h0bbel.p0ggel.org

In June I tested SSL-Explorer as an inexpensive "clientless" SSL VPN solution, and in August 3dsp announced the availability of a pre-built Virtual Appliance.

With the new VMware Infrastucture 3 implementation we are deploying at work, I figured it would be a great chance to get the Virtual Appliance tested in a live environment. The last time I looked at SSL-Explorer, I tested it inside a VM on my workstation at home, but this time around I wanted to run it on ESX Server 3.0.

The downloadable appliance from 3dsp.com is, naturally, a VMware player image so I had to convert and import it into my ESX cluster. Enter VMimporter from VMware which is currently a Release Candidate. VMimporter allows you to convert third party virtual machines and images from Symantec Backup Exec System Recovery and Microsoft Virtual Server into VMware compatible VMs. It can also be used to convert VMs across different VMware product formats, which is what I needed to put the appliance on my ESX servers.

The process is very straight forward, all you need to do is to point the software to the image/VM you want converted, and where you want it converted to. It then proceeds to copy the converted VM to your VMware storage area and registers it in the VMware Virtual Infrastructure Client.

The conversion of the SSL-Explorer Appliance proceeded without any problems at all, and after it booted all I needed to get it up and running was to configure the network settings appropriate for my network. This includes giving the converted VM the correct NIC setup in VMware to place it in our DMZ zone. All in all, it took about 10 minutes to get it up and running on VMware Infrastructure 3, including setting up an initial RDP based access application inside SSL-Explorer.

Be sure to read the README file included in the appliance download, as that contains usernames/passwords as well as the initial network setup that it ships with.

All in all, the SSL-Explorer Appliance does a wonderful job, and it's easy to set up. The appliance gives end users a great way of testing the application and do a very quick implementation of the software.

The only problem I had with it, was the fact that I want to test it's Active Directory integration. As far as I can tell, you can't reconfigure the appliance to have AD support since thats a install time option. 3sp should have included some tool that lets you reinitialize the software and let you go through the installation wizard if you want to do so.

Update:

After sending an email to 3sp, I got the following reply:

First stop the SSL-Explorer service; this can be done through the web interface Shutdown option. Now navigate to the SSL-Explorer directory and run the following command: ./install-sslexplorer This launches the Installation Wizard, now point your web browser to http://192.168.1.245:28080, during the wizard you will be prompted to select the type of database to be used, select Active Directory on the next page you have to enter your AD details, due to a bug in the current version please ensure that these are correct the first time. Once you complete the Wizard setup mode will stop, to restart the service enter the following command. service sslexplorer start

So, they do have a reinit option. Great!

A while ago I tested SSL-Explorer inside a VMware session. While doing this I wondered why 3sp.com didn't have a pre-built VMware Appliance available for testers. Now my request has been answered. In a comment on my original post, Richard Pernavas from 3sp.com has commented that a VMware Appliance is now ready for download.

Great news, and well done 3sp! I hope more companies follow your example and make software installation as easy and manageable as you do now that you provide the whole setup in one simple downloadable package!

Traditional IPSec VPN solutions offer great access to internal network resources. One of the biggest problems with using IPSec VPN is that you need to install a piece of software on the local client, which in most cases increase complexity for the end user. IPSec also operates on the kernel level, often by creating a virtual network card (NIC) on the local client computer. Giving remote users access to internal network resources via a IPSec tunnel might also be a security risk, especially when you don't have control over the client computer. NAT traversal might often also be an issue, as well as other firewall issues in remote locations where you have no influence on the setup (Hotels, Airports and so on).

Contrary to IPSec VPN, SSL based VPN uses standard Web-based protocols. By running the connection over SSL, you limit the access through TCP port 443—the port encrypted Web pages use. In most cases port 443 (HTTPS) is open and allowed through the firewall, thus making it much easier to guarantee end users connectivity. SSL VPN doesn't have the NAT problems that IPSec and PPTP sometimes encounter.

There is a plethora of SSL VPN solutions available from vendors like Juniper, Citrix, Watchguard, Aventail and others. All of these are appliance boxes, which plugin to your network and provide access. Why not virtualize the appliance?

I wanted to try out a SSL VPN solution, but buying dedicated hardware for testing purposes doesn't really fit my budget. At first, I tried looking for a pre-built solution on the VMWare VMTN Virtual Appliances Directory, but all I could find was a trial version of Portwise. While that looks good, I continued looking and stumbled across SSL-Explorer Community Edition. I wonder why no-one has made a prebuilt VMWare Virtual Appliance for it? Seems like something 3sp.com should look into doing.

Since there was no prebuilt VM for it, I had to make one. VMWare Server was installed, so all I had to do was to download Debian Sarge, minimal (netinstall), and finish off the installation. To be able to get a new version of Apache ANT and Java (Both required by SSL-Explorer) the Debian install was changed from Stable to Testing and both requirements was installed.

After a 3 minute compile of the package, the software was up and running and I could start testing it. The final setup was done via the browser, and in a couple of minutes it was up an running.

For details on how to install, check the Getting Started Guide (PDF), which is pretty comprehensive.

So far, it's working perfectly as a VMWare Appliance. I run it on my XP desktop, with the VMWare NIC running in Bridged mode. Setting up RDP back to the desktop computer was a snap, and I now have full remote access to my own desktop computer via SSL. It's grrreat! All administration is done via a very intuitive web interface, and you can set up role based access rules based on policies you define.

SSL-Explorer also offers a lot of other features, read about them here. Actually, it's working so perfectly that I'll probably move the virtual machine over to the new ESX servers when thats set up and start providing our users with SSL based VPN instead of the traditional IPSec tunnels. I haven't tried the Active Directory integration yet though, but I doubt it will cause that much trouble. After all, the rest of this application looks rock solid.

I really wish 3sp.com will set up a prebuilt VM though, it would make testing their application that much quicker and easier for everyone.

More screenshots here