RSystems

SSL VPN

Remote network access over HTTPS using TLS. It works through most firewalls because it runs on port 443.

An SSL VPN provides remote access to a network over HTTPS, using TLS encryption. Unlike traditional IPsec VPNs, SSL VPNs work through standard web traffic ports and don't require special client-side network configuration.

The defining advantage of SSL VPN over IPsec for remote access is accessibility. IPsec requires UDP ports that are often blocked by corporate firewalls, hotels, and restrictive networks. SSL VPN runs over TCP port 443 — the same port as HTTPS — which is almost never blocked. A remote user connecting from a hotel or airport can reliably establish an SSL VPN connection even when IPsec would fail.

[Diagram: a remote user connects through an SSL VPN tunnel over the internet to an SSL VPN server, which provides access to internal web servers and mail servers.]

SSL VPN comes in two forms:

Clientless — the VPN is accessed through a web browser with no installed software. The browser authenticates the user and provides access to specific internal web applications. Useful for contractors or managed devices where you can't install software.

Full tunnel (client-based) — a lightweight client is installed on the device. Once connected, all network traffic routes through the encrypted tunnel. This is the typical mode for remote employees who need full network access. Most modern remote access VPN clients use SSL/TLS under the hood — Cisco AnyConnect, SonicWall NetExtender, and Palo Alto GlobalProtect all operate this way.

RADIUS is typically used for authentication, enabling MFA integration: the user authenticates with username, password, and a TOTP code, with RADIUS validating all three.
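The three-part check described above, sketched as the accept/reject decision an authentication back end behind RADIUS would make. This is an added example, not code from the original page or from any vendor; the user store, the `authenticate` function and its parameters are assumptions, and the TOTP secret is the public RFC 6238 test key. It goes slightly beyond the text by tolerating one time step of clock drift and rejecting replayed codes.

```python
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept +/- one step of clock drift

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret: bytes, step_counter: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one time-step counter."""
    digest = hmac.new(secret, struct.pack(">Q", step_counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

# Constructed user record; the secret is the RFC 6238 test key, not a real one.
SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse", SALT),
        "totp_secret": b"12345678901234567890",
        "last_step": -1,   # highest time step already accepted (replay guard)
    }
}

def authenticate(username: str, password: str, code: str, now: float) -> bool:
    """Return True only if username, password and TOTP code all check out."""
    user = USERS.get(username)
    if user is None:
        # Still run the slow hash so unknown users take as long as known ones.
        hash_password(password, SALT)
        return False
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    current = int(now) // STEP
    matched = None
    for step in range(max(0, current - WINDOW), current + WINDOW + 1):
        expected = totp(user["totp_secret"], step).encode()
        if hmac.compare_digest(expected, code.encode()):
            matched = step
    # Reject a code whose time step was already accepted (replayed capture).
    if not pw_ok or matched is None or matched <= user["last_step"]:
        return False
    user["last_step"] = matched
    return True
```

A failed password attempt does not consume the TOTP step, so a user who mistypes the password can retry with the same code inside its validity window.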

IPsec remains the standard for site-to-site VPN (gateway to gateway). SSL VPN is the standard for remote user access.