What Is SSL VPN
Introduction
This document introduces Secure Sockets Layer Virtual Private Network (SSL VPN). You will learn the concept of SSL VPN, the difference between SSL VPN and other VPN technologies, and the services SSL VPN can provide.
Prerequisites
- This document uses Huawei USG series firewall products as an example to introduce the basis of SSL VPN. There may be differences in the implementation of different products and versions. Please refer to the specific version of the product documentation.
- FW is short for firewall.
- In this document, public IP addresses may be used in feature introduction and are for reference only unless otherwise specified.
What Is SSL VPN?
SSL VPN is used to enable users to securely and efficiently access an enterprise's intranet resources from outside the enterprise.
SSL VPN is an SSL-based VPN remote access technology. SSL VPN allows users at any Internet-enabled location to launch a web browser and establish a remote access VPN connection, which increases productivity and availability and reduces the IT cost of VPN client software and support. With SSL VPN, mobile employees (called remote users in SSL VPN) can securely and efficiently access their intranet resources, improving working efficiency.
As shown in Figure 1-1, the FW serves as the egress gateway of an enterprise and is connected to the Internet. It provides SSL VPN access services for remote users. Remote users can use mobile devices, such as laptops, Pads, and smart phones to access intranet resources through the FW at any time and any place.
What Is the Difference Between SSL VPN and Other VPNs?
Before the emergence of SSL VPN, early VPN technologies, such as IPSec and L2TP, could be used for remote access. However, these VPN technologies have the following disadvantages:
- Specific client software needs to be installed on remote user devices, complicating network deployment and maintenance.
- The IPSec/L2TP VPN configuration is complex.
- The network administrator cannot implement fine-grained control over the permissions of remote users on intranet resources.
SSL VPN has advantages over these early VPN technologies in remote access scenarios and has the following features:
- Adopts the B/S architecture design so that remote user devices can use web browsers to securely and efficiently access intranet resources without any additional client software.
- Allows the administrator to set fine-grained control over the permissions of remote users based on accessed resource types.
- Provides multiple identity authentication modes, such as local authentication, server authentication, certificate-anonymous authentication, and certificate-challenge authentication.
- Supports host check policies to check whether the operating systems, ports, processes, and antivirus software of remote user devices meet security requirements, and provides the anti-nested remote desktop connection and anti-snapshot functions to eliminate security risks from remote user devices.
- Supports cache clearing policies to clear the access history that remote users left during access to intranet resources, hardening user information security.
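The host check policy described above can be modelled as a set of rules evaluated against a report from the remote user device before login is allowed. The following is an added illustration, not Huawei's implementation; the policy fields, the process and port values, and the two client reports are constructed for the example.

```python
"""Host check policy evaluation (added illustration, not the FW's own code)."""
from dataclasses import dataclass


@dataclass
class HostCheckPolicy:
    allowed_os: set              # operating systems permitted to connect
    required_processes: set      # antivirus/endpoint processes that must be running
    forbidden_listen_ports: set  # ports that must not be listening on the device
    deny_nested_rdp: bool = True # reject logins made from inside a remote desktop session


@dataclass
class HostReport:
    """What the client-side check collects on the remote user device."""
    os_name: str
    running_processes: set
    listening_ports: set
    session_is_remote_desktop: bool = False


def evaluate_host(policy: HostCheckPolicy, report: HostReport):
    """Return (allowed, reasons). Every rule is evaluated (no short-circuit) so the
    remote user can be told everything that has to be fixed before retrying."""
    reasons = []
    if report.os_name not in policy.allowed_os:
        reasons.append(f"operating system '{report.os_name}' not permitted")
    missing = policy.required_processes - report.running_processes
    if missing:
        reasons.append("required process(es) not running: " + ", ".join(sorted(missing)))
    open_bad = policy.forbidden_listen_ports & report.listening_ports
    if open_bad:
        reasons.append("forbidden listening port(s): " + ", ".join(str(p) for p in sorted(open_bad)))
    if policy.deny_nested_rdp and report.session_is_remote_desktop:
        reasons.append("login from a nested remote desktop session is not allowed")
    return (not reasons, reasons)


# Constructed sample policy: values are illustrative, not product defaults.
POLICY = HostCheckPolicy(
    allowed_os={"Windows 10", "Windows 11"},
    required_processes={"avservice.exe"},
    forbidden_listen_ports={23, 3389},
)

# Constructed client reports: one compliant device, one failing every rule.
COMPLIANT = HostReport("Windows 11", {"avservice.exe", "explorer.exe"}, {5353})
NONCOMPLIANT = HostReport("Windows 7", {"explorer.exe"}, {3389, 445},
                          session_is_remote_desktop=True)

if __name__ == "__main__":
    for name, rep in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        ok, why = evaluate_host(POLICY, rep)
        print(name, "->", "allowed" if ok else "denied", why)
```

Reporting all failed rules at once, rather than stopping at the first, keeps the check auditable and avoids repeated login attempts that each reveal only one missing requirement.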
SSL VPN Services
According to the types of intranet resources accessed by remote users, SSL VPN provides web proxy, file sharing, port forwarding, and network extension services.

Service | Definition
---|---
Web proxy | Used by remote users to access intranet web resources.
File sharing | Used by remote users to access an intranet file server running the Server Message Block (SMB)-capable Windows OS or the Network File System (NFS)-capable Linux OS. Users can use web browsers to perform operations on an intranet file system as easily as they do on a local file system. The operations include creating and browsing a directory and downloading, uploading, renaming, and deleting a file.
Port forwarding | Used by remote users to access intranet TCP resources. Port forwarding applies to TCP application services, such as Telnet, remote desktop, FTP, and email. Port forwarding allows for port-level secure access to intranet resources.
Network extension | Used by remote users to access intranet IP resources. Web resources, file resources, and TCP resources are all IP resources. The network extension service is enabled when the types of resources that users want to access do not need to be distinguished.
The function module used by the FW to provide SSL VPN access services for remote users is called a virtual gateway. The virtual gateway has a separate IP address. You can configure user information, resources, and user access permissions on the virtual gateway.
Web Proxy
This section describes the service interaction procedure of the web proxy function and the mechanism of packet encapsulation in web proxy.
Service Interaction Procedure
Figure 1-2 shows the procedure for a remote user to access the web server on the enterprise network using the web proxy function.
- The remote user accesses the FW using its domain name (https://svn).
- After the login, the remote user views a list of the accessible web resources and clicks the link of the desired web resource.
The FW rewrites the URLs of the web resources, including the one (http://website/resource.html) requested by the remote user, when listing the accessible web resource for the remote user. After the remote user clicks the URL of the desired web resource, an HTTPS request is sent to the rewritten URL, which is the combination of the URL of the FW (https://svn) and that of the requested web resource (http://website/resource.html).
- After receiving the HTTPS request to the rewritten URL, the FW initiates a new HTTP request to the actual URL of the desired web resource (http://website/resource.html).
- The web server returns the requested resource page to the FW using HTTP.
- The FW returns the resource page from the web server to the remote user using HTTPS.
Based on the procedure, the implementation of the web proxy function comprises two phases. In the first phase, an HTTPS session is established between the remote user and the FW. In the second phase, an HTTP session is established between the FW and the web server on the enterprise network. The FW rewrites and forwards the requests from remote users to the web server on the enterprise network.
The implementation of the web proxy function is classified into the web rewriting and web link functions.
- Web rewriting
Rewriting in the term web rewriting has the following two meanings. The first meaning is encryption, that is, the FW encrypts the actual URL of the web resource requested by a remote user when the remote user clicks the URL of the requested web resource. As shown in the second step in Figure 1-2, the actual URL of the desired web resource is http://website/resource.html. The FW encrypts the URL by rewriting it to http://website/D%3A/0-2+resource.html. The rewritten URL is displayed instead of the actual URL so that the address of the web server on the enterprise network is hidden from outsiders. In web rewriting, the FW rewrites not only the URL of the requested web resource but also the URLs of the objects, such as Flash content, PDF files, or Java applets, referenced by the web resource.
The other meaning is adaptation. With the development of network technologies, terminals such as smart phones, pads, and laptops have become popular among remote users. Various types of terminals use different operating systems and browsers and therefore support different types of web resources. To eliminate the impact of such differences, the FW is required not only to encrypt requests from remote users but also to adapt the requested web resources to the terminals used by remote users. The FW automatically adapts requested web resources to requesting terminals after the web proxy function is enabled. If anomalies persist for certain HTML objects or ActiveX controls after the web proxy is enabled, manually configure rewriting rules for them.
- Web link
Using the web link function, the FW only forwards the requests from remote users.
Because encryption and adaptation are missing in the web link function, its service processing efficiency is higher than that of the web rewriting function. Because of the encryption and adaptation, the security and adaptability of the web rewriting function are higher than those of the web link function.
- Figure 1-2 shows the procedure for the web rewriting function. The procedure for the web link function is similar, except that the FW does not adapt web resources to requesting terminals when using the web link function.
- Note that the web link function is applicable only to the scenario where Internet Explorer is used on the Windows operating system. In other scenarios, only the web rewriting function is available.
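The two phases of the web proxy (HTTPS from the remote user to the FW, then HTTP from the FW to the intranet web server) and the rewriting of the requested URL and of every referenced object can be shown in a small proxy model. The following is an added example, not the FW's own rewriting scheme: the product's rewritten form (http://website/D%3A/0-2+resource.html) is not reproduced here. Instead the example assumes an opaque token under the gateway address https://svn that carries the actual URL in base64url form together with an HMAC tag, so the client cannot read or alter the intranet address; the secret key, the /web/ path prefix, the intranet page content and the fetch function are constructed for the example.

```python
"""Web proxy URL rewriting model (added example, not the FW's own scheme)."""
import base64
import hashlib
import hmac
import re
from urllib.parse import urljoin

GATEWAY = "https://svn"      # virtual gateway address used in the page's procedure
SECRET = b"example-key"      # constructed; a real gateway would keep a per-deployment key
PREFIX = "/web/"             # assumed path under which rewritten resources are served


def encode_target(actual_url: str) -> str:
    """Opaque token: base64url(actual URL) + '.' + truncated HMAC tag.
    The intranet host name is not visible, and a modified token fails verification."""
    body = base64.urlsafe_b64encode(actual_url.encode()).decode().rstrip("=")
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}.{tag}"


def decode_target(token: str) -> str:
    """Reverse of encode_target; raises ValueError if the tag does not verify."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tampered or unknown token")
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()


def token_is_valid(token: str) -> bool:
    try:
        decode_target(token)
        return True
    except ValueError:
        return False


def rewrite_url(actual_url: str) -> str:
    """Rewritten URL = gateway address + opaque reference to the actual resource."""
    return f"{GATEWAY}{PREFIX}{encode_target(actual_url)}"


ATTR_RE = re.compile(r'\b(href|src)=(["\'])(.*?)\2', re.IGNORECASE)


def rewrite_html(html: str, page_url: str) -> str:
    """Rewrite every href/src so referenced objects also pass through the gateway.
    Relative references are resolved against the page's actual URL first."""
    def repl(m):
        attr, quote, ref = m.groups()
        return f"{attr}={quote}{rewrite_url(urljoin(page_url, ref))}{quote}"
    return ATTR_RE.sub(repl, html)


def handle_gateway_request(path: str, fetch) -> str:
    """Phase 1: the remote user's HTTPS request reaches the gateway at /web/<token>.
    Phase 2: the gateway resolves the token and fetches the actual resource over
    HTTP (fetch is injected so the example runs offline), then rewrites the page."""
    if not path.startswith(PREFIX):
        raise ValueError("not a proxied resource path")
    actual_url = decode_target(path[len(PREFIX):])
    return rewrite_html(fetch(actual_url), actual_url)


# Constructed intranet page with a relative link, a root-relative image and an
# absolute link to another intranet host.
INTRANET_PAGES = {
    "http://website/resource.html":
        '<a href="page2.html">next</a> <img src="/img/logo.png"> '
        '<a href="http://other.corp/doc.pdf">doc</a>',
}


def fake_fetch(url: str) -> str:
    """Stands in for the FW's HTTP request to the intranet web server."""
    return INTRANET_PAGES[url]


if __name__ == "__main__":
    listed = rewrite_url("http://website/resource.html")
    print("link shown to remote user:", listed)
    print(handle_gateway_request(listed[len(GATEWAY):], fake_fetch))
```

The tag is what makes the design safe to expose: without it, a client could encode any URL it liked and use the gateway as an open proxy into the intranet, so the gateway must only honour references it issued itself.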
Packet Encapsulation in Web Proxy
Figure 1-3 shows the packet encapsulation procedure when a remote user accesses web resources on the enterprise network. Such access comprises two sessions: the HTTPS session and the HTTP session. In the HTTPS session, the source port is 6293 (a random port) and the destination port is 443. In the HTTP session, the source port is 10091 (also a random port) and the destination port is 80.
File Sharing
This section describes the mechanism of file sharing.
In the file sharing service, the FW functions as a protocol convertor. This section uses the access to the intranet Windows file server as an example. Figure 1-4 illustrates the interactive process.
Port Forwarding
This section describes the mechanism of port forwarding.
You need to run an ActiveX control on the client as the port convertor to monitor the connections to the specified port. Use a telnet connection from a user to the intranet server as an example. Figure 1-5 illustrates the interactive process of port forwarding.
Network Extension
The FW uses network extension to set up an SSL VPN tunnel between virtual gateways and remote users, enabling remote users to access intranet IP services.
Service Interaction Process
Figure 1-6 shows the service interaction process of remote users' access to intranet resources using SSL network extension.
- A remote user logs in to the virtual gateway using the web browser.
- After login, the remote user enables network extension on the virtual gateway.
After network extension is enabled:
- The remote user and the virtual gateway establish an SSL VPN tunnel.
- The local PC of the remote user automatically generates a virtual adapter. The virtual gateway assigns an IP address from the address pool to the virtual adapter for communication between the remote user and the intranet server. With this private IP address, the remote user can access intranet IP resources as an intranet user does.
- The virtual gateway delivers a route destined to the intranet server.
The virtual gateway delivers routes to remote users based on network extension configurations.
- The remote user sends a service request packet to the intranet server. The packet reaches the virtual gateway over an SSL VPN tunnel.
- After receiving the request packet, the virtual gateway decapsulates the packet and then forwards it to the intranet server.
- The intranet server returns a service response packet to the remote user.
- After receiving the response packet, the virtual gateway forwards it to the remote user over the SSL VPN tunnel.
After receiving the response packet, the remote user decapsulates the packet to obtain required information.
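The address-pool assignment and route delivery in the procedure above determine which traffic the remote user's PC sends into the SSL VPN tunnel and which stays on the physical adapter (the tunnel splitting that the SecoClient section later describes). The following is an added model, not the virtual gateway's own code: the pool 192.168.1.0/24 matches the adapter address used in Figure 1-7, while the intranet networks, user names and destinations are constructed for the example.

```python
"""Network extension model: address pool, delivered routes and tunnel decision
(added example, not the virtual gateway's own implementation)."""
import ipaddress


class VirtualGateway:
    """Hands out a virtual-adapter IP from the address pool and delivers routes
    for the intranet networks configured under network extension."""

    def __init__(self, pool_cidr: str, intranet_networks):
        self.pool = ipaddress.ip_network(pool_cidr)
        self.free = list(self.pool.hosts())        # addresses still available
        self.leases = {}                           # user -> assigned address
        self.routes = [ipaddress.ip_network(n) for n in intranet_networks]

    def enable_network_extension(self, user: str):
        """Step 'enable network extension': assign (or return) the user's address."""
        if user in self.leases:
            return self.leases[user]
        if not self.free:
            raise RuntimeError("address pool exhausted")
        addr = self.free.pop(0)
        self.leases[user] = addr
        return addr

    def disable_network_extension(self, user: str):
        """Return the address to the pool when the user disables the service."""
        self.free.append(self.leases.pop(user))

    def delivered_routes(self):
        """Routes pushed to the remote user, derived from the configuration."""
        return list(self.routes)


class RemoteClient:
    """The remote user's PC after the virtual adapter has been created."""

    def __init__(self, virtual_ip, routes):
        self.virtual_ip = virtual_ip
        self.routes = routes

    def path_for(self, destination: str) -> str:
        """A destination covered by a delivered route goes through the virtual
        adapter into the SSL VPN tunnel; anything else leaves directly."""
        dst = ipaddress.ip_address(destination)
        return "tunnel" if any(dst in net for net in self.routes) else "direct"


def simulate(gw: VirtualGateway, user: str, destinations):
    """Run one user through enable -> routes -> per-destination decision."""
    ip = gw.enable_network_extension(user)
    client = RemoteClient(ip, gw.delivered_routes())
    return {"virtual_ip": str(ip),
            "paths": {d: client.path_for(d) for d in destinations}}


if __name__ == "__main__":
    # Constructed configuration: pool as in Figure 1-7, two intranet networks.
    gateway = VirtualGateway("192.168.1.0/24", ["10.1.0.0/16", "172.16.20.0/24"])
    print(simulate(gateway, "alice", ["10.1.5.5", "8.8.8.8", "172.16.20.9"]))
```

Only destinations inside delivered routes are tunnelled, so the route list the administrator configures is also the boundary of what a compromised remote device can reach through the gateway; keeping it to the networks the user actually needs is the practical form of least privilege here.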
Packet Encapsulation Process
In network extension, an SSL VPN tunnel can be established in either reliable or quick transmission mode. In reliable transmission mode, SSL VPN uses SSL to encapsulate packets and TCP to transmit them. In quick transmission mode, SSL VPN uses UDP to transmit packets.
- Packet encapsulation in reliable transmission mode
Figure 1-7 shows the packet encapsulation in reliable transmission mode. The remote user uses its adapter card IP address (SRC: 192.168.1.1) to communicate with the intranet server (the SIP server is used as an example). Exchanged packets reach the communication parties after being encrypted and decrypted. In the inner packet sent by the remote user to the SIP server, the source port is 5880 (random), the destination port is 5060, and the transport protocol is UDP. The outer packet is encapsulated by SSL and transmitted by TCP.
- Packet encapsulation in quick transmission mode
Figure 1-8 shows the packet encapsulation in quick transmission mode. The encapsulation mechanism in quick transmission mode is the same as that in reliable transmission mode, except that the outer packet is transmitted by UDP.
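The inner packet described for Figures 1-7 and 1-8 (source 192.168.1.1, source port 5880, destination port 5060, transport UDP) can be built and parsed to show what the virtual gateway sees after decapsulation. This is an added example, not the product's encapsulation format: the outer SSL layer is replaced by a constructed three-byte framing (a transport selector for reliable/TCP or quick/UDP plus a length), and the SIP server address and SIP payload are constructed values.

```python
"""Inner IPv4/UDP packet construction and decapsulation for the network
extension tunnel (added example; outer framing is a constructed stand-in for SSL)."""
import socket
import struct

SIP_SERVER = "10.1.1.20"                               # constructed intranet SIP server
SAMPLE_PAYLOAD = b"OPTIONS sip:10.1.1.20 SIP/2.0\r\n"   # constructed SIP request


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_packet(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """The packet as the virtual adapter emits it, before SSL encapsulation."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, udp_len))
    udp_csum = checksum(pseudo + udp_hdr + payload) or 0xFFFF
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, udp_csum)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp_hdr + payload


def encapsulate(inner: bytes, mode: str) -> bytes:
    """Constructed outer framing: 'T' (reliable, carried over TCP) or 'U'
    (quick, carried over UDP), then a 2-byte length, then the inner packet."""
    selector = {"reliable": b"T", "quick": b"U"}[mode]
    return selector + struct.pack("!H", len(inner)) + inner


def decapsulate(outer: bytes) -> dict:
    """What the virtual gateway does on receipt: strip the outer framing and
    read the inner IPv4/UDP headers to learn where to forward the packet."""
    mode = {b"T": "reliable", b"U": "quick"}[outer[:1]]
    length = struct.unpack("!H", outer[1:3])[0]
    inner = outer[3:3 + length]
    ihl = (inner[0] & 0x0F) * 4
    if checksum(inner[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", inner[ihl:ihl + 8])
    return {"mode": mode, "proto": inner[9],
            "src": (socket.inet_ntoa(inner[12:16]), src_port),
            "dst": (socket.inet_ntoa(inner[16:20]), dst_port),
            "payload": inner[ihl + 8:ihl + udp_len]}


def gateway_accepts(outer: bytes) -> bool:
    """True if the gateway would forward the inner packet, False if it is malformed."""
    try:
        decapsulate(outer)
        return True
    except (ValueError, KeyError, struct.error):
        return False


if __name__ == "__main__":
    pkt = build_inner_packet("192.168.1.1", SIP_SERVER, 5880, 5060, SAMPLE_PAYLOAD)
    for mode in ("reliable", "quick"):
        print(mode, decapsulate(encapsulate(pkt, mode)))
```

The point to notice is that the inner packet keeps the virtual adapter address 192.168.1.1 end to end; the intranet server never sees the remote user's public address, and the gateway's forwarding and policy decisions are made on the decapsulated inner header.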
SSL VPN Client
SecoClient is VPN client software launched by Huawei to provide secure and convenient access services for mobile users who remotely access enterprise network resources. The SecoClient has the following characteristics:
Powerful access ability
The SecoClient integrates SSL VPN, L2TP VPN, and L2TP over IPSec VPN access technologies and can meet the VPN access requirements in different scenarios. The enterprise does not need to purchase diversified terminal software for different VPN access scenarios, reducing investment costs.
Flexible tunnel splitting
The SecoClient enables mobile users to access enterprise network resources and Internet and LAN resources at the same time using different tunnels. The traffic of different services is not mutually affected.
Preferential gateway selection
A large enterprise usually provides multiple VPN gateways for external users to access. If one of the VPN gateways has a large number of access users, the system resources of the gateway may become exhausted, users' access may be delayed, and excess users may be forced to log out, affecting user experience. If the SecoClient is installed, the VPN gateway with the highest response speed is automatically selected for mobile users. When the preferential gateway selection function is used, gateways may be selected randomly for mobile users, and the users' access requests are distributed to different VPN gateways, which effectively alleviates the performance bottleneck of a single VPN gateway under massive user access. In addition, this function improves user access speed and success rate.
Reliable link backup
In SSL VPN access scenarios, one VPN gateway may provide multiple IP addresses (one IP address corresponds to one link) for mobile users to connect to. If an SSL VPN tunnel is disconnected unexpectedly, the SecoClient automatically re-establishes a VPN tunnel with another IP address of the gateway. After the new VPN tunnel is established, service traffic will be continuously transmitted using the new tunnel. This mechanism reduces network fault influence on services and ensures service continuity.
Diverse authentication methods
In most cases, the VPN gateway provides multiple methods for authenticating mobile users. Therefore, the number of authentication methods supported by the VPN terminal software determines the number of application scenarios of this software. The SecoClient provides various authentication methods, including user name and password authentication, certificate-anonymous authentication, certificate-challenge authentication, and two-factor authentication. Therefore, the SecoClient can be applied to most VPN access scenarios.
Network administrators who manage the VPN and firewall can refer to the SecoClient Administration Guide.
Mobile device users who need to establish VPN connections through the SecoClient can refer to the SecoClient User Access Guide.