1.1 SSL VPN Features

NetIQ SSL VPN comes with a number of key features that make the product secure, easy to access, and reliable.

Browser-Based End User Access

NetIQ SSL VPN has browser-based end user access that does not require users to preinstall any components on their machines. Users can access the SSL VPN services from any Web browser, from their personal computer, laptop, or from an Internet kiosk.

When users access SSL VPN through the Web browser, they are prompted to authenticate. On successful authentication, a Java applet or an ActiveX control is delivered to the client, depending on the browser. This establishes a secure tunnel between the user’s machine and the SSL VPN server.

Support on Linux, Macintosh, and Windows

The SSL VPN client is supported on Linux, Macintosh, and Windows environments. For a complete list of operating systems and browsers that are supported by SSL VPN, see Client Machine Requirements in the NetIQ Access Manager 3.2 SP2 SSL VPN User Guide.

Support on 64-Bit Clients

The Enterprise mode SSL VPN can be installed on 64-bit client configurations.

High-Bandwidth and Low-Bandwidth Versions

The SSL VPN comes in high-bandwidth and low-bandwidth versions. The default low-bandwidth SSL VPN server is restricted to 249 simultaneous user connections and a transfer rate of 90 Mbits per second because of export restrictions.

If the export law permits, you can install the high-bandwidth SSL VPN RPM to get the high-bandwidth capabilities, because that version does not have connection and performance restrictions. You can order the high-bandwidth SSL VPN key at no extra cost. It is essential to have the high-bandwidth SSL VPN if you want to cluster the SSL VPN servers.

For more information on how to order and install the high-bandwidth SSL VPN, and to upgrade the high-bandwidth version to the latest build, see Installing the Key for the High-Bandwidth SSL VPN in the NetIQ Access Manager 3.2 SP1 Installation Guide.

Traditional and ESP-Enabled Installation

You can install SSL VPN in two ways: as a Traditional SSL VPN or as an ESP-enabled SSL VPN.

For more information on these methods, see Section 1.2, Traditional and ESP-Enabled SSL VPNs.

Enterprise and Kiosk Modes for End User Access

The NetIQ SSL VPN uses both clientless and thin-client access methods. The clientless method is called the Kiosk mode SSL VPN and the thin-client method is called the Enterprise mode SSL VPN.

In the Enterprise mode, all applications, including those on the desktop and the toolbar, are enabled for SSL, regardless of whether they were opened before or after connecting to SSL VPN. In this mode, a thin client is installed on the user’s workstation, and the IP Forwarding feature is enabled by default. For more information on Enterprise mode, see Section 1.3.1, Enterprise Mode.

In the Kiosk mode, only a limited set of applications are enabled for SSL VPN. In Kiosk mode, applications that were opened before the SSL VPN connection was established are not enabled for SSL. For more information on Kiosk mode, see Section 1.3.2, Kiosk Mode.

As an SSL VPN server administrator, you can decide which users can connect in Enterprise mode and which users can connect in Kiosk mode, depending on the role of the user. Or you can let the client select the mode in which the SSL VPN connection is made. For more information on how to do this, see Section 4.0, Configuring How Users Connect to SSL VPN. Enterprise mode is available to a user who has administrator rights on a Windows workstation or root privileges on a Linux or Macintosh workstation. If the user does not have administrator rights or root privileges on that workstation, the SSL VPN connection is made in Kiosk mode.

Customized Home and Exit Pages for End Users

The home page and the exit page of the SSL VPN can be customized to suit the needs of different customers. For more information, see Section 7.1, Customizing SSL VPN User Interface.

Clustering SSL VPN

The SSL VPN servers can be clustered to provide load balancing and fault tolerance. When you form a cluster of SSL VPN servers, all members of a cluster should belong to only one type of SSL VPN and they should all be running the high-bandwidth SSL VPN. For example, all the members of a cluster should belong to either the ESP-enabled SSL VPN or the Traditional SSL VPN. For more information on SSL VPN clustering, see Section 5.0, Clustering the High-Bandwidth SSL VPN Servers.

End-Point Security Checks

The SSL VPN has a set of policies that can be configured to protect your network and applications from clients with inadequate security controls, and to restrict traffic based on the role of the client.

You can configure a client integrity check policy to run a check on the client workstations before establishing a tunnel to the SSL VPN. This check ensures that the users have specified software installed and running in their systems. Each client is associated with a security level, depending on the assessment of the client integrity check and the relevant traffic policies that are assigned. For more information on configuring end-point security, see Section 3.0, Configuring End-Point Security and Access Policies for SSL VPN.

Ability to Order Rules

If you have configured more than one rule for a user’s role, the rule that is placed first is applied first. The NetIQ SSL VPN allows you to change the order of rules by dragging and dropping them, based on their priority. For more information on rule ordering in the SSL VPN, see Ordering Traffic Policies.

Ability to Import and Export Policies

The NetIQ SSL VPN allows you to export the existing configuration into an XML file through the Administration Console. You can reimport this configuration later. This is a very useful feature when you upgrade your servers from one version to another. For more information, see Exporting and Importing Traffic Policies.

Desktop Cleanup Feature

When a user accesses a protected resource from outside the network through the SSL VPN, the sites that the user visited are stored in the browser history, and sensitive information might be stored in the cache or cookies. This is a potential security threat if it is not properly dealt with. The NetIQ SSL VPN client comes with the desktop cleanup feature, so the user has the option to delete all the browser history, cache, cookies, and files from the system before logging out of the SSL VPN connection.

If the user uses Firefox to connect to SSL VPN, the browsing data that was stored after the SSL VPN connection was made is deleted. In Internet Explorer, all the browser data is deleted, including the data that was stored before the SSL VPN session was established.

Sandbox Feature

When you connect to SSL VPN in either Kiosk mode or Enterprise mode, a folder named VPN-SANDBOX is created on your desktop. You can manually copy files to this folder, including files that you create or files that you download from your corporate network. This folder is automatically deleted along with its contents when you log out of the SSL VPN connection. This is a very useful feature if you are browsing from an Internet connection and you do not want any sensitive information to reach other persons. For more information on the sandbox feature of SSL VPN, see Using the Sandbox Feature in the NetIQ Access Manager 3.2 SP2 SSL VPN User Guide.

Custom Login Policy

When the custom login policy is configured, the SSL VPN redirects the custom login requests to different URLs based on the policy. This is a very useful feature when users want to access applications such as those on the Citrix application servers. For more information on how to configure a custom login policy, see Section 4.2.5, Configuring a Custom Login Policy for SSL VPN.