a desktop you set up the binding to go RDPPC:3389 ---> :1000, then run MSTSC and connect to RDPPC:1000 and it will connect through the tunnel.
Hi. Trying to follow your method here. We're using WebVPN on an ASA. Are you describing setting up the "port forwarding" feature of the Cisco when you talk about "setup the binding"? Thanks.
 
Hi. Trying to follow your method here. We're using WebVPN on an ASA. Are you describing setting up the "port forwarding" feature of the Cisco when you talk about "setup the binding"? Thanks.

You'd be better off starting your own thread instead of bringing up an old forum of a different topic aim. Welcome to the forum by the way.
 
Thanks for the suggestion of a fresh topic. But my aim is only to have one of the options discussed in this topic fully described.
 
Thanks for the suggestion of a fresh topic. But my aim is only to have one of the options discussed in this topic fully described.

Well, this is an 8-month-old thread about what VPN service to choose from. You want to know about how to do something VPN related that was briefly mentioned in this thread. You will be better off and possibly get an answer sooner if you make a new thread. It doesn't cost anything to make one :p. Just click New Thread, make a title such as "Question about Cisco VPN" and make your message like "I'm trying to set up binding of ports on my Cisco VPN. I am using a Cisco blah blah and I want the functionality of it to work like blah blah."

A lot of people read the first post to see if they have something to discuss but don't read on. If they don't care about adding to the original discussion they will never see your post, even if they could help with it. If you make your own, you will get more help most likely from people who know.
 
The thing with web-based VPN is that often they still need to use stuff like ActiveX and Java, which end up turning into a support nightmare too. Different browsers, people using Vista/7, or even Macs, etc... sometimes it's something as simple as them allowing the site in some security setting, or clicking a checkbox somewhere, but trying to troubleshoot over the phone why they can't connect can be a real nightmare.

We deal with it all the time where I work because they insist on allowing everybody and their dog access to the network, instead of restricting to only people who have a company laptop. If it was my choice we'd never allow non managed PCs on the network, period. It's too much of a support nightmare, not to mention the potential security risk due to lack of control of these machines. If I was in charge people would probably call me network nazi lol.
 
My client has a software product that either can be licensed and installed on their customers' systems, or installed so that we host it and customers "just" need a browser to access it. Evidently the customers' own sysadmins (at some good-sized firms) are enough of a bother for the staff there that some of them prefer my client hosts the thing. But note the requirement here: nothing (much) is to be installed on their customer's system. They're buying the convenience of "nothing to install, works in a browser."

But it's really working via RDP, on a desktop on my client's systems. The ActiveX and Java RDP plugins Cisco distributes are clunky, particularly because it can take a few attempts to get the ActiveX one to even download, and the Java one doesn't do full screen. Cisco won't improve them because it claims, no joke, the GPL won't allow that. Not sure whether Cisco is being stupid or dishonest there, since it's plain not true about the GPL.

There are two ways to set up an ASA (which Cisco calls "port forwarding" and "smart tunneling") that reportedly allow a WebVPN connection, with merely the help of a smaller, less problematic bit of Java, to tunnel a real RDP session, using the standard Windows (or other OS) RDP client. This should be far better than those plugins. But Cisco's docs are vague - a mix of marketing-speak with some specific instructions that are incomplete, and no real conceptual background on the engineering behind the features. The hints are there, but it would take trial-and-error to make sense of them. It's a hosting firm we need to ask to make the trial-and-error in this case. That's why I'm looking for advice on a more precise recipe to pass on to them than the Cisco docs provide.
 