SSL VPN User Guide Version 10 Document Version 10.04.4.0028 - 08/10/2013 Document Version 10.04.5.0007 - 30/11/2013


Cyberoam SSL VPN User Guide

Important Notice

Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE

Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances. You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam UTM Appliances at http://kb.cyberoam.com.

RESTRICTED RIGHTS

Copyright 1999 - 2013 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters

Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower, Off. C.G. Road, Ahmedabad – 380006, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com


Contents

Introduction
Concepts
  SSL VPN Access Modes
  Portal
Cyberoam Configuration for SSL VPN
  Tunnel Access
  Web Access
  Policy
  Bookmark
  Bookmark Group
  Portal
  Live SSL VPN Users
Client Configuration for SSL VPN
  Access End-User Portal
  Accessing SSL VPN Using Tunnel Access
    Download Client
    Download and Import Client Configuration
    Establish connection
  Accessing SSL VPN Using Web Access
  Accessing SSL VPN Using Application Access


Preface

Welcome to Cyberoam’s User Guide.

Cyberoam Unified Threat Management appliances offer identity-based comprehensive security to organizations against blended threats - worms, viruses, malware, data loss, identity theft; threats over applications viz. Instant Messengers; threats over secure protocols viz. HTTPS; and more. They also offer wireless security (WLAN), and 3G wireless broadband and analog modem support that can be used as either an Active or Backup WAN connection for business continuity.

Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti-Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data Leakage Prevention, IM Management and Control, Layer 7 visibility, Bandwidth Management, Multiple Link Management, and Comprehensive Reporting over a single platform.

Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs support. It thus offers security to organizations across layer 2 - layer 8, without compromising productivity and connectivity.

Cyberoam UTM appliances accelerate unified security by enabling single-point control of all its security features through a Web 2.0-based GUI. An extensible architecture and an ‘IPv6 Ready’ Gold logo provide Cyberoam the readiness to deliver on future security requirements.

Cyberoam provides increased LAN security by providing a separate port for connecting to publicly accessible servers like Web server, Mail server, FTP server etc. hosted in the DMZ, which are visible to the external world and still have firewall protection.

Note

Default Web Admin Console username is ‘admin’ and password is ‘admin’.

Cyberoam recommends that you change the default password immediately after installation to avoid unauthorized access.


About this Guide

This Guide provides information on how to configure Cyberoam SSL VPN connections and helps you to manage and customize Cyberoam to meet your organization’s various requirements for remote users.

Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item | Convention | Example
Server | Machine where Cyberoam Software - Server component is installed |
Client | Machine where Cyberoam Software - Client component is installed |
User | The end user |
Username | Username uniquely identifies the user of the system |
Topic titles | Shaded font typefaces | Introduction
Subtitles | Bold & Black typefaces | Notation conventions
Navigation link | Bold typeface | Group Management → Groups → Create: it means, to open the required page click on Group management then on Groups and finally click Create tab
Name of a particular parameter / field / command button text | Lowercase italic type | Enter policy name, replace policy name with the specific name of a policy. Or Click Name to select, where Name denotes command button text which is to be clicked
Cross references | Hyperlink in different color | Refer to Customizing User database. Clicking on the link will open the particular topic
Notes & points to remember | Bold typeface between the black borders | Note
Prerequisites | Bold typefaces between the black borders | Prerequisite: Prerequisite details


Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address:

Corporate Office

Cyberoam Technologies Pvt. Ltd.

901, Silicon Tower

Off C.G. Road

Ahmedabad 380006

Gujarat, India.

Phone: +91-79-66065606

Fax: +91-79-26407640

Web site: www.cyberoam.com

Cyberoam contact:

Technical support (Corporate Office): +91-79-26400707

Email: [email protected]

Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.


Introduction

A Virtual Private Network (VPN) is a network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users with access to a central organizational network. A secure tunnel is formed across the public network which carries private network traffic between distant offices. This traffic is usually encrypted and compressed for enhanced performance and security. VPN technology has replaced the need to acquire and maintain expensive dedicated leased-line telecommunication circuits once typical in wide-area network installations.

Note

All the screen shots in the Cyberoam User Guides have been taken from NG series of appliances. The features and functionalities, however, remain unchanged across all Cyberoam appliances.

A VPN user can access the central network in a manner that is identical to being connected directly to the central network. Hence, it is ideal for business telecommuters or employees working from home. It is essential that the connection between the central network and remote location meets certain requirements like:

Flexible Access: The remote users must be able to access the organization’s network from various locations, like Internet cafes, hotels, airport etc. The range of applications available must include web applications, mail, file shares, and other more specialized applications required to meet corporate needs.

Secure connectivity: Guaranteed by the combination of authentication, confidentiality and data integrity for every connection.

Usability: Installation must be easy. No configuration should be required as a result of network modification at the remote user end. The given solution should be seamless for the connecting user.

SSL (Secure Socket Layer) VPN fulfills the above requirements by providing simple-to-use and secure access to remote users. It allows access to the corporate network and provides the ability to create point-to-point encrypted tunnels between remote user and the company’s internal network. It requires a combination of SSL certificates and username/password for authentication to enable access to the internal resources.

Cyberoam extends its VPN feature to include SSL VPN functionality to provide secure access of a company’s central network to remote users. It delivers a set of features and benefits which are easy to use and control and which allow access to the corporate network from anywhere, anytime.

Depending upon requirement, remote users can access through SSL VPN Client or End user Web Portal (clientless access). It offers a secure web portal which can be accessed by each authorized user to download a free SSL VPN Client, SSL certificates and a client configuration. In addition, it offers granular access policies, bookmarks to designated network resources and portal customization.

Note

SSL VPN is not supported when Cyberoam is deployed as Bridge.

SSL VPN feature is not available for Cyberoam CR15i models.


Concepts

SSL VPN Access Modes

Cyberoam appliance authenticates any remote user based on user name and password. A successful login determines the access rights of remote users according to user, group and the SSL VPN policy. The SSL VPN policy specifies whether the connection will operate in Tunnel Access Mode, Web Access Mode or Application Access Mode.

Tunnel Access Mode

Tunnel Access Mode provides remote users with access to the corporate network through laptops as well as from Internet cafes, hotels, airport etc. It requires an SSL VPN Client at the remote end. Hence, remote users are required to download and install SSL VPN Client from the SSL VPN Portal. The Client establishes an SSL VPN tunnel over HTTPS link between remote user and Cyberoam appliance to encrypt and send the traffic. Here Cyberoam acts as a secure HTTPS gateway and authenticates remote users.

Cyberoam allows two types of tunneling:

Split Tunnel: This ensures that only traffic for the private network is encrypted and tunneled while Internet traffic is sent through the usual unencrypted route. This is configured by default and is used to avoid bandwidth choking.

Full Tunnel: This ensures that not only private network traffic but other Internet traffic is also tunneled and encrypted.

Web Access Mode

Web Access Mode is used when remote users want to access SSL VPN using a web browser only, i.e., clientless access. It provides users with access to certain Enterprise Web Applications/Servers. This feature comprises an SSL daemon running on the Cyberoam unit and an SSL VPN Portal which provides users with access to network resources behind Cyberoam and certain web applications as configured in the SSL VPN policy.

Application Access Mode

Application Access Mode also provides clientless access. It gives the user access to web applications as well as certain enterprise applications through a web browser. The feature comprises an SSL daemon running on the Cyberoam unit and an SSL VPN Portal which provides users with access to different TCP based applications like HTTP, HTTPS, RDP, TELNET, SSH and FTP without installing a client.

In this mode, the appliance acts as a secure gateway and authenticates the remote users. On successful authentication, the appliance redirects the web browser to the Web portal from where remote users can access the applications behind the appliance. Configuring Application Access mode is a two-step process:

1. Select Application Access mode in SSL VPN policy

2. Assign policy to the User or Group

For administrators, Web Admin Console provides SSL VPN management. Administrator can configure SSL VPN users, access methods and policies, user bookmarks for network resources, and system and portal settings.


For remote users, customizable End user Web Portal enables access to resources as per the configured SSL VPN policy.

With no hassles of client installation, it is also a “clientless access”.

Prerequisite

The following requirements should be fulfilled for the remote user to access SSL VPN in Application Access Mode:

OS should be Windows 2000, Windows XP, Windows 7, Windows Vista or Windows Server 2003.

Remote user should have Administrator privileges.

Java Runtime Environment V 1.6 or above should be installed.

Threat-Free Tunneling

Cyberoam scans VPN Tunnel Traffic (incoming and outgoing) for malware, spam, inappropriate content and intrusion attempts, ensuring Threat-free Tunneling. Furthermore, VPN traffic is subjected to DoS inspection, although Cyberoam does provide the option of bypassing DoS inspection for specific traffic.

Cyberoam does not have an exclusive port assigned for the VPN Zone like the LAN, WAN and DMZ ports. As soon as a VPN connection is established, the port/interface used by the connection is automatically added to the VPN zone, and on disconnection, the port is removed by itself. VPN zone is used by both IPSec and SSL VPN traffic.

Note

Threat Free Tunneling is applicable only when SSL VPN tunnel is established through Tunnel Access Mode.

Network Resources

Network Resources are the components that can be accessed using SSL VPN. SSL VPN provides access to HTTP or HTTPS servers in the internal network, Internet, or any other network segment that can be reached by Cyberoam. The Administrator can configure Web (HTTP), Secure Web (HTTPS), RDP, Telnet, SSH or FTP bookmarks and internal network resources to allow access to web-based resources and applications. If required, custom URL access can also be provided.

Network resources:

Resource | Accessible in Mode
Bookmarks | Web Access Mode, Application Access Mode
Bookmark Groups | Web Access Mode, Application Access Mode
Custom URLs - Not defined as Bookmark | Web Access Mode
Enterprise Private Network resources | Tunnel Access Mode


Portal

Cyberoam’s SSL VPN Portal is the entry point for any remote user to the corporate network. It provides easy access to network resources through a secure tunnel. It is possible to customize the portal interface by including company logo and a customized message to be displayed to users when they log into the portal. The Portal displays only those network resources that are assigned to the logged in user through SSL VPN Policy and Access Mode.


Cyberoam Configuration for SSL VPN

Configuration of Cyberoam for SSL VPN can be done from VPN → SSL.

This menu covers configuring global settings for Tunnel Access and Web Access, defining Policies, creating Bookmarks and Bookmark Groups and customizing the SSL VPN Portal. Detailed explanations for each of these tasks are given below.

Tunnel Access

Configure Tunnel Access Mode for the remote users who are to be provided with the corporate network access from laptops, Internet cafes, hotels etc. It requires an SSL VPN Client at the remote end. Remote users can download and install SSL VPN Client from the End-user Web Portal.

To configure and update certain parameters globally for Tunnel Access Mode, go to VPN → SSL → Tunnel Access.

Screen - Tunnel Access Configuration

Screen Elements | Description

Tunnel Access Settings

Protocol | Select protocol TCP or UDP. Selected network protocol will be the default protocol for all the SSL VPN clients. Connection over UDP provides better performance.
SSL Server Certificate | Select SSL Server certificate to be used for authentication from the dropdown list. If you do not have certificate, generate the same. Certificate can be created from System → Certificate → Certificate.
Per User Certificate | Click Per User Certificate if you want to use individual user certificates for authentication. One can use a common certificate for all the users or create individual certificate for each user. Cyberoam automatically generates certificate valid up to 31st December, 2036 for all the users added in Cyberoam. To enable Per User Certificate, you need to configure the Default CA. Configure Default CA from System → Certificate → Certificate Authority.
SSL Client Certificate | Select the SSL Client certificate from the dropdown list if you want to use common certificate for authentication. If you do not have certificate, generate a Self-signed certificate. The selected certificate is bundled with the Client installer and is downloaded when remote users install SSL client. Remote users/SSL Clients present the selected certificate to the server for authenticating themselves. Same certificate can be used for both SSL Server and Client.
IP Lease Range | Specify the range of IP Addresses reserved for the SSL Clients. SSL clients will be leased IP Address from the configured pool.
Subnet Mask | Specify Subnet mask.
Primary DNS | Specify IP Addresses of Primary DNS servers to be provided for the use of Clients.

Note: Do not assign the private IP Address space that is already configured for any ports via Network Configuration.

Secondary DNS | Specify IP Addresses of Secondary DNS servers to be provided for the use of Clients.
Primary WINS | Specify IP Addresses of Primary WINS servers to be provided for the use of Clients.
Secondary WINS | Specify IP Addresses of Secondary WINS servers to be provided for the use of Clients.
Dead Peer Detection | Click “Enable Dead Peer Detection” checkbox to enable Dead Peer Detection.
Check Peer After Every | Specify time after which the peer must be checked for its status. Time Range (in seconds): 60 - 3600. By default, the duration is 60 seconds.
Disconnect After | Specify time after which the connection must be disconnected if the peer is not live. Time Range (in seconds): 300 - 1800. By default, the duration is 300 seconds.
Idle Timeout | Specify idle timeout. Connection will be dropped after the configured inactivity time and user will be forced to re-login. Idle Timeout Range (in minutes): 15 - 60. By default, the duration is 15 minutes.
Data Transfer Threshold | Specify data transfer threshold. Once the idle timeout is reached, before dropping the connection, appliance will check the data transfer. If data transfer is more than the configured threshold, connection will not be dropped. Administrator can check the data transfer for the live connections from the VPN → Live Connections → SSL VPN Users page. Data Transfer Threshold Range (in bytes): 1 - 65536. By default, the value is 250 bytes.

Table - Tunnel Access screen elements
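
A pre-flight check of planned Tunnel Access values against the ranges in the table above, plus the note against reusing address space already configured on a port (applied here to the IP Lease Range, which is an interpretation of that note). This is an added example, not Cyberoam code; the class, field names, port labels and sample addresses are constructed for illustration.

```python
"""Pre-flight check for planned Tunnel Access global settings (added example)."""
import ipaddress
from dataclasses import dataclass

# Ranges quoted from the Tunnel Access screen elements table.
DPD_CHECK_RANGE_S = (60, 3600)         # Check Peer After Every (seconds)
DPD_DISCONNECT_RANGE_S = (300, 1800)   # Disconnect After (seconds)
IDLE_TIMEOUT_RANGE_MIN = (15, 60)      # Idle Timeout (minutes)
DATA_THRESHOLD_RANGE_B = (1, 65536)    # Data Transfer Threshold (bytes)


@dataclass
class TunnelAccessSettings:
    """Hypothetical container; the field names are not Cyberoam identifiers."""
    protocol: str
    lease_start: str
    lease_end: str
    subnet_mask: str
    dpd_check_s: int = 60
    dpd_disconnect_s: int = 300
    idle_timeout_min: int = 15
    data_threshold_bytes: int = 250


def validate(settings, port_networks):
    """Return a list of problems; an empty list means the plan is consistent.

    port_networks maps a port label to the CIDR already configured on it.
    """
    problems = []
    if settings.protocol not in ("TCP", "UDP"):
        problems.append(f"Protocol must be TCP or UDP, got {settings.protocol!r}")

    ranged = (
        ("Check Peer After Every", settings.dpd_check_s, DPD_CHECK_RANGE_S),
        ("Disconnect After", settings.dpd_disconnect_s, DPD_DISCONNECT_RANGE_S),
        ("Idle Timeout", settings.idle_timeout_min, IDLE_TIMEOUT_RANGE_MIN),
        ("Data Transfer Threshold", settings.data_threshold_bytes,
         DATA_THRESHOLD_RANGE_B),
    )
    for label, value, (low, high) in ranged:
        if not low <= value <= high:
            problems.append(f"{label} = {value} is outside {low} - {high}")

    start = ipaddress.IPv4Address(settings.lease_start)
    end = ipaddress.IPv4Address(settings.lease_end)
    if start > end:
        problems.append("IP Lease Range start is above its end")
        return problems

    # The whole lease range has to fit the subnet implied by the mask.
    lease_subnet = ipaddress.IPv4Network(
        f"{start}/{settings.subnet_mask}", strict=False)
    if end not in lease_subnet:
        problems.append(f"IP Lease Range does not fit inside {lease_subnet}")

    # Break the range into CIDR blocks and compare with every port network.
    blocks = list(ipaddress.summarize_address_range(start, end))
    for port, cidr in port_networks.items():
        network = ipaddress.IPv4Network(cidr)
        if any(block.overlaps(network) for block in blocks):
            problems.append(f"IP Lease Range overlaps {port} ({cidr})")
    return problems


def drops_on_idle(settings, idle_minutes, bytes_transferred):
    """Model the documented idle check: once the idle timeout is reached, the
    connection is dropped unless data transfer is more than the threshold.
    How the appliance measures the transferred bytes is an assumption here."""
    if idle_minutes < settings.idle_timeout_min:
        return False
    return bytes_transferred <= settings.data_threshold_bytes


# Constructed sample data: port networks and two candidate plans.
PORTS = {"PortA (LAN)": "172.16.16.0/24", "PortC (DMZ)": "10.10.10.0/24"}
GOOD = TunnelAccessSettings("UDP", "10.81.234.5", "10.81.234.55", "255.255.255.0")
BAD = TunnelAccessSettings("UDP", "172.16.16.200", "172.16.17.20",
                           "255.255.255.0", dpd_disconnect_s=120,
                           idle_timeout_min=5)

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        issues = validate(plan, PORTS)
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```
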

Web Access

Configure Web Access Mode for remote users who are equipped with a web browser only, when access is to be provided to certain Enterprise Web applications/servers through the web browser only. In other words, it is clientless access.

To configure Web Access Mode, go to VPN → SSL → Web Access.

Screen - Web Access Configuration

Screen Elements | Description

Web Access Settings

Idle Time | Specify idle time. Connection will be dropped after the configured inactivity time and user will be forced to re-login. Idle Time Range (in minutes): 10 - 60. By default, the duration is 10 minutes.

Table - Web Access screen elements

Policy

SSL VPN Policies determine the Access Mode assigned to remote users and the network resources available to them, and also control access to the private network (corporate network) in the form of bookmarks.

To configure SSL VPN Policies, go to VPN → SSL → Policy. You can:

Add

View

Edit – Click the Edit icon in the Manage column against the SSL VPN Policy to be modified. Edit SSL VPN Policy is displayed in a new window which has the same parameters as the Add SSL VPN Policy window.

Delete – Click the Delete icon in the Manage column against the SSL VPN Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the SSL VPN Policy. To delete multiple SSL VPN policies, select them and click the Delete button.

Add SSL VPN Policy Members

Manage SSL VPN Policy Members

Manage SSL VPN Policies

Screen - Manage SSL VPN Policies

Screen Elements | Description
Add Button | Add a new SSL VPN Policy.
Name | Displays name of the SSL VPN Policy.
Access Mode | Displays the selected access mode of Policy: Tunnel Access, Web Access or Application Access.
Tunnel Type | Displays the type of SSL VPN Tunnel established: Split or Full Tunnel.
Edit Icon | Edit the SSL VPN Policy.
Delete Button | Delete the SSL VPN Policy. Alternately, click the delete icon against the policy to be deleted.

Table - Manage SSL VPN Policies screen elements


SSL VPN Policy Parameters

To add or edit SSL VPN Policies, go to VPN → SSL → Policy. Click Add Button to add a new policy or Edit Icon to modify the details of the policy.

Screen - Add SSL VPN Policy


Screen Elements | Description

Add SSL VPN Policy

Name | Specify a name to identify the SSL VPN policy.
Access Mode | Select the access mode by clicking the appropriate option. Available Options:
  Tunnel Access Mode – For the remote users who are to be provided with the Corporate network access from laptops, Internet cafes, hotels etc. It requires an SSL VPN Client at the remote end. Remote users can download and install SSL VPN Client from the SSL VPN Portal.
  Web Access Mode – For remote users who want to access SSL VPN using a web browser only, i.e., clientless access. It provides users with access to certain Enterprise Web Applications/Servers. This feature comprises an SSL daemon running on the Cyberoam unit and an SSL VPN Portal which provides users with access to network resources behind Cyberoam and certain web applications as configured in the SSL VPN policy.
  Application Access Mode – It also provides clientless access. It gives the user access to web applications as well as certain enterprise applications through a web browser. The feature comprises an SSL daemon running on the Cyberoam unit and an SSL VPN portal which provides users with access to different TCP based applications like HTTP, HTTPS, RDP, TELNET, SSH and FTP without installing a client.
Description | Provide SSL VPN Policy Description.

Tunnel Access Settings

Tunnel Type | Select the tunnel type. Tunnel type determines how the remote user’s traffic will be routed. Available Options:
  Split Tunnel - ensures that only the traffic for the private network is tunneled and encrypted.
  Full Tunnel - ensures not only private network traffic but other Internet traffic is tunneled and encrypted.
  By default, Split Tunnel is enabled.
Accessible Resources | Accessible Resources allows restricting the access to certain hosts of the private network. User’s access to private network is controlled through his SSL VPN policy while Internet access is controlled through his Internet Access policy. “Available Host/Network” list displays the list of available hosts and network. All the hosts added from Hosts menu, IP Host will be displayed in the list. Select or Clear the Hosts to add or remove from the list. “Selected Host/Network” list displays the list of Host/Network that remote user can access.

Advanced Settings (DPD & Idle Timeout)


Screen - DPD & Idle Timeout Advanced Settings

DPD Settings | One can customize and override the global Dead Peer Detection setting. Click “Use Global Settings” to apply the default DPD Settings. Click “Override Global Settings” to configure the DPD Settings manually. Click “Enable DPD” checkbox to enable Dead Peer Detection, which checks at regular intervals whether the peer is live or not. Specify time after which the peer must be checked for its status. Time Range (in seconds): 60 - 3600. By default, the duration is 60 seconds. Specify time after which the connection must be disconnected if peer is not live. Time Range (in seconds): 300 - 18000. By default, the duration is 300 seconds.

Idle Timeout | Connection will be dropped after the configured inactivity time and user will be forced to re-login. One can use the global settings or customize the idle timeout. Click “Use Global Settings” to apply the default Idle Timeout value. By default, the duration is 15 minutes. Click “Override Global Settings” to configure the Idle Timeout value manually. Idle Timeout Range (in minutes): 15 - 60.

Web Access Settings


Accessible Resources | Accessible Resources also allows restricting the access to the bookmarks. Click “Enable Arbitrary URL Access” to enable the access to custom URLs. “Available Bookmarks/Bookmarks Group” list displays the list of available resources. All the Bookmarks/Bookmarks Group added will be displayed in the list. Select or Clear the Bookmarks to add or remove from the list. “Selected Bookmarks/Bookmarks Group” list displays the list of Bookmarks/Bookmarks Group that remote user can access.

Advanced Settings (Idle Timeout)

Screen - Idle Timeout Advanced Settings

Idle Timeout | Connection will be dropped after the configured inactivity time and user will be forced to re-login. One can use the global settings or customize the idle timeout. Click “Use Global Settings” to apply the default Idle Timeout settings. By default, the Idle Timeout is 10 minutes. Click “Override Global Settings” to configure the Idle Timeout settings manually. Idle Timeout Range (in minutes): 10 - 60.

Application Access Settings

Accessible Resources | Accessible Resources also allows restricting the access to the bookmarks. “Available Bookmarks/Bookmarks Group” list displays the list of available resources. All the Bookmarks/Bookmarks Group added will be displayed in the list. Select or Clear the Bookmarks to add or remove from the list. “Selected Bookmarks/Bookmarks Group” list displays the list of Bookmarks/Bookmarks Group that remote user can access.

Table - Add SSL VPN Policy screen elements

Add SSL VPN Policy Members

Click the “Add Policy Member(s)” button to add users or user groups to the SSL VPN Policy members list. A pop-up window is displayed to select the users. Multiple users or user groups can also be selected.

Screen - Add SSL VPN Policy Members

Select Users or user groups who are to be allowed access through SSL VPN connection. Click “Apply” button to add these users and user groups to the SSL VPN Policy members list.

Users or user groups to be added can also be searched in the Members list.

Manage SSL VPN Policy Members

Click “Manage Policy Member(s)” button to view user or user groups that are in SSL VPN Policy members list. A pop-up window is displayed to view the users. Multiple users or user groups can be selected and deleted.

Screen - Manage SSL VPN Policy Members

The page displays the list of SSL VPN Policy members who are allowed access through SSL connection. To delete users, select the users to be deleted and click “Delete” button.

Users or user groups to be deleted can be searched from the Members list.

Bookmark

Bookmarks are the resources whose access will be available through SSL VPN Portal. You can also create a group of bookmarks that can be configured in SSL VPN Policy.

These resources will be available in Web Access and Application Access modes and are to be configured in SSL VPN Policy.

To manage Bookmarks, go to VPN → SSL → Bookmark. You can:

Add

View

Edit - Click the Edit icon in the Manage column against the Bookmark to be modified. Edit Bookmark pop-up window is displayed which has the same parameters as the Add Bookmark window.

Delete - Click the Delete icon in the Manage column against a Bookmark to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Bookmark.

To delete multiple Bookmarks, select them and click the Delete button.

Manage Bookmarks

Screen - Manage Bookmarks

Screen Elements Description

Add Button Add a new Bookmark.

Name Displays name of the Bookmark.

Type Displays selected Bookmark Type: HTTP, HTTPS, RDP, Telnet, SSH or FTP.

URL Displays the URL for which the bookmark is created.

Description Displays the Bookmark Description.

Edit Icon Edit the Bookmark.

Delete Button Delete the Bookmark. Alternately, click the delete icon against the bookmark to be deleted.

Table - Manage Bookmarks screen elements

Bookmark Parameters

To add or edit Bookmarks, go to VPN → SSL → Bookmark. Click the Add button to add a new bookmark or the Edit icon to modify the details of the bookmark.

Screen - Add Bookmark

Screen Elements Description

Name Specify a name to identify the Bookmark.

Type Select the type of Bookmark from the options available. Available Options:

HTTP

HTTPS

RDP

Telnet

SSH

FTP

IBM Server Terminal

URL Specify the URL of the website for which the bookmark is to be created.

Referred Domains Provide a set of domain(s)/URL(s) required by Bookmarked URL to render it appropriately.

Description Provide Bookmark Description.

Table - Add Bookmark screen elements

Bookmark Group

To manage Bookmark Groups, go to VPN → SSL → Bookmark Group. You can:

Add

View

Edit - Click the Edit icon in the Manage column against the Bookmark Group to be modified. Edit Bookmark Group pop-up window is displayed which has the same parameters as the Add Bookmark Group window.

Delete - Click the Delete icon in the Manage column against a Bookmark Group to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Bookmark Group.

To delete multiple Bookmark Groups, select them and click the Delete button.

Manage Bookmark Groups

Screen - Manage Bookmark Groups

Screen Elements Description

Add Button Add a new Bookmark Group.

Name Displays name of the Bookmark Group.

Description Displays Bookmark