I've read some books and the Juniper documentation, but I am still struggling to fully understand the differences between SAM and Network Connect. When and why would I use SAM over NC? What are the conceptual differences?
I understand that not all applications can be handled with SAM (right?), but what else? What are the advantages of using SAM over NC? There must be some, else it wouldn't be there and people would just use NC.
Please enlighten me.
NetConnect is a VPN client. Use it when you have users who want to get in and access a variety of protocols on lots of internal servers remotely. You can lock it down to one host/one protocol or allow access to the entire internal network. NetConnect users are on your network by default. If you want to allow them access to their own local network, you have to set up split tunneling networks.
SAM, or port forwarding, is typically used to allow users access to a few internal resources while retaining their default access through their own network. For example, we use SAM to allow a partner company to get to one Citrix server on port 1494.
Your question is a good one. We don't use SAM all that much, but I guess I can understand why companies do.
I think one goal of SAM, especially WSAM, is that you may also check which application is connecting, e.g. a SapGUI. To prevent users from using the ACL with any evil tool, you may lock it down to a set of MD5 sums of possible sapgui.exes. For sure this might get unhandy in administration once you have a thousand different sapgui versions around you.
Also, you may reduce the access range to just this application, whereas with an NC tunnel you have at least transparent access to the network (that you grant access to) and at least some attackable servers, like DNS or other things you need to give the client access to by default.
I'm pretty sure WSAM supports UDP. JSAM supports only TCP.
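The MD5-sum lock-down described in the post above, as an added illustration that is not part of the original thread and not Juniper's own code: the WSAM policy stores the hashes of approved executables, and a connecting process only passes if its binary hashes to one of them. The script below builds such an allowlist from a set of approved builds and checks a candidate against it. The file contents are constructed stand-ins, not real SAP GUI binaries, and the function names (`build_allowlist`, `is_allowed`) are this example's own. Note that MD5 is no longer collision resistant, so the check is only as strong as the attacker's inability to produce a colliding binary.

```python
import hashlib
import os
import tempfile

# Constructed sample "binaries": stand-ins for several approved sapgui.exe
# builds and one renamed tool. These are NOT real SAP GUI executables.
APPROVED_BUILDS = {
    "sapgui_730.exe": b"SAPGUI 7.30 build 1234 - constructed sample",
    "sapgui_740.exe": b"SAPGUI 7.40 build 5678 - constructed sample",
}
RENAMED_TOOL = b"some other tool renamed to sapgui.exe - constructed sample"


def md5_of_file(path, chunk_size=65536):
    """Hash a file on disk in chunks, the way a client would hash the process image."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """Return the set of MD5 hex digests for the approved executables."""
    return {md5_of_file(p) for p in paths}


def is_allowed(path, allowlist):
    """True only if the candidate binary matches an approved hash exactly."""
    return md5_of_file(path) in allowlist


def demo():
    """Write the constructed samples to a temp dir and run the check.

    Returns one bool per approved build, then one for the renamed tool.
    """
    with tempfile.TemporaryDirectory() as d:
        approved_paths = []
        for name, content in APPROVED_BUILDS.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            approved_paths.append(p)

        # Same file name as the real client, different bytes: must be rejected.
        candidate = os.path.join(d, "sapgui.exe")
        with open(candidate, "wb") as f:
            f.write(RENAMED_TOOL)

        allowlist = build_allowlist(approved_paths)
        results = [is_allowed(p, allowlist) for p in approved_paths]
        results.append(is_allowed(candidate, allowlist))
        return results


if __name__ == "__main__":
    print(demo())
```

Every additional approved version adds one more hash to the allowlist, which is exactly the administrative burden the post describes once many client versions are in circulation.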
I use SAM to limit the exposure of my internal network to users on the Internet, typically 3rd parties. For example, with SAM, the user can see the DNS names only of the servers he or she is allowed to access; NC gives free access to my DNS servers.
Also, SAM allows me to specify the resources the 3rd party can access by DNS name, instead of IP address. This is really useful, as the configuration doesn't break when someone decides to move the application (and the DNS name) to a server at a different address.
Thanks everyone. I really appreciate your comments.
One more question: Is SAM really limited to a couple of applications, or could I use any custom application I want?
WSAM is only limited to the couple of applications you define as allowed, or let's say process names (as it does not see an application itself).
E.g. you could also allow ping 188.8.131.52 besides SAPGui, whatever.
But in my eyes it gets unhandy if you have too many apps for all users together; then I'd personally use NC, except when they are spread among different roles that are mapped based on different user attributes.
So from an application point of view I could do the same things with WSAM that I could do with NC, just be more restrictive on how the application is being used or which application is being used. Got it. Very interesting. I think I should explore this feature more.
I always use NC. For everything. A more reliable and easier to administer interface. I control what can be done via the NC Access List. I use split tunnelling so it acts like WSAM. JSAM is especially clunky. NC is especially good on Mac and Linux. I think the only use I would have for WSAM is on a WinMobile phone.
Most other access uses the Terminal Services Proxy (CTS), which in Windows is AWESOME. Totally transparent to users. Again, I use NC on Mac and Linux. (Wish the Citrix Resource Profile allowed selecting Network Connect as the delivery mechanism.)