Share this
Remote Access Clientless VPN: What You Need To Know
by PivIT Global on Nov 29, 2022 4:12:00 AM
It’s a striking prediction: Kate Lister, president of Global Workplace Analytics, estimates that by 2025, around 70 percent of the workforce will work remotely at least five days per month.
Such a figure would have huge implications for how the workplace functions. And though that date is still years away, it’s not uncommon for employees and clients to require access to your resources, no matter where they are or what they’re working on.
Despite that, the security of your resources remains paramount. So, how can you empower secure remote access, using only a browser, while still retaining a focus on security?
A clientless VPN solution could be the answer. Such an option provides browser-based access to resources located behind the VPN gateway on the other side of the protected tunnel.
Instead of using a pre-installed VPN client such as Cisco AnyConnect on the host device, this solution empowers users to access web-based applications, FTP servers, and CIFS file shares simply by using a Transport Layer Security (TLS)-enabled browser.
On top of that, by using application plug-ins, smart tunnels, and port forwarding, users can access almost any application and service that uses static TCP ports.
In this article, we will:
- Provide an overview of clientless remote access VPN technology.
- Discuss its benefits and limitations.
- Learn the basics and familiarize you with TLS protocol.
- Take a look at the clientless web portal.
- Find out more about recommended implementation steps for a clientless VPN implementation on a Cisco ASA firewall by using the ASDM management tool.
Looking for more ways to optimize security in your organization? Try these articles:
- Must-Have Port Security: Simple but Effective Layer 2 Protection
- Your Best Security System: Cisco ASA vs. Fortinet FortiGate
- A Must-Have Guide - Risk-Free: Protect Against VLAN and STP Attacks
An Overview of Clientless VPN
Cisco clientless TLS VPNs allow organizations to provide secure remote access to protected network resources in the headquarters, even when the remote user device is not managed or has no VPN client installed. In other words, it provides the simplest way for users to access mainly web-based (and some non-web-based) applications over a web browser.
The way it works is quite simple. Remote users use only a web browser to establish a TLS VPN connection (tunnel) with the VPN gateway — which usually is a Cisco ASA firewall, but can also be a Cisco router. The VPN gateway that acts as a proxy between the remote user and protected resources is responsible for the overall VPN permissions, such as services allowed, bookmarks available, et cetera.
Keep in mind that the Cisco Firepower NGFW firewall doesn’t support clientless VPN deployment at the time of writing. After successful bidirectional authentication, the VPN gateway presents the user with a web portal through which they can access only those services for which permissions are provided.
Even though the clientless VPN solution is easier to deploy, it provides only limited access, which is the opposite of the full access supported by the Cisco AnyConnect VPN solution. Therefore, whether to use a clientless VPN primarily depends on the type of users that need to access the protected resources behind the VPN gateway.
Typical use cases include internet kiosks and business partners that require access only to a specific set of services and resources in general, which works perfectly with the clientless VPN limitation. This also protects against unwanted access being provided to the wrong users.
Accessing Resources Remotely
Because clientless TLS VPNs do not provide full access like Cisco AnyConnect VPNs do, the VPN gateway that acts as a proxy must be appropriately configured to allow the set of applications required by remote users to be operational. There are several different methods to accomplish that:
- URL and CIFS: With a minimal configuration on the VPN getaway, users can access resources using pre-configured bookmarks. These bookmarks allow users to access pre-configured web pages or file shares. In addition, users can also use manual URL entries.
- Application plug-ins: Application plug-ins, also referred to as thin-client connections, support well-known applications such as SSH, Telnet, VNC, and RDP, among others. Though this is recommended, newer versions of Cisco firewalls lack support for most plug-ins.
- Smart tunnels: This option is recommended for all applications that lack a plug-in, providing users with native application client access to enterprise resources.
- Port forwarding: This option is an older technology that, similar to smart tunnels, provides users with native application client access to enterprise resources. It should be used only when using smart tunnels is impossible.
