F5 Networks' FirePass Controller: Clientless SSL for Remote Access

F5 appliance gives users a secure tunnel for IP traffic.

December 5, 2003


Unlike an IPsec (IP security) VPN, the FirePass does not require client software to be pre-installed and configured on the remote PC. Instead, it works directly through a Web browser using a virtual desktop Web page or by dynamically installing client software that establishes an SSL tunnel via a virtual network adapter.

Back to School

We took the FirePass 1000 for a test run in the California Polytechnic Network Performance Research Lab (NetPRL). To get to the virtual desktop interface, we pointed our browser at the external FirePass URL. We established an SSL connection that would work well from a public terminal or any Web kiosk where the user cannot install software and has only Web browser access.

The FirePass virtual desktop interface provides access to a number of services, including an e-mail client to access the corporate e-mail server; secure host connections--including telnet and SSH (Secure Shell)--using Java terminal emulators; and shared directories using file-system access, such as NFS and Windows Workgroups.

[Figure: Basic FirePass Configuration]
We also used the FirePass by means of a virtual network adapter. This method lets you set up an SSL tunnel between the workstation and the FirePass. To go this route, you must download client software (ActiveX for Internet Explorer or a Java plug-in for Netscape/Mozilla) directly from the FirePass device into your browser. The client software creates a new virtual network adapter and modifies your routing table, in either split-tunnel mode (only corporate destinations are routed through the tunnel) or all-traffic mode (the default route is moved onto the tunnel), so that your network traffic is sent through the SSL tunnel to the FirePass. After this tunnel is established, all IP applications can use this tunnel to provide secure access to the corporate intranet. This method requires users to have Windows administrative privileges on their PCs to create the virtual network adapter. However, because the client software is installed and configured automatically with the click of a mouse, your IT department needn't preconfigure every mobile device with VPN client software.
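As an added illustration (not code from the review or from F5's client), the following Python check classifies a captured routing table as split-tunnel or all-traffic and resolves which interface would carry a given destination, which is what an administrator verifying the pushed tunnel policy wants to know. The interface names, gateways and addresses are constructed sample data.

```python
import ipaddress

# Constructed sample routing tables after the tunnel client has added its
# virtual adapter. Tuples are (destination, netmask, gateway, interface);
# interface names and addresses are assumptions, not real FirePass output.
TUNNEL_IFACE = "FirePass vNIC"

FULL_TUNNEL_ROUTES = [
    ("0.0.0.0",      "0.0.0.0",         "10.8.0.1",    TUNNEL_IFACE),  # default -> tunnel
    ("10.0.0.0",     "255.0.0.0",       "10.8.0.1",    TUNNEL_IFACE),  # corporate intranet
    ("192.168.1.0",  "255.255.255.0",   "192.168.1.1", "Local LAN"),
    ("203.0.113.10", "255.255.255.255", "192.168.1.1", "Local LAN"),   # host route to the appliance
]

SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0",      "0.0.0.0",         "192.168.1.1", "Local LAN"),   # default stays local
    ("10.0.0.0",     "255.0.0.0",       "10.8.0.1",    TUNNEL_IFACE),  # only intranet tunneled
    ("192.168.1.0",  "255.255.255.0",   "192.168.1.1", "Local LAN"),
]


def tunneled_networks(routes, tunnel_iface=TUNNEL_IFACE):
    """Return the destination networks whose route uses the tunnel adapter."""
    return [ipaddress.ip_network(f"{dst}/{mask}")
            for dst, mask, _gw, iface in routes if iface == tunnel_iface]


def tunnel_mode(routes, tunnel_iface=TUNNEL_IFACE):
    """Classify the table: 'all traffic' if the default route (prefix length 0)
    points at the tunnel, 'split' if only specific prefixes do, else 'none'."""
    nets = tunneled_networks(routes, tunnel_iface)
    if not nets:
        return "none"
    if any(net.prefixlen == 0 for net in nets):
        return "all traffic"
    return "split"


def route_for(routes, dest):
    """Longest-prefix match: the interface that would carry traffic to dest."""
    ip = ipaddress.ip_address(dest)
    best = None
    for dst, mask, _gw, iface in routes:
        net = ipaddress.ip_network(f"{dst}/{mask}")
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None
```

In the all-traffic table the /32 host route to the appliance still wins over the default route, which is what keeps the encrypted tunnel packets themselves off the tunnel.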

Hardware Installation

The FirePass hardware may be installed in a number of configurations, but all suggested implementations include putting the appliance behind the corporate firewall and providing the FirePass with an externally accessible IP address. Because the FirePass device operates only as a Web server and an SSL endpoint, we only needed to make pinholes through the firewall to the FirePass IP address for the HTTP and HTTPS ports (see "Basic Firepass Configuration," page 34). For additional security, F5 suggests that the box be placed in the corporate DMZ.

We configured the FirePass from our Web browser using the device's management login. From here, we set up the normal networking parameters (IP address, gateway, mask) on the device, installing the SSL certificate and configuring the box for user authentication. We found that the simplest solution for user authentication is to enter the user names and passwords manually into the device's internal user database from the Web interface. The FirePass does support more scalable solutions, though. It can access your corporate-user database by means of the FirePass's RADIUS or LDAP authentication options. And you can create groups of users in order to restrict access based on user login.

Unfortunately, we found the configuration to be confusing. The administrative interface could be more user-friendly and the comments could be more informative. Despite this, a professional IT staff should be able to have a basic-configuration device up and running within a day.

Good

• Secure interface from Web kiosk
• Secure tunnel for normal IP applications
• Easy to use, low user overhead

Bad

• User and management interfaces could be more informative and user-friendly
• Windows admin privileges required to install virtual network adapter

FirePass Controller, $10,000. F5 Networks, (206) 272-5555. www.f5.com


We set up the device with a number of users, using the device's internal user database for authentication. This part of the configuration was easy and worked immediately. From the client side, connecting to the FirePass was a breeze, and using the browser-only interface doesn't require user configuration. Simply enter the URL for the device, then type in your user name and password.

Just Browsing

We tested the box using Internet Explorer, Netscape and Mozilla. All three browsers successfully established the SSL connection to the FirePass and brought up the virtual desktop interface. The user interface could use tweaking--it's not always clear what to do or enter next. From the browser-based virtual desktop, we connected to a local Sun box using both SSH and telnet. The terminal emulators are written in Java and seemed a little slow, but considering the advantage of having a secure terminal connection via a Web browser, the speed was acceptable.

We had a little trouble connecting via SSH, and sometimes had to try multiple times. F5 reps promised this problem has been fixed for the next release.

In terms of performance, we couldn't tell the difference when doing normal Web browsing over the secure link--there were no noticeable delays.

We were mostly successful in using the client software to establish a secure tunnel. The client software worked fine with both Internet Explorer and Netscape. Although there seemed to be some problems with Mozilla with the first install of the plug-in, we eventually got it to work as well.

Once the client software has created the virtual network adapter, it's networking as usual. We were able to use our normal IP applications--e-mail and SSH--immediately over the secure tunnel. So is FirePass for you? If you're looking to give mobile users secure access without the overhead of setting up an IPsec VPN, FirePass can do the job. It's easy on the end user and well worth the investment when you consider the potential cost of sending unencrypted data across the Internet.

Hugh Smith is an assistant professor at the California Polytechnic State University in San Luis Obispo and a member of the Cal Poly Network Performance Research Lab. Students Scott Thomas and Newman Chan are members of the Cal Poly NetPRL. Write to them at [email protected].


FirePass was acquired by F5 Networks when F5 purchased uRoam in July. F5 has added a number of features for this release, including support for LDAP 3 (version 2 is already supported), automatic cleanup of kiosk users' cache and tempfiles, and accessibility to X Window applications through a Web browser without having to preinstall client software.
