May 12

Authorization and Authentication in StoneGate SSL VPN


The goal of this short post is to shed light on the StoneGate SSL VPN login logic, to allow a better understanding of the technology itself.

Specifically, this document describes what happens inside the SSL VPN when a user is authenticated and authorized:

  1. To access the SSL VPN the user first types the URL of the SSL VPN (e.g. https://ssl.mydomain.com).
    Once the SSL/TLS tunnel has been negotiated, the Access Point service presents the enabled authentication methods.
  2. Next, the user chooses the authentication method he/she wants to use and enters his/her credentials.
  3. After the user submits the credentials, the Access Point contacts the Policy Service, which verifies that the user matches an access rule.
  4. If the authentication method used is allowed, the Policy Service contacts the Authentication Service and asks it to authenticate the user.
  5. The Authentication Service checks the user's credentials against the LDAP/RADIUS server. If they are valid (authentication successful), the Authentication Service returns OK to the Policy Service.
    Note: Depending on the authentication method, the credentials may be checked over a secured RADIUS or LDAPS connection, or over an unencrypted LDAP connection; in the latter case the password crosses the network between the SSL VPN and the directory in clear text.
  6. Once authentication has succeeded, the Policy Service evaluates the access rules for each resource and determines which resources the user is allowed to access.
  7. Based on this evaluation, the Policy Service tells the Access Point which resources to place on the Application Portal for this authenticated user.
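The seven steps above, played through as a small simulation. This is an added example and not code from the original post or from the StoneGate product; the class names, the rule layout, the in-memory stand-ins for the LDAP and RADIUS servers and the optional refusal of plaintext LDAP binds are all assumptions made for illustration.

```python
"""Simulation of the SSL VPN login flow: Access Point -> Policy Service ->
Authentication Service -> LDAP/RADIUS, then per-resource authorization.
Constructed example; names and rule semantics are assumptions, not the product's API."""
from dataclasses import dataclass
import hmac

# Constructed stand-ins for the LDAP and RADIUS servers behind the Authentication Service.
LDAP_DIRECTORY = {               # username -> (password, set of directory groups)
    "alice": ("alice-pw", {"staff", "finance"}),
    "bob":   ("bob-pw",   {"staff"}),
}
RADIUS_OTP = {"alice": "123456"}  # username -> currently valid one-time code


@dataclass(frozen=True)
class AuthMethod:
    name: str        # label shown on the login page (step 1)
    backend: str     # "ldap" or "radius"
    transport: str   # "ldaps", "radius" or "ldap" (plaintext; see the note in step 5)

    @property
    def secure(self) -> bool:
        return self.transport in ("ldaps", "radius")


@dataclass(frozen=True)
class AccessRule:
    resource: str        # application placed on the portal when the rule matches
    groups: frozenset    # directory groups allowed to reach it
    methods: frozenset   # authentication method names that satisfy the rule


@dataclass
class LoginResult:
    ok: bool
    reason: str
    portal: tuple = ()   # resources shown on the Application Portal (step 7)


class AuthenticationService:
    """Step 5: verify credentials against LDAP or RADIUS and answer OK / not OK."""

    def authenticate(self, method: AuthMethod, username: str, credential: str) -> bool:
        if method.backend == "ldap":
            entry = LDAP_DIRECTORY.get(username)
            expected = entry[0] if entry else ""
        elif method.backend == "radius":
            expected = RADIUS_OTP.get(username, "")
        else:
            return False
        # constant-time comparison; an unknown user compares against "" and fails
        return bool(expected) and hmac.compare_digest(expected, credential)

    def groups_of(self, username: str) -> set:
        entry = LDAP_DIRECTORY.get(username)
        return set(entry[1]) if entry else set()


class PolicyService:
    """Steps 3, 4, 6 and 7: gate the login on the access rules, then build the portal."""

    def __init__(self, methods, rules, auth_service, allow_plaintext_ldap=False):
        self.methods = {m.name: m for m in methods}
        self.rules = list(rules)
        self.auth = auth_service
        self.allow_plaintext_ldap = allow_plaintext_ldap   # assumed hardening knob

    def login(self, method_name: str, username: str, credential: str) -> LoginResult:
        method = self.methods.get(method_name)
        if method is None:
            return LoginResult(False, "unknown authentication method")
        # Step 3: the chosen method must be referenced by at least one access rule
        if not any(method.name in r.methods for r in self.rules):
            return LoginResult(False, "authentication method not permitted by access rules")
        # Caveat from step 5: do not send the password over an unencrypted LDAP bind
        if not method.secure and not self.allow_plaintext_ldap:
            return LoginResult(False, "refusing plaintext LDAP bind; use LDAPS or RADIUS")
        # Steps 4 and 5: delegate credential checking to the Authentication Service
        if not self.auth.authenticate(method, username, credential):
            return LoginResult(False, "authentication failed")
        # Step 6: evaluate every rule for the now-authenticated user
        groups = self.auth.groups_of(username)
        portal = tuple(sorted({r.resource for r in self.rules
                               if method.name in r.methods and groups & r.groups}))
        if not portal:
            return LoginResult(False, "authenticated but no resource is authorized")
        return LoginResult(True, "ok", portal)


class AccessPoint:
    """Steps 1, 2 and 7: terminate TLS, offer the methods, render the portal."""

    def __init__(self, policy: PolicyService):
        self.policy = policy

    def login_page(self):
        return sorted(self.policy.methods)   # offered once the TLS tunnel is up

    def submit(self, method_name, username, credential):
        return self.policy.login(method_name, username, credential)


def build_demo_gateway(allow_plaintext_ldap=False) -> AccessPoint:
    methods = [AuthMethod("Password (LDAPS)", "ldap", "ldaps"),
               AuthMethod("Password (LDAP)", "ldap", "ldap"),
               AuthMethod("OTP (RADIUS)", "radius", "radius")]
    rules = [AccessRule("Intranet", frozenset({"staff"}),
                        frozenset({"Password (LDAPS)", "Password (LDAP)", "OTP (RADIUS)"})),
             AccessRule("Payroll", frozenset({"finance"}), frozenset({"OTP (RADIUS)"}))]
    return AccessPoint(PolicyService(methods, rules, AuthenticationService(), allow_plaintext_ldap))


if __name__ == "__main__":
    ap = build_demo_gateway()
    print(ap.login_page())
    print(ap.submit("Password (LDAPS)", "alice", "alice-pw"))   # Intranet only
    print(ap.submit("OTP (RADIUS)", "alice", "123456"))         # Intranet and Payroll
    print(ap.submit("Password (LDAP)", "bob", "bob-pw"))        # refused: plaintext LDAP
```

The point the simulation makes is that authentication and authorization are two separate decisions: the same user lands on a different portal depending on which authentication method the access rules accept for each resource, and a user who authenticates successfully but matches no rule gets nothing. The plaintext-LDAP refusal is not described for the product; it is shown here because the note in step 5 is exactly where an operator would want to enforce LDAPS or RADIUS.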

This simple yet powerful logic allows the implementation of very flexible solutions in which application access over the web is granted per user and per resource.


written by RoarinPenguin
