General Router FAQ
SSL VPN
|
General Router FAQSSL VPN |
|
VPNs (Virtual Private Networks) enable you to link two remote computers or networks securely using the public Internet. An encrypted tunnel is created to carry your private data between the two sites. Tunnels making use of PPTP, L2TP, AES and IPSec protocols have been available on Vigor routers for many years and provide a simple to set up solution for your site-to-site or teleworker VPNs. SSL VPNs provide a new method for teleworker to central site VPN, providing great convenience, low TCO and simplicity where other methods may not be possible.
Note : SSL VPN is available on the DrayTek Vigor 2950 and VigorPro models.
One potential drawback of using the above methods for a Teleworker-to-central site VPN is that they need compatiable protocol stacks at each end (e.g. an IPSec client or hardware) and most importantly those protocols need to be freely passed by your local host network. This isn't normally a problem where you own the computers and the network in use and you can install any client, software or hardware you choose, as well as allowing any traffic types you like. Where it can become a problem is where you are using someone else's computer or network where either you cannot use the O/S VPN client, or the host network blocks VPN protocols or makes them unreliable. This is most commonly a problem when using WiFi hotspots or other public Internet access methods (hotels, conference centres etc.).
You may already have heard of SSL previously, and you have almost certainly used it. SSL (Secure Sockets Layer) is the protocol used by all web browsers for accessing 'secure' web sites. You will have used secure web sites whenver you have used your credit card online or accessed your banking web sites, for example. SSL is supported by all web browsers, and as it is so commonly used, all hotspots and other public Internet will always allow SSL to pass properly. By using the SSL protocol for your telework VPN tunnel you therefore have some important benefits:
| Traditional VPN (e.g. AES/IPSec | SSL VPN |
|---|---|
| Requires VPN Client or Hardware | Uses Standard Web Browser SSL |
| Support for popular O/S's only | Compatible with all computers/browsers |
| Licence fees all for some vendor client software (Not DrayTek though!) | No client licence fees |
| Requires user to operate VPN Client | No special operator procedures. Just use your web browser. |
| At OSI 'network' layer | At OSI 'session' layer |
| AES/DES/3DES Encryption | SSL Encryption |
| Full network access (unless filtered) | Ability to easily restrict users to specific web applications |
| Network Level Access as standard. | Network level access via DrayTel Active-X SSL Tunnel Plug-in |
| Teleworker or Site-to-Site (LAN-to-LAN) | Teleworker-to-Host site only |
Another advantage of web based SSL VPN is that your host Vigor router presents the user with his/her login page to the network within their browser and then can provide access only to the web based applications or local servers which you allow as opposed to a regular VPN which connects the user to the network directly for access to any resource which is accessible locally. No TCP/UDP ports have to be opened on your host router; if the user cannot login to the VPN, they won't get access.
As mentioned previously, an SSL VPN uses your standard web browser; this means that for your web based applications running at your office (webmail, Intranet, Thin Clients etc.) SSL VPNs work really well for this access method, which is called 'SSL Web Proxy' mode. A very common application for SSL VPN is remote desktop. By using the Windows 'Remote Desktop Web Connection', your office desktop will be accessible from your web browser whereever you are and whoever's computer you're using. In addition, by using Vigor web proxy, you can browse external web sites via the tunnel, thus bypassing any local web site blocking policy (content filtering or local polcies). If you are familiar with 'port redirection' or 'open ports setup' on Vigor routers, SSL Proxy to your internal web services is very similar in concept to this except that the data passes through a secured tunnel, hence increasing security and privacy.
SSL VPNs beyond the BrowserUsing the web browser for your remote access is great for accessing web-based applications (intranet, webmail, remote web desktop etc.) but it does not provide access to the actual network directly, for example for shared directory access, network resources or other applications which are not browser based. Only data or applications which are available in your web browser locally are available remotely via the SSL Proxy (see above). For full network access, DrayTek provide an Active-X Tunnel plug-in (a VPN client, effectively) which can transfer at the network layer, making a fully VPN tunnel. This is called SSL Tunnel mode. This plug-in is downloaded automatically by your browser from the host Vigor router when you log into the SSL VPN and select Tunnel mode. You are then fully connected to the remote network for direct network resource access. In this way, you are no longer limited to running web-based applications and can access shares and other network resources. |  |
It is important to note that you can select between two access methods for SSL Web Proxy: SSL Web Proxy or Secured Port Redirection. SSL Web Proxy is a true SSL VPN method for web-based application access. All data is encrypted within an SSL Tunnel. Secured Port Redirection (SPR) uses SSL for the connection setup only, but your actual data then passes 'in the clear';. The performance of SPR might be slightly higher but is only suitable for non-sensitive data. Therefore, SSL Web Proxy is your most likely choice.
Firstly, you need to enable 'Remote Management' for the router under System Maintenance. Enable 'https' accesss. You don't need to tick anything else unless you do want remote management via those other means. HTTPS can be used for both SSL VPN and Remote management of the router:
The standard VPN Teleworker account setup screens are used for SSL VPNs. You define a username and password for any users you wish to provide access to and additionally select whether they have access to SSL Tunnel, SSL Web Proxy or both. In the case of SSL Web Proxy, you can additionally select which of your web applications they can have access to (as defined earlier):
The remote user accesses the VPN simply by entering your router's public IP address into their web browser, preceded by https://. If you have an actual hostname or DDNS account, you can use that instead. A DDNS account is necessary if you have a changing/dymanic public IP address at the host site, as otherwise you won't know what the current public IP address is.
After entering the IP address into your web browser, you will firstly see a warning message indicating that your site does not have a valid certificate. Certification is a method of being sure that you are accessing you think you are. It's important for public web sites, but as long as you're sure you're using the correct web/ip address, you can trust your own site and thus ignore this warning. Click the 'scary red cross' to continue to the web site:
You will next see a login dialogue. Here, you enter the SSL VPN username and password which you set up earlier. Once logged in, the router will present you with a DrayTek front page, offering you tabs for SSL VPN, SSL Web Proxy or both, depending on which you have set up for remote access previously:
The Web Proxy Tab will list all available web applications. In our example, we have the Widget Intranet:
If you select SSL Tunnel, you must firstly download the Active-X plugin which the web page will offer you. The Active-X blue bar will appear within your browser, as shown below. click on this to permit the download of the DrayTek Active-X component:
Another warning will pop up, this time asking your confirmation that the Active-X plug-in can be installed on your local computer:
Next, just to scare you even further, there's yet another warning message. This will warn you that the Active-X plug-in is a third party application has not been certified by Microsoft directly. Let it continue anyway:
That's it; your tunnel will now be active just like a regular VPN, and you should now have access to the remote resources on your host network. The DrayTek SSL VPN client window will show the current tunnel status:
The 'Remove Virtual Driver on disconnecting' checkbox is an option to have the Active-X component removed from your client PC after you disconnect. This is recommended for a shared computer, but otherwise leaving it unchecked will mean that you can connect more quickly next time.
NOTICE : This document is © SEG Communications and may not be distributed without specific written consent. Information and products subject to change at any time without notice.