SSL VPNs

VPNs (Virtual Private Networks) enable you to link two remote computers or networks securely using the public Internet. An encrypted tunnel is created to carry your private data between the two sites. Tunnels making use of PPTP, L2TP, AES and IPSec protocols have been available on Vigor routers for many years and provide a simple to set up solution for your site-to-site or teleworker VPNs. SSL VPNs provide a new method for teleworker to central site VPN, providing great convenience, low TCO and simplicity where other methods may not be possible.

The benefits of SSL VPNs

One potential drawback of using the above methods for a Teleworker-to-central site VPN is that they need compatiable protocol stacks at each end (e.g. an IPSec client or hardware) and most importantly those protocols need to be freely passed by your local host network. This isn't normally a problem where you own the computers and the network in use and you can install any client, software or hardware you choose, as well as allowing any traffic types you like. Where it can become a problem is where you are using someone else's computer or network where either you cannot use the O/S VPN client, or the host network blocks VPN protocols or makes them unreliable. This is most commonly a problem when using WiFi hotspots or other public Internet access methods (hotels, conference centres etc.).

SSL (Secure Sockets Layer) is the protocol used by all web browsers for accessing 'secure' web sites (banking etc.). SSL is supported by all web browsers, and as it is so commonly used, all hotspots and other public Internet will always allow SSL to pass through (whereas other VPN protocols may be blocked or have difficulty). By using the SSL protocol for your teleworker VPNs you have some real benefits:

Traditional VPN (e.g. AES/IPSec	SSL VPN
Requires VPN Client or Hardware	Uses Standard Web Browser SSL
Support for popular O/S's only	Compatible with all computers/browsers
Licence fees all for some vendor client software (Not DrayTek though!)	No client licence fees
Requires user to operate VPN Client	No special operator procedures. Just use your web browser.
At OSI 'network' layer	At OSI 'session' layer
AES/DES/3DES Encryption	SSL Encryption
Full network access (unless filtered)	Ability to easily restrict users to specific web applications
Network Level Access as standard.	Network level access via DrayTel Active-X SSL Tunnel Plug-in
Teleworker or Site-to-Site (LAN-to-LAN)	Teleworker-to-Host site only

Another advantage of web based SSL VPN is that your host Vigor router presents the user with his/her login page to the network within their browser and then can provide access only to the web based applications or local servers which you allow as opposed to a regular VPN which connects the user to the network directly for access to any resource which is accessible locally. No TCP/UDP ports have to be opened on your host router; if the user cannot login to the VPN, they won't get access. Remote user profiles can be stored within the router or integrated with an LDAP or Radius server.

As an SSL VPN uses your standard web browser, web based applications running at your office (webmail, Remote Desktop, Terminal Services, Intranet, Thin Clients etc.) work really well for this SSL VPN access method, which is called 'SSL Web Proxy' mode. In addition, by using the Vigor 2955 web proxy, you can browse external web sites via the tunnel, thus bypassing any local web site blocking policy at your current remote location (content filtering or local polcies). If you are familiar with 'port redirection' or 'open ports setup' on Vigor routers, SSL Proxy to your internal web services is very similar in concept to this except that the data passes through a secured tunnel, hence increasing security and privacy.

DrayTek's SSL VPNs can work with LDAP services so that your users' login credentials can be controlled by your Windows Server instead of using user profiles stored in the DrayTek router.

MOTP (Mobile One-time Passwords)

As an alternative to a fixed password for remote teleworkers, you can make use of DrayTek's Mobile One-Time Password (MOTP) system to add Two-layer authentication. A One-time password is generated dynamically each time you want to connect, works once only and expires immediately. For DrayTek MOTP, the authentication device is your mobile phone; MOTP applets are available for Symbian mobile phones (e.g. Nokia), most phones supporting Java and the Apple iPhone™. For more details of MOTP, click here.

SSL VPNs beyond the Browser Using the web browser for your remote access is great for accessing web-based applications (intranet, webmail, remote web desktop etc.) but it does not provide access to the actual network directly, for example for shared directory access, network resources or other applications which are not browser based. Only data or applications which are available in your web browser locally are available remotely via the SSL Proxy (see above). For full network access, DrayTek provide a Java applet (a VPN client, effectively) which can transfer at the network layer, making a fully VPN tunnel. This is called SSL Tunnel mode. This plug-in is downloaded automatically by your browser from the host Vigor router when you log into the SSL VPN and select Tunnel mode. You are then fully connected to the remote network for direct network resource access. In this way, you are no longer limited to running web-based applications and can access shares and other network resources. As the soft client is Java based, not Active-X, it is cross platform/browser compatible. If you'd like to see just how easy it is to set up a DrayTek SSL VPN, Click Here. SSL VPNs are supported on the DrayTek Vigor 2860, Vigor 3200, Vigor 2960, Vigor 3900 (exact feature support varies by model). There is no licencing limit or 'per user' licence on the number of SSL clients on DrayTek routers (up to the maximum capacity of the respective product).