790 Views | 15 Helpful | 3 Replies

webvpn vs client vpn

suthomas1
Level 6

I was told that clients accessing the VPN over a browser page (WebVPN, i.e. going to https://vpnaddress) is not advised for security reasons.

Instead a client is always preferred.

 

I am curious to know more about this from this forum on which method is more preferred & if there are any good reasons to go one way.

 

Appreciate all inputs. Thanks in advance.

1 Accepted Solution

Accepted Solutions

Rahul Govindan
VIP Alumni

I think it is more on an interoperability issue than a security one. When you use clientless webvpn, the ASA has to re-write the content it receives from the backend web pages to present it to the end user. This may not work all the time as there are restrictions to what content the ASA can re-write. Think of this almost as a proxy.

 

AnyConnect (or client VPN) avoids this by creating a tunnel so that the end user traffic is just routed to the internal network by the ASA. There is no re-write by the ASA, so you access the content as is.

 

If you ask me, security-wise, clientless can be thought of as more secure than client because it restricts what type of content you can receive while remote to the network. The content received is only web-based and it can be restricted to what networks/resources the administrator publishes on the portal. With client based vpn, you are not restricting what applications the end client can use over the tunnels - only network and ports.

 

Hope this helps. 
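To make the distinction in the reply above concrete, here is an added configuration sketch that is not part of this thread: a clientless group policy that exposes only the bookmarks the administrator publishes, beside a client (AnyConnect) group policy whose only restriction is a network/port ACL. The ASA CLI syntax is assumed from the classic `group-policy`/`webvpn` command set and may differ between releases; every name, address and file path below is a placeholder.

```text
! --- Clientless WebVPN: the user only sees what the portal publishes ---
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Bookmark list: the only resource the clientless user is offered (placeholder URL)
url-list CLIENTLESS_APPS "Intranet portal" https://intranet.example.internal 1
!
group-policy GP_CLIENTLESS internal
group-policy GP_CLIENTLESS attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value CLIENTLESS_APPS
  ! Disable the free-form address bar so users cannot type arbitrary internal URLs
  url-entry disable
!
! --- Client VPN (AnyConnect): full IP tunnel, restricted only by network and port ---
ip local pool ANYCONNECT_POOL 10.10.20.10-10.10.20.250 mask 255.255.255.0
!
! vpn-filter ACL: source = remote client pool, destination = internal server range.
! Any application that speaks TCP/443 to 10.10.10.0/24 is allowed; the ASA cannot
! tell a browser from any other program inside the tunnel.
access-list VPN_FILTER extended permit tcp 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
access-list VPN_FILTER extended deny ip any any
!
group-policy GP_CLIENT internal
group-policy GP_CLIENT attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT_POOL
 vpn-filter value VPN_FILTER
```

The contrast is the point: in `GP_CLIENTLESS` the ASA sits between the user and the web application as a rewriting proxy and shows only published bookmarks, whereas in `GP_CLIENT` the user gets a routable address and `VPN_FILTER` is the only control, so it bounds reachable hosts and ports but not which client software uses the tunnel.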


3 Replies

balaji.bandi
Hall of Fame

From notes:

 

They both use different protocols, SSH and IPSEC, and they are both secure in terms of security.

 

Q1. What's the difference between SSL VPN Client & WEBVPN?

Ans. The difference between the WebVPN and SSL VPN Client is that the WebVPN uses SSL/TLS and port forwarding via a Java app for application support, it also only supports unicast TCP traffic, no IP address is assigned to the client, and all the web browsing down the tunnel is done with an SSL web-mangle that allows us to stuff things into the SSL session. The SSL VPN Client is a full tunneling client using SSL/TCP that installs an app on the machine and envelopes the VPN traffic into the SSL session; it also has an IP address assigned, so the tunnel is two-way, not uni-directional. It allows for application support over the tunnel without having to set up a port forward for each application.

 

Q2. Is it true that with SSL VPN Client we will have more features than WEBVPN?

Ans. It is a fact that the SSL VPN Client provides more support than the WebVPN does, but in regards to features WebVPN has more features because every little bit of it has to be configured. The SSL VPN Client provides wider support with less to configure and is much more functional.

 

Q3. Which solution would be right for us, WEBVPN or SSL VPN?

Ans. This last question I really cannot answer, as it's not TAC's position to tell you what you do and do not need. My opinion is that the SSL VPN is by far a better solution, as it runs over SSL over TCP, has a small impact on all traffic to determine whether traffic is destined for the STC client, and is faster than mangled WebVPN, but in the end it's really up to you to decide which features you do and do not need.

BB


Hi,
Using the VPN client allows users to access network resources natively without having to browse the web page, providing a user experience similar to being connected to the local LAN.

The VPN client also allows you to run posture checks to ensure the health of the computer, by determining whether applications such as Anti-Virus, Anti-Malware or a local firewall are running on the computer before permitting access to the network.

HTH

