It would be great if there were a clientless SSL VPN product like SSL-Explorer that used a Java applet for the client side but had the server written in something like C that would be far less resource intensive on the server and would run on pfSense. Does anyone know of such a beast?

Digger





Fuchs, Martin wrote:
Watchguard also has some "SSL-VPN" and I know the sales-man entering the boss' 
office...

But pfSense won...

We use OpenVPN cause the boss looks at the bucks it costs... and that was the 
argument :-)

Try OpenVPN on pfSense... you'll love it...

Only thing with WatchGuard: it uses SSL-VPN via browser... some kind like 
SSL-Explorer...

If your boss likes that, try the SSL-Explorer Community edition...

Regards,

Martin

-----Original Message-----
From: Michel Servaes [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 8 July 2008 21:57
To: [email protected]
Subject: Re: [pfSense Support] SSL VPN

I totally agree with you, but you know what happens if an external IT
man enters your office, and tells your boss that a solution like Juniper
is better than anything else...
So I am going to use your comments to discourage this kind of use... I
still like to have control of what comes in, and what goes out.

I haven't enabled OpenVPN on my pfSense... I have no knowledge about
OpenVPN.
I only use IPSEC for endpoint to endpoint, and PPTP for mobile
solutions, or colleagues who don't have an out-of-the-box VPN capable
router at home.

Thank you for your response already ;)



RB wrote:
Does pfSense offer an alternative to the Juniper SSL VPN solutions?

<rant>
It is unfortunate that Juniper seems to have somewhat subverted the
meaning of the phrase "SSL VPN".  IMO, the nomenclature indicates a
VPN that uses SSL for its authentication and encryption as opposed to,
say, IKE and ESP.  It has nothing to do with whether the technology is
browser-based or not.  OpenVPN is a _very_ good SSL VPN implementation
that requires no GUI components whatsoever, even though there are good
GUI clients written for it.

Furthermore, the "clientless" VPN solutions reduce the operator's
control over the endpoints, degrading the overall security of the
system.  Some solutions attempt mitigating controls, but you can't
change the fact that you're allowing rather arbitrarily secured
machines to utilize your resources.  Of course, if you don't plan to
vet the systems clients will be using (when issuing certificates or
the like), that doesn't matter much.
</rant>

That said, pfSense does not offer what you are looking for.  Your best
bet to implement precisely that would probably be to purchase a
solution like SSL Explorer (still cheaper than a Juniper) and run it
on a dedicated machine in a DMZ off of pfSense with limited access in
& out.


RB

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


