Alternative to Cisco VPN client?

Discussion in 'Cisco' started by admin too, May 5, 2004.

  1. admin too

    admin too Guest

    Are they working on something which can work over 443 or 80? I'm tired of
    traveling execs calling for support when they can't tunnel through someone
    else's corporate network or some hotels, for example Embassy Suites. I like
    that the Cisco VPN Client is free, and it works for all my users at home,
    but it can't tunnel through half the hotels broadband (Courtyard Marriott
    has worked well consistently, by the way) and most corporate networks, and
    most which Cisco firewalls.

    Any ideas?

    Thanks!
    admin too, May 5, 2004
    #1

  2. admin too

    Joce Guest

    admin too wrote:

    > Are they working on something which can work over 443 or 80? I'm tired of
    > traveling execs calling for support when they can't tunnel through someone
    > else's corporate network or some hotels, for example Embassy Suites. I
    > like that the Cisco VPN Client is free, and it works for all my users at
    > home, but it can't tunnel through half the hotels broadband (Courtyard
    > Marriott has worked well consistently, by the way) and most corporate
    > networks, and most which Cisco firewalls.
    >
    > Any ideas?
    >
    > Thanks!


    I think the new OS on VPN30XX supports SSL/VPN (clientless VPN)

    Ciao
    Joce, May 5, 2004
    #2

  3. admin too

    admin too Guest

    "Joce" <> wrote in message
    news:eek:%8mc.27212$...
    > admin too wrote:
    >
    > > Are they working on something which can work over 443 or 80? I'm tired of
    > > traveling execs calling for support when they can't tunnel through someone
    > > else's corporate network or some hotels, for example Embassy Suites. I
    > > like that the Cisco VPN Client is free, and it works for all my users at
    > > home, but it can't tunnel through half the hotels broadband (Courtyard
    > > Marriott has worked well consistently, by the way) and most corporate
    > > networks, and most which Cisco firewalls.
    > >
    > > Any ideas?
    > >
    > > Thanks!

    >
    > I think the new OS on VPN30XX supports SSL/VPN (clientless VPN)
    >


    I'm not familiar with that. Is that the concentrators only, and not on the
    PIX firewalls?

    Thanks!
    admin too, May 5, 2004
    #3
  4. admin too

    Scooby Guest

    "Joce" <> wrote in message
    news:eek:%8mc.27212$...
    > admin too wrote:
    >
    > > Are they working on something which can work over 443 or 80? I'm tired of
    > > traveling execs calling for support when they can't tunnel through someone
    > > else's corporate network or some hotels, for example Embassy Suites. I
    > > like that the Cisco VPN Client is free, and it works for all my users at
    > > home, but it can't tunnel through half the hotels broadband (Courtyard
    > > Marriott has worked well consistently, by the way) and most corporate
    > > networks, and most which Cisco firewalls.
    > >
    > > Any ideas?
    > >
    > > Thanks!

    >
    > I think the new OS on VPN30XX supports SSL/VPN (clientless VPN)
    >
    > Ciao


    Well, it does and it doesn't. I've done a fair amount of research on this
    recently. The Cisco VPN30XX device really only does a "reverse proxy".
    That means that it will let you connect SSL and get a menu which will proxy
    web based applications. That means you can't really "tunnel". If you want
    true application support, you will need a true vpn or something like Citrix.
    There are quite a few of SSL/VPN devices out there, some with more features
    than others. I demo'd the Cisco, Netilla, Neoteris, BlueCoat and Aventail.

    In my opinion, the Neoteris had the best functionality and flexibility of
    them all. They too, offer the reverse proxy for web apps, files and a
    couple other things. But, for true vpn capability, they have a downloadable
    client - easy to download/install (must be admin). And the configs are
    stored on the server, so there is no setup for the client.

    These devices are pricy, in my opinion, especially when compared to
    traditional vpn solutions such as the Cisco VPN. However, I think they are
    worth it.

    BTW - Neoteris was bought by Netscreen, which was bought by Juniper. Here
    is info on their product:
    http://www.juniper.net/products/ssl/
    Scooby, May 5, 2004
    #4
  5. admin too

    Joce Guest

    admin too wrote:

    >
    > "Joce" <> wrote in message
    > news:eek:%8mc.27212$...
    >> admin too wrote:
    >>
    >> > Are they working on something which can work over 443 or 80? I'm tired of
    >> > traveling execs calling for support when they can't tunnel through someone
    >> > else's corporate network or some hotels, for example Embassy Suites. I
    >> > like that the Cisco VPN Client is free, and it works for all my users
    >> > at home, but it can't tunnel through half the hotels broadband
    >> > (Courtyard Marriott has worked well consistently, by the way) and most
    >> > corporate networks, and most which Cisco firewalls.
    >> >
    >> > Any ideas?
    >> >
    >> > Thanks!

    >>
    >> I think the new OS on VPN30XX supports SSL/VPN (clientless VPN)
    >>

    >
    > I'm not familiar with that. Is that the concentrators only, and not on the
    > PIX firewalls?
    >
    > Thanks


    SSL VPN is on concentrator only. With the PIX all you can have is IPSec in
    UDP (starting with version 6.3.1)
    Joce, May 5, 2004
    #5
  6. admin too

    Rik Bain Guest

    On Wed, 05 May 2004 10:11:51 -0500, admin too wrote:

    > Are they working on something which can work over 443 or 80? I'm tired
    > of traveling execs calling for support when they can't tunnel through
    > someone else's corporate network or some hotels, for example Embassy
    > Suites. I like that the Cisco VPN Client is free, and it works for all
    > my users at home, but it can't tunnel through half the hotels broadband
    > (Courtyard Marriott has worked well consistently, by the way) and most
    > corporate networks, and most which Cisco firewalls.
    >
    > Any ideas?
    >
    > Thanks!


    WebVPN is supported on the VPN3000. Works somewhat like SSH in that you
    can forward TCP ports from localhost to a device on the other side. The
    3000 can also do TCP tunneling in 3.6.x and up.

    NAT-T is most likely what you would benefit from the most. It will start
    ISAKMP on UDP/500 then jump to UDP/4500 if NAT is detected anywhere in
    between. Supported on PIX, IOS and 3000.

    Rik Bain
    Rik Bain, May 5, 2004
    #6
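
The NAT detection step mentioned in the post above, as an added example that is not part of the original thread: RFC 3947 peers exchange NAT-D hashes of the addresses they believe they are using, and a mismatch with the addresses actually seen on the wire triggers the move from UDP/500 to UDP/4500. The cookies, addresses and function names are constructed for illustration, and SHA-1 stands in for whatever hash the peers negotiated.

```python
import hashlib
import socket
import struct

IKE_PORT, NAT_T_PORT = 500, 4500

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def build_nat_d(cky_i, cky_r, local, remote):
    """Sender side: first hash covers the destination, the rest the source."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def check_nat_d(cky_i, cky_r, received, seen_src, seen_dst):
    """Receiver side: compare received hashes with the addresses actually
    seen on the packet. Returns (receiver_behind_nat, sender_behind_nat)."""
    expect_dst = nat_d_hash(cky_i, cky_r, *seen_dst)
    expect_src = nat_d_hash(cky_i, cky_r, *seen_src)
    return received[0] != expect_dst, expect_src not in received[1:]

def next_ike_port(receiver_behind_nat, sender_behind_nat):
    """Float to UDP/4500 as soon as either side is found behind a NAT."""
    return NAT_T_PORT if (receiver_behind_nat or sender_behind_nat) else IKE_PORT

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I, CKY_R = bytes(range(8)), bytes(range(8, 16))
CLIENT = ("192.168.1.50", 500)     # laptop on the hotel LAN
NATTED = ("203.0.113.7", 1027)     # what the hotel NAT rewrites it to
GATEWAY = ("198.51.100.10", 500)   # VPN head end

def demo():
    """Same client payloads, once through the NAT and once on a direct path."""
    payloads = build_nat_d(CKY_I, CKY_R, CLIENT, GATEWAY)
    via_nat = check_nat_d(CKY_I, CKY_R, payloads, NATTED, GATEWAY)
    direct = check_nat_d(CKY_I, CKY_R, payloads, CLIENT, GATEWAY)
    return next_ike_port(*via_nat), next_ike_port(*direct)

if __name__ == "__main__":
    print(demo())
```

NAT-D only detects address translation; a network that filters UDP/500 and UDP/4500 outright still blocks the tunnel, which is the case the TCP tunneling and SSL options in this thread address.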
  7. admin too

    Joce Guest

    Scooby wrote:

    > "Joce" <> wrote in message
    > news:eek:%8mc.27212$...
    >> admin too wrote:
    >>
    >> > Are they working on something which can work over 443 or 80? I'm tired of
    >> > traveling execs calling for support when they can't tunnel through someone
    >> > else's corporate network or some hotels, for example Embassy Suites. I
    >> > like that the Cisco VPN Client is free, and it works for all my users
    >> > at home, but it can't tunnel through half the hotels broadband
    >> > (Courtyard Marriott has worked well consistently, by the way) and most
    >> > corporate networks, and most which Cisco firewalls.
    >> >
    >> > Any ideas?
    >> >
    >> > Thanks!

    >>
    >> I think the new OS on VPN30XX supports SSL/VPN (clientless VPN)
    >>
    >> Ciao

    >
    > Well, it does and it doesn't. I've done a fair amount of research on this
    > recently. The Cisco VPN30XX device really only does a "reverse proxy".
    > That means that it will let you connect SSL and get a menu which will
    > proxy
    > web based applications. That means you can't really "tunnel". If you
    > want true application support, you will need a true vpn or something like
    > Citrix. There are quite a few of SSL/VPN devices out there, some with more
    > features
    > than others. I demo'd the Cisco, Netilla, Neoteris, BlueCoat and
    > Aventail.
    >
    > In my opinion, the Neoteris had the best functionality and flexibility of
    > them all. They too, offer the reverse proxy for web apps, files and a
    > couple other things. But, for true vpn capability, they have a
    > downloadable
    > client - easy to download/install (must be admin). And the configs are
    > stored on the server, so there is no setup for the client.
    >
    > These devices are pricy, in my opinion, especially when compared to
    > traditional vpn solutions such as the Cisco VPN. However, I think they
    > are worth it.
    >
    > BTW - Neoteris was bought by Netscreen, which was bought by Juniper. Here
    > is info on their product:
    > http://www.juniper.net/products/ssl/


    Thanks a lot... this is very instructive for me.
    Joce, May 5, 2004
    #7
  8. Scooby <> wrote:

    > Well, it does and it doesn't. I've done a fair amount of research on this
    > recently. The Cisco VPN30XX device really only does a "reverse proxy".
    > That means that it will let you connect SSL and get a menu which will proxy
    > web based applications. That means you can't really "tunnel". If you want
    > true application support, you will need a true vpn or something like Citrix.
    > There are quite a few of SSL/VPN devices out there, some with more features
    > than others. I demo'd the Cisco, Netilla, Neoteris, BlueCoat and Aventail.


    Actually Cisco's WebVPN does claim to do arbitrary port-forwarding; also
    there's native support for proxying email apps through the concentrator
    (imaps/pop3s/smtps proxy). The email and https proxies work OK, in my
    trial run the application forwarding was totally broken -- presumably
    the bugs in their Java code will get worked out at some point.

    --
    Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
    Eric Sorenson, May 10, 2004
    #8
  9. admin too

    Scooby Guest

    "Eric Sorenson" <> wrote in message
    news:...
    > Scooby <> wrote:
    >
    > > Well, it does and it doesn't. I've done a fair amount of research on this
    > > recently. The Cisco VPN30XX device really only does a "reverse proxy".
    > > That means that it will let you connect SSL and get a menu which will proxy
    > > web based applications. That means you can't really "tunnel". If you want
    > > true application support, you will need a true vpn or something like Citrix.
    > > There are quite a few of SSL/VPN devices out there, some with more features
    > > than others. I demo'd the Cisco, Netilla, Neoteris, BlueCoat and Aventail.
    >
    > Actually Cisco's WebVPN does claim to do arbitrary port-forwarding; also
    > there's native support for proxying email apps through the concentrator
    > (imaps/pop3s/smtps proxy). The email and https proxies work OK, in my
    > trial run the application forwarding was totally broken -- presumably
    > the bugs in their Java code will get worked out at some point.
    >
    > --
    > Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation

    Yes, they do this port forwarding through JSAM. It is a popular trick that
    most of the vendors are trying. In my opinion, it is not a good method of
    doing things and not even worth considering as a robust solution. The true
    vpn that the neoteris device uses is much, much, much better. Also, when
    they do this java port forwarding, it is not really clientless, as they all
    advertise. The client will need to download a java applet to make this
    work.
    Scooby, May 10, 2004
    #9
  10. Scooby <> wrote:

    > Yes, they do this port forwarding through JSAM. It is a popular trick that
    > most of the vendors are trying. In my opinion, it is not a good method of
    > doing things and not even worth considering as a robust solution. The true
    > vpn that the neoteris device uses is much, much, much better. Also, when
    > they do this java port forwarding, it is not really clientless, as they all
    > advertise. The client will need to download a java applet to make this
    > work.


    All true.

    How does Neoteris do it?

    --
    Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
    Eric Sorenson, May 11, 2004
    #10
  11. admin too

    Scooby Guest

    "Eric Sorenson" <> wrote in message
    news:...
    > Scooby <> wrote:
    >
    > > Yes, they do this port forwarding through JSAM. It is a popular trick that
    > > most of the vendors are trying. In my opinion, it is not a good method of
    > > doing things and not even worth considering as a robust solution. The true
    > > vpn that the neoteris device uses is much, much, much better. Also, when
    > > they do this java port forwarding, it is not really clientless, as they all
    > > advertise. The client will need to download a java applet to make this
    > > work.

    >
    > All true.
    >
    > How does Neoteris do it?
    >
    > --
    > Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation

    There is a client that downloads, similar to installing an ipsec client.
    However, it is very simple. You click on the link (button), the client
    installs and away it goes. All permissions are handled on the server, so
    there is no client config to load. Currently, there isn't a split tunnel
    option, per se. You can check a flag that allows access to the local
    network, but you can't define what routes are local and what routes are
    across the vpn. That supposedly will be upgraded in the next release. Once
    the connection is made, it is no different than a regular ipsec client, you
    get an ip address of the remote network, you have full access (or access as
    defined) to all network resources. It even resolves dns and wins based on
    settings you put in the server, so it can find your servers by name. This
    is a very nice setup. Netilla also has something very similar. The
    downside was that you only have one ip pool on the netilla and you have no
    control over who gets what ip. On the Neoteris, you still don't have the
    inherent capability of saying give this person this ip, but you can assign
    them to a pool. End result is you can make a pool for each person as
    needed. Again, this is something that is supposed to be changed in the next
    release.

    Neoteris does have the same email client setup and they have "meetings"
    where you can share desktop apps, etc... Overall, it is a nice solution.

    Let me know if you have any specific questions about how this works.

    Jim
    Scooby, May 11, 2004
    #11