Cisco has ceased development on the IPSec VPN client, and shifted to pushing the SSL VPN client for remote VPN access for both IOS and ASA platforms. But that costs up to USD$125 per VPN client. Is that good for customers? Or are we being shafted to increase revenue?
The Cisco VPN Client that uses IPSec as a dynamic remote access method to IOS, ASA, PIX and C6500 VPN modules is basically dead. From the Cisco Web site:
“The Cisco VPN client supports Windows 2000, XP and Vista (x86/32-bit only); Linux (Intel); Mac OS X 10.4; and Solaris UltraSparc (32 and 64-bit). For x64 (64-bit) Windows support, you must utilize Cisco’s next-generation Cisco AnyConnect VPN Client.”
And from the Product Q&As:
“Cisco VPN Client Version 5 is available for 32-bit Windows Vista. There are no current plans to provide 64-bit support for the Cisco VPN Client but 64-bit support is available for the Cisco AnyConnect VPN Client.”
There doesn’t seem to be any End of Life or End of Support notices, so the current version must still be getting support, but there is no future for it.
You can choose any technology, so long as it is SSL VPN
A quick look at Cisco AnyConnect will confirm that this is an SSL VPN technology only. So this leads me to a few conclusions:
- Cisco isn’t planning on continuing the Cisco VPN Client
- Cisco doesn’t like IPSec as a dynamic secure remote access method.
- You must choose SSL VPN for remote access, because Cisco says so
- I need to start planning to replace the Cisco VPN client in the next year or two. On several thousand desktops.
- Which is going to be great
- and replace it with a technology that isn’t nearly so lovely, simple and well understood
- This looks like it’s saving Cisco money – they don’t have to develop and maintain two clients
- But is going to cost us a shedload of cash
Which would be fine, I suppose, if I could find a good reason why changing from IPSec to SSL would be a Good Thing(tm).
What’s good about SSL VPN then?
I was reading through some notes from Networkers and made the following list:
- SSL VPNs have three modes – clientless, thin client and full client.
- Clientless VPNs allow you to create a portal, which you can customise.
- They allow for application translation, e.g. CIFS drive shares appear in a web page (for clientless mode)
- For thin client mode, you can deliver Java plugins that let you access certain services such as Citrix, ssh, telnet, RDP without having the client programs on your PC
- Thick client acts the same as IPSec VPN client, but can be installed (initiated) from the web browser (sort of)
- The SSL VPN client is NOT FREE (not so good)
Did I mention that the SSL VPN Client option is not FREE….
So the IPSec VPN, which most of us are very happy with and used to, is free for an unlimited number of users. But the replacement requires a license for every user past two.
And you will be forced to upgrade since the VPN Client doesn’t work on modern systems (not straightaway, but one day Microsoft will get a version of Windows to replace Windows XP).
Yeah, I’ve got the same feeling as you.
I am going to pay for SSL VPN technology that Cisco is forcing you to move towards.
They have chosen to do that. Now that is customer focussed.
How much?
Here are the USD list prices for the SSL licenses:
IOS SSL VPN Licences
| Part number | Description | List price (USD) |
|---|---|---|
| FL-WEBVPN-10-K9 | Feature License IOS SSL VPN Up To 10 Users (Incremental) | $300 |
| FL-WEBVPN-25-K9 | Feature License IOS SSL VPN Up To 25 Users (Incremental) | $750 |
| FL-WEBVPN-100-K9 | Feature License IOS SSL VPN Up To 100 Users (Incremental) | $3,000 |
ASA SSL VPN Licences
| Part number | Description | List price (USD) |
|---|---|---|
| ASA5500-SSL-10 | ASA 5500 SSL VPN 10 Premium User License | $1,250 |
| ASA5500-SSL-25 | ASA 5500 SSL VPN 25 Premium User License | $3,095 |
| ASA5500-SSL-50 | ASA 5500 SSL VPN 50 Premium User License | $3,995 |
| ASA5500-SSL-100 | ASA 5500 SSL VPN 100 Premium User License | $7,995 |
| ASA5500-SSL-250 | ASA 5500 SSL VPN 250 Premium User License | $19,995 |
| ASA5500-SSL-500 | ASA 5500 SSL VPN 500 Premium User License | $29,995 |
| ASA-SSL-10-25= | ASA 5500 SSL VPN 10 to 25 Premium User Upgrade License | $1,895 |
| ASA-SSL-25-50= | ASA 5500 SSL VPN 25 to 50 Premium User Upgrade License | $1,995 |
| ASA-SSL-50-100= | ASA 5500 SSL VPN 50 to 100 Premium User Upgrade License | $3,995 |
Rule of Thumb
So an IOS SSL VPN connection is going to cost about USD$30 per concurrent connection.
An ASA SSL VPN is going to cost USD$125 per concurrent connection.
Remember that a lot of companies use VPNs as a DR feature, and that is the peak load condition, when, say, 40% of users might connect from home. This means that SSL VPN licenses are not good value for money, since they are only used in exceptional circumstances.
Where’s the WIN then
To be frank, I’m not sure. For most people, choosing IPSec is the default choice. It’s simple, well known, easy to do and doesn’t cost anything.
SSL VPN is a bewildering array of policies for inheritance and self-configuration. It has all the features of the IPSec client for AAA and maintenance, plus some fancy clientless modes. But it costs quite a bit.
Lack of Competition
The IPSec VPN client was made free when all the firewall vendors had VPN capability. But the current lack of competition in SSL VPNs means that prices aren’t likely to reduce. For example, F5 and Juniper need volume licensing on their SSL VPN products to make any money at all. CheckPoint always charges for everything until they lose market share. So there isn’t much motivation for Cisco to remove volume licensing on SSL.
And by discontinuing the IPSec VPN Client you are being forced to pay the license fee.
So Help Me out….
Are there any features or special powers that the SSL VPN has that I can pitch to justify the migration? Is there some justification that SSL has inherent magical powers, or is this a cynical revenue grab?
Sound off in the comments. I’d love to find out.