SSL VPNs from AEP Networks are ICSA Labs-approved appliances
that provide secure remote access to a wide range of enterprise
applications, using a Web browser as a ready-made access client.
As a dedicated network appliance, our platforms typically reside
between a company's firewall and application servers,
integrating seamlessly into existing network and security
designs. With AEP SSL VPNs, remote users need only a computer
and a Web browser to access virtually any business application
on the corporate network, including Windows, UNIX/Linux, and
mainframes.
With a proprietary, closed-system architecture, our NSP and
SGA platforms function as a secure, web-based application access
portal to a variety of centralized resources, ranging from
traditional client/server applications to web and intranet
applications. All transmissions between the SSL VPN appliance
and the local machine are encrypted using SSL (Secure Sockets
Layer) technology, while site authenticity is assured through
built-in digital certificate support.
Further distinguishing the AEP approach from other SSL VPN
solutions, our platforms offer the choice of three
application-access technologies:
Thin/Application Gateway Access to Server-based Applications
(Layer 7)
AEP’s family of SSL VPNs offers remote access to remote
applications by incorporating Web-enabling technology directly
within the platform. This integrated approach, unique to AEP
among SSL VPN vendors, eliminates the need for enterprises to
deploy and maintain server-based “middleware” — such as Citrix
Secure Gateway — or remote-access clients, such as those
required by IPSec approaches.
For example, in the NSP’s thin access model, the
NSP initiates a session to the application server on behalf of
the user, and presents a rendering of the session to the user’s
web browser. This allows the user to interact with the
application as if it were installed locally.

In this way, the NSP “intermediates” the connection between
remote-client requests and the network server, terminating
incoming connections at the application layer. Once the incoming
request is terminated, the NSP processes and translates the data
to the appropriate backend application protocol – in this case,
RDP for the terminal server, which presents the Outlook
application to the user. The NSP then resends the application
data back to the user’s browser, in the form of HTTPS traffic
via “screen scraping” technology. At no time is the end-user
directly connected to a “private side” network resource.
Netilla’s thin access mode supports applications residing on
Windows, UNIX, Linux, mainframe and AS/400 servers. By
incorporating remote printing, client drive mapping, and file
access, this approach effectively recreates the main office
environment from any authorized computer.
Secure Access to Web-based Applications and Portals
The Netilla family of SSL VPNs from AEP enables secure access
to internal Web-based applications, intranet sites and portals
with a proprietary Web Reverse Proxy technology. Our built-in
HTML translation engine dynamically rewrites all user-requested
Web pages, obscuring the URL, network topology, and source code
of the originating Web application.
A proxy approach similar to the one used for Thin access is also well
suited for Web-based intranet applications and portals. In this
case, the NSP and SGA terminate, examine, and rewrite HTTP
requests. Remote users are then presented with Web-application
resources as allowed by corporate-defined security policy. For
more complex web applications, such as Citrix Web Interface, the
NSP employs a sophisticated Java applet re-write module,
allowing smooth presentation of these applications.
Authorized remote users thus gain instant, clientless access
to a wide range of internal Web applications from any location,
allowing internal DNS addresses that do not resolve publicly to
be accessed securely over the Internet. Company Web servers
remain safe behind the firewall, in a highly secure portion of
the private network, without the cost and maintenance of locking
each server down for public access, while administrators gain
granular access control to directories, servers, and paths on a
user or group basis. At no time is the end-user directly
connected to a “private side” network resource.
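The rewriting and per-group path control described above can be sketched as follows. This is an added illustration, not AEP's implementation: the portal URL, key, host names and policy table are constructed for the example.

```python
import hashlib, hmac, posixpath, re
from urllib.parse import urljoin, urlsplit

PORTAL = "https://portal.example.com/p/"   # assumed public portal URL
KEY = b"constructed-demo-key"              # per-deployment secret (constructed)
# Constructed policy: group -> allowed (internal host, path prefix) pairs.
POLICY = {
    "sales": [("crm.corp.internal", "/app/")],
    "it":    [("crm.corp.internal", "/"), ("wiki.corp.internal", "/")],
}
_tokens = {}  # opaque token -> internal URL; this map never leaves the proxy

def _token(url):
    # Keyed hash: stable per URL, and reveals no host or path to the client.
    t = hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()[:24]
    _tokens[t] = url
    return t

def allowed(group, url):
    """Default deny: the host must match and the path must sit under a prefix."""
    parts = urlsplit(url)
    # Collapse dot-segments first so "/app/../admin" cannot pass as "/app/".
    path = posixpath.normpath(parts.path or "/") + "/"
    return any(parts.hostname == host and path.startswith(prefix)
               for host, prefix in POLICY.get(group, []))

_ATTR = re.compile(r'(\b(?:href|src|action)=")([^"]*)(")', re.I)

def rewrite_html(html, base_url):
    """Replace every link in a backend page with an opaque portal URL."""
    def sub(m):
        absolute = urljoin(base_url, m.group(2))  # resolve relative links
        return m.group(1) + PORTAL + _token(absolute) + m.group(3)
    return _ATTR.sub(sub, html)

def resolve(group, portal_url):
    """Map a portal URL back to its backend URL, or None if unknown or denied."""
    if not portal_url.startswith(PORTAL):
        return None
    url = _tokens.get(portal_url[len(PORTAL):])
    if url is None or not allowed(group, url):
        return None
    return url
```

The policy check runs when a request is resolved, not when the page is rewritten, so a link copied from one user's page gives no access to a user in a group without that rule.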
Network Layer Access to Client/Server Applications (Layer 3)
The third access mode option supported by the Netilla family
of SSL VPNs allows access to client-server applications that
require synchronization directly with the corporate server. We
provide this data transfer over a Layer 3 SSL tunnel, which is
accomplished by using the browser as a conduit to install a
virtual adapter. The virtual adapter negotiates the secure SSL
tunnel via the user’s Web browser to the NSP or SGA, where each
of these SSL tunnels is terminated as a PPP interface. Policy
may be applied to these interfaces using the NSP’s integrated
stateful packet inspection (SPI) firewall, facilitating a policy
enforcement point similar to the NSP’s other access modes.
The NSP and SGA also allow for applying dynamic policy over
the Layer 3 SSL tunnel. In this mode, our dynamic firewall is
used to open and close specific ports, such as for Microsoft
Exchange. For the duration of each session, the administrator is
able to grant access only to the Exchange server – or to limit
access to that server for groups of users - as needed.
The Most Versatile SSL VPN on the Market
By merging three access technologies into a single appliance,
the NSP provides a full-spectrum remote-access solution that
meets EVERY application access type. The result is a powerful
tool - one that delivers a high level of flexibility for network
administrators, who can arm their remote users with a wide range
of applications based on changing conditions and needs, while
protecting the company’s critical business assets.