<rant>
It is unfortunate that Juniper seems to have somewhat subverted the
meaning of the phrase "SSL VPN". IMO, the nomenclature indicates a
VPN that uses SSL for its authentication and encryption as opposed to,
say, IKE and ESP. It has nothing to do with whether the technology is
browser-based or not. OpenVPN is a _very_ good SSL VPN implementation
that requires no GUI components whatsoever, even though there are good
GUI clients written for it.

Furthermore, the "clientless" VPN solutions reduce the operator's
control over the endpoints, degrading the overall security of the
system. Some solutions attempt mitigating controls, but you can't
change the fact that you're allowing rather arbitrarily secured
machines to utilize your resources. Of course, if you don't plan to
vet the systems clients will be using (when issuing certificates or
the like), that doesn't matter much.
</rant>

That said, pfSense does not offer what you are looking for. Your best
bet to implement precisely that would probably be to purchase a
solution like SSL Explorer (still cheaper than a Juniper) and run it
on a dedicated machine in a DMZ off of pfSense with limited access in
& out.


RB

I've watched the stream all afternoon and just
wanted to offer my .02
worth on the matter as we have a rather large
multi-VPN deployment
with a mix of solutioning to fit the appropriate
needs.

Point I:
I agree whole-heartedly that if you are in control
of the
workstations/laptops "abroad" and the users have
NO administrative
rights to install augment its OS/apps then OpenVPN
is a great RWA
(road warrior access) method and works flawlessly
on pfSense.  We
have a couple of dedicated "VPN" servers (RWA and
S2S) sitting in a
DMZ off from another heavy edge pfSense box, that
way we have the
granularity of policy (rules) to pear down what is
accessed and what
is not when the RWA client is auth'd and has
connectivity.  We also
have it taylored to S2S (site to site) VPN
connectivity (both IPsec
and OVPN) so that all traffic and routing are
choked via policy rules
within the edge pfSense and a backend (behind the
edge pfSense) router
w/ simple ACLs.  All of this can be acomplished
quite easily w/
pfSense and some time spent on the mail lists to
see how to setup
multiple OVPN and IPsec connectivity.

Point II:
For the "untrusted" client or "the ones you don't
manage and admin"
you might consider a RDP solution ... i.e., have
the auth and
establish to a very restrictive pfSense OVPN
server {in a controlled
DMZ} and then ONLY allow RDP to a trusted and
hardened term-server
for the apps they need inside your network.

Point III:
Ah yes, the SSL-VPN mis-conception ... well
browser-based VPN is all
of the rage and is certainly making justification
of client based
IPsec VPN a toughER sell.  It has it's perts and
it is without
question a "easy-deploy" thus begging the question
(like has been
stated earlier in this stream) is the "end-point"
to be trusted (and
if not ... how do we mitigate)?  Another
deployment we have here for
those VERY few I couldn't sell on either of the
two previous
solutions was to grab a "fairly" cheap Netgear
SSL312 off the net and
put it in yet another dedicated
VLAN/DMZ/security-zone and allow those
few that "had to have it" connect and then pare
the access down with
tried and true pfSense.  You can also very easily
with some older
hardware ramp up a SSL-Explorer "community
edition" (again ... as has
been stated)  and it should provide relatively the
same "feel" for the
end-user experience.

Conclusion:
I would vest in a decent and fairly robust "edge
pfSense" (hardware)
and then make that your point of CONTROL (not
termination) for VPN
access.  IMHO, it is a safe bet that if you loose
a VPN "server"
someday (and you probably will) due to hack,
mis-config, client
compromise, etc.) then you'll still have your
"main" firewall intact
and helping in control and mitigation.

Follow-on:
All of the above is assuming you are "doing this
VPN design" for a
business.  If we are talking SOHO then you can
(and I have several
such clients "outside" that are perfectly
comfortable running the
whole RWA and "edge" firewall on one box) ...
pfSense is without
question capable and ready for this task as well. 
As is the mantra
out of the devs at pfSense ... home, SOHO, ROBO or
enterprise ...
pfSense can fit in all of these spaces very well
and is rivited with
features and accessories to meet just about any
"ACCESS" task ..
head-on!

Again ... just my .02 worth.

Regards,
--
David L. Strout
Engineering Systems Plus, LLC
----- Original Message -----
SUBJECT: Re: [pfSense Support] SSL VPN
FROM: bill.marquette-***@public.gmane.org
TO: support-***@public.gmane.org
DATE: 07-08-2008 8:34 pm
On Tue, Jul 8, 2008 at 6:06 PM, Chris Buechler
client at time of
install.
F5, et al, they
usually
environment they're
up to date
patches,
access based on that
are good, you get in.
I
or whether you
should
wanted to point out
some
currently offer any client
Whether or not that's a
almost all the VPN
do not use it for
It usually becomes a support nightmare when you
allow personal
workstations on your network. But it can easily
be argued (to RB's
points) that you shouldn't allow that in the first
place. These
solutions have a place, but it's usually
mis-deployed to pretend to
mitigate a security issue that is better solved
with policy,
education, and dollars spent giving your employees
the tools they
need
to do their jobs instead of forcing them to use
their own money to
perform your work.

--Bill

---------------------------------------------------------------------
To unsubscribe, e-mail:
support-unsubscribe-***@public.gmane.org
For additional commands, e-mail:
support-help-***@public.gmane.org