As most developers realize, web applications commonly mean sacrificing functionality for easy, browser-based access for end users. While browser scripting and controls have come a long way, there are still advantages of a rich client that browsers cannot attain due primarily to interactive and stateful functionality.



The problem plaguing developers for some time is how to enable rich client users to access servers remotely while contending with the myriad of proxy servers, firewalls, and other software installed at the edge of the network. VPN solutions utilizing IPSec, while interesting, have continued to have their fair share of limitations from a functional and configuration standpoint. It is common to hear complaints about remote users failing to access client server apps from hotel rooms (or even home offices) while IT support costs (and frustration levels) escalate.

SSL VPNs, like F5 Firepass Controller, are a fantastic solution. By providing a clientless, secure network tunnel using proven SSL encryption to protect data, users can simply login to the VPN portal and access the network with their established credentials. It works with virtually any application traffic – not just HTTP – and enables seamless access despite firewalls and other software that creates so many problems for outdated IPSec solutions. With the announcement of Firepass 5.0 from F5, SSL VPN technology is now something developers can use to address rich client challenges once and for all.

So Why Should a Developer Care?
So, why should a developer care? Well – with this release of Firepass 5.0, developers now have access to the first SSL VPN client API for streamlining how rich client applications access backend servers – smoothly and securely. The API, as part of F5’s iControl initiative to provide rich APIs that integrate application and network communications, enables developers to integrate secure remote access to their client application to simplify installation, user access, and reduce support hassles along the way.

The benefits can be significant. By integrating the SSL connection process, it helps end users reduce the number of steps necessary to access the network and the application. This means more people actually use the application (and isn’t that the goal in the end?). Plus, using an SSL VPN keeps IT happy since they’ll be spending less time answering support calls from frustrated road warriors trying to use the application from a hotel room somewhere in Kansas (or Tokyo or London... or... you get the picture).

A Real World Situation
But, how real is this scenario, you ask? Well – here is a real world example of a company using this API to streamline access for hundreds (and realistically thousands in the next two years) of financial professionals. Currently, these users must install a desktop client and configure it to work with the existing IPSec VPN solution. This is required so that the app can setup a secure connection with the corporate data center. The installation and configuration process is a whopping 50 steps. Further, the process requires some level of technical assistance on every installation. For some remote locations, technical staff are not available to help and users either go without access or have access that is entirely unpredictable.

By using the Firepass SSL VPN Client API and embedding access with the application package, I estimate they will remove at least 80% of the install and config steps required today. Further, users will have more reliable access. And, since the configuration is part of client install script, IT will not run up costs to babysit the configuration process.

So, the benefits become quite clear. Developers, users, and IT all benefit along with the company bottom line. Everyone smiles. What makes this incredibly compelling is that developers can use existing toolsets and development languages to realize these benefits.

How the SSL VPN Client Works
Here’s how it works. Application developers build a rich client application (or enhance an existing one) for the Windows desktop using a development tool such as Visual Studio.NET or Delphi. Language choices include Visual C++/C#, Visual Basic, or if this is a running as a component in a browser, the application could also use VBScript or Jscript.

The client application calls an SSL VPN object API (provided from F5 as an ActiveX component) that effectively dials up the network using the specified host name and port, passes user credentials to the Firepass Controller for authentication and access, and establishes an encrypted SSL tunnel. From here, the client application can begin communicating with the server.

When integrating with the API, the developer can build their application to require user credentials to be provided at the time of installation. Or, a user can be prompted to provide the login details when they double-click the desktop icon to launch the client application to ensure user authentication each time they launch the app.

To deploy the application, all the developer needs to do is include the Firepass ActiveX object (which is free) as part of their installation package and provide the proper installation configuration scripts as with any client distribution. Further, the API supports Microsoft’s MSI distribution technology if a developer chooses to utilize it.

One added benefit of the Firepass SSL VPN is that it is priced and licensed based on concurrent user connections. So, developers can cost effectively integrate this component with client applications and distribute it freely without fear of exorbitant client code license costs. The licensing only comes into play when counting how many users are accessing the SSL VPN server simultaneously.

The Bottom Line: Use the API to Your Benefit
The Firepass SSL VPN Client API is a significant step forward for enabling developers to provide the best of rich client access from any location for end users without the challenges historically associated with dated VPN approaches. It offers a great opportunity for developers to become heroes within their companies by using their existing skills to streamline end user productivity (and enhance happiness!) while reducing IT support costs and frustrations.

Look forward to more tips and resources about using the Firepass SSL VPN client API and if you have thoughts or questions, share them in the new VPN Client API forum area. (If you’re not a DevCentral member, subscribe today – it’s free – and get regular updates about this new capability and other iControl development options with the DevCentral News email newsletter).


Questions about this? Do you have an opinion?

Post your thoughts in the new Firepass SSL VPN Client forum.