SSL/TLS VPNs leverage the ubiquitous web browser to provide secure remote access. They eliminate the need for complex client software installations, making them ideal for contractors, partners, and temporary access.
Portal mode provides a web page with bookmarks to internal resources (e.g., RDP via HTML5, internal web apps). Full tunnel mode (like OpenVPN or AnyConnect) installs a virtual NIC, routing all endpoint traffic through the SSL tunnel.
💡 Pro-tip: Use SSL Portal mode for third-party vendors. It restricts them to specific applications via the browser, preventing them from mapping your internal network or pivoting laterally.
```html
<!-- Conceptual SSL VPN Portal Rewrite -->
<script>
// Portal bookmark: the browser only ever talks to the gateway, which proxies
// the RDP session to the internal host on the user's behalf.
function launchRDP(target) {
  window.open('https://vpn.corp.local/rdp?host=' + encodeURIComponent(target));
}
</script>
```

This conceptual code shows how an SSL VPN portal rewrites internal links, proxying the traffic through the gateway so the user never needs direct IP access to the internal server.
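The rewrite above, together with the pro-tip's "specific applications only" restriction, as an added example that is not part of the original page: a portal-side link rewriter plus the gateway-side allow-list check that makes an open `?host=` parameter safe. The portal URL, hostnames and application list are hypothetical.

```javascript
// Added example (not from the original page): portal-side link rewriting
// plus the gateway-side allow-list check that makes the rewrite safe.
// Hostnames, the portal URL and the application list are hypothetical.
const PORTAL = 'https://vpn.corp.local/proxy';

// Applications a portal user may reach, with the schemes permitted for each.
// Hosts absent from this map are refused, so the gateway cannot be used to
// browse arbitrary internal addresses.
const ALLOWED_APPS = new Map([
  ['intranet.corp.local', ['https:']],
  ['ticketing.corp.local', ['https:', 'http:']],
]);

// Turn an internal link into a portal URL; relative links resolve against
// the page they came from. Returns null when the target is not allow-listed.
function rewriteInternalLink(href, baseUrl) {
  let u;
  try { u = new URL(href, baseUrl); } catch { return null; }
  const host = u.hostname.toLowerCase();
  const schemes = ALLOWED_APPS.get(host);
  if (!schemes || !schemes.includes(u.protocol)) return null;
  const p = new URL(PORTAL);
  p.searchParams.set('host', host);
  p.searchParams.set('scheme', u.protocol.slice(0, -1));
  p.searchParams.set('path', u.pathname + u.search);
  return p.toString();
}

// Rewrite every href in a proxied page. Links that fail the allow-list are
// neutralised to '#' rather than passed through to the user's browser.
function rewriteHtml(html, baseUrl) {
  return html.replace(/href="([^"]*)"/g,
    (_, href) => `href="${rewriteInternalLink(href, baseUrl) ?? '#'}"`);
}

// Gateway handler check for /proxy?host=...&scheme=...&path=... . Re-validates
// against the allow-list (the client-side rewrite is not trusted) and rebuilds
// the upstream URL so a crafted path cannot redirect the fetch elsewhere.
function resolveProxyTarget(query) {
  const host = String(query.host ?? '').toLowerCase();
  const scheme = String(query.scheme ?? 'https') + ':';
  const schemes = ALLOWED_APPS.get(host);
  if (!schemes || !schemes.includes(scheme)) return null;
  let target;
  try { target = new URL(String(query.path ?? '/'), `${scheme}//${host}/`); }
  catch { return null; }
  if (target.hostname !== host || target.protocol !== scheme) return null;
  return target.toString();
}
```

The gateway check must run on every proxied request, not only when links are rewritten, because a user can type the `?host=` parameter by hand.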
While convenient, browser-based SSL portals are exposed to cross-site scripting (XSS) and session hijacking if the web portal itself is poorly coded. Full tunnel SSL clients require strict endpoint posture checking (typically enforced through NAC) before the tunnel is allowed to route traffic.
⚠️ Ensure your SSL VPN appliance is aggressively patched. SSL VPNs are internet-facing and are consistently targeted for zero-day exploits (e.g., Pulse Secure, Fortinet CVEs) to gain initial network access.
| Mode | Client Requirement | Access Scope |
|---|---|---|
| Portal | Browser only | Specific Apps / Rewrites |
| Full Tunnel | Installed Agent | Full Network Routing |
| Clientless | None | Web-based file shares |