1.2 Traditional and ESP-Enabled SSL VPNs

The NetIQ SSL VPN can be deployed as either an ESP-enabled SSL VPN or a traditional SSL VPN.

When the SSL VPN is deployed without the Access Gateway, an Embedded Service Provider (ESP) component is installed along with the SSL VPN. This deployment requires the Identity Server and the Administration Console to be installed. This type of deployment is called an ESP-enabled SSL VPN. You can deploy the ESP-enabled SSL VPN in the following scenarios:

When the SSL VPN is deployed with the Access Gateway, it is called a traditional SSL VPN. In this type of installation, the SSL VPN is deployed with the Identity Server, Administration Console, and the Access Gateway.

Deploy the traditional SSL VPN if you implement Access Manager for Web SSO and want secure access to native applications.

1.2.1 ESP-Enabled SSL VPN

In an ESP-enabled SSL VPN, the process involved in establishing a secure connection between a client machine and the different components of Access Manager is as follows:

  1. The user specifies the following URL to access the SSL VPN:

    https://<www.sslvpn.novell.com>/sslvpn/login
    

    <www.sslvpn.novell.com> is the DNS name of the SSL VPN, and /sslvpn/login is the path of the SSL VPN.

  2. The SSL VPN redirects the browser to the Identity Server for authentication.

  3. After successful authentication, the Identity Server redirects the browser back to the SSL VPN.

  4. The Identity Server propagates the session information to the SSL VPN through the Embedded Service Provider.

  5. The SSL VPN server injects the SSL VPN policy for that user into the SSL VPN servlet. The SSL VPN servlet processes the parameters and sends the policy information back to the server.

  6. The SSL VPN checks if the client machine has sufficient security restraints. For more information on client integrity checks, see Section 3.1, Configuring Policies to Check the Integrity of the Client Machine.

  7. When the user accesses the applications behind the protected network, the connection goes through the secure tunnel formed with the SSL VPN.

  8. The browser stays open throughout the SSL VPN connection to allow the keep alive packets.

  9. When the user clicks the logout button to close the SSL VPN session, all the client components are automatically uninstalled from the workstation.

1.2.2 Traditional NetIQ SSL VPN

The following figure shows the Access Manager components and the process involved in establishing a secure connection between a client machine and a traditional SSL VPN. In this type of deployment, the Access Gateway accelerates and protects the SSL VPN.

Figure 1-1 Traditional SSL VPN

  1. The user specifies the following URL to access the SSL VPN:

    https://<www.ag.novell.com>:8443/sslvpn/login
    

    <www.ag.novell.com> is the DNS name of the Access Gateway that accelerates the SSL VPN, and /sslvpn/login is the path of the SSL VPN.

  2. The Access Gateway redirects the user to the Identity Server for authentication, because the URL is configured as a protected resource.

  3. The Identity Server authenticates the user’s identity.

  4. The Identity Server propagates the session information to the Access Gateway through the Embedded Service Provider.

  5. The Access Gateway injects the SSL VPN policy for that user into the SSL VPN servlet. The SSL VPN servlet processes the parameters and sends the policy information back to the Access Gateway.

  6. The SSL VPN checks if the client machine has sufficient security restraints. For more information on client integrity checks, see Section 3.1, Configuring Policies to Check the Integrity of the Client Machine.

  7. One of the following actions takes place, depending on the mode of the SSL VPN connection:

    • In the Enterprise mode, a tunnel interface is created and is bound with the tunnel IP address assigned by the SSL VPN. A secure tunnel is established between the client machine and the SSL VPN, and the routing table is updated with the protected network configuration.

    • In the Kiosk mode, a secure tunnel is established between the client machine and the SSL VPN, and the protected network configuration is pushed to the client.

  8. When the user accesses the applications behind the protected network, the connection goes through the secure tunnel formed with the SSL VPN and not through the Access Gateway.

  9. The browser stays open throughout the SSL VPN connection to allow the keep alive packets to go through the Access Gateway.

  10. When the user clicks the logout button to close the SSL VPN session, all the client components are automatically uninstalled from the workstation.

1.2.3 High-Bandwidth and Low-Bandwidth SSL VPNs

NetIQ SSL VPN comes in high-bandwidth and low-bandwidth versions.

Low-Bandwidth Version: The default SSL VPN server is a low-bandwidth version. It is restricted to 249 simultaneous user connections and a transfer rate of 90 Mbits per second because of export restrictions.

High-Bandwidth Version: The high-bandwidth version does not have the connection and performance restrictions. It is essential to have the high-bandwidth SSL VPN installed if you want to cluster the SSL VPN servers.

If the export law permits, you can order the high-bandwidth SSL VPN RPM and get the high-bandwidth capabilities at no extra cost. After the export controls have been satisfied, the order will be fulfilled. You can install the high-bandwidth SSL VPN RPM on both the Traditional NetIQ SSL VPN server and on the ESP-enabled NetIQ SSL VPN server.

Your regular NetIQ sales channel can determine if the export law allows you to order the high-bandwidth version at no extra cost.

For more information on how to order and install the high-bandwidth SSL VPN, and to upgrade the high-bandwidth version to the latest build, see Installing the Key for the High-Bandwidth SSL VPN in the NetIQ Access Manager 3.2 SP1 Installation Guide.