IPsec VPNs are the clear choice for secure site-to-site communication, independent of application. The more difficult question is how to map remote user applications onto IPsec and/or SSL VPN access methods.
IPsec VPNs can support any IP-based application. SSL VPNs, by contrast, can offer up to four access methods: simple Web proxies, application translators, port-forwarding agents and network extension clients.
- Simple proxies are great for applications that have Web front ends, like webmail or enterprise application portals.
- SSL VPN translators can do more, but a specific translator must be created for each application. Most products include translators for common business applications like enterprise mail, file sharing and remote terminal sessions. However, translator plug-ins must be developed to support less common or proprietary applications.
- Port-forwarding agents treat every application the same way. That means they can support most user-initiated TCP client/server applications. However, they often require the user to have admin rights.
- Finally, like IPsec clients, SSL network extension clients can tunnel any IP-based application. These clients are needed to support server push and real-time applications, but they require installed software.
VARs must understand that not all SSL VPNs are alike. Work closely with your VPN vendors to understand the applications they can support and the limitations of each access method offered. When in doubt, ask your vendor whether they have actually tested the specific applications and versions required by a customer.
This was first published in December 2007.