
Version 10

Document version 1.0 – 10.6.6.042 - 24/11/2017

Cyberoam SSL VPN User Guide

Cyberoam SSL VPN User Guide

Page 2 of 55

Important Notice

Cyberoam Technologies Pvt. Ltd. has supplied this information believing it to be accurate and reliable at the time of printing, but it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document.

Cyberoam Technologies Pvt. Ltd. reserves the right, without notice, to make changes in product design or specifications.

Information is subject to change without notice.

USER’S LICENSE

Use of this product and document is subject to acceptance of the terms and conditions of the Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.

You will find a copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam UTM Appliances at http://kb.cyberoam.com.

RESTRICTED RIGHTS

Copyright 1999 - 2015 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters

Cyberoam House, Saigulshan Complex, Opp. Sanskruti,

Beside White House, Panchwati Cross Road, Ahmedabad - 380006, GUJARAT, INDIA.

Tel: +91-79-66216666 Web site: www.cyberoam.com


Contents

Preface ..... 4
Introduction ..... 6
Appliance Administrative Interfaces ..... 7
    Web Admin Console ..... 7
    Command Line Interface (CLI) Console ..... 8
    Cyberoam Central Console (CCC) ..... 8
Web Admin Console ..... 9
    Web Admin Language ..... 9
    Supported Browsers ..... 10
    Login procedure ..... 11
    Log out procedure ..... 12
    Menus and Pages ..... 13
    Page ..... 15
    Icon bar ..... 16
    List Navigation Controls ..... 17
    Tool Tips ..... 17
    Status Bar ..... 17
    Common Operations ..... 18
SSL VPN ..... 21
Concepts ..... 22
    SSL VPN Access Modes ..... 22
    Portal ..... 24
Cyberoam Configuration for SSL VPN ..... 25
    Tunnel Access ..... 25
    Web Access ..... 28
    Policy ..... 29
    Bookmark ..... 36
    Bookmark Group ..... 40
    Portal ..... 42
    Live SSL VPN Users ..... 44
Client Configuration for SSL VPN ..... 45
    Access End-User Portal ..... 45
    Accessing SSL VPN Using Tunnel Access ..... 47
        Download Client ..... 47
        Download and Import Client Configuration ..... 50
        Establish connection ..... 52
    Accessing SSL VPN Using Web Access ..... 54
    Accessing SSL VPN Using Application Access ..... 55


Preface

Welcome to the Cyberoam SSL VPN User Guide.

Cyberoam Unified Threat Management (UTM) appliances offer identity-based comprehensive security to organizations against blended threats: worms, viruses, malware, data loss, identity theft; threats over applications such as Instant Messengers; threats over secure protocols such as HTTPS; and more. They also offer wireless security (WLAN), and their 3G wireless broadband and analog modem support can be used as either an Active or a Backup WAN connection for business continuity.

Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti-Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data Leakage Prevention, IM Management and Control, Layer 7 visibility, Bandwidth Management, Multiple Link Management and Comprehensive Reporting over a single platform.

Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs support. It thus offers security to organizations across layer 2 to layer 8, without compromising productivity and connectivity.

Cyberoam UTM appliances accelerate unified security by enabling single-point control of all their security features through a Web 2.0-based GUI. An extensible architecture and an ‘IPv6 Ready’ Gold logo give Cyberoam the readiness to deliver on future security requirements.

Cyberoam provides increased LAN security by providing a separate port for connecting to publicly accessible servers like Web, Mail and FTP servers hosted in a DMZ, which are visible to the external world and still have firewall protection.

Note

• The default Web Admin Console username is ‘admin’ and the password is ‘admin’.

• Cyberoam recommends that you change the default password immediately after installation to avoid unauthorized access.


Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Customer Care/Service department at the following address:

Corporate Office

Cyberoam House,

Saigulshan Complex, Opp. Sanskruti,

Beside White House, Panchwati Cross Road,

Ahmedabad - 380006, GUJARAT, INDIA.

Tel: +91-79-66216666

Fax: +91-79-26407640

Web site: www.cyberoam.com

Cyberoam contact:

Technical support (Corporate Office): +91-79-26400707

Email: [email protected]

Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.


Introduction

This Guide provides information on how to configure Cyberoam SSL VPN connections and helps you to manage and customize Cyberoam to meet your organization’s various requirements for remote users.

Note: All the screen shots in this Guide are taken from NG series appliances using the Internet Explorer (IE) browser; using a different browser might render the GUI differently. The usernames, IP and MAC addresses used in this guide are fictional, and their sole purpose is to educate the user on the usability of the Appliance.


Appliance Administrative Interfaces

Appliance can be accessed and administered through:

1. Web Admin Console

2. Command Line Interface Console

3. Cyberoam Central Console

Administrative Access

An administrator can connect to and access the Appliance through the HTTP, HTTPS, telnet, or SSH services. Depending on the Administrator login account profile used for access, an administrator can access a number of Administrative Interfaces and Web Admin Console configuration pages.

The Appliance is shipped with two administrator accounts and four administrator profiles.

Administrator Type | Login Credentials | Console Access | Privileges
Super Administrator | admin/admin | Web Admin Console, CLI console | Full privileges for both the consoles. It provides read-write permission for all the configuration performed through either of the consoles.
Default | cyberoam/cyber | Web Admin Console only | Full privileges. It provides read-write permission for all the configuration pages of the Web Admin Console.

Note: We recommend that you change the passwords of both users immediately on deployment.

Web Admin Console

The Web Admin Console is a web-based application that an Administrator can use to configure, monitor, and manage the Appliance.

You can connect to and access the Web Admin Console of the Appliance using an HTTP or HTTPS connection from any management computer using a web browser:

1. HTTP login: http://<LAN IP Address of the Appliance>

2. HTTPS login: https://<LAN IP Address of the Appliance>

For more details, refer to the section Web Admin Console.


Command Line Interface (CLI) Console

The Appliance CLI console provides a collection of tools to administer, monitor and control certain Appliance components. The Appliance can be accessed remotely using the following connections:

1. Remote login Utility – TELNET login

To access the Appliance from a command prompt using the remote login utility Telnet, use the command TELNET <LAN IP Address of the Appliance>. Use the default password “admin”.

2. SSH Client (Serial Console)

An SSH client securely connects to the Appliance and performs command-line operations. The CLI console of the Appliance can be accessed via any SSH client using the LAN IP Address of the Appliance and providing Administrator credentials for authentication.

Note: Start the SSH client and create a new Connection with the following parameters: Host – <LAN IP Address of the Appliance>, Username – admin, Password – admin

Use the CLI console to troubleshoot and diagnose network problems in detail. For more details, refer to the version-specific Console Guide available on http://docs.cyberoam.com/.

Cyberoam Central Console (CCC)

Distributed Cyberoam Appliances can be centrally managed using a single Cyberoam Central Console (CCC) Appliance, enabling high levels of security for Managed Security Service Providers (MSSPs) and large enterprises. To monitor and manage Cyberoam using a CCC Appliance you must:

1. Configure the CCC Appliance in Cyberoam

2. Integrate the Cyberoam Appliance with CCC using Auto Discovery or manually

Once you have added the Appliances and organized them into groups, you can configure a single Appliance or groups of Appliances.

For more information, please refer to the CCC Administrator Guide.


Web Admin Console

CyberoamOS uses a Web 2.0 based, easy-to-use graphical interface termed the Web Admin Console to configure and manage the Appliance.

You can access the Appliance for HTTP and HTTPS web browser-based administration from any of the interfaces. When the Appliance is connected and powered up for the first time, it has the following default Web Admin Console access configuration for the HTTP and HTTPS services:

Service | Interface/Zones | Default Port
HTTP | LAN, WAN | TCP port 80
HTTPS | WAN | TCP port 443

The administrator can update the default ports for the HTTP and HTTPS services from System > Administration > Settings.
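As an added illustration (not part of the guide, and not Cyberoam's own tooling), the following Python snippet encodes the default access matrix above as data and runs a simple hardening check over it: any management service whose protocol carries the administrator's credentials in the clear (HTTP, telnet) is reported wherever it is enabled, and any management service reachable from the WAN zone is reported as well. The service and zone names, the rule set and the "hardened" configuration are the example's own assumptions; the check itself is generic, so it can be applied to any such matrix, not only the shipped defaults.

```python
# Added example: a hardening check over an administrative-access matrix.
# Service and zone names mirror the guide's table; the rule set below is the
# example's own assumption about what a reviewer would want flagged.

# Protocols that carry the administrator's credentials in clear text.
PLAINTEXT_SERVICES = {"HTTP", "TELNET"}
# Zones from which management access should not be reachable without restriction.
UNTRUSTED_ZONES = {"WAN"}

# Constructed from the default configuration table in the guide.
DEFAULT_ADMIN_ACCESS = [
    {"service": "HTTP", "zones": ["LAN", "WAN"], "port": 80},
    {"service": "HTTPS", "zones": ["WAN"], "port": 443},
]

# Constructed "after" state (an assumption, not a Cyberoam recommendation):
# encrypted management only, and only from the LAN zone.
HARDENED_ADMIN_ACCESS = [
    {"service": "HTTPS", "zones": ["LAN"], "port": 443},
]


def audit_admin_access(entries):
    """Return one finding string per risky entry; an empty list means no findings.

    Each entry is a dict with keys "service", "zones" and "port". Two rules are
    applied: plaintext management protocols are flagged wherever they are
    enabled, and any management service exposed on an untrusted zone is flagged.
    """
    findings = []
    for entry in entries:
        service = entry["service"].upper()
        zones = [z.upper() for z in entry["zones"]]
        exposed = sorted(set(zones) & UNTRUSTED_ZONES)
        label = f"{service}/{entry['port']}"
        if service in PLAINTEXT_SERVICES and exposed:
            findings.append(
                f"{label}: plaintext management reachable from {', '.join(exposed)}"
            )
        elif service in PLAINTEXT_SERVICES:
            findings.append(
                f"{label}: plaintext management enabled on {', '.join(zones)}"
            )
        elif exposed:
            findings.append(
                f"{label}: management reachable from {', '.join(exposed)}"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_ADMIN_ACCESS), ("hardened", HARDENED_ADMIN_ACCESS)):
        print(f"{name}: {audit_admin_access(cfg) or ['no findings']}")
```

Run as a script it prints the findings for both matrices; the same function can be fed the matrix of any appliance whose management services are described as service, zones and port.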

Web Admin Language

The Web Admin Console supports multiple languages, but by default appears in English. To cater to its non-English customers, apart from English, Chinese-Simplified, Chinese-Traditional, Hindi, Japanese and French languages are also supported. The Administrator can choose the preferred GUI language at the time of logging on.

The listed elements of the Web Admin Console will be displayed in the configured language:

• Dashboard Doclet contents

• Navigation menu

• Screen elements including field & button labels and tips

• Error messages


Supported Browsers

You can connect to the Web Admin Console of the Appliance using HTTP or a secure HTTPS connection from any management computer using one of the following web browsers:

Browser | Supported Version
Microsoft Internet Explorer | Version 8+
Mozilla Firefox | Version 3+
Google Chrome | All versions
Safari | 5.1.2 (7534.52.7)+
Opera | 15.0.1147.141+

The minimum screen resolution for the management computer is 1024 x 768 with 32-bit true color.

The Administrator can also specify the description for firewall rules, various policies, services and various custom categories in any of the supported languages.

All the configuration done using the Web Admin Console takes effect immediately. To assist you in configuring the Appliance, the Appliance includes detailed context-sensitive online help.


Login procedure

The log on procedure authenticates the user and creates a session with the Appliance until the user logs off.

To get to the login window, open the browser and type the LAN IP Address of Cyberoam in the browser’s URL box. A dialog box appears prompting you to enter a username and password.

Screen – Login Screen

Screen Element | Description
Username | Enter the user login name. If you are logging on for the first time after installation, use the default username.
Password | Specify the user account password. Dots are the placeholders in the password field. If you are logging on for the first time after installation with the default username, use the default password.
Language | Select the language. The available options are Chinese-Simplified, Chinese-Traditional, English, French, and Hindi. Default – English
Log on to | To administer Cyberoam, select “Web Admin Console”. To view logs and reports, select “Reports”. To log in to your account, select “My Account”.
Login button | Click to log on to the Web Admin Console.

Table – Login Screen

The Dashboard appears as soon as you log on to the Web Admin Console. It provides a quick overview of all the important parameters of your Appliance.


Log out procedure

To prevent unauthorized users from accessing Cyberoam, log off after you have finished working. This ends the session and exits Cyberoam.

To log off from the Appliance, click the Logout button located at the top right of any of the Web Admin Console pages.


Menus and Pages

The Navigation bar on the leftmost side provides access to the various configuration pages. This menu consists of sub-menus and tabs. On clicking a menu item in the navigation bar, the related management functions are displayed as submenu items in the navigation bar itself. On clicking a submenu item, all the associated tabs are displayed as a horizontal menu bar at the top of the page. To view the page associated with a tab, click the required tab.

The left navigation bar expands and contracts dynamically when clicked without navigating to a submenu. When you click on a top-level heading in the left navigation bar, it automatically expands that heading and contracts the heading for the page you are currently on, but it does not navigate away from the current page. To navigate to a new page, first click on the heading, and then click on the submenu you want to navigate to. Hovering the cursor over the up-scroll or down-scroll icon automatically scrolls the navigation bar up or down respectively.

The navigation menu includes the following modules:

• System – System administration and configuration, firmware maintenance, backup - restore

• Objects – Configuration of various policies for hosts, services, schedules and file types

• Networks – Network specific configuration viz., Interface speed, MTU and MSS settings, Gateway, DDNS

• Identity – Configuration and management of Users and user groups

• Firewall – Firewall Rule Management

• VPN – VPN and SSL VPN access configuration

• IPS – IPS policies and signatures

• Web Filter – Web filtering categories and policies configuration

• Application Filter – Application filtering categories and policies configuration

• WAF – Web Application Filtering policies configuration. Available in all the models except CR15iNG and CR15wiNG.

• IM – IM controls

• QoS – Policy management viz., surfing quota, QoS, access time, data transfer

• Anti Virus – Antivirus filtering policies configuration

• Anti Spam – Anti Spam filtering policies configuration

• Traffic Discovery – Traffic monitoring

• Logs & Reports – Logs and reports configuration

Note: Use the F1 key for page-specific help. Use the F10 key to return to the Dashboard.

Each section in this guide shows the menu path to the configuration page. For example, to reach the Zone page, choose the Network menu, then choose the Interface sub-menu from the navigation bar, and then choose the Zone tab. The Guide mentions this path as Network > Interface > Zone.


Page

A typical page looks as shown in the below given image:

Screen – Page


Icon bar

The Icon bar in the upper rightmost corner of every page provides access to several commonly used functions:

1. Dashboard – Click to view the Dashboard.

2. Wizard – Opens the Network Configuration Wizard for a step-by-step configuration of network parameters like the IP Address, subnet mask and default gateway of your Appliance.

3. Report – Opens the Reports page for viewing various usage reports. The integrated Logging and Reporting solution, iView, offers a wide spectrum of 1000+ unique user identity-based reports across applications and protocols and provides in-depth network visibility to help organizations take corrective and preventive measures. This feature is not available for the CR15xxxx series of Appliances.

4. Console – Provides immediate access to the CLI by initiating a telnet connection to the CLI without closing the Web Admin Console.

5. Logout – Click to log off from the Web Admin Console.

6. More Options – Provides options for further assistance. The available options are as follows:

• Support – Opens the customer login page for creating a Technical Support Ticket. It is fast and easy, and puts your case right into the Technical Support queue.

• About Product – Opens the Appliance registration information page.

• Help – Opens the context-sensitive help page.

• Reset Dashboard – Resets the Dashboard to factory default settings.

• Lock – Locks the Web Admin Console. The Web Admin Console is automatically locked if the Appliance is in an inactive state for more than 3 minutes. To unlock the Web Admin Console you need to log in again. By default, the Lock functionality is disabled. Enable Admin Session Lock from System > Administration > Settings.

• Reboot Appliance – Reboots the Appliance.

• Shutdown Appliance – Shuts down the Appliance.


List Navigation Controls

The Web Admin Console pages display information in the form of lists that are spread across multiple pages. The Page Navigation Control Bar in the upper right corner of the list provides navigation buttons for moving through the pages of a list with a large number of entries. It also includes an option to specify the number of entries/records displayed per page.

Tool Tips

To view additional configuration information, use the tool tip. A tool tip is provided for many configurable fields. Move the pointer over the icon to view a brief configuration summary.

Status Bar

The Status bar at the bottom of the page displays the action status.


Common Operations

Adding an Entity

You can add a new entity like a policy, group, user, rule, or host by clicking the Add button available on most of the configuration pages. Clicking this button either opens a new page or a pop-up window.

Editing an Entity

All the editable entities are hyperlinked. You can edit any entity by clicking either the hyperlink or the Edit icon under the Manage column.

Deleting an Entity

You can delete an entity by selecting its checkbox and clicking the Delete button or Delete icon. To delete multiple entities, select each individual entity and click the Delete button. To delete all the entities, select the checkbox in the heading column and click the Delete button.

Sorting Lists

To organize a list spread over multiple pages, sort the list in ascending or descending order of a column attribute. You can sort a list by clicking a column heading.

• The Ascending Order icon in a column heading indicates that the list is sorted in ascending order of the column attribute.

• The Descending Order icon in a column heading indicates that the list is sorted in descending order of the column attribute.

Filtering Lists

To search for specific information within a long list spread over multiple pages, filter the list. Filtering criteria vary depending on the column data and can be a number, an IP address or part of an address, or any text string combination.

To create a filter, click the Filter icon in a column heading. When a filter is applied to a column, the Filter icon changes to show that the filter is active.

Configuring Column Settings

By default, every page displays all columnar information, but on certain pages where a large number of columns is available, all the columns cannot be displayed. It is also possible that some content may not be of use to everyone. Using column settings, you can configure the page to display only those columns which are important to you.

To configure column settings, click Select Column Settings, select the checkbox against the columns you want to display and clear the checkbox against the columns which you do not want to display. All the default columns are greyed and not selectable.


SSL VPN

A Virtual Private Network (VPN) is a network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users with access to a central organizational network. A secure tunnel is formed across the public network which carries private network traffic between distant offices. This traffic is usually encrypted and compressed for enhanced performance and security. VPN technology has replaced the need to acquire and maintain expensive dedicated leased-line telecommunication circuits once typical in wide-area network installations.

A VPN user can access the central network in a manner that is identical to being connected directly to the central network. Hence, it is ideal for business telecommuters or employees working from home. It is essential that the connection between the central network and remote location meets certain requirements like:

Flexible Access: The remote users must be able to access the organization’s network from various locations, like Internet cafes, hotels, airports etc. The range of applications available must include web applications, mail, file shares, and other more specialized applications required to meet corporate needs.

Secure connectivity: Guaranteed by the combination of authentication, confidentiality and data integrity for every connection.

Usability: Installation must be easy. No configuration should be required as a result of network modification at the remote user end. The given solution should be seamless for the connecting user.

An SSL (Secure Sockets Layer) VPN fulfills the above requirements by providing easy-to-use and secure access to remote users. It allows access to the corporate network and provides the ability to create point-to-point encrypted tunnels between the remote user and the company’s internal network. It requires a combination of SSL certificates and username/password for authentication to enable access to the internal resources.

The Appliance extends its VPN feature to include SSL VPN functionality, providing remote users with secure access to a company’s central network. It delivers a set of features and benefits which are easy to use and control and which allow access to the corporate network from anywhere, anytime.

Depending upon requirement, remote users can access the central network through the SSL VPN Client or the End-user Web Portal (clientless access). It offers a secure web portal which can be accessed by each authorized user to download a free SSL VPN Client, SSL certificates and a client configuration. In addition, it offers granular access policies, bookmarks to designated network resources and portal customization.

Note: SSL VPN is not supported when the Appliance is deployed as a Bridge. The SSL VPN feature is not available for Cyberoam CR15i models.


Concepts

SSL VPN Access Modes

The Appliance authenticates any remote user based on user name and password. A successful login determines the access rights of remote users according to user, group and the SSL VPN policy. The SSL VPN policy specifies whether the connection will operate in Tunnel Access Mode, Web Access Mode or Application Access Mode.

Tunnel Access Mode

Tunnel Access Mode provides remote users with access to the corporate network through laptops as well as from Internet cafes, hotels, airports etc. It requires an SSL VPN Client at the remote end. Hence, remote users are required to download and install SSL VPN Client from the SSL VPN Portal. The Client establishes an SSL VPN tunnel over an HTTPS link between the remote user and the Appliance to encrypt and send the traffic. Here the Appliance acts as a secure HTTPS gateway and authenticates remote users.

The Appliance allows two types of tunneling:

• Split Tunnel: This ensures that only traffic for the private network is encrypted and tunneled while Internet traffic is sent through the usual unencrypted route. This is configured by default and is used to avoid bandwidth choking.

• Full Tunnel: This ensures that not only the private network traffic but other Internet traffic is also tunneled and encrypted.
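To make the difference between the two tunnel types concrete, here is an added Python example (not code from the guide or from the Cyberoam client) that builds the client-side route table each mode implies and resolves sample destinations against it with a longest-prefix match. The private prefixes, the gateway address and the rule that the gateway's own host route stays on the physical link in full-tunnel mode are the example's assumptions; the last one reflects how full-tunnel clients generally behave, since the encrypted packets themselves must reach the appliance outside the tunnel.

```python
# Added example: client-side routing under split tunnel vs. full tunnel.
# All addresses are constructed (RFC 1918 / documentation ranges).
import ipaddress

# Corporate prefixes an administrator would push to SSL VPN clients (assumed).
PRIVATE_NETWORKS = ["10.10.0.0/16", "192.168.50.0/24"]
# Public address of the appliance's WAN side (TEST-NET-3 placeholder).
VPN_GATEWAY = "203.0.113.10"


def build_routes(mode, private_networks=PRIVATE_NETWORKS, gateway=VPN_GATEWAY):
    """Return the client route table for a mode as (network, interface) pairs.

    "split": only the private networks go via the tunnel; the default route
             stays on the physical interface, so Internet traffic is not
             encrypted or tunneled.
    "full":  the default route goes via the tunnel as well, so all traffic is
             encrypted. A /32 host route for the gateway itself stays on the
             physical link (assumed behaviour) so the tunnel can be reached.
    """
    if mode not in ("split", "full"):
        raise ValueError(f"unknown tunnel mode: {mode!r}")
    routes = [(ipaddress.ip_network(n), "tunnel") for n in private_networks]
    routes.append((ipaddress.ip_network(f"{gateway}/32"), "physical"))
    default_iface = "tunnel" if mode == "full" else "physical"
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_iface))
    return routes


def select_route(destination, routes):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(destination)
    best_net, best_iface = None, None
    for net, iface in routes:
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_net is None:
        raise LookupError(f"no route to {destination}")
    return best_iface


def classify(destinations, mode):
    """Map each destination to the interface its traffic leaves on."""
    routes = build_routes(mode)
    return {d: select_route(d, routes) for d in destinations}


# Constructed sample destinations: two corporate hosts, one public web server,
# and the VPN gateway itself.
SAMPLE_DESTINATIONS = ["10.10.4.7", "192.168.50.20", "198.51.100.9", "203.0.113.10"]

if __name__ == "__main__":
    for mode in ("split", "full"):
        print(mode, classify(SAMPLE_DESTINATIONS, mode))
```

In split mode only the two corporate addresses leave on the tunnel; in full mode the public web server does too, while the gateway address is always reached directly. The same functions can be fed any list of prefixes and destinations to predict what a given policy will send through the appliance.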

Web Access Mode

Web Access Mode is used when remote users want to access the SSL VPN using a web browser only, also termed clientless access. It provides users with access to certain Enterprise Web Applications/Servers. This feature comprises an SSL daemon running on the Appliance unit and an SSL VPN Portal which provides users with access to network resources behind the Appliance and certain web applications as configured in the SSL VPN policy.

Application Access Mode

The Application Access Mode also provides clientless access. It gives the user access to web applications as well as certain enterprise applications through a web browser. The feature comprises an SSL daemon running on the Appliance unit and an SSL VPN Portal which provides users with access to different TCP-based applications like HTTP, HTTPS, RDP, TELNET, SSH and FTP without installing a client.

In this mode, the Appliance acts as a secure gateway and authenticates the remote users. On successful authentication, the Appliance redirects the web browser to the web portal from where the remote users can access the applications behind the Appliance. Configuring Application Access mode is a two-step process:

1. Select the Application Access mode in SSL VPN policy

2. Assign the policy to the User or Group

For Administrators, the Web Admin Console provides SSL VPN management. Administrator can configure SSL VPN users, access methods and policies, user bookmarks for network resources, and system and portal settings.


For remote users, the customizable End-user Web Portal enables access to resources as per the configured SSL VPN policy. With no hassle of client installation, it can be termed “clientless access”.

Prerequisite: The following requirements should be fulfilled for the remote user to access the SSL VPN in Application Access Mode:

• The OS should be Windows 2000, Windows XP, Windows 7, Windows Vista or Windows Server 2003.

• The remote user should have Administrator privileges.

• Java Runtime Environment 1.6 or above should be installed.

Threat-Free Tunneling

The Appliance scans the VPN Tunnel Traffic (incoming and outgoing) for malware, spam, inappropriate content and intrusion attempts, ensuring Threat-free Tunneling. Furthermore, VPN traffic is subjected to DoS inspection, although the Appliance does provide the option of bypassing DoS inspection for specific traffic.

The Appliance does not have an exclusive port assigned for the VPN Zone like the LAN, WAN and DMZ ports. As soon as a VPN connection is established, the port/interface used by the connection is automatically added to the VPN zone, and on disconnection, the port is removed by itself. The VPN zone is used by both IPSec and SSL VPN traffic.

Note: Threat-Free Tunneling is applicable only when the SSL VPN tunnel is established through Tunnel Access Mode.

Network Resources

Network Resources are the components that can be accessed using the SSL VPN. They provide access to HTTP or HTTPS servers in the internal network, the Internet, or any other network segment that can be reached by the Appliance. The Administrator can configure Web (HTTP), Secure Web (HTTPS), RDP, Telnet, SSH or FTP bookmarks and internal network resources to allow access to web-based resources and applications. If required, custom URL access can also be provided.

Network resources:

Resource                                   Accessible in Mode
Bookmarks                                  Web Access Mode, Application Access Mode
Bookmark Groups                            Web Access Mode, Application Access Mode
Custom URLs (not defined as Bookmark)      Web Access Mode
Enterprise Private Network resources       Tunnel Access Mode

Portal

The Appliance’s SSL VPN Portal is the entry point for any remote user to the corporate network. It provides easy access to network resources through a secure tunnel. It is possible to customize the portal interface by including the company logo and a customized message to be displayed to users when they log into the portal. The Portal displays only those network resources that are assigned to the logged in user through the SSL VPN Policy and Access Mode.

Cyberoam Configuration for SSL VPN

Configuration of the Appliance for SSL VPN can be done from VPN > SSL.

This menu covers configuring global settings for Tunnel Access and Web Access, defining Policies, creating Bookmarks and Bookmark Groups and customizing the SSL VPN Portal. Detailed explanations for each of these tasks are given below.

Tunnel Access

Configure Tunnel Access Mode for the remote users who are to be provided with the corporate network access from laptops, Internet cafes, hotels etc. It requires an SSL VPN Client at the remote end. Remote users can download and install SSL VPN Client from the End-user Web Portal.

To configure and update certain parameters globally for Tunnel Access Mode, go to VPN > SSL > Tunnel Access.

Screen - Tunnel Access Configuration

Screen Elements Description

Tunnel Access Settings

Protocol Select the protocol: TCP or UDP. The selected protocol is the default for all SSL VPN clients. Connection over UDP provides better performance.

SSL Server Certificate Select the SSL Server certificate to be used for authentication from the dropdown list. If you do not have a certificate, generate one.

Certificates can be created from System > Certificate > Certificate.

Per User Certificate Click to use an individual certificate for each user for authentication, and select the user from the drop-down list of user(s) that appears.

The SSL server uses this certificate to authenticate the remote client. One can use a common certificate for all users or create an individual certificate for each user. The Appliance automatically generates certificates valid up to 31st December, 2036 for all users added in the Appliance.

To enable Per User Certificate, you need to configure the Default CA. Configure the Default CA from System > Certificate > Certificate Authority.

SSL Client Certificate Select the SSL Client certificate from the dropdown list if you want to use a common certificate for authentication. If you do not have a certificate, generate a self-signed certificate.

The selected certificate is bundled with the Client installer and is downloaded when the remote user(s) install the SSL client. Remote users/SSL Clients present the selected certificate to the server to authenticate themselves. The same certificate can be used for both SSL Server and Client.

Override Hostname Here you can set the server IP address for client VPN connection. Usually this should be the external IP address of Cyberoam.

IP Lease Range Specify the range of IP Addresses reserved for the SSL Clients. SSL clients will be leased an IP Address from the configured pool.

Note Do not assign the private IP Address space that is already configured for any ports via Network Configuration.

Subnet Mask Specify the Subnet Mask.

Primary DNS Specify the IP Addresses of Primary DNS servers to be provided for the use of Clients.

Secondary DNS Specify the IP Addresses of Secondary DNS servers to be provided for the use of Clients.

Primary WINS Specify the IP Addresses of Primary WINS servers to be provided for the use of Clients.

Secondary WINS Specify the IP Addresses of Secondary WINS servers to be provided for the use of Clients.

Dead Peer Detection Click to enable dead peer detection.

Check Peer After Every Specify the time after which the peer must be checked for its status.

Time Range (in seconds) - 60 to 3600

Default – 60 seconds

Disconnect After Specify the time after which the connection must be disconnected if the peer is not live.

Time Range (in seconds) - 300 to 1800

Default – 300 seconds

Idle Timeout Specify the idle timeout. Connection will be dropped after the configured inactivity time and user will be forced to re-login.

Idle Timeout Range (in minutes) - 15 to 60

Default – 15 minutes

Data Transfer Threshold Specify the data transfer threshold.

Once the idle timeout is reached, before dropping the connection, the Appliance checks the data transfer rate. If it is more than the configured threshold, the connection is not dropped.

The Administrator can check the data transfer for the live connections from the VPN > Live Connections > SSL VPN Users page.

Data Transfer Threshold Range (in bytes): 1 to 65536

Default – 250 bytes

Key Lifetime Enter a time period after which the key will expire.

Default: 28,800 seconds

Table - Tunnel Access screen elements
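The following Python script is an added example, not part of the Cyberoam guide or the appliance itself. It checks a set of Tunnel Access settings against the rules the table above states: the client lease pool must not overlap a subnet already assigned to an appliance port (the Note under IP Lease Range), the DPD, idle timeout and data transfer threshold values must fall inside the accepted ranges, and at the idle timeout the connection is kept only if the data transferred exceeds the threshold. All addresses, port networks and values in it are constructed sample data, and the `TunnelSettings`/`validate`/`drop_idle_session` names are the example's own.

```python
"""Added example (not from the Cyberoam guide): sanity checks for the
Tunnel Access settings from the table above.

1. The SSL client lease pool must not overlap any subnet already
   configured on an appliance port.
2. DPD, idle timeout and data transfer threshold must be in range.
3. At the idle timeout, the session is dropped only if the data
   transferred does not exceed the configured threshold.
All networks and values used here are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Accepted ranges as quoted in the Tunnel Access table.
RANGES = {
    "check_peer_every_s": (60, 3600),      # Check Peer After Every (seconds)
    "disconnect_after_s": (300, 1800),     # Disconnect After (seconds)
    "idle_timeout_min": (15, 60),          # Idle Timeout (minutes)
    "data_threshold_bytes": (1, 65536),    # Data Transfer Threshold (bytes)
}


@dataclass
class TunnelSettings:
    """Subset of the global Tunnel Access settings (example structure)."""
    lease_range_start: str
    lease_range_end: str
    subnet_mask: str
    check_peer_every_s: int = 60
    disconnect_after_s: int = 300
    idle_timeout_min: int = 15
    data_threshold_bytes: int = 250


def lease_subnet(settings):
    """Network the lease pool lives in, derived from start address + mask."""
    return ipaddress.ip_network(
        f"{settings.lease_range_start}/{settings.subnet_mask}", strict=False)


def validate(settings, port_networks):
    """Return a list of problems; an empty list means the settings are acceptable.

    port_networks: CIDR strings already assigned to appliance ports
    (LAN, WAN, DMZ) via Network Configuration.
    """
    problems = []
    subnet = lease_subnet(settings)
    end = ipaddress.ip_address(settings.lease_range_end)
    if end not in subnet:
        problems.append(f"lease range end {end} is outside {subnet}")
    # The guide's Note: the pool must not reuse address space of any port.
    for net in port_networks:
        n = ipaddress.ip_network(net, strict=False)
        if subnet.overlaps(n):
            problems.append(f"lease pool {subnet} overlaps port network {n}")
    # Range checks for the timer and threshold fields.
    for name, (lo, hi) in RANGES.items():
        value = getattr(settings, name)
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}..{hi}")
    return problems


def drop_idle_session(idle_minutes, bytes_transferred, settings):
    """Idle-timeout decision described in the table.

    The connection is dropped only once the idle timeout has been reached
    AND the data transferred does not exceed the configured threshold.
    """
    if idle_minutes < settings.idle_timeout_min:
        return False
    return bytes_transferred <= settings.data_threshold_bytes


if __name__ == "__main__":
    # Constructed sample: lease pool on 10.81.234.0/24, ports on other subnets.
    ports = ["192.168.1.0/24", "172.16.0.0/16"]
    good = TunnelSettings("10.81.234.10", "10.81.234.50", "255.255.255.0")
    bad = TunnelSettings("192.168.1.100", "192.168.1.150", "255.255.255.0",
                         check_peer_every_s=30)
    print("good:", validate(good, ports) or "ok")
    print("bad: ", validate(bad, ports))
    print("drop idle, low traffic:", drop_idle_session(20, 100, good))
    print("drop idle, busy:      ", drop_idle_session(20, 4096, good))
```

Running the script reports no problems for the first configuration and two for the second (the pool overlaps the 192.168.1.0/24 port network and the DPD check interval of 30 seconds is below the 60-second minimum); the idle session with 100 bytes transferred is dropped, the one with 4096 bytes is kept.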

Web Access

Configure Web Access Mode for remote users who have only a web browser, and when access is to be provided only to certain Enterprise Web applications/servers through the browser. In other words, it is clientless access.

To configure Web Access Mode, go to VPN > SSL > Web Access.

Screen - Web Access Configuration

Screen Elements Description

Web Access Settings

Idle Time Specify the idle time. The connection will be dropped after the configured inactivity time and the user will be forced to re-login.

Idle Time Range (in minutes): 10 to 60

Default – 10 minutes

Table - Web Access screen elements

Policy

SSL VPN Policies determine the Access Mode and the network resources available to remote users, and also control access to the private (corporate) network in the form of bookmarks.

The SSL VPN Policy page displays a list of all the policies. You can sort the list based on the policy name. The page provides options to add a new policy, update a policy, or delete a policy.

To configure SSL VPN Policies, go to VPN > SSL > Policy.

• Add SSL VPN Policy Members

• Manage SSL VPN Policy Members

Manage SSL VPN Policies

Screen - Manage SSL VPN Policies

Screen Elements Description

Name Displays name of the SSL VPN Policy.

Access Mode Displays the selected access mode of the Policy: Tunnel Access, Web Access or Application Access.

Tunnel Type Displays the type of SSL VPN Tunnel established: Split or Full Tunnel.

Table - Manage SSL VPN Policies screen elements

SSL VPN Policy Parameters

To add or edit SSL VPN Policies, go to VPN > SSL > Policy. Click the Add Button to add a new policy or the Edit Icon to modify the details of the policy.

Screen - Add SSL VPN Policy

Screen Elements Description

Add SSL VPN Policy

Name Specify a name to identify the SSL VPN policy.

Access Mode Select the access mode by clicking the appropriate option.

Available Options:

Tunnel Access Mode – For the remote users who are to be provided with the corporate network access from laptops, Internet cafes, hotels etc. It requires an SSL VPN Client at the remote end. Remote users can download and install the SSL VPN Client from the SSL VPN Portal.

Web Access Mode – For remote users who want to access SSL VPN using a web browser only, i.e., clientless access. It provides users with access to certain Enterprise Web Applications/Servers. This feature comprises an SSL daemon running on the Appliance and an SSL VPN Portal which provides users with access to network resources behind the Appliance and certain web applications as configured in the SSL VPN policy.

Application Access Mode – It also provides clientless access. It gives the user access to web applications as well as certain enterprise applications through a web browser. The feature comprises an SSL daemon running on the Cyberoam unit and an SSL VPN portal which provides users with access to different TCP-based applications like HTTP, HTTPS, RDP, TELNET, SSH and FTP without installing a client.

Description Provide the SSL VPN Policy Description.

Tunnel Access Settings

Tunnel Type Select tunnel type. The Tunnel Type determines how the remote user’s traffic will be routed.

Available Options:

• Split Tunnel - ensures that only the traffic for the private network is tunneled and encrypted.

• Full Tunnel - ensures not only private network traffic but other Internet traffic is tunneled and encrypted.

Default - Split Tunnel is enabled.

Accessible Resources Accessible Resources allows restricting access to certain hosts of the private network. The user’s access to the private network is controlled through their SSL VPN policy, while Internet access is controlled through their Internet Access policy.

The “Available Hosts/Networks” list displays the available hosts and networks. All hosts added from the Hosts menu (IP Host) are displayed in the list.

Select or Clear Hosts/Networks to add or remove from the list.

“Selected Host/Network” list displays the list of Host/Network that remote user can access.

Advanced Settings (DPD & Idle Timeout)

DPD Settings One can customize and override the global Dead Peer Detection setting.

Click “Use Global Settings” to apply the default DPD Settings.

Click “Override Global Settings” to configure the DPD Settings manually.

Click the “Enable DPD” checkbox to enable Dead Peer Detection, which checks at regular intervals whether the peer is live.

Specify time after which the peer must be checked for its status.

Time Range (in seconds) - 60 to 3600

Default - 60 seconds

Specify time after which the connection must be disconnected if peer is not live.

Time Range (in seconds) - 300 to 18000

Default – 300 seconds

Idle Timeout The connection will be dropped after the configured inactivity time and user will be forced to re-login.

One can use the global settings or customize the idle timeout.

Click “Use Global Settings” to apply the default Idle Timeout value.

Default - 15 minutes

Click “Override Global Settings” to configure the Idle Timeout value manually.

Idle Timeout Range (in minutes) - 15 to 60

Note Advanced Settings can only be configured if you have selected the Tunnel Access option of the Access Mode.

Web Access Settings

Accessible Resources

Accessible Resources also allows restricting access to the bookmarks.

Click the “Enable Arbitrary URL Access” checkbox to enable the access to custom URLs.

“Available Bookmarks/Bookmarks Groups” list displays the list of available resources. All the Bookmarks/Bookmarks Group added will be displayed in the list.

Select or Clear the Bookmarks to add or remove from the list.

“Selected Bookmarks/Bookmarks Group” list displays the list of Bookmarks/Bookmarks Group that remote user can access.

Advanced Settings (Idle Timeout)

Idle Timeout Connection will be dropped after the configured inactivity time and user will be forced to re-login. One can use the global settings or customize the idle timeout.

Click “Use Global Settings” to apply the default Idle Timeout settings.

Default – 10 minutes

Click “Override Global Settings” to configure the Idle Timeout settings manually.

Idle Timeout Range (in minutes) - 10 to 60

Application Access Settings

Accessible Resources

Accessible Resources also allows restricting access to the bookmarks.

“Available Bookmarks/Bookmarks Groups” list displays the list of available resources. All the Bookmarks/Bookmarks Groups added will be displayed in the list.

Select or Clear the Bookmarks to add or remove from the list.

The “Selected Bookmarks/Bookmarks Groups” list displays the list of Bookmarks/Bookmarks Groups that remote user can access.

Table - Add SSL VPN Policy screen elements
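The Python model below is an added example and is not code from the Cyberoam guide or the appliance. It captures the access decisions the policy table above implies: for Tunnel Access, a Split tunnel sends only traffic for the selected hosts/networks through the tunnel while a Full tunnel sends everything, and in both cases the Accessible Resources list limits which private hosts may be reached; for Web and Application Access only the selected bookmarks are reachable, with custom URLs available only when “Enable Arbitrary URL Access” is set on a Web Access policy. The `SslVpnPolicy`, `tunnel_decision` and `web_decision` names, the treatment of an unlisted private destination over a Full tunnel as denied, and all sample networks, bookmarks and URLs are the example's own constructed assumptions.

```python
"""Added example (not from the Cyberoam guide): a model of the access
decisions an SSL VPN policy from the table above implies.

Sample policies, networks, bookmarks and URLs are constructed data.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class SslVpnPolicy:
    """Fields of the Add SSL VPN Policy screen used by the decisions below."""
    name: str
    access_mode: str                 # "tunnel", "web" or "application"
    tunnel_type: str = "split"       # "split" (default) or "full"; Tunnel Access only
    accessible_networks: list = field(default_factory=list)  # Selected Hosts/Networks
    bookmarks: dict = field(default_factory=dict)  # name -> (Type, URL as entered)
    arbitrary_url_access: bool = False             # Web Access only


def _in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def tunnel_decision(policy, dst_ip):
    """How a packet from a Tunnel Access client is handled.

    Returns 'tunnel' (sent through the SSL tunnel), 'direct' (leaves the
    client untunneled; only possible with a Split tunnel) or 'deny'
    (assumption: a private destination outside Accessible Resources that
    reaches the appliance over a Full tunnel is refused).
    """
    if policy.access_mode != "tunnel":
        raise ValueError(f"{policy.name} is not a Tunnel Access policy")
    if _in_networks(dst_ip, policy.accessible_networks):
        return "tunnel"                       # selected private network
    if policy.tunnel_type == "split":
        return "direct"                       # only private traffic is tunneled
    # Full tunnel: everything goes through the appliance, where the
    # Internet Access policy governs public destinations.
    return "deny" if ipaddress.ip_address(dst_ip).is_private else "tunnel"


def _bookmark_origin(bm_type, bm_url):
    """Scheme + host[:port] of a bookmark; the portal takes URLs such as
    "10.1.1.1:8080" without a scheme, so the bookmark Type supplies it."""
    scheme = bm_type.lower()
    full = bm_url if "://" in bm_url else f"{scheme}://{bm_url}"
    return scheme, urlsplit(full).netloc


def web_decision(policy, url):
    """True if a Web/Application Access user may open the given URL."""
    if policy.access_mode not in ("web", "application"):
        raise ValueError(f"{policy.name} is not a Web/Application Access policy")
    target = urlsplit(url)
    for bm_type, bm_url in policy.bookmarks.values():
        if (target.scheme, target.netloc) == _bookmark_origin(bm_type, bm_url):
            return True
    # Custom URLs exist only in Web Access Mode and only when enabled.
    return policy.access_mode == "web" and policy.arbitrary_url_access


if __name__ == "__main__":
    split = SslVpnPolicy("Sales-Split", "tunnel", "split", ["10.10.20.0/24"])
    full = SslVpnPolicy("Sales-Full", "tunnel", "full", ["10.10.20.0/24"])
    web = SslVpnPolicy("Portal-Web", "web", bookmarks={
        "intranet": ("HTTPS", "intranet.example.internal"),
        "erp": ("HTTP", "10.1.1.1:8080"),
    })
    for pol in (split, full):
        for ip in ("10.10.20.5", "10.10.30.7", "93.184.216.34"):
            print(f"{pol.name}: {ip} -> {tunnel_decision(pol, ip)}")
    for u in ("https://intranet.example.internal/home", "https://example.com/"):
        print(f"{web.name}: {u} -> {web_decision(web, u)}")
```

The model makes the difference between the two tunnel types visible: with the Split policy a destination outside the selected network never enters the tunnel, so the Accessible Resources list doubles as the routing table on the client, whereas with the Full policy all traffic reaches the appliance and the list has to be enforced there.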

Add SSL VPN Policy Members

1. Edit the policy in which you want to add the members by clicking the Manage icon under the Manage column.

2. Click Add Policy Member(s) button. A window displays list of users. You can add single or multiple users. Selected users are allowed access through SSL VPN connection.

3. Click the Apply button to add these users and user groups to the SSL VPN Policy members list.

Screen - Add SSL VPN Policy Members

Removing SSL VPN Policy Members

1. Edit the policy from which you want to remove user membership.

2. Click the Manage Policy Member(s) button. A window displays the list of SSL VPN Policy members who are allowed access through the SSL connection. You can select single or multiple users.

3. Click the Delete button.

Screen - Manage SSL VPN Policy Members

Bookmark

Bookmarks are resources that can be accessed through the End-user Web portal. Bookmarks are applied through the SSL VPN policy and are available to users having Web or Application Access.

The page displays a list of all the bookmarks and you can filter or sort the list based on the bookmark name. The page also provides options to add a new bookmark, update, or delete bookmarks. You cannot delete Bookmarks included in any SSL VPN policy.

Manage Bookmarks

To manage Bookmarks, go to VPN > SSL > Bookmark.

Screen - Manage Bookmarks

Screen Elements Description

Name Displays the name of the Bookmark.

Type Displays the selected Bookmark Type: HTTP, HTTPS, RDP, Telnet, SSH, FTP, IBM Server Terminal, FTPS, SFTP, SMB, VNC

URL Displays the URL for which the bookmark is created.

Description Displays the Bookmark Description.

Table - Manage Bookmarks screen elements

Bookmark Parameters

To add or edit Bookmarks, go to VPN > SSL > Bookmark. Click the Add Button to add a new bookmark or the Edit Icon to modify the details of the bookmark.

Screen - Add Bookmark

Screen Elements Description

Name Specify a name to identify the Bookmark.

Type Select the type of Bookmark from the options available. Available Options:

• HTTP

• HTTPS

• RDP

• TELNET

• SSH

• FTP

• IBM Server Terminal

• FTPS

• SFTP

• SMB

• VNC – Virtual Network Computing (VNC), a graphical desktop sharing system that uses the RFB protocol to gain remote access.

Description Provide Bookmark Description.

Table - Add Bookmark screen elements

Bookmark Type

Screen Elements Description

HTTPS/HTTP URL - Example – google.com, 10.1.1.1:8080

Referred Domains - Provide a set of domain(s)/URL(s) required by Bookmarked URL to render it appropriately.

RDP URL - Specify the URL of the website for which the bookmark is to be created.

Domain- Specify the log on domain name on remote machine.

Screen Resolution – Select from the available options.

Port - Specify the port number on which the RDP service is running.

Default - 3389

Telnet URL - Specify the URL of the website for which the bookmark is to be created.

SSH URL - Specify the URL of the website for which the bookmark is to be created.

IBM Server Terminal URL - Specify the URL of the website for which the bookmark is to be created.

FTP/FTPS URL - Specify the URL of the website for which the bookmark is to be created.

Port - Specify the port number used for file sharing.

Default FTP Port – 21

Default FTPS Port – 990

Init Remote Folder – Specify the remote directory path. After successful authentication, the user is redirected to the specified path on the remote server.

SFTP URL - Specify the URL of the website for which the bookmark is to be created.

Port - Specify the port number used for file sharing.

Default - 22

Init Remote Folder – Specify the remote directory path. After successful authentication, user is redirected to the specified path on the remote server.

SMB URL - Specify the URL of the website for which the bookmark is to be created.

Port - Specify the port number used for file sharing.

Default - 445

Init Remote Folder – Specify the remote directory path. After successful authentication, the user is redirected to the specified path on the remote server.

VNC URL - Specify the URL of the website for which the bookmark is to be created.

View Only – Click to create a read only VNC bookmark. On enabling, one cannot provide input to the server.

Default – Disabled

If disabled, one can provide an input to the server.

Shared – Click to create a VNC type of bookmark which can be viewed by multiple VNC viewers.

Default – Disabled

If disabled, other VNC viewers cannot see it.

Accepted Clipboard – On enabling, a user is allowed to copy from the VNC server.

Default – Enabled

If disabled, a user is not allowed to copy from the VNC server.

Send Clipboard – On enabling, a user can copy to the VNC server.

Default – Enabled

If disabled, a user cannot copy to the VNC server.

Port – Specify the port number on which the VNC server runs.

Default - 7900

Bookmark Group

The Bookmark Group page displays a list of all the groups and you can sort the list based on the group name. The page provides options to add, update, or delete a group. You can update a group to include bookmark(s) as group members. A single bookmark can be a member of multiple groups. You cannot delete a group if it includes a bookmark which is part of any of the SSL VPN policies.

Manage Bookmark Groups

To manage Bookmark Groups, go to VPN > SSL > Bookmark Group.

Screen - Manage Bookmark Groups

Screen Elements Description

Name Displays the name of the Bookmark Group.

Description Displays the Bookmark Group Description.

Table - Manage Bookmark Group screen elements

Creating a Bookmark Group

To add or edit Bookmark Group, go to VPN > SSL > Bookmark Group. Click the Add button to add a new Bookmark Group or Edit Icon to modify the details of the Bookmark Group.

Screen - Add Bookmark Group

Screen Elements Description

Name Specify a name to identify the Bookmark Group.

Select Bookmark Select bookmarks to be grouped.

The “Bookmark List” displays the list of bookmarks that can be added to the group.

The “Selected Bookmark List” displays the list of bookmarks that are included in the group.

Select or clear the Bookmarks to add or remove from the list.

Description Provide Bookmark Group Description.

Table - Add Bookmark Group screen elements

Adding or Removing a Bookmark from an Existing Bookmark Group

1. Edit the bookmark group in which you want to add or remove a bookmark by clicking the Manage icon under the Manage column.

2. To add a bookmark, select a bookmark from the Bookmark List. To remove a bookmark from the group, clear the bookmark checkbox in the Selected Bookmark List.

3. Click the OK button.

Portal

As the End-user Web Portal is the entry point to your Corporate network, the Appliance provides flexibility to customize the Portal page as per your business. You can customize the log on/log off page by including your business name and logo.

The Administrator needs to provide the End-user Web portal URL – https://<WAN IP Address of appliance>:8443 – to the remote users. 8443 is the default port unless customized. Confirm the port number from System > Administration > Settings before forwarding the URL to the remote user.

For users having Tunnel Access, the SSL VPN Client and Configuration file can be downloaded from the portal. For users having Web and Application Access, a list of all the bookmarks is displayed. A URL Address bar will also be displayed to the user, if allowed in the user’s SSL VPN policy. The user can type a URL in the address bar to access URLs other than bookmarks. All the downloadable components will be displayed only if the remote user is allowed “Full” access.

To customize the SSL VPN user portal, go to VPN > SSL > Portal.

Screen - SSL VPN User Portal

Screen Elements Description

General Settings

Logo To upload a custom logo, specify the image file name to be uploaded; otherwise click Default. Use the “Choose File” button to select the complete path.

The image size should not exceed 700 X 80 pixels.

Page Title Change the Page Title, if required.

Login Page Message Provide the message to be displayed on the Captive Portal login page.

Home Page Message Provide the message to be displayed on the Portal.

This message can reflect your business or could even be a welcome message.

Color Scheme Customize the color scheme of the portal if required.

Specify the color code or click the square box to pick the color.

Preview Button Click to preview the customized settings before saving the changes.

Reset to Default Button Click to revert to the default settings.

Table - SSL VPN Portal screen elements

Live SSL VPN Users

To view the list of all the currently logged on SSL VPN users, go to VPN > Live Connections > SSL VPN Users.

This page displays important parameters like Username, Source and leased IP Address, Access mode, date and time when the connection was established, tunnel type and data transferred. If the connection is established through Web Access mode, only the username, access mode and date and time when the connection was established are displayed. This page allows disconnection of any live user.

Screen - Live SSL VPN Users

Client Configuration for SSL VPN

Access End-User Portal

The Cyberoam SSL VPN Portal can be accessed by remote users using the URL https://<WAN IP Address of Appliance>:<port>. Use the default port 8443 unless customized. The user is directed to the Cyberoam SSL VPN Portal Login Page. Access is available only to those users who have been assigned an SSL VPN Policy.

Screen - Login Page

Screen Elements Description

Username Specify the user login name.

Password Specify the user account Password.

Language Select the language.

Available Options:

• Chinese-Simplified

• Chinese-Traditional

• English

• French

• Hindi

• Japanese

Default - English

Login Button Click to log on to the Cyberoam SSL VPN Portal.

Table - Login Page

Accessing SSL VPN Using Tunnel Access

After successfully logging into the Cyberoam SSL VPN Portal, the user is directed to the Main Page which has only the “Tunnel Access Mode” section activated.

Screen - Main Page for Tunnel Access Mode

Screen Elements Description

SSL VPN Client (Tunnel access mode)

Download Client Click to download the SSL VPN Client Installer bundled with the Configurations.

Download SSL VPN Client Configuration - Windows

Click to download the SSL VPN Configurations for Windows.

Download SSL VPN Client Configuration - MAC Tunnelblick

Click to download the SSL VPN Configurations for MAC Tunnelblick.

Table - Main Page for Tunnel Access Mode Screen Elements

Download Client

For downloading the client for the first time, click the “Download Client” and follow the on-screen instructions:

Screen - Download Client

Note Windows Vista users need Administrator privileges to install the client.

On clicking “Download Client”, the following message appears:

Screen - Prompt Message

Click “Save” to save a copy of CrSSL.exe on your local machine, else click “Run” to run the setup. The following warning message appears.

Screen - Warning Message

On clicking “Run”, the “Choose Install Location” dialog box appears.

Screen - Choose Install Location

Click “Browse” to change the location of the Destination Folder where the client is to be installed. Click “Install”. The following screen appears while installation is in progress.

Screen - Installation in Progress

Once the installation is complete, the CrSSL Client icon appears in the system tray.

Download and Import Client Configuration

Note

If you are installing SSL VPN Client for the first time, skip this section.

Step 1: Download SSL VPN Client Configuration

You need to download the configuration file if you have already installed the Client or if the server configuration has changed. Click “Download SSL VPN Client Configuration - Windows” and follow the on-screen instructions.

Screen - Download Configuration

On clicking “Download SSL VPN Client Configuration - Windows”, the following message appears.

Screen - Prompt Message

Click “Save” to save clientbundle.tgz.

Step 2: Import SSL VPN Configuration

Right click the CrSSL Client icon in the System Tray.

Click “Import Configuration”. The Import Configuration screen appears.

Screen - Import Configuration

Click the ellipsis (…) to browse to the location at which the file clientbundle.tgz is saved. Click “Import” to import the SSL VPN Configuration from clientbundle.tgz.

Screen – Import Configuration Status

Establish connection

Step 1: Login to access the network resources or Internet

Double click the CrSSL Client icon, specify the username and password, and click the “Login” button.

Screen – User Authentication

Screen Elements Description

Username Specify the user login name.

Password Specify the user account Password.

Save username and password

Click to save the username and password.

Auto Start SSL VPN Click to start the SSL VPN Tunnel automatically with system restart.

Login Button Click to log on.

Exit Button Click to close the CrSSL Client.

Table – User Authentication Screen Elements

The icon turns yellow to indicate that the connection is in progress, and turns green the moment the connection is established and an IP Address is leased. A pop-up in the system tray confirms this and shows the IP Address assigned to the established tunnel.

Screen – Successful Client Establishment

To disconnect the connection, right click the CrSSL Client icon and click “Logout”.

Accessing SSL VPN Using Web Access

After successfully logging into the Cyberoam SSL VPN Portal, the user is directed to the Main Page which has only the “Web Access Mode” section activated.

Screen - Main Page for Web Access Mode

Screen Elements Description

Configured Bookmarks

Sr. No. Displays the serial number of the Bookmark.

Bookmark Name Displays the name of the Bookmark.

Bookmark URL Displays the URL of the Bookmark.

Service Displays the Service used for creating the Bookmark.

Table - Main Page for Web Access Mode Screen Elements

Accessing Applications

The user can access any of the Bookmarks listed on the Main Page, which include certain Enterprise Web Applications/Servers. Based on the client requirement, the Administrator can also allow the SSL VPN client to access certain public URL(s), as seen in the screen.

Accessing SSL VPN Using Application Access

After successfully logging on to the Cyberoam SSL VPN Portal, the user is directed to the Main Page which has only the “Application Access Mode” section activated.

Screen - Main Page for Application Access Mode

Screen Elements Description

Configured Bookmarks

Sr. No. Displays the serial number of the Bookmark.

Bookmark Name Displays the name of the Bookmark.

Bookmark URL Displays the URL of the Bookmark.

Service Displays the Service used for creating the Bookmark.

Table - Main Page for Application Access Mode Screen Elements

Accessing Applications

The user can access any of the Bookmarks listed on the Main Page, which include certain Enterprise Applications/Servers.