Catalyst 6500 Series WebVPN Services Module Configuration Guide, 1.1
Overview

Overview


This chapter provides an overview of the WebVPN Services Module, its features, and its modes of remote access, and has the following sections:

Understanding WebVPN

Modes of Remote Access

Understanding WebVPN

The WebVPN Services Module is a Layer 4-through-Layer 7 services module that you can install in the Catalyst 6500 series switch. WebVPN allows end users to establish a secure, remote-access VPN tunnel using a web browser; no software or hardware client is required. WebVPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTPS Internet sites. WebVPN uses the Secure Sockets Layer protocol and its successor, Transport Layer Security (SSL/TLS), to provide a secure connection between remote end users and the specific, supported internal resources that you configure at a central site. The WebVPN Services Module recognizes connections that need to be proxied, and its HTTP server interacts with the authentication subsystem to authenticate end users.

The network administrator provides access to WebVPN resources to end users on a group basis. End users have no direct access to resources on the internal network.

Connections on the WebVPN Services Module are very different from remote-access IPsec connections. In a WebVPN connection, the WebVPN Services Module acts as a proxy between the end user's web browser and the target web servers. When a WebVPN end user connects to an SSL-enabled web server, the WebVPN Services Module establishes the secure connection to that server and validates the server's SSL certificate itself. The end user's browser never receives the server's certificate, so it cannot examine or validate it; that check is entirely the module's responsibility.

Modes of Remote Access

End user login and authentication are done by the web browser to the secure gateway using an HTTP request. This process creates a session that is referenced by a cookie. After authentication, the end user is shown a portal page that provides access to the WebVPN networks, and every subsequent request that the browser sends includes the authentication cookie. The portal page lists all of the resources available on the internal networks. For example, the portal page could provide a link that allows the end user to download and install a thin-client Java applet (for TCP port forwarding) or a tunneling client.

Figure 1-1 shows an overview of the remote access modes.

Figure 1-1 Modes of Remote Access Overview

A. Clientless Mode

Browser-based (clientless)

Web-enabled applications, file sharing (CIFS), Outlook Web Access (OWA)

Gateway performs address or protocol conversion and content parsing and rewriting

B. Thin-client Mode

TCP port forwarding

Uses Java applet

Extends application support

Telnet, e-mail, SSH, Meeting Maker, Sametime

Static port-based applications

C. Tunnel Mode

Works like "clientless" IPsec

Tunnel client loaded through Java or ActiveX (approximately 500 kB)

Application agnostic—supports all IP-based applications

Scalable

Administrator permission for installation


The three supported modes of remote access are described in the following sections:

Clientless Mode

Thin-Client Mode

Tunnel Mode

Clientless Mode

In clientless mode, the end user accesses the internal or corporate network using the web browser on the client machine.

The following applications are supported in clientless mode:

Web browsing (using HTTP and secure HTTP [HTTPS])—provides a URL box and a list of web server links in the portal page that allows the end user to browse the web.

File sharing (using common Internet file system [CIFS])—provides a list of file server links in the portal page that allows the end user to do the following operations:

Browse a network (listing of domains)

Browse a domain (listing of servers)

Browse a server (listing of shares)

List the files in a share

Create a new file

Create a directory

Rename a directory

Update a file

Download a file

Remove a file

Rename a file

Web-based e-mail, such as Microsoft Outlook Web Access (OWA) 2003 (using HTTP and HTTPS) with Web Distributed Authoring and Versioning (WebDAV) extensions—provides a link that allows the end user to connect to the Exchange server and read web-based e-mail.
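Clientless mode works only because the gateway parses and rewrites the content it proxies (Figure 1-1) so that links on internal pages point back at the gateway rather than at hosts the browser cannot reach. The following Python is an added illustration, not code from the WebVPN Services Module; it assumes a hypothetical gateway address and a hypothetical /proxy/<scheme>/<host>/ path layout, uses a constructed list of published hosts, and rewrites only links to those hosts while leaving relative, mailto:, javascript: and unpublished links untouched.

```python
import re
from urllib.parse import urlsplit

# Assumed (hypothetical) gateway address and path layout for proxied internal servers:
#   https://<gateway>/proxy/<scheme>/<host>[:<port>]<path>
GATEWAY = "https://webvpn.example.com"
# Constructed list of the internal hosts the administrator has published.
PUBLISHED_HOSTS = {"intranet.example.internal", "owa.example.internal"}

# Quoted href=, src= and action= attribute values in proxied HTML.
ATTR_RE = re.compile(r'''(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>[^"']*)(?P=q)''', re.I)

def rewrite_url(url, page_scheme, page_host):
    """Point a link at the gateway if, and only if, it targets a published host.
    Relative, mailto:, javascript:, data: and unpublished-host links are left alone."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname:
        scheme, host, port, path = parts.scheme, parts.hostname, parts.port, parts.path or "/"
    elif not parts.scheme and not parts.netloc and url.startswith("/"):
        scheme, host, port, path = page_scheme, page_host, None, parts.path  # root-relative
    else:
        return url
    if host.lower() not in PUBLISHED_HOSTS:
        return url          # the gateway proxies only what the administrator published
    target = f"{GATEWAY}/proxy/{scheme}/{host.lower()}"
    if port:
        target += f":{port}"
    target += path
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target

def rewrite_html(html, page_scheme, page_host):
    """Rewrite every quoted href/src/action attribute in a proxied page."""
    def sub(m):
        new = rewrite_url(m.group("url"), page_scheme, page_host)
        return m.group("attr") + m.group("q") + new + m.group("q")
    return ATTR_RE.sub(sub, html)

# Constructed sample page as the gateway would receive it from the intranet server.
SAMPLE_PAGE = ('<a href="http://intranet.example.internal/docs/index.html?x=1#top">Docs</a>\n'
               "<img src='/images/logo.png'>\n"
               '<form action="https://owa.example.internal:8443/exchange/">\n'
               '<a href="https://www.example.com/">Public site</a>\n'
               '<a href="mailto:help@example.com">Help</a>')
```

Static attribute rewriting like this does not catch URLs that scripts assemble at run time; a production rewriter also has to parse CSS and JavaScript, which is where the content parsing listed in Figure 1-1 becomes the hard part.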

Thin-Client Mode

Thin-client mode, also called TCP port forwarding, assumes that the client application uses TCP to connect to a well-known server and port.

In thin-client mode, the end user downloads a Java applet by clicking on the link provided on the portal page. The Java applet acts as a TCP proxy on the client machine for the services that you configure on the gateway.

The applications that are supported in thin-client mode are mainly e-mail-based (SMTP, POP3, and IMAP4) applications.


Note The TCP port forwarding proxy works only with the Sun 1.4 Java virtual machine (JVM) or a later release. The portal HTML is written so that the browser attempts to download the 1.4 JVM. The applet also checks the version of the JVM that is running it and refuses to run under an incompatible version.


The Java applet initiates an HTTP request from the end user's client to the WebVPN gateway. The name and port number of the internal e-mail server are included in the HTTP request (POST or CONNECT). The WebVPN gateway then creates a TCP connection to that internal e-mail server and port.

The Java applet starts a new SSL connection for every client connection.

You should observe the following restrictions when using thin-client mode:

The end user must allow the Java applet to download and install.

You cannot use thin-client mode for applications such as FTP, where the ports are negotiated dynamically. You can use TCP port forwarding only with static ports.

For applications to work seamlessly, you should give administrative privileges to end users. If you do not give administrative privileges to end users, then the end users must manually change the client program settings so that applications work properly.
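On the gateway side of thin-client mode, the applet's CONNECT request carries the internal server name and port, and the gateway should open the TCP connection only for a request that carries a valid session cookie and only to a service in its static port-forwarding list. The following Python is an added example of that decision, not the module's code; the cookie name, session table, forwarding list and sample requests are all constructed placeholders.

```python
import re
from typing import Optional, Tuple

# Constructed placeholders: session table behind the authentication cookie, the assumed
# cookie name, and the static port-forwarding list configured for thin-client mode.
SESSIONS = {"c0ffee-session": "alice"}   # cookie value -> authenticated user
COOKIE_NAME = "webvpn"
FORWARD_LIST = {("mail.example.internal", 25),    # SMTP
                ("mail.example.internal", 110),   # POP3
                ("mail.example.internal", 143)}   # IMAP4
REQUEST_LINE = re.compile(r"^CONNECT (?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5}) HTTP/1\.[01]$")

def parse_request(raw: bytes) -> Tuple[str, dict]:
    """Split the request head into its first line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def session_user(headers: dict) -> Optional[str]:
    """Return the user bound to the session cookie, or None if there is no valid session."""
    for item in headers.get("cookie", "").split(";"):
        name, _, value = item.strip().partition("=")
        if name == COOKIE_NAME:
            return SESSIONS.get(value)
    return None

def authorize_forward(raw: bytes) -> Tuple[int, Optional[Tuple[str, int]]]:
    """Decide the gateway's answer to a CONNECT: (status, target); target is set only on 200."""
    request_line, headers = parse_request(raw)
    m = REQUEST_LINE.match(request_line)
    if not m:
        return 400, None        # not the CONNECT form the applet sends
    if session_user(headers) is None:
        return 403, None        # no authenticated session: refuse before opening any TCP connection
    target = (m.group("host").lower(), int(m.group("port")))
    if target not in FORWARD_LIST:
        return 403, None        # only the configured static ports are forwarded
    return 200, target

# Constructed sample requests as the applet would send them to the gateway.
IMAP_OK = b"CONNECT mail.example.internal:143 HTTP/1.1\r\nHost: gw\r\nCookie: webvpn=c0ffee-session\r\n\r\n"
NO_COOKIE = b"CONNECT mail.example.internal:143 HTTP/1.1\r\nHost: gw\r\n\r\n"
FTP_NOT_PUBLISHED = b"CONNECT files.example.internal:21 HTTP/1.1\r\nHost: gw\r\nCookie: webvpn=c0ffee-session\r\n\r\n"
```

The FTP sample is refused for the reason the restrictions above give: its data ports are negotiated dynamically, so an administrator can never publish them as a static (host, port) pair.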

Tunnel Mode

In a typical clientless remote-access scenario, end users establish an SSL tunnel to move data to and from the internal networks at the application layer (for example, web and e-mail). In tunnel mode, end users use an SSL tunnel to move data at the network (IP) layer, so tunnel mode supports most IP-based applications, including many popular corporate applications (for example, Microsoft Outlook, Microsoft Exchange, Lotus Notes e-mail, and Telnet).

The tunnel connection is determined by the group policy configuration. The SSL VPN client (SVC) is downloaded and installed on the end user's PC, and the tunnel connection is established when the end user logs into the WebVPN gateway.

By default, the SVC is removed from the client PC after the connection is closed. However, you have the option to keep the SVC installed on the client PC.