Clientless VPN Authentication
The basic clientless TLS VPN solution uses bidirectional authentication in which both the user and the VPN gateway authenticate with each other.
The VPN gateway (usually a firewall) identifies itself to the remote user by providing an identity certificate, usually signed by a third-party CA such as GoDaddy. It can also be signed by a local enterprise CA.
On the other side, the remote user provides a username and password combination, which can be compared against the stored credentials in the local database or against an external server, such as Cisco ISE. The first option is preferred for small deployments, while the second is recommended for large enterprise networks.
Web Portals
After successful authentication, the remote users are presented with a web portal through which they can navigate the protected resources behind the VPN gateway. This way, they can easily access various web resources, such as HTTP and HTTPS pages, FTP and CIFS file shares, and many other supported applications.
As you can see from the figure above, the web portal is a very user-friendly and straightforward web page.
Based on the remote user's permissions after authentication, certain bookmarks and applications are available on the portal to access the corresponding protected resources. On top of that, you can also edit (redesign) the web portal, so that the overall outlook better fits your organization’s style.
Keep in mind that when implementing clientless VPN on Cisco ASA, by default the firewall permits all portal traffic to all resources. However, you can use a web ACL to permit or deny access to certain resources on the other side of the tunnel when requirements demand that.
Pros and Cons of Clientless VPN
Like all VPN technology today, the clientless VPN solution brings various benefits but also has some limitations.
The clientless TLS VPN solution is very simple and doesn’t require any rights on the user’s side to use it. It relies on the native TLS protocol to protect the data exchanged between the web browser and the VPN gateway when navigating resources through the web portal. Because of that, there is no need for a pre-installed VPN client on the host.
The clientless VPN solution easily traverses most firewalls and NAT-enabled devices in the routing path toward the protected resources in the enterprise network.
However, the clientless TLS VPN solution has some limitations. Because everything is done through the web portal, it may require user training so that users can learn how to use the navigation portal before they begin using it.
Furthermore, due to its proxying nature, real-time applications often experience latency and delay, which makes them unusable at times.
Finally, since this VPN solution doesn’t support all IP applications, sometimes you have to choose a different option.
________________
Hardware Options For You
Here at PivIT, we know the importance doesn't stop with the device itself. It stretches to what is available today, financing options, and more. We make it easy for you to find the hardware to build your network on your terms.
________________
5 Steps to Configure Clientless TLS VPN on a Cisco ASA
The deployment of a basic clientless TLS VPN on a Cisco ASA consists of several steps that must be correctly approached so that the remote VPN users can successfully establish VPN sessions to the VPN gateway and access the protected resources of the organization:
- Enable clientless TLS VPN traffic termination on Cisco ASA’s interface where the remote sessions will arrive.
- Install an identity certificate to identify remote users.
- Configure user authentication by defining the necessary settings in the connection profiles and group policies.
- Optionally, configure basic portal features and access control by creating bookmarks, defining a web ACL for special access permissions, and disabling URL entries or file-share access.
- Optionally, enable split-tunneling.
Clientless VPN That Is Easy To Use
Based on everything we discussed in this article, it’s clear that the clientless VPN solution is a perfect choice for remote users who need on-demand, on-the-fly, secure access to corporate resources.
While there are various limitations to keep in mind, there are also clear benefits that could solve several pain points for your organization as the world of work continues to evolve.
After all, it is easy to implement and even easier to use from the client’s point of view while at the same time providing great flexibility. Keep it in mind the next time you require an added remote access tool to suit your users’ needs.
