[VPN] Universal VPN client

Dana J. Dawson djdawso at qwest.com
Thu Jul 22 13:26:47 EDT 2004


I keep hearing that SSL VPNs are better because they avoid the 
administrative issues and scaling limitations with IPSec clients, but I 
don't buy it.  Most IPSec clients today can be easily preconfigured, and 
if I can set up an accessible web server for SSL VPN clients, then I can 
also make my preconfigured client available to my users (assuming I 
don't already have a method of distributing software to clients, but 
most large organizations already have that).  Also, I've had more 
compatibility issues with Java-based apps than I've had with VPN 
clients, what with different supported browsers and different versions 
of JRE required.

SSL VPNs are fine if they fit your requirements, but they do not appear 
to me to be a complete substitute for a more general purpose IPSec VPN 
client solution.

Just my $.02

Dana

Dana J. Dawson                     djdawso at qwest.com
Sr. Staff Engineer                 CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4778 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."

> On Fri, Jul 16, 2004 at 01:32:07AM -0700, Doug Dooley wrote:
> 
>>Just curious - why would you want to deal with the headaches of full client software configuration + management, all the various NAT traversal problems, and Proxy conflict issues associated with legacy Layer 3 tunneling clients (L2TP, PPTP, IPSec)?
>>
>> 
>>
>>SSL VPN devices provide "anytime anywhere" access in three forms:
>>
>>- Pure clientless (web-based) - Internet café, kiosk, PDA, cell phone, anything with a first-class SSL enabled browser
>>
>>- Semi clientless (client/server app support) via Java Applet or ActiveX/Win32
>>
>>- Full Layer 3 access (windows network adapter over SSL)
>>
>> 
>>
>>No client software installation/configuration/management, No NAT traversal problems, No proxy conflicts.
>>
>>Sorry for the pitch but just thinking - right tool for the right job?
>>
>> 
>>
>>Maybe I'm missing something?
>>
>> 
>>
>>If cap-ex cost of the appliance is the issue, there are cost-effective choices out there.
>>
>>Just wait a couple of weeks when Juniper announces an extremely cost effective SSL VPN appliance that will resonate with those price-sensitive folks.
>>
>> 
>>
>>Your thoughts...
>>
>> 
>>
>>Doug Dooley
>>Security Products Group
>>Technical Marketing, Manager


