NetIQ Documentation: NetIQ Access Manager Appliance 4.0 SSL VPN Server Guide - NetIQ SSL VPNs

1.2 NetIQ SSL VPNs

The following figure shows the Access Manager components and the process involved in establishing a secure connection between a client machine and the SSL VPN. In this deployment, the Access Gateway accelerates and protects the SSL VPN.

Figure 1-1 NetIQ SSL VPN

The user specifies the following URL to access the SSL VPN:
```
https://<www.ag.novell.com>:8443/sslvpn/login
```
<www.ag.novell.com> is the DNS name of the Access Gateway that accelerates the SSL VPN, and /sslvpn/login is the path of the SSL VPN.
The Access Gateway redirects the user to the Identity Server for authentication, because the URL is configured as a protected resource.
The Identity Server authenticates the user’s identity.
The Identity Server propagates the session information to the Access Gateway through the Embedded Service Provider.
The Access Gateway injects the SSL VPN policy for that user into the SSL VPN servlet. The SSL VPN servlet processes the parameters and sends the policy information back to the Access Gateway.
The SSL VPN checks if the client machine has sufficient security restraints. For more information on client integrity checks, see Section 3.1, Configuring Policies to Check the Integrity of the Client Machine.
One of the following actions takes place, depending on the mode of the SSL VPN connection:
- In the Enterprise mode, a tunnel interface is created and is bound with the tunnel IP address assigned by the SSL VPN. A secure tunnel is established between the client machine and the SSL VPN, and the routing table is updated with the protected network configuration.
- In the Kiosk mode, a secure tunnel is established between the client machine and the SSL VPN, and the protected network configuration is pushed to the client.
When the user accesses the applications behind the protected network, the connection goes through the secure tunnel formed with the SSL VPN and not through the Access Gateway.
The browser stays open throughout the SSL VPN connection to allow the keep alive packets to go through the Access Gateway.
When the user clicks the logout button to close the SSL VPN session, all the client components are automatically uninstalled from the workstation.

If your organization has native applications that require secure Internet access and you do not need acceleration of Web applications.
You have implemented a different solution for Web SSO and need the SSL VPN for tunneling native applications.
You do not want Web SSO but you need secure access to the native applications or Web server.

Deploy the traditional SSL VPN if you implement Access Manager for Web SSO and want secure access to native applications.

1.2.1 High-Bandwidth and Low-Bandwidth SSL VPNs

NetIQ SSL VPN comes in high-bandwidth and low-bandwidth versions.

Low-Bandwidth Version: The default SSL VPN server is a low-bandwidth version. It is restricted to 249 simultaneous user connections and a transfer rate of 90 Mbits per second because of export restrictions.

High-Bandwidth Version: The high-bandwidth version does not have the connection and performance restrictions. It is essential to have the high-bandwidth SSL VPN installed if you want to cluster the SSL VPN servers.

If the export law permits, you can order the high-bandwidth SSL VPN RPM and get the high-bandwidth capabilities at no extra cost. After the export controls have been satisfied, the order will be fulfilled. You can install the high-bandwidth SSL VPN RPM on both the Traditional NetIQ SSL VPN server and on the ESP-enabled NetIQ SSL VPN server.

Your regular NetIQ sales channel can determine if the export law allows you to order the high-bandwidth version at no extra cost.