Share this
- Configuration Guides (47)
- Cisco Routers (29)
- Switches (27)
- Network Security (23)
- Cisco Switches (21)
- Routing Protocols (21)
- Routers (20)
- Cisco (19)
- Product Comparisons (19)
- Firewall (18)
- Cisco Security (17)
- Cisco Technical Information (17)
- IT Hardware Solutions (17)
- Network Protocols (17)
- Wireless (17)
- Security (15)
- OneCall (13)
- Servers (12)
- cisco asa (12)
- Cisco Wireless (11)
- Router Protocols (11)
- Cisco Catalyst (9)
- Cisco UCS (9)
- Upgrading Network (9)
- Cisco Servers (8)
- Product Highlight (8)
- Access Control Lists (7)
- Fortinet (7)
- Server Comparisons (7)
- Access Points (6)
- Arista Networks (6)
- OSPF (6)
- Wireless APs (6)
- Cisco ASR (5)
- Cloud Solutions (5)
- HPE-Aruba Wireless (5)
- Juniper Mist (5)
- Network Management (5)
- SD-WAN (5)
- Storage (5)
- Switch Comparison (5)
- Back To Basics (4)
- Cybersecurity (4)
- EIGRP (4)
- Firewall Architecture (4)
- HSRP (4)
- Juniper Networks (4)
- Network Automation (4)
- Network Servers (4)
- OEM Comparison (4)
- Aruba Central (3)
- Cisco Telephony (3)
- DHCP (3)
- DHCP Snooping (3)
- Dell EMC PowerEdge (3)
- Internet (3)
- Maintenance (3)
- Maintenance Renewal (3)
- Network Accessories (3)
- TPM (3)
- Telephony (3)
- aruba (3)
- Cisco NX-OS (2)
- Cisco Nexus (2)
- Dell Servers (2)
- Fortinet NGFWs (2)
- IT Trends (2)
- LAN Networks (2)
- Network Time Protocol (2)
- Palo Alto NGFWs (2)
- Rapid PVST+ (2)
- Remote Configuration (2)
- Software Defined Networking (2)
- WLAN (2)
- Ways to Save (2)
- fortigate (2)
- Asset Management (1)
- CPU Usage (1)
- Cisco AIR-CT (1)
- Cisco Aironet (1)
- Cisco DNA (1)
- Cisco ISR (1)
- Cisco Supervisor Engines (1)
- Cisco UCS Manager (1)
- Cognitive Campus (1)
- Cost of Downtime (1)
- Dell EMC Data Domain (1)
- Edge Switches (1)
- Fabric Extenders (1)
- GRE Tunnel (1)
- HPE BL (1)
- Juniper SRX (1)
- Nexus Switches (1)
- Nutanix (1)
- Optics (1)
- PowerEdge R740xd (1)
- STP Extension (1)
- Sparing Integrity Program (1)
- Switched Virtual Interface (1)
- TCP (1)
- UCS Fabric Interconnects (1)
- hyperconverge (1)
- April 2024 (2)
- March 2024 (1)
- February 2024 (2)
- January 2024 (1)
- December 2023 (1)
- November 2023 (2)
- October 2023 (1)
- September 2023 (3)
- August 2023 (5)
- July 2023 (2)
- June 2023 (4)
- May 2023 (5)
- April 2023 (8)
- March 2023 (7)
- February 2023 (5)
- January 2023 (2)
- December 2022 (3)
- November 2022 (3)
- October 2022 (8)
- September 2022 (9)
- August 2022 (9)
- July 2022 (8)
- June 2022 (9)
- May 2022 (5)
- April 2022 (3)
- March 2022 (1)
- February 2022 (2)
- November 2021 (2)
- October 2021 (1)
- September 2021 (2)
- August 2021 (2)
- July 2021 (3)
- June 2021 (2)
- May 2021 (4)
- April 2021 (4)
- March 2021 (2)
- February 2021 (1)
- January 2021 (2)
- December 2020 (2)
- November 2020 (2)
- October 2020 (2)
- September 2020 (2)
- August 2020 (4)
- July 2020 (5)
- June 2020 (4)
- May 2020 (6)
- April 2020 (2)
- March 2020 (1)
- February 2020 (2)
- January 2020 (2)
- December 2019 (1)
- May 2019 (2)
- April 2019 (5)
- February 2019 (1)
- January 2019 (3)
- December 2018 (1)
No Comments Yet
Let us know what you think