Is SSL Network Extender the anwer?

[20100]

Hi,

Not sure if it is the right place within the forum to ask:

We have site to site VPN with partners, but only allow traffic from our office to theirs.

From time to time we have staff spending time within the partner offices, requiring access back to our office.

Access to our office is only provided (so far) using SecureClient.

However, in most of the cases, SecureClient does not work, as the Firewall is confused between the SecureCLient VPN and the site-to-site VPN link already established between the 2 firewalls (I gather that the remote Secureclient is hiding behind the IP of the partner's firewall).

Is there anyway to get this going?

The other idea, what perhaps to implement SSL Network Extender. At first I thought that it would work with a Web server (different IP from the firewall), but when reading more, it looks like we are talking about a web server installed on the firewall itself, which could cause the same issue
I am right or will it work?

The other idea, would be perhaps to install a Citrix Server for remote access via web access.

Are there any other (better) ways to achieve what we want to do?

Thanks for sharing your ideas

Vincent

[chillyjim]

If I read this correctly you have people at a partner site which you have a s2s VPN connection with. You want to provide client2site VPN for these folks and it will not work.

WOW, I'm suprised I haven't ran into this before...

SNX on the firewall gateway will not help, you will have the same problems.

SNX on a different gateway or Connectra (which includes SNX) would help if configured correctly.

Depending on what you need to do while remote, Citrix may be a better answer, but Connectra will give you full VPN functionality as well as HTTP portal for your users.

[lammbo]

I've run into this before. In some cases, Visitor mode worked. With the gateway listening on 443, it seems to traverse pretty well.

I have a safe@office at my house with a site to site at work. Same circumstances, pre-existing tunnel. I cannot use SecureClient from my house except in Visitor mode.

[20100]

Thanks guys. Looks like Connectra or Citrix are the answers. Not cheap solutions for both of them. I will have a closer look at both.

[mcnallym]

I though everyone knew that if you have a Site-2-Site VPN then you can't use a SecureClient VPN between the same two places.

[abusharif]

Quote:

Originally Posted by 20100

Thanks guys. Looks like Connectra or Citrix are the answers. Not cheap solutions for both of them. I will have a closer look at both.

If you will be looking at connectra i suggest that you take a look at Juniper SA ssl appliances, which are, according to me, much much (can i add another much?) better then connectra in any aspect.

Now i will go and hide ;)

[chillyjim]

Quote:

Originally Posted by abusharif

If you will be looking at connectra i suggest that you take a look at Juniper SA ssl appliances, which are, according to me, much much (can i add another much?) better then connectra in any aspect.

Now i will go and hide ;)

No need to hide, but please do start another thread on why you think this. I'm not disagreeing (or agreeing) at this point. I'm just always interested in why people like one product over another.

***Disclaimer -- I sell Check Point and not Juniper***