Traditional IPSec VPN solutions offer great access to internal network resources. One of the biggest problems with using IPSec VPN is that you need to install a piece of software on the local client, which in most cases increases complexity for the end user. IPSec also operates at the kernel level, often by creating a virtual network card (NIC) on the local client computer. Giving remote users access to internal network resources via an IPSec tunnel might also be a security risk, especially when you don't have control over the client computer. NAT traversal is often an issue as well, along with other firewall issues in remote locations where you have no influence on the setup (hotels, airports and so on).
Contrary to IPSec VPN, SSL-based VPN uses standard Web-based protocols. By running the connection over SSL, you limit the access to TCP port 443, the port encrypted Web pages use. In most cases port 443 (HTTPS) is open and allowed through the firewall, which makes it much easier to guarantee end-user connectivity. SSL VPN doesn't have the NAT problems that IPSec and PPTP sometimes encounter.
There is a plethora of SSL VPN solutions available from vendors like Juniper, Citrix, Watchguard, Aventail and others. All of these are appliance boxes, which plug in to your network and provide access. Why not virtualize the appliance?
I wanted to try out an SSL VPN solution, but buying dedicated hardware for testing purposes doesn't really fit my budget. At first, I tried looking for a pre-built solution on the VMware VMTN Virtual Appliances Directory, but all I could find was a trial version of Portwise. While that looks good, I continued looking and stumbled across SSL-Explorer Community Edition. I wonder why no one has made a prebuilt VMware Virtual Appliance for it? Seems like something 3sp.com should look into doing.
Since there was no prebuilt VM for it, I had to make one. VMware Server was installed, so all I had to do was to download Debian Sarge, minimal (netinstall), and finish off the installation. To be able to get a new version of Apache Ant and Java (both required by SSL-Explorer), the Debian install was changed from Stable to Testing and both requirements were installed.
After a 3-minute compile of the package, the software was up and running and I could start testing it. The final setup was done via the browser, and in a couple of minutes it was up and running.
For details on how to install, check the Getting Started Guide (PDF), which is pretty comprehensive.
So far, it's working perfectly as a VMware Appliance. I run it on my XP desktop, with the VMware NIC running in Bridged mode. Setting up RDP back to the desktop computer was a snap, and I now have full remote access to my own desktop computer via SSL. It's grrreat! All administration is done via a very intuitive web interface, and you can set up role-based access rules based on policies you define.
SSL-Explorer also offers a lot of other features; read about them here. Actually, it's working so perfectly that I'll probably move the virtual machine over to the new ESX servers when that's set up and start providing our users with SSL-based VPN instead of the traditional IPSec tunnels. I haven't tried the Active Directory integration yet though, but I doubt it will cause that much trouble. After all, the rest of this application looks rock solid.
I really wish 3sp.com would set up a prebuilt VM though; it would make testing their application that much quicker and easier for everyone.