User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 29 Managing Remote Access VPNs: The Basics
Understanding Remote Access VPNs
Figure 29-1 Secure SSL VPN Access Example
SSL VPN Access Modes
SSL VPN provides three modes of remote access on IOS routers: Clientless, Thin Client and Full Client.
On ASA devices, there are two modes: Clientless (which includes Clientless and Thin Client port
forwarding) and AnyConnect Client (a full client).
Clientless Access Mode
In Clientless mode, the remote user accesses the internal or corporate network using a Web browser on
the client machine. No applet downloading is required.
Clientless mode is useful for accessing most content that you would expect in a Web browser, such as
Internet access, databases, and online tools that employ a Web interface. It supports Web browsing (using
HTTP and HTTPS), file sharing using Common Internet File System (CIFS), and Outlook Web Access
(OWA) email. For Clientless mode to work successfully, the remote user’s PC must be running Windows
2000, Windows XP, or Linux operating systems.
Browser-based SSL VPN users connecting from Windows operating systems can browse shared file
systems and perform the following operations: view folders, view folder and file properties, create,
move, copy, copy from the local host to the remote host, copy from the remote host to the local host, and
delete. Internet Explorer indicates when a Web folder is accessible. Accessing this folder launches
another window, providing a view of the shared folder, on which users can perform web folder functions,
assuming the properties of the folders and documents permit them.
Thin Client Access Mode
Thin Client mode, also called TCP port forwarding, assumes that the client application uses TCP to
connect to a well-known server and port. In this mode, the remote user downloads a Java applet by
clicking the link provided on the portal page. The Java applet acts as a TCP proxy on the client machine
for the services configured on the SSL VPN gateway. The Java applet starts a new SSL connection for
every client connection.
The Java applet initiates an HTTP request from the remote user client to the SSL VPN gateway. The
name and port number of the internal email server are included in the HTTP request. The SSL VPN
gateway creates a TCP connection to that internal email server and port.
Thin Client mode extends the capability of the cryptographic functions of the Web browser to enable
remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail
Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and Secure Shell (SSH).
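The gateway-side decision described above, modeled as an added example that is not part of the Cisco guide or product code: the gateway opens a TCP connection only when the server name and port in the applet's HTTP request match a configured port-forwarding entry. The CONNECT-style request line, the host names, and the function names are assumptions made for illustration; the guide does not specify the request format.

```python
"""Model of the gateway check in Thin Client (TCP port forwarding) mode."""
import re
from typing import NamedTuple, Optional


class Forward(NamedTuple):
    host: str
    port: int


# Constructed sample of services configured on the gateway (hypothetical names).
CONFIGURED_FORWARDS = frozenset({
    Forward("mail.corp.example", 110),  # POP3
    Forward("mail.corp.example", 25),   # SMTP
    Forward("mail.corp.example", 143),  # IMAP
    Forward("jump.corp.example", 22),   # SSH
})

# Assumed request-line shape: "CONNECT host:port HTTP/1.x".
_REQUEST_LINE = re.compile(r"CONNECT ([A-Za-z0-9.-]+):([0-9]{1,5}) HTTP/1\.[01]")


def parse_target(request_line: str) -> Optional[Forward]:
    """Extract the requested server name and port, or None if malformed."""
    match = _REQUEST_LINE.fullmatch(request_line.strip())
    if match is None:
        return None
    port = int(match.group(2))
    if not 1 <= port <= 65535:
        return None
    # Normalize case and a trailing dot so comparison is exact.
    return Forward(match.group(1).lower().rstrip("."), port)


def authorize(request_line: str) -> Optional[Forward]:
    """Return the target only if it is a configured forward; otherwise None."""
    target = parse_target(request_line)
    if target is None or target not in CONFIGURED_FORWARDS:
        return None  # Deny by default: no connection to unlisted hosts or ports.
    return target


if __name__ == "__main__":
    for line in ("CONNECT mail.corp.example:110 HTTP/1.1",
                 "CONNECT db.corp.example:1433 HTTP/1.1"):
        print(line, "->", authorize(line))
```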