SSL-Explorer - Clientless VPN via SSL

Traditional IPSec VPN solutions offer great access to internal network resources. One of the biggest problems with IPSec VPNs is that you need to install a piece of software on the local client, which in most cases increases complexity for the end user. IPSec also operates at the kernel level, often by creating a virtual network card (NIC) on the local client computer. Giving remote users access to internal network resources via an IPSec tunnel might also be a security risk, especially when you don't have control over the client computer. NAT traversal is often an issue too, as are other firewall problems in remote locations where you have no influence on the setup (hotels, airports and so on).

Contrary to IPSec VPN, SSL-based VPN uses standard Web-based protocols. By running the connection over SSL, you limit access to TCP port 443, the port encrypted Web pages use. In most cases port 443 (HTTPS) is open and allowed through the firewall, which makes it much easier to guarantee end-user connectivity. SSL VPN doesn't have the NAT problems that IPSec and PPTP sometimes encounter.

There is a plethora of SSL VPN solutions available from vendors like Juniper, Citrix, WatchGuard, Aventail and others. All of these are appliance boxes, which plug in to your network and provide access. Why not virtualize the appliance?

I wanted to try out an SSL VPN solution, but buying dedicated hardware for testing purposes doesn't really fit my budget. At first, I tried looking for a pre-built solution on the VMware VMTN Virtual Appliances Directory, but all I could find was a trial version of Portwise. While that looks good, I continued looking and stumbled across SSL-Explorer Community Edition. I wonder why no one has made a prebuilt VMware Virtual Appliance for it? Seems like something 3sp.com should look into doing.

Since there was no prebuilt VM for it, I had to make one. VMware Server was installed, so all I had to do was download Debian Sarge, minimal (netinstall), and finish off the installation. To be able to get a new version of Apache Ant and Java (both required by SSL-Explorer), the Debian install was changed from Stable to Testing and both requirements were installed.

After a 3-minute compile of the package, the software was up and running and I could start testing it. The final setup was done via the browser, and in a couple of minutes it was up and running.

SSL-Explorer Logon Screen


SSL-Explorer Applications

For details on how to install, check the Getting Started Guide (PDF), which is pretty comprehensive.

So far, it's working perfectly as a VMware Appliance. I run it on my XP desktop, with the VMware NIC running in Bridged mode. Setting up RDP back to the desktop computer was a snap, and I now have full remote access to my own desktop computer via SSL. It's grrreat! All administration is done via a very intuitive web interface, and you can set up role-based access rules based on policies you define.

SSL-Explorer also offers a lot of other features; read about them here. Actually, it's working so perfectly that I'll probably move the virtual machine over to the new ESX servers when that's set up and start providing our users with SSL-based VPN instead of the traditional IPSec tunnels. I haven't tried the Active Directory integration yet though, but I doubt it will cause that much trouble. After all, the rest of this application looks rock solid.

I really wish 3sp.com would set up a prebuilt VM though; it would make testing their application that much quicker and easier for everyone.

More screenshots here

June 28, 2006 at 1:37pm | 27 Comments

27 Comments so far

  1. VirtuaMag.net, on January 1, 1970 at 1:00am, said:

    : bonzo | freebsd | tech-diary |... LDAP-Driven RADIUS Appliance June 28, 2006 Because one of our clients thinks that two Radius servers are not enough, I’m creating a couple of VMware appliances which will be hosting an... SSL-Explorer - Clientless VPN via SSL June 28, 2006 Traditional IPSec VPN solutions offer great access to internal network resources. One of the biggest problems with using IPSec VPN is that you need to... VMware Tools for FreeBSD Guests


  2. Martin's personal blog, on July 6, 2006 at 6:49am, said:

    SSL-Explorer - Clientless VPN via SSL...

    Traditional IPSec VPN solutions offer great access to internal network resources. One of the biggest problems with using IPSec VPN is that you need to install a piece of software on the local client, which in most cases increase complexity for the end ...


  3. Chris, on July 14, 2006 at 10:55am, said:

    After a 3 minute compile?? After 5 hours of installing one prereq after another I was up and running too. How is it possible that it is actually easier to install this on Linux than it is to install on Windows? Why is there no precompiled executable install like the previous version? Bahhh this was not acceptable. Free or not this is just wayyy too frustrating for your average geek. Why can't this be packaged as a nice lil .exe file for Windows users or at least include all of the setup files? This was a terrible experience. PS I blew this shit away since it only installed on a test server and decided to use the old version to install quickly on my "production" server.


  4. h0bbel, on July 14, 2006 at 12:09pm, said:

    I didn't try it on Windows, I did it inside a small Debian-based VM I had set up. Worked out perfectly and compiled in probably less than 3 minutes.


  5. Sanchez, on July 17, 2006 at 7:55pm, said:

    I've been running the previous version very successfully but have been having a heck of a time getting it to compile in Windows.. can't get Ant working.. but it's a great product..


  6. Sanchez, on July 17, 2006 at 7:55pm, said:

    I've been running the previous version very successfully but have been having a heck of a time getting it to compile in Windows.. can't get Ant working.. but it's a great product..


  7. h0bbel, on July 17, 2006 at 9:42pm, said:

    As I said earlier, I've never set it up on Windows.


  8. Lickeh, on July 18, 2006 at 5:36pm, said:

    I set this up on Windows 2003 Server and it couldn't have been simpler.

    Download Ant, place it in a folder, set the path variables.
    Download JDK, install it, set the path variables.
    Unpack the sslexplorer zip package to a folder, run cmd, type ant install and 30 seconds later it brings up the configuration browser and away you go.

    The only problem I do have at the moment is getting the applications configuration wizard to load as I am getting a Java error, the rest seems fine.

    Nicely integrated with Active Directory, only took a few seconds.

    Very nice piece of software.


  9. h0bbel, on July 18, 2006 at 8:43pm, said:

    Excellent, pretty much the same experience I had on Linux. You do need to have the prerequisites installed of course.


  10. Lickeh, on July 19, 2006 at 10:14am, said:

    Solved the application issue, the server I was using didn't have access to the web, once I gave it access (as I am running it internally for testing atm) it gave me a list of applications to install then I was able to create PuTTY and Windows remote desktop client connections to the servers.

    I thoroughly recommend all organisations look at this product, we have been evaluating numerous bought solutions running into thousands of pounds, and this does the same stuff, and in some cases more than those being offered.


  11. h0bbel, on July 19, 2006 at 10:18am, said:

    Nice! I do agree, SSL-Explorer offers a lot of the same things commercial SSL VPN solutions do. I'll probably test it in an enterprise environment over the summer.


  12. Sanchez, on July 20, 2006 at 9:37pm, said:

    Did get it to work right and set up usernames/pw's and then all of a sudden the website doesn't load, just a blank page after the CERT warning. I've tried deleting/re-downloading it.. loading the page locally etc.. same result.. It looks like a problem with the web server.. but I don't know Jetty.. any ideas?


  13. Lickeh, on July 21, 2006 at 3:02pm, said:

    Do you have anything else running on the box such as IIS or Apache?


  14. Sanchez, on July 21, 2006 at 6:00pm, said:

    Yeah.. I'm running IIS on it.. but not https - port 443. SSL-Explorer was working fine and while updating users it just stopped showing the page.. even after I've deleted it and put it back.. I got 16.1 working though now...


  15. Henri, on August 1, 2006 at 1:45pm, said:

    Ok, so now we have a prebuilt VMware Appliance?
    From you?

    That would be really nice ..... ;O)


  16. h0bbel, on August 1, 2006 at 6:49pm, said:

    Well, my "Appliance" is not that generic, nor is the base Debian install small enough to distribute. I hope someone who really knows how to build VMware appliances will pick this up though.


  17. Lutin_Blanc, on August 3, 2006 at 5:15pm, said:

    Hello, thanks for your experience, but I have a question: I installed Debian, do you have a tutorial or links for this distribution?

    Thanks


  18. h0bbel, on August 4, 2006 at 2:04am, said:

    The Debian base install I used is linked to in the main article. Other than that, I just followed SSL-Explorer's documentation.


  19. VMTN Blog, on August 4, 2006 at 6:35pm, said:

    podcast from Leo Laporte and Steve Gibson. (Not very much material on what we currently think of as virtualization, but I'm waiting on part 2.) Virtual appliances rock: one, two, three part 1, three part 2, four P2V for VMware: tools, experiences, articles Installation of VMware VirtualCenter 2.0. (Lots of screenshots) Two articles from Alessandro Perilli on SearchServerVirtualization: The Kutz Q&A on security and futurescapes


  20. Richard Pernavas, on August 18, 2006 at 12:46pm, said:

    Hey h0bbel,

    Thanks for the article! We appreciate this sort of thing.

    We now have a VMWare build of our SSL-Explorer: Enterprise Edition available from our website.
    http://3sp.com/showSslExplorer.do

    Before anyone starts complaining about it being non-free - this version starts in Community Edition mode until you request a license from us for the Enterprise components.

    If you DO choose to install an EE license (it is optional) - even after the license expires, the software won't quit working, it just reverts back to the CE feature set.

    So, if anyone wants an SSL-Explorer VM and doesn't like the thought of compiling nasty source code then they might want to try out our VMWare appliance. It's free after all!

    Thanks,

    Richard Pernavas
    3SP Ltd


  21. h0bbel, on August 18, 2006 at 3:01pm, said:

    Excellent news, I'll try that as soon as we have ESX 3.0 running at work.


  22. h0bbel, on August 18, 2006 at 3:16pm, said:

    SSL-Explorer Clientless VPN Appliance...

    A while ago I tested SSL-Explorer inside a VMware session. While doing this I wondered why 3sp.com didn’t have a pre-built VMware Appliance available for testers. Now my request has been answered. In a comment on my original post, Richard Pernav...


  23. Running the SSL-Explorer Appliance on VMware Infrastructure 3 - h0bbel, on September 12, 2006 at 10:18am, said:

    [...] In June I tested SSL-Explorer as an inexpensive “clientless” SSL VPN solution, and in August 3dsp announced the availability of a pre-built Virtual Appliance. [...]


  24. steven, on January 10, 2007 at 1:51am, said:

    On the sourceforge.net website you can download the newest .EXE installer. It's the simplest and quickest way of installing SSL-Explorer. There are also cool extensions like removing the branding on the logon page for more security. Enjoy!


  25. coComment - Site comments by h0bbel, on March 16, 2007 at 10:32am, said:

    View this article on its blog


  26. Favoriten | mister-wong.de | Social Bookmarking Tool, on May 16, 2007 at 12:09pm, said:

    [...] vpn virtualisierung tecresearch Added 2 days ago by C0lP4nic, saved by 1 user SSL-Explorer - Clientless VPN via SSL - h0bbel ssl linux vpn Added 2 days ago by C0lP4nic, saved by 1 user Veeam Reporter for [...]


  27. VirtuaMag.net, on August 2, 2007 at 2:46pm, said:

    : bonzo | freebsd | tech-diary |... LDAP-Driven RADIUS Appliance June 28, 2006 Because one of our clients thinks that two Radius servers are not enough, I’m creating a couple of VMware appliances which will be hosting an... SSL-Explorer - Clientless VPN via SSL June 28, 2006 Traditional IPSec VPN solutions offer great access to internal network resources. One of the biggest problems with using IPSec VPN is that you need to... VMware Tools for FreeBSD Guests

