HOB RD VPN NetAccess is part of the comprehensive security solution
HOB RD VPN and uses the HOB PPP Tunnel to provide complete network access to all resources in
the central corporate network.
This access is also bi-directional, i.e., from the central network one can
access all resources on the client as well.
Compression makes this access highly performant. Strong authentication and SSL
encryption ensure that the access is secure.
SSL as the transmission protocol has the advantage that it is supported by all
network devices; this is not the case with comparable
Momentary interruptions in the connection to the client trigger an automatic reconnect.
Currently, the HOB PPP Tunnel supports Windows Vista as the operating system on
the client; support for Apple MAC, Linux, FreeBSD or Solaris will be available
The PPP Tunnel in HOB RD VPN also has the abbreviation
The HOB PPP Tunnel from the User's Perspective
The user starts a browser and connects to
HOB RD VPN in the corporate offices. There, the user has to authenticate (depending on the
procedure chosen, see below) and then lands on the HOB RD VPN
start page. If the administrator has configured it, the "Start PPP
Tunnel" menu item is displayed on this page.
When this menu item is selected, the PPP Tunnel will start and in the Windows
taskbar a tray icon will appear.
Other websites can still be visited with the same browser after the PPP Tunnel
has started; this does not affect the PPP Tunnel, nor does closing the browser
disconnect or close the PPP Tunnel.
Now the user can access, via the PPP Tunnel, all resources in the central
network; all protocols, such as TCP, UDP or
ICMP will go through the PPP Tunnel.
Nothing needs to be installed locally in order to use the PPP Tunnel, and the
user need not have any administrator rights.
Notably, no special drivers are required on the client either.
The only requirement on the client besides a browser is that it have a Java
Virtual Machine (JVM) installed.
Other resources on the Internet can still be used after the PPP Tunnel is
started on the user's client machine; also, users still have access to other HOB RD VPN
functions; when properly installed and configured in the central network, these
connections will not go over the PPP
This is also known as a split tunnel.
Via the Windows Firewall on the client, an administrator can block access to
other Internet resources if split tunneling is not wanted.
To do this, the administrator must configure the Windows Firewall on the client
accordingly; this is not a function of HOB RD VPN.
Reconnect After a Short Interruption of the Connection
If there is a temporary network interruption and the client loses its
connection, the user does not need to restart the PPP Tunnel; rather, as soon as
the network interruption is remedied, the PPP Tunnel automatically
resynchronizes itself with the network in the central office. In most cases, the
applications continue running on the client without any problems.
The client's network connection can be broken when, for example, the provider
temporarily interrupts the DSL line and then re-establishes the connection. Most
providers do this once a day.
The HOB WebSecureProxy in the Corporate Center
The core component of HOB RD VPN is the server component HOB WebSecureProxy.
The current version of the WebSecureProxy, or in short, the WSP, is 2.2,
available for Windows, Linux and Unix in altogether 11 different
The WSP can also run in HOB SCS, the Open-Source
Unix-based server operating system from HOB. HOB SCS stands for Secure
The WSP works with SSL encryption. HOB SSL
supports all current encryption algorithms, including AES (Advanced
Encryption Standard) with up to 256-bit key lengths.
The Web-Server Integrated in the HOB WebSecureProxy
The HOB WSP has a built-in Web server; the HOB PPP Tunnel components are
downloaded from this Web server.
Approximately 300 kilobytes are downloaded. This only takes a few seconds.
Once the client components of the HOB PPP Tunnel are downloaded, they do not
have to be downloaded again for subsequent connections; these components are
cached on the client. If newer components are installed on the WSP, the client
will detect this at the next connection attempt and then download them.
For server authentication over SSL, the WSP needs an X.509 certificate, of the
kind also used, for example, by SSL/HTTPS-equipped Web servers.
Feeding the Network Packets into the Corporate Center's Network
The HOB WSP v. 2.2 has no special functions for the PPP Tunnel; the HOB WSP
only encrypts and decrypts the PPP Tunnel's data. The HOB program xbipgw16 runs in
the enterprise network. This program splits the TCP connection to the client and
converts it to L2TP over UDP.
These L2TP packets then go to a hardware / software component that is not part
of the HOB solution and it feeds the packets into the network.
This L2TP functionality is an industry standard and thus already built into many
Some of these components are, for example:
- Linux with L2TP server, e.g., OpenSwan
- Routers with integrated L2TP servers
It can be advantageous to feed the network packets from the PPP
Tunnel directly into the enterprise network, and not in the DMZ.
With this solution, security continues to be terminated in the DMZ.
The client receives an IP address over PPP and routes packets from this address
range over the PPP Tunnel.
If the client receives an IP address from the DMZ, it can then reach all devices
in the DMZ, and devices in the enterprise network itself only over NAT (Network
Address Translation, optional).
If the client receives an IP address from the enterprise network, then all
devices in it can be reached directly.
Part of the HOB PPP Tunnel is a component which performs NAT on the
IP header and on DNS-UDP packets. Through this, the PPP Tunnel
can be used to reach several non-interconnected networks (sub-networks) in the
This component is called xl-sdh-ppp-pf-01 and runs as an add-on (Server-Data-Hook)
in the WebSecureProxy.
This component can also (optionally) be used as a DNS server; certain URLs can
be resolved over this integrated DNS server which overwrites the addresses from
the DNS server in the enterprise network.
The reason for this DNS server is that certain URLs, which have one address in
the public Internet and a different one in the enterprise network, are
resolved in such a way that other HOB RD VPN components do not establish their
connection over the PPP Tunnel but over the public Internet.
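The DNS override just described, as an added example that is not HOB's code: a function that parses a DNS response and replaces the A-record address of configured names, which is the DNS-UDP half of what the text attributes to xl-sdh-ppp-pf-01 (the IP-header NAT is not shown). The override table, names and addresses are constructed assumptions, and `build_response` only fabricates a sample answer to run against.

```python
import struct

# Constructed override table (assumed, not HOB's configuration format): names that
# resolve to an enterprise address but must be reached over the public Internet.
OVERRIDES = {"portal.example.com": "203.0.113.10"}

def _read_name(pkt, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_off)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # resume after the pointer
            jumped, off = True, ptr
            continue
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)

def a_records(pkt):
    """Return [(name, dotted_ip, rdata_offset)] for every A answer in a DNS response."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    off, found = 12, []
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record, IPv4 rdata
            found.append((name, ".".join(str(b) for b in pkt[off:off + 4]), off))
        off += rdlen
    return found

def rewrite_a_records(pkt, overrides=OVERRIDES):
    """Copy of the response with the rdata of overridden names replaced in place."""
    out = bytearray(pkt)
    for name, _, off in a_records(out):
        if name in overrides:
            out[off:off + 4] = bytes(int(b) for b in overrides[name].split("."))
    return bytes(out)

def build_response(name, ip):
    """Constructed sample: minimal response with one question and one A answer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(b) for b in ip.split("."))
    return header + qname + struct.pack("!HH", 1, 1) + answer
```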
HOB PPP Tunnel Network Stack
Authentication with HOB RD VPN
User authentication can be carried out in three different ways, depending on
the type of installation:
- User ID and Password
- Token with one-time-password, e.g., RSA
SecurID, Secure Computing Premier Access or VASCO DigiPass
- Certificate for client authentication over SSL
(stored on, e.g.,
Authentication is performed over a browser with an SSL
/ HTTPS connection to the WSP. Thus the authentication process itself is
encrypted and secure.
The HOB WSP has an integrated RADIUS interface enabling authentication against all
conventional RADIUS servers.
The HOB WSP also has an integrated OCSP
(Online Certificate Status Protocol) interface enabling client SSL certificates
to be inspected for validity.
Integrity Check before the Client is Granted Access
The client can, as an option, also be inspected according to specific
criteria before being granted access to enterprise-internal data. When desired,
this can be configured during installation in the corporate network.
HOB Enterprise Access for Central Configuration
Configuration and authentication data such as User ID and password are either
stored in an XML file in the WSP configuration (HOB RD VPN Compact, under
preparation) or in the component HOB Enterprise Access.
HOB Enterprise Access uses either an integrated database or the data are saved
to an LDAP server. HOB Enterprise Access supports all current LDAP servers as
well as Microsoft Active Directory.
When HOB Enterprise Access is configured to store data in an LDAP server, the
required structures are created via a schema extension.
Common Criteria Certification
The HOB PPP Tunnel is part of the comprehensive security solution HOB RD VPN. HOB RD VPN has been certified in accordance with the Common Criteria by the
German Federal Office for Information Security (BSI Bundesamt für Sicherheit in der
In larger installations, all HOB RD VPN components can be redundantly
installed in the enterprise network. Thus there is no single-point-of
failure and uninterrupted operation is enabled.
HOB software can be thoroughly tested
Here you can download a fully functional version for testing
(test period = 4 weeks). After you are satisfied, just purchase and
enter a license key to continue using the software.