In this mode, the remote user accesses the internal network using a web browser (FireFox, Chrome, Internet Explorer, Edge, Safari, ...) on the client computer (see figure below). The following applications are available for the remote user:
A basic condition is that a remote user's computer must support this way of communication. The remote user downloads Java applet from the portal page. This applet works on the client as a TCP proxy server for the services that are configured on the portal page. This type allows remote access to standard TCP-based applications such as POP3 (Post Office Protocol 3), SMTP (Simple Mail Transfer Protocol), IMAP (Internet Message Access Protocol), or Telnet, as well as access to enterprise information systems such as SAP (System Application Products). The client’s applications must be configured to communicate via a TCP connection to a known server and port. The server address is typically a loopback (127.0.0.1), where communication is captured by the TCP proxy server and then routed to the SSL tunnel.
This mode exhibits the largest list of options for a remote users. The user downloads (manually or automatically) a full SSL VPN client after logging on to the VPN server. For Cisco, it is "Cisco AnyConnect VPN Client". This program creates a virtual network interface that provides access to the network layer to various applications. This type of SSL VPN provides options comparable to IPsec VPN (Remote Access). When the connection is terminated, the Cisco AnyConnect VPN client will be removed from the client station or may remain installed on the station.
Conventional SSL VPNs cannot be used to create Site-to-Site VPNs, they are mostly used as Remote-Access VPNs. An exception to this rule is the OpenVPN project that allows you to create SSL/TLS secure site-to-site VPNs.