As written in the previous entry, SSL VPN solutions have not entirely replaced IPSec VPN solutions. But they sure are trying hard to.
Where IPSec VPNs would open the entire network at once, SSL VPNs have slowly but surely undertaken the task of moduling the possibilities. Should a user only have access to an internal Web server, the administrator can limit him to just that. Should he only have access to a specific Terminal Server, or his office PC, he can also limit him to just that. But it also means that the SSL VPN must have the correct tools to make the connection to these allowed targets.
Imagine a restricted building where a card can either open all doors or be entirely rejected, that's your IPSec gateway. Imagine now an improved system where you can code each card to open certain doors, great! But what good is this if there is no elevator, or hallway to go the doors you have clearance to?
Where the IPSec solutions mostly rely on the software installed on the client computer for access (use your own feet, a climbing rope, or a flying jetpack if you can – clearance is there, you provide the connection), SSL VPN appliances want to provide this software itself. The goal is to limit the requirement on the client PC to what is probably already installed on it (namely a Web browser and tools like Java or ActiveX – we don't assume you have anything else than 2 legs, feet and well... some shoes). This makes the administrators' work easier (working on a single, familiar, accessible point) and the users' interface more independent of their PC. So these appliances come with plenty of tools which cover most of the needs of a regular user. But then some rooms are not used so often, or some client PC are even more different than your usual unusual PC, and these cases are not covered by the « out-of-the-box » appliance (« Sorry, you're too tall for this safety elevator and there's no stair »!). Then all of a sudden the advantages of the solution become a difficulty: The administrator is limited by the appliance's possibilities, and the user can't do anything on his homebrewed client system to change anything. The software on the appliance has to evolve.
It is this way that we are receiving more and more interest from SSL VPN customers in our Java RDP client: HOBLink JWT.
Most SSL VPN appliances come with a usual RDP client, Microsoft, Citrix, and an open source Java client. This basically covers the needs of Microsoft OS clients, and if ever you are connecting from a Mac, or a Linux, well this open source client should cover your basic needs until you can find better.
More and more customers' answer to this is “that's not good enough”. Surely it must be possible to connect from my Mac to my office PC without having to give up on my keyboard layout, printer, dual-screen, or any normal option you need to work correctly. What about 64-bit OS? they are not a rarity anymore and should be covered (The average human population is getting bigger with time and there is no doubt that the computer world is changing much faster!).
HOBLink JWT is our answer. A Java RDP client that can be hosted on a Web server behind your SSL VPN appliance (ie no installation either on the client nor on the Terminal Server / Office PC), with full functionality and running independently of the platform.
We followed the demand and started with the world leader of SSL VPNs: Juniper. More and more customers hosted HOBLink JWT on a Web server behind the VPN, and it would act as it normally does with a link (bookmark) on the users' interface. But we wanted to push it a bit further, using the possibility in the Juniper VPN to host Java applets directly on the appliance. This does not only save on a Web server, but also improves the speed of the connection. Working together with Juniper, this was made possible for JWT 3.2, and now further improved for JWT 3.3 on the Juniper releases 6.4R1+.
Soon HOBLink JWT will be integrated directly in the appliance, to ease the process for the end customers.
SSL VPNs are going one step further in replacing IPSec VPN solutions, and your elevators are about to become much more flexible – no less secure.
Laurent « Chipper » Vaucheret
Support Engineer, HOB Inc.