03-02-2009 06:48 AM
Trying to architect an SSL VPN solution using CSS 11503. Do I need a RADIUS server to authenticate the client connections? If I have a TACACS server already built into the network, can I use that?
03-02-2009 11:47 AM
Are you planning to use CSS as a VPN concentrator? If yes, then CSS is not an SSL VPN concentrator; it's only an SSL offloader/load balancer.
You should look at ASA firewalls to use them as IPsec/SSL VPN concentrators.
If your question is about load balancing other SSL VPN concentrators, then your best bet would be to pass SSL VPN traffic as Layer 4 traffic to the concentrators. Lots of SSL VPN options like port forwarding & embedded URL rewrites are not supported.
By the way, if you are using Cisco ASAs as VPN concentrators, then you should know that ASAs support integrated 'VPN clustering' (inbuilt load balancing).
HTH
Syed Iftekhar Ahmed
03-02-2009 11:55 AM
No, I'm not trying to use it as a VPN concentrator. I want to offload the client authentication to a RADIUS server. Basically the CA certificate will be housed on the RADIUS server and not the CSS.
03-03-2009 03:19 AM
If you want to do client authentication on the CSS for SSL traffic, you need to enable client cert authentication.
But that does not involve a RADIUS server or a login/pwd.
What the CSS will do is request the client to send its certificate; we will then check it for valid root, valid time, ... and CRL list if configured.
No RADIUS or TACACS involved here.
Gilles.