VPN without VPN software?
January 29, 2010 9:48 AM
How to do a VPN without client VPN software?
There was once an excellent product called SSL Explorer which used Java to establish a VPN to an internal network via a web-page, so basically a clientless VPN. Although Barracuda Networks purchased that product and made it proprietary, the old version is still downloadable and there was a fork called Adito, but development seems to have stalled.
To the nub of the question: I've tried getting my remote users to install OpenVPN to connect to a campus network, but they are having difficulties, especially where Windows Vista is involved (UAC mostly). Is there a simpler way to join remote clients to my network without requiring client software, something like SSL Explorer?
I have one or two users who take a triumphalist approach to the fact that they can't set up OpenVPN on Vista, kind of like it was an achievement -- beat you again, geek boy! So something which requires zero installation would be ideal, believe me. These are senior people so I don't get to be all BOFH with them.
Best answer: SSL VPNs usually fit the bill pretty well - if the client's browser is supported, the access is usually accomplished via a Java plugin or ActiveX control.
NB: my employer sells a product in the SSL VPN space.
posted by jquinby at 9:54 AM on January 29, 2010
Best answer: SSL VPNs:
Top products in this space are from F5, Nortel, Cisco. Everyone pretty much has one these days.
Alternatives, tunneling over ssh, pptp, ipsec vpn..
Free stuff, well you've already tried OpenVPN, I'd spend some cash and get a cheapo low-end Cisco ASA or 1800 series router with SSL VPN licenses...
posted by iamabot at 10:15 AM on January 29, 2010
was there a reason not to go with the Barracuda product? it seems to do the things you want - it gives you the SSL VPN functionality, so you don't necessarily have to install a client. Juniper and Cisco also make appliances that provide this sort of thing. if it's just web apps they need to get to, you could also set up a SOCKS proxy or something of that nature as well, and then use the built-in proxy support (or a Web browser downloadable with their stuff already set up - maybe a copy of Portable Firefox?) to connect.
posted by mrg at 10:34 AM on January 29, 2010
Response by poster: Thanks for the responses so far -- SSL VPNs are a class of product I wasn't aware of, with my admittedly limited networking knowledge. To answer the points raised:
1. Windows PPTP would work but there is some setting up to do, so that might be a bit awkward. I had problems setting it up on my own Vista PC with a problem for which there seemed to be no resolution.
2. The Barracuda box is probably fine but it is a dedicated box so I would prefer to try the software solutions first. But I'm not averse to using a commercial product if necessary.
3. @iamabot, thanks for the names, I'll look into those.
Would still welcome other suggestions if anyone has anything else to contribute!
posted by BrokenEnglish at 10:44 AM on January 29, 2010
What do you need to do on this vpn? Have you thought of joining live mesh and using that to remote desktop into the computers you need?
posted by majortom1981 at 10:54 AM on January 29, 2010
Depending on the number of users (or more accurately, concurrent sessions) you will need to support, SSL VPN appliances can be had for around $400. The more users you have, the more work for the box, the bigger the hardware, and so goes the price.
posted by jquinby at 11:04 AM on January 29, 2010
Oh, it's for a campus. The best way, I would say, is the Windows built-in client. It would be the easiest client to walk people through on the phone.
With most VPN software, though, you should be able to include a config file so that all they have to do is set up the software on their machines.
posted by majortom1981 at 11:48 AM on January 29, 2010
Add Checkpoint to your list of vendors.
posted by GJSchaller at 2:02 PM on January 29, 2010
Best answer: I know you don't want an appliance... but to be honest, I've looked high and low for a good, open, flexible solution - I've never found one.
The best one I've ever used, and still do, is a Juniper SSLVPN device.
The name is somewhat misleading - they don't necessarily only rely on SSL - and they aren't strictly "clientless" - to allow full network tunnelling, they do install a client, but it will be either an ActiveX applet or signed Java applet, to which you give full permission to the system. I believe in full tunnel mode it will attempt to use other protocols if available (IPsec, etc) - but fall back on a TCP/SSL tunnel if it has to (there are performance gains to the former).
They are extremely flexible, and they work in Windows, OS X, and Linux (Linux requires some tweaking occasionally, depending). They also provide plenty of other options besides actual network tunnelling - partial tunneling, reverse-web-proxy, SMB file browsing, and so on - with great logging and security. (I know I sound like a Juniper plant, but I'm not - I just like them).
Getting that thing put in just made handling remote access SO easy....
posted by TravellingDen at 6:17 PM on January 29, 2010
Windows natively supports PPTP. Client-side setup is pretty easy. Why not just have them use that?
posted by damn dirty ape at 9:52 AM on January 29, 2010