IPSec VPN v. SSL access to FactoryPMI

A customer is proposing giving remote access to FactoryPMI by forwarding all traffic on the relevant port to the FactoryPMI server. This then puts all the security responsibility onto FactoryPMI. I need to be sure that this doesn’t become a back door onto his network.

I’m just back from a seminar outlining the use of IPSec-based VPNs. This approach was nice because it stopped unauthorised traffic before it got onto the network. How does using SSL to access FactoryPMI compare in terms of security? If we implemented an IPSec-based VPN, am I correct in thinking there would then be no reason to enable SSL for FactoryPMI?

That is correct - you also wouldn't port forward the HTTP port over from the public internet - the FPMI server would have an internal LAN address.

FactoryPMI's SSL implementation is based on Apache Tomcat, which is a very widely-used (and thus well-tested) product.

Stepping back a bit, SSL and VPN aren't equivalent technologies. SSL provides encryption for HTTP traffic. On a port-forwarded setup, outside parties only have access to the FPMI server through its HTTP port. So, only HTTP requests can be made. VPNs put the computer "virtually" on the host network, and then encrypt all communication.