1.1 SSL VPN Features

Novell SSL VPN comes with a number of key features that make the product secure, easy to access, and reliable.

Browser-Based End User Access

Novell SSL VPN has browser-based end user access that does not require users to preinstall any components on their machines. Users can access the SSL VPN services from any Web browser, from their personal computer, laptop, or from an Internet kiosk.

When users access SSL VPN through the Web browser, they are prompted to authenticate. On successful authentication, a Java applet or an ActiveX control is delivered to the client, depending on the browser. This establishes a secure tunnel between the user’s machine and the SSL VPN server.

Support on Linux, Macintosh, and Windows

The SSL VPN client is supported on Linux, Macintosh, and Windows environments. For a complete list of operating software and browsers that are supported by SSL VPN, see Client Machine Requirements in the Novell Access Manager 3.1 SP5 SSL VPN User Guide.

Support on 64-Bit Clients

Enterprise mode SSL VPN can be installed on 64-bit client configurations.

High-Bandwidth and Low-Bandwidth Versions

Novell SSL VPN comes in high-bandwidth and low-bandwidth versions. The default low-bandwidth SSL VPN server is restricted to 249 simultaneous user connections and a transfer rate of 90 Mbits per second because of export restrictions.

If the export law permits, you can install the high-bandwidth SSL VPN RPM to get the high-bandwidth capabilities, because that version does not have connection and performance restrictions. You can order the high-bandwidth SSL VPN key at no extra cost. It is essential to have the high-bandwidth SSL VPN if you want to cluster the SSL VPN servers.

For more information on how to order and install the high-bandwidth SSL VPN, and to upgrade the high-bandwidth version to the latest build, see Installing the Key for the High-Bandwidth SSLVPN in the Novell Access Manager 3.1 SP4 Installation Guide.

Traditional and ESP-Enabled Installation

You can install SSL VPN in two ways:

For more information on these methods, see Section 1.2, Traditional and ESP-Enabled SSL VPNs.

Enterprise and Kiosk Modes for End User Access

The Novell SSL VPN uses both clientless and thin-client access methods. The clientless method is called the Kiosk mode SSL VPN and the thin-client method is called the Enterprise mode SSL VPN.

In Enterprise mode, all applications, including those on the desktop and the toolbar, are enabled for SSL, regardless of whether they were opened before or after connecting to SSL VPN. In this mode, a thin client is installed on the user’s workstation, and the IP Forwarding feature is enabled by default. For more information on Enterprise mode, see Section 1.3.1, Enterprise Mode.

In Kiosk mode, only a limited set of applications are enabled for SSL VPN. In Kiosk mode, applications that were opened before the SSL VPN connection was established are not enabled for SSL. For more information on Kiosk mode, see Section 1.3.2, Kiosk Mode.

As SSL VPN server administrators, you can decide which users can connect in Enterprise mode and which users can connect in Kiosk mode, depending on the role of the user. Or you can let the client select the mode in which the SSL VPN connection is made. For more information on how to do this, see Section 4.0, Configuring How Users Connect to SSL VPN. Enterprise mode is available to a user who has the administrator right in a Windows workstation or a root user privilege on Linux or Macintosh workstations. If the user does not have administrator rights or root user privileges for that workstation, the SSL VPN connection is made in Kiosk mode.

Customized Home and Exit Pages for End Users

The home page and the exit page of SSL VPN can be customized to suit the needs of different customers. For more information, see Section 7.1, Customizing the SSL VPN User Interface.

Clustering SSL VPN Servers

The SSL VPN servers can be clustered to provide load balancing and fault tolerance, When you form a cluster of SSL VPN servers, all members of a cluster should belong to only one type of SSL VPN and they should all be running the high-bandwidth SSL VPN. For example, all the members of a cluster should belong to either the ESP-enabled SSL VPN or the Traditional SSL VPN. For more information on SSL VPN clustering, see Section 5.0, Clustering the High-Bandwidth SSL VPN Servers.

End-Point Security Checks

The Novell SSL VPN has a set of policies that can be configured to protect your network and applications from clients that are using insufficient security restraints and also to restrict the traffic based on the role of the client.

You can configure a client integrity check policy to run a check on the client workstations before establishing a tunnel to SSL VPN server. This check ensures that the users have specified software installed and running in their systems. Each client is associated with a security level, depending on the assessment of the client integrity check and the relevant traffic policies that are assigned. For more information on configuring end-point security, see Section 3.0, Configuring End-Point Security and Access Policies for SSL VPN.

Ability to Order Rules

If you have configured more than one rule for a user’s role, the rule that is placed first is applied first. Novell SSL VPN allows you to change the order of rules by dragging and dropping them, based on their priority. For more information on rule ordering in SSL VPN, see Ordering Traffic Policies.

Ability to Import and Export Policies

Novell SSL VPN allows you to export the existing configuration into an XML file through the Administration Console. You can reimport this configuration later. This is a very useful feature when you upgrade your servers from one version to another. For more information, see Exporting and Importing Traffic Policies

Desktop Cleanup Feature

When a user accesses the protected resource from outside by using SSL VPN, it also means that the sites that the user visited are stored in the browser history, or some sensitive information is stored in the cache or cookies. This is a potential security threat if it is not properly dealt with. The Novell SSL VPN client comes with the desktop cleanup feature, so the user has the option to delete all the browser history, cache, cookies, and files from the system, before logging out of the SSL VPN connection.

If the user uses Firefox to connect to SSL VPN, the browsing data that was stored after the SSL VPN connection was made is deleted. In Internet Explorer, all the browser data is deleted, including the data that was stored before the SSL VPN session was established.

Sandbox Feature

When you connect to SSL VPN in either Kiosk mode or Enterprise mode, a folder named VPN-SANDBOX is created on your desktops You can manually copy files to this folder, including files that you create or files that you download from your corporate network. This folder is automatically deleted along with its contents when you logs out of the SSL VPN connection. This is a very useful feature if you are browsing from an Internet connection and you do not want any sensitive information to reach other persons. For more information on the sandbox feature of SSL VPN, see Using the Sandbox Feature in the Novell Access Manager 3.1 SP5 SSL VPN User Guide.

Custom Login Policy

When custom login policy is configured, SSL VPN redirects the custom login requests to different URLs based on the policy. This is a very useful feature if users want to access applications such as those on the Citrix application servers. For more information on how to configure a custom login policy, see Section 4.2.5, Configuring a Custom Login Policy for SSL VPN.