Securing Remote Access with SSL VPNs
In part 2 of our SSL VPN series, we illustrate this "anywhere" remote access approach by taking the SonicWALL Aventail EX-1600 out for a test drive.

Series Summary
Part 1: Reinventing remote access
In Part 1 of this series, we explored the appeal of SSL VPNs and why many organizations are using them to augment or replace older IPsec VPN remote access concentrators. Next, we will illustrate how SSL VPN appliances work by taking you on a guided tour of the SonicWALL Aventail EX-1600.
Not your father's VPN
We chose to illustrate SSL VPNs with the SonicWALL Aventail EX-1600 appliance because many of the managed security service providers we surveyed over the years used this product line. This well-known appliance also supported the diverse collection of SSL-based access methods that we wanted to illustrate in this series. We installed the EX-1600, a SonicWALL "e-class" SSL VPN appliance for mid-sized companies and enterprise departments with up to 250 concurrent users. Organizations with 50 users or less can buy the smaller EX-750, while large enterprises can cluster up to eight EX-2500s, supporting up to 2000 users apiece. Our EX-1600 ran Aventail 9.0 software and was priced at $9,995 for 25 users.
Appliance installation
Alternatively, we could have deployed the EX-1600 in single-homed mode, sending and receiving all traffic through one DMZ port. But single-homed deployment would not have given users access to the LAN resources we wanted to expose, most notably Windows file shares, because those assets were not DMZ-reachable. The appliance also needed to reach our LDAP and RADIUS authentication servers, our private DNS, and (optionally) SNMP and Syslog servers. Dual-homing seemed easier and safer.

Most SSL VPN appliances, including the EX-1600, are not designed to terminate site-to-site VPN tunnels. SSL VPN appliances serve as access concentrators; they should be placed behind (and protected by) a perimeter firewall. However, that firewall must let Internet traffic arriving on TCP ports 80 and 443 reach the appliance for most SSL VPN access methods to operate correctly.

Next, we identified the public IP address and hostname used to reach the appliance. All users visit this URL, and the appliance must prove its own identity using a digital certificate bound to this hostname. As we later learned, when custom SSL VPN portal pages are presented to different user communities, you may actually prefer to reach each of them through its own virtual IP, hostname, and certificate.

For our test purposes, a single appliance was plenty. However, when an SSL VPN is deployed in a production network, high availability may be needed. The EX-1600 can be deployed in identical load-balanced active/active pairs, using a third GigE port to continuously synchronize configuration and state between them.

We completed installation by supplying the usual prerequisites through a Set-Up Wizard (see figure). The only tricky question concerned routing mode: dual gateway, single gateway restricted, single gateway unrestricted, or no gateway. We ended up trying this more than one way before settling on single gateway unrestricted so that remote users could access the Internet through the appliance.
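A check worth running once the public hostname and certificate are in place, added here as an example and not part of the original article or of the Aventail product: confirm that the certificate each portal hostname presents is actually bound to that hostname (requested via SNI, since per-community virtual hostnames each carry their own certificate) and has not expired. The hostname vpn.example.com and the self-signed certificate generated by make_test_cert are constructed for offline testing only.

```shell
#!/bin/sh
# Verify that an SSL VPN portal presents a certificate bound to the hostname
# users are told to visit. Requires only the openssl command-line tool.

fetch_portal_cert() {
  # $1 = portal hostname, $2 = TCP port (443 for the SSL VPN), $3 = output PEM
  # -servername sends SNI so an appliance hosting several virtual portal
  # hostnames returns this hostname's certificate rather than a default one.
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3"
}

cert_bound_to_host() {
  # $1 = PEM certificate, $2 = expected portal hostname
  # -checkhost matches subjectAltName DNS entries (falling back to CN) the way
  # browsers and VPN clients do; its exit status is always 0, so grep the verdict.
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

cert_not_expired() {
  # $1 = PEM certificate; exit 0 only if the certificate is valid right now
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

check_portal() {
  # $1 = portal hostname, $2 = PEM certificate fetched from (or saved for) it
  cert_bound_to_host "$2" "$1" || { echo "FAIL $1: certificate not bound to hostname"; return 1; }
  cert_not_expired "$2"       || { echo "FAIL $1: certificate expired"; return 1; }
  echo "OK $1"
}

make_test_cert() {
  # Constructed fixture for offline testing: $1 = output PEM, $2 = hostname.
  # A self-signed cert with a SAN entry; never use this for a real portal.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Live use against a real portal (hostname assumed, not run here):
# fetch_portal_cert vpn.example.com 443 /tmp/vpn.pem && check_portal vpn.example.com /tmp/vpn.pem
```

Run check_portal once per virtual portal hostname; a hostname that fails the binding check is one whose users will see certificate warnings and learn to click through them.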