HOB PPP Tunnel

By: Hob  09-12-2011
Keywords: vpn, Enterprise Network, Comprehensive Security Solution

HOB RD VPN NetAccess is part of the comprehensive security solution HOB RD VPN and uses the HOB PPP Tunnel to provide complete network access to all resources in the central corporate network.
This access is also bi-directional, i.e., from the central network, one can access all resources on the client as well.
Compression makes this access highly performant. Strong authentication and SSL encryption ensure that the access is secure.
Using SSL as the transmission protocol has the advantage that it is supported by all network devices; this is not the case with comparable IPsec solutions.
Momentary interruptions in the connection to the client trigger an automatic reconnect.
Currently, the HOB PPP Tunnel supports Windows Vista as the operating system on the client; support for Apple Mac, Linux, FreeBSD or Solaris will be available soon.

The PPP Tunnel in HOB RD VPN also has the abbreviation HOB-PPP-T1.

The HOB PPP Tunnel from the User's Perspective

The user starts a browser and connects to HOB RD VPN in the corporate offices. There, the user has to authenticate himself or herself (depending on the procedure chosen, see below) and then lands at the HOB RD VPN start page. If the administrator has configured it, the "Start PPP Tunnel" menu item will be displayed on this page.
When this menu item is selected, the PPP Tunnel will start and in the Windows taskbar a tray icon will appear.
Other Websites can still be visited with the same browser after the PPP Tunnel has started: This will not affect the PPP Tunnel, nor will closing the browser disconnect or close the PPP Tunnel.

Now the user can access, via the PPP Tunnel, all resources in the central network; all protocols, such as TCP, UDP or ICMP will go through the PPP Tunnel.

Nothing needs to be installed locally in order to use the PPP Tunnel, and the user need not have any administrator rights. Notably, no special drivers are required on the client either.

The only requirement on the client besides a browser is that it have a Java Virtual Machine (JVM) installed.

Other resources on the Internet can still be used after the PPP Tunnel is started on the user's client machine; also, users still have access to other HOB RD VPN functions; when properly installed and configured in the central network, these connections will not go over the PPP Tunnel.
This is also known as a split tunnel.
Via the Windows Firewall on the client, an administrator can block access to other Internet resources if split tunneling is not wanted. To do this, the administrator must configure the Windows Firewall on the client accordingly; this is not a function of HOB RD VPN.

Reconnect After a Short Interruption of the Connection

If there is a temporary network interruption and the client loses its connection, the user does not need to restart the PPP Tunnel; rather, as soon as the network interruption is remedied, the PPP Tunnel automatically resynchronizes itself with the network in the central office. In most cases, the applications continue running on the client without any problems.
The client's network connection can be broken when, for example, the provider temporarily interrupts the DSL line and then re-establishes the connection. Most providers do this once a day.

The HOB WebSecureProxy in the Corporate Center

The core component of HOB RD VPN is the server component HOB WebSecureProxy. The current version of the WebSecureProxy, or WSP for short, is 2.2, available for Windows, Linux and Unix in altogether 11 different platform-specific versions.

The WSP can also run in HOB SCS, the Open-Source Unix-based server operating system from HOB. HOB SCS stands for Secure Communications Server.

The WSP works with SSL encryption. HOB SSL supports all current encryption algorithms, including AES (Advanced Encryption Standard) with up to 256-bit key lengths.

The Web-Server Integrated in the HOB WebSecureProxy

The HOB WSP has a built-in Web server; the HOB PPP Tunnel components are downloaded from this Web server.
Approximately 300 kilobytes are downloaded. This only takes a few seconds.
Once the client components of the HOB PPP Tunnel are downloaded, they do not have to be downloaded again for subsequent connections; these components are cached on the client. If newer components are installed on the WSP, the client will detect this at the next connection attempt and then download them.

For server authentication over SSL, the WSP needs an X.509 certificate of the kind that is also used, for example, in SSL/HTTPS-equipped Web servers.

Feeding the Network Packets into the Corporate Center's Network

The HOB WSP v. 2.2 has no special functions for the PPP Tunnel; the HOB WSP only en- and decrypts the PPP Tunnel's data. The HOB program xbipgw16 runs in the enterprise network. This program splits the TCP connection to the client and converts it to L2TP over UDP.
These L2TP packets then go to a hardware / software component that is not part of the HOB solution, which feeds the packets into the network.
This L2TP functionality is an industry standard and thus already built into many components.
Some of these components are, for example:

  • Microsoft Windows RRAS
  • Linux with L2TP Server, e.g., OpenSwan
  • Routers with integrated L2TP Servers

It can be advantageous to feed the network packets from the PPP Tunnel directly into the enterprise network, and not in the DMZ.
With this solution, security continues to be terminated in the DMZ.
The client receives an IP address over PPP and routes packets from this address range over the PPP Tunnel.
If the client receives an IP address from the DMZ, it can then reach all devices in the DMZ, and devices in the enterprise network itself only over NAT (Network Address Translation - optional).
If the client receives an IP address from the enterprise network, then all devices in it can be reached directly.

Part of the HOB PPP Tunnel is a component which executes NAT in the IP header and in DNS-UDP packets. Through this, the PPP Tunnel can be used to reach several non-interconnected networks (sub-networks) in the corporate network.
This component is called xl-sdh-ppp-pf-01 and runs as an add-on (Server-Data-Hook) in the WebSecureProxy.
This component can also (optionally) be used as a DNS server; certain URLs can be resolved over this integrated DNS server which overwrites the addresses from the DNS server in the enterprise network.
The reason for this DNS server is that certain URLs, which have an address in the public Internet as well as a (different) address in the enterprise network, are resolved in such a way that other HOB RD VPN components do not establish a connection over the PPP Tunnel but over the public Internet.

HOB PPP Tunnel Network Stack

Authentication with HOB RD VPN

User authentication can be carried out in three different ways, depending on the type of installation:

  • User ID and Password
  • Token with one-time-password, e.g., RSA SecurID, Secure Computing Premier Access or VASCO DigiPass
  • Certificate for client authentication over SSL
    (stored on, e.g., a SmartCard)

Authentication is performed over a browser with an SSL / HTTPS connection to the WSP. Thus the authentication process itself is encrypted and secure.

The HOB WSP has an integrated Radius interface enabling authentication to all conventional Radius servers.

The HOB WSP also has an integrated OCSP (Online Certificate Status Protocol) interface enabling client SSL certificates to be inspected for validity.

Integrity Check before the Client is Granted Access

The client can, as an option, also be inspected according to specific criteria before being granted access to enterprise-internal data. When desired, this can be configured during installation in the corporate network.

HOB Enterprise Access for Central Configuration

Configuration and authentication data such as User ID and password are either stored in an XML file in the WSP configuration (HOB RD VPN Compact, under preparation) or in the component HOB Enterprise Access.
HOB Enterprise Access either uses an integrated database or saves its data to an LDAP server. HOB Enterprise Access supports all current LDAP servers as well as Microsoft Active Directory.
When HOB Enterprise Access is configured to store data in an LDAP server, the required structures are created via a schema extension.

Common Criteria Certification

The HOB PPP Tunnel is part of the comprehensive security solution HOB RD VPN. HOB RD VPN has been certified in accordance with the Common Criteria by the German Federal Office for Information Security (BSI Bundesamt für Sicherheit in der Informationstechnik).

No Single-Point-of-Failure

In larger installations, all HOB RD VPN components can be redundantly installed in the enterprise network. Thus there is no single point of failure and uninterrupted operation is enabled.


