SSL VPN Setup
Overview
SSL VPN provides an easy and reliable means for users to establish a secure connection to your InstaGate from virtually any location where they can browse the web. SSL VPN uses a Java-based client installer, allowing your users to connect from any modern PC with a web browser, including Windows, Mac OS, and Linux operating systems. For clients on other operating systems, or when you wish to use a third-party OpenVPN-compatible client, manual certificate installation is also possible.
By default SSL VPN uses TCP port 443, allowing it to work on most port-restricted networks, such as those at hotels and airports, where other types of point-to-point VPN connections may not function properly.
Configuration
To enable and configure SSL VPN:
Settings
- Select SSL VPN Settings: Enabled to display the available configuration parameters.
- The default "WANIP" will automatically be selected under Server Configuration: Server IP Address. If multiple WAN addresses are defined they will also be available to choose here. This is the public IP address your users will be using to connect.
- Server port determines which TCP or UDP port is used by connecting clients. The default, TCP port 443, corresponds to the HTTPS protocol and is a good choice due to its availability on most restricted networks. Any other available port may be used here, but make certain it does not conflict with other services or firewall policies defined on your InstaGate.

- Select the desired Tunnel Mode within VPN Network Configuration. You can choose between Bridged mode and Routed mode. A description of each follows below.
***NOTE: Old-Gen InstaGate models (EX, EX2, xSP, PRO) only have the Routed mode option***
- Bridged mode functions similarly to PPTP VPN; connecting users will be assigned an IP address from the pool you specify, and will be able to access local network resources as if their PC were connected directly to the internal network. In this mode, connecting users will be subject to the same filtering and rules applied to your existing LAN, such as Web Security filtering.
- Start IP Address and End IP Address determine the range of assignable IP addresses for SSL VPN users. This range must be part of your existing Local Area Network (LAN) IP subnet.
- If all available IP addresses are in use, new SSL VPN connections will not be possible until a user disconnects or more IP addresses are added to the pool.
- Routed mode will allow you to specify a unique subnet of IP addresses for connecting users, separate from your current internal networks. This mode allows for advanced routing and control of connecting clients; by default, connecting users will have access to resources on your InstaGate only, such as Web Security filtering. Access to other internal network resources is controlled using Client Routes within Advanced settings.
- Network Address specifies the prefix for IP addresses that will be assigned to connecting users. For example, if you wish to use the network range 192.168.100.1 - 192.168.100.254, the Network Address would be 192.168.100.0.
- Subnet Mask determines the number of available IP addresses in your SSL VPN range. In the example above, the Subnet Mask would be 255.255.255.0, a class C subnet.
- Your InstaGate will reserve the first IP address within the subnet specified to act as the local routing endpoint. Clients will utilize two available IP addresses each, to establish point-to-point connectivity.
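As an added illustration (not InstaGate code), the address-pool rules above expressed as checks you can run before committing the settings: the bridged Start/End pool must sit inside the LAN subnet, and in routed mode the Network Address must be the subnet prefix, with the first host address reserved for the InstaGate and two addresses consumed per client. The client count is an estimate derived from the rule as stated here, not a vendor figure, and the sample addresses are constructed.

```python
import ipaddress


def check_bridged_pool(lan_cidr, start_ip, end_ip):
    """Bridged mode: the Start/End pool must lie inside the existing LAN subnet.

    Returns the number of assignable addresses in the pool.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    if start > end:
        raise ValueError("Start IP Address is above End IP Address")
    if start not in lan or end not in lan:
        raise ValueError(f"pool {start}-{end} is not inside LAN {lan}")
    if start == lan.network_address or end == lan.broadcast_address:
        raise ValueError("pool must not include the network or broadcast address")
    return int(end) - int(start) + 1


def routed_pool(network_address, subnet_mask):
    """Routed mode: Network Address must be the subnet prefix.

    Returns (InstaGate routing endpoint, estimated client capacity). The
    capacity assumes, as the text describes, that the first host address is
    reserved and each client uses two addresses; it is a constructed estimate.
    """
    # strict=True rejects a Network Address with host bits set (e.g. .1/24)
    net = ipaddress.ip_network(f"{network_address}/{subnet_mask}", strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 3:
        raise ValueError(f"subnet {net} is too small for an endpoint and a client")
    endpoint = hosts[0]                 # reserved for the InstaGate
    clients = (len(hosts) - 1) // 2     # two addresses per client
    return str(endpoint), clients
```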
Users
- From the main SSL VPN page, select Users to manually generate and download the SSL VPN client certificates for manual installation on your users' PCs. This is not normally a required step, as users with Remote Access (VPN) permissions can download and install the eSoftVPN Launcher or Client by logging in to their User Management web interface on your InstaGate with their personal credentials. Both of those downloads include the certificates as well.
- Select the User name and the Operating system from the drop-down menus. Each user MUST download their own client, as the settings for that user are generated and included as part of the download.
***NOTE: Make sure you select the correct Operating system for the PC you plan to install the client on! A Windows download will not work on a Mac or Linux computer.***
Advanced Settings
- From the main SSL VPN page, select Advanced to configure advanced SSL VPN parameters such as the protocol used, DNS/WINS addresses assigned to clients, and any routes that should be passed to connecting users.
- The Compression option is essentially a performance enhancer. With it enabled, all data passing through the VPN is compressed to streamline transmission.
- You can also enable or disable Full-tunneling from this window. Full-tunneling forces all of the client's traffic to pass through the InstaGate instead of the user's local default gateway. The option is enabled by default. Generally you would only disable it if you want to allow only limited access to your network.
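For a third-party OpenVPN-compatible client (mentioned in the overview), here is an added Python example, not the InstaGate's own download generator, that maps the settings from this page (Server IP Address and port, protocol, Tunnel Mode, Full-tunneling, Client Routes, DNS, Compression) onto standard OpenVPN client directives. The SslVpnSettings class and the routed=tun / bridged=tap mapping are assumptions, the certificate file names are placeholders, and the sample values are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SslVpnSettings:
    """Hypothetical mirror of the SSL VPN settings described on this page."""
    server_ip: str                       # Server IP Address (public WAN IP)
    port: int = 443                      # Server port; TCP 443 is the default
    protocol: str = "tcp"                # "tcp" or "udp" (Advanced settings)
    tunnel_mode: str = "routed"          # "routed" (tun) or "bridged" (tap)
    full_tunnel: bool = True             # Full-tunneling, enabled by default
    compression: bool = False            # Compression option
    dns_servers: list = field(default_factory=list)    # DNS given to clients
    client_routes: list = field(default_factory=list)  # Client Routes, CIDR


def build_client_config(s, ca="ca.crt", cert="client.crt", key="client.key"):
    """Return the OpenVPN client profile for settings s as a list of lines."""
    ipaddress.ip_address(s.server_ip)             # raises on a malformed IP
    if not 1 <= s.port <= 65535:
        raise ValueError(f"invalid server port {s.port}")
    if s.tunnel_mode not in ("routed", "bridged"):
        raise ValueError(f"unknown tunnel mode {s.tunnel_mode!r}")
    if s.protocol not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol {s.protocol!r}")
    lines = [
        "client",
        # routed mode is a layer-3 tunnel (tun); bridged mode is layer-2 (tap)
        "dev tun" if s.tunnel_mode == "routed" else "dev tap",
        f"proto {s.protocol}",
        f"remote {s.server_ip} {s.port}",
        f"ca {ca}", f"cert {cert}", f"key {key}",   # placeholder file names
        # accept only a peer whose certificate is marked as a server
        "remote-cert-tls server",
    ]
    if s.full_tunnel:
        # everything goes through the InstaGate, not the local default gateway
        lines.append("redirect-gateway def1")
    elif s.tunnel_mode == "routed":
        # split tunnel: only the Client Routes are reachable through the VPN;
        # strict=True rejects a route whose host bits are set
        for cidr in s.client_routes:
            net = ipaddress.ip_network(cidr, strict=True)
            lines.append(f"route {net.network_address} {net.netmask}")
    for dns in s.dns_servers:
        lines.append(f"dhcp-option DNS {ipaddress.ip_address(dns)}")
    if s.compression:
        lines.append("comp-lzo")   # legacy OpenVPN compression directive
    return lines
```

In bridged mode no route lines are emitted, because the client receives a LAN address and reaches internal hosts directly.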

PKI
- To regenerate the SSL certificates used by the InstaGate and/or individual clients, click the PKI button on the main SSL VPN page. After the initial setup, this should only be necessary if there is any suspicion that your network or an existing SSL VPN client has been compromised.
- Clicking Initialize PKI will generate a new Server Certificate. This is necessary to be able to generate the user Client Certificates.

- The Renew button is used to renew the client certificate for a specific user. Select a user from the User drop-down menu and then click the Renew button.
User Configuration
- Before anyone can use the SSL VPN, they need to have a user created on the unit, and that user must have Remote Access (VPN) enabled.

Troubleshooting
- If downloading on a Macintosh computer, the OS version needs to be 10.5 or higher. Anything older is not compatible with the VPN client.
- The download option in the Admin Web Interface is NOT the actual VPN Client. It is only the configuration and certificates for the client. Make sure users are downloading the client from UserAdmin.
- If using a port other than 443 to connect via SSL VPN, make sure that port is open on the firewall and that it is not already in use by other services.