The Cisco® WebVPN Services Module (Figure 1) is a high-speed, integrated Secure Sockets Layer (SSL) VPN services module for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers, complementing the existing capabilities in the Cisco portfolio of remote-access products.
Figure 1. The Cisco WebVPN Services Module
Today's increasingly sophisticated and mobile workforces are demanding remote access from multiple fixed and wireless devices, and want access as if they were on their local corporate networks. SSL VPNs offer users the benefit of "anywhere access." Because SSL is included in standard browsers like Microsoft Internet Explorer and Netscape, SSL VPNs offer the possibility of a clientless solution. Users can access their applications from anywhere they have Internet access: from an airport kiosk, from another person's computer, or even using a wireless device. SSL VPNs also work over broadband networks. In addition, SSL VPNs can successfully traverse firewalls and can handle network address translation (NAT) issues, which can be problematic with IP Security (IPsec)-based VPNs.
With the Cisco WebVPN Services Module based on SSL VPN technology, salespeople can download corporate customer relationship management data from the field. Manufacturing plant managers can track inventories and place orders before supplies reach critically low levels. Doctors can transmit prescription authorization from the bedside of a patient. Shop-floor managers at manufacturing firms can place on-the-spot orders.
The Cisco WebVPN Services Module provides easy access to a broad range of Web resources and Web-enabled applications, from almost any computer that can reach Secure HTTP (HTTPS) Internet sites. The module uses the SSL protocol and its successor, Transport Layer Security (TLS), to provide a secure connection between remote users and specific, supported internal resources that are configured at a central site.
The Cisco WebVPN Services Module delivers clientless, thin-client, and SSL tunneling client access methods, enabling the appropriate level of application access based on the end-system deployment environment, such as employees, extranets, and non-company-managed devices. With the SSL VPN Client for WebVPN, Cisco delivers a lightweight, centrally configured, easy-to-support SSL VPN tunneling client that allows access to virtually any application. The SSL VPN Client for WebVPN is compatible with any SSL-enabled browser and is dynamically pushed to the user. Clientless access with the Cisco WebVPN Services Module allows users to connect with few requirements beyond a basic Web browser; once connected, they can access Web servers or other resources such as shared files and e-mail through Microsoft Outlook Web Access 2003.
The Cisco WebVPN Services Module is an integrated services module for Cisco Catalyst 6500 Series and Cisco 7600 Series products. A single module is capable of supporting up to 8000 simultaneous users and up to 32,000 concurrent connections. Up to four modules can be supported in a single chassis to support up to 32,000 simultaneous SSL VPN users and 128,000 connections. The scalability and unique virtualization capabilities of the Cisco WebVPN Services Module make it an ideal solution for managed service providers, and simplify the policy creation and enforcement requirements in large enterprises with diverse user populations.
The Cisco WebVPN Services Module allows any port on a Cisco Catalyst 6500 Series or Cisco 7600 Series device to operate as an SSL VPN port. This is especially important when rack space is at a premium. With the module, the Cisco Catalyst 6500 Series truly emerges as the IP services switching platform of choice for customers that require intelligent services such as firewall services, intrusion detection, and VPN, along with multilayer LAN, WAN, and MAN switching capabilities.
Virtualization and VRF Awareness
Virtualization technology is a way to pool resources while masking the physical attributes and boundaries of the resources from the resource users. Up to 128 virtual routing and forwarding (VRF)-aware virtual contexts are supported per module.
Two primary models are used to map a user to a VRF context:
• Single-IP model-Users of different enterprises establish VPN sessions to the single HTTPS proxy. The actual user-to-VRF mapping is done through either the URL name used in the browser or the login name used in the login process.
• Multiple-IP model-Users of different enterprises establish VPN sessions to the multiple HTTPS proxies; one enterprise per HTTPS proxy. The user-to-VRF mapping is implied by the HTTPS proxy instance.
Each VRF context supports the following network resources:
• Per-VRF authentication, authorization, and accounting (AAA) server-For user authentication
• Per-VRF domain name system (DNS) server-For enterprise-level name resolving
• Per-VRF default gateway-For routing IP packets within the VRF domain
• Per-VRF maximum-user-allowed-For enterprise-level admission control
Advanced Endpoint Security
A primary component of the Cisco WebVPN Services Module, Cisco Secure Desktop offers pre-connection security posture assessment and seeks to minimize data such as cookies, browser history, temporary files, and downloaded content from being left behind after an SSL VPN session terminates.
Broad Application Support for SSL VPN
The Cisco WebVPN Services Module offers extensive application support through its dynamically downloaded SSL VPN client, enabling network-layer connectivity to virtually any application. The module's truly clientless support for Web-based applications allows a low-overhead extension of network resources to VPN users through a standard Web browser. Pure clientless and thin-client port forwarding options may be deployed for environments with limited application access requirements, such as extranets.
IPsec and SSL are complementary technologies that address unique user access requirements; both may be necessary in order for a company to meet the needs of a diverse user base. Support for both IPsec and SSL VPN allows businesses to choose the most appropriate technology for users accessing the network through different scenarios. This provides maximum flexibility and application access all on one platform, alleviating the need to deploy and manage separate infrastructures.
Ease of Deployment
The Cisco WebVPN Services Module comes with integrated device manager support. This helps configure and provision the module without the need for an external element management system, providing a ready-to-deploy solution.
Modes of Operation
The following applications are supported in clientless mode (they all rely on the Web browser as the client):
• Web browsing (HTTP/HTTPS)
• File sharing (Common Internet File System [CIFS])
• Web e-mail such as Microsoft Outlook Web Access (HTTP/HTTPS) with WebDAV extensions
The applications supported in the thin-client mode (TCP Port Forwarding, for example) support TCP/IP client server applications such as mail-based applications (SMTP, POP3, and IMAP4, for example), terminal services, instant messaging, and Telnet.
Tunnel mode redirects a user's VPN traffic at the network layer through an SSL tunnel, providing support for most IP-based applications. While other SSL VPN operation modes offer a limited set of application support, the tunnel mode supports almost all of the popular corporate applications, including Meeting-Maker, Microsoft Outlook, Microsoft Exchange, Lotus Notes E-Mail, and Telnet. Even some legacy applications, such as 3270 terminal emulation, can be supported.
Table 1 lists the features of the Cisco WebVPN Services Module, and Table 2 lists system requirements.
Table 1. Feature Availability
• Up to 8000 users
• Up to 300 Mbps
• Up to 64 SSL VPN virtual contexts and 64 gateways
• Up to 4 modules in a chassis
Ability to divide into multiple contexts, with each context as a complete logical representation of the WebVPN Services Module, complete with separate policies and configuration
• VRF mapping
• Single-IP model (URL-based or login-name-based)
• Multiple-IP model
• Per-VRF AAA server
• Per-VRF DNS server
• Per-VRF gateway
• Per-VRF number of users
• Windows NT, Active Directory, UNIX NIS
• Group-based access control using Cisco Secure Access Control Server (ACS)
WebVPN Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series
WebVPN Services Module (spare)
WebVPN Services Module Software 1.1
WebVPN Services Module Software 1.1 (spare)
Cisco WebVPN Services Module comes with the 2500 users configured with the base system. There is no additional licensing required for 2500 users. For additional users, please use the following part numbers.
Table 4. User Licensing
Cisco Catalyst 6500 and Cisco 7600 WebVPN 5000 user license
Cisco Catalyst 6500 and Cisco 7600 WebVPN 8000 user license
Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services.