Solved

Aventail SSL VPN vs. Cisco 3000 IPSec/WebVPN

Posted on 2004-03-22
6
994 Views
Last Modified: 2012-08-14
Our company has been doing extensive research into VPN technology.  We currently connect employees into our network using dialup, so are about to proceed with broadband access via VPN.  We have no requirement as yet for site-to-site connectivity via the Internet.  

After some digging, we concluded that an SSL VPN would be the easiest, most cost-effective option, and also has the added benefit of allowing kiosk-based access (which greatly impressed management).  We trialed Aventail's EX-1500 and decided it was a good thing - it allowed browser-based access to any Web-enabled application, allowed most client/server applications to be accessed via a Java port forwarding applet (no client on the desktop), and also had an SSL-based Windows client for "power" users.  We loved the idea that we wouldn't have to go with an IPSec client for our "power" users, because we feared the issues associated with IPSec clients like support for IPSec tunnels/NAT etc from behind firewalls in hotels and other remote environmnents - pluss, we didn't want to have to maintain all those network configuration settings on a client-based piece of software.

Having said that, Cisco have now gone and released an IPSec/SSL blended VPN offering, which allows remote access to Web-enabled and most TCP client/server applications without any client on the user's desktop (via the SSL VPN half of the concentrator), and "power" users still need an IPSec client on their desktop.  It gives us the flexibility of remote access from anywhere with any device to to most things, however does have the downside of needing an IPSec client to be deployed and managed for "power" users.

I want to be sure that I am not being swayed by the marketing hype surrounding SSL VPNs - their existence is based upon hilighting the perceived "issues" with IPSec-based clients on the desktop.  My questions are:
1). Does anyone have any REAL experience with the Cisco 3000 series WebVPN features - do they work, are they robust, and how do they compare to Aventail's offering?  
2). Are the issues with NAT and firewall support at remote locations (e.g. hotels) for IPSec REAL or are they just theoretical possibilities that SSL VPN vendors are using to market their products?
3). Finally, are IPSec clients really that complex to manage?  What if a network configuration changes - do all clients have to be updated?
0
Comment
Question by:freemchr
  • 2
6 Comments
 
LVL 2

Expert Comment

by:ministry92
ID: 10658368
who is Aventail ?
0
 
LVL 11

Accepted Solution

by:
PennGwyn earned 125 total points
ID: 10660913
I haven't explored the WebVPN side, but I've used the IPSEC side of the 3000 line, with very few problems.  The client does UDP encapsulation to get around most NAT issues that can interfere with VPN; I'd expect the web side to cover any that remain.  (For instance, it's not clear to me that UDP encapsulation can always cope with two VPN clients behind the same NAT device simultaneously, and some firewalls don't pass GRE, etc protocols.  Having a web/SSL fallback sounds like a great idea.)

As I recall, the primary client config was the FQDN/IP of the 3000 outside interface.  No sweat.

0
 
LVL 2

Assisted Solution

by:ministry92
ministry92 earned 125 total points
ID: 10667517
#1)  no expierence with Aventail, so I can't compare.  However, Cisco's offerings are usually pretty robust in flexibilty and features.  

#2) They are real. IPSecy no likey nattie

#3) One side of the VPN must be static.  IF not, you can use a dyndns.org type of a service.  Once its setup, it runs.  There isn't much to manage.

  I would recomend looking into Sonic wall.  I'm a huge Cisco fan but thier VPN's are just pain in the neck complex to administer.  Sonicwall is much more gui and easier to configure and offers ssl.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Port forwarding 14 116
Network Router- Access control List 4 53
How to make my old USB printer wireless? 71 152
Hyper-V VM not connected 1 77
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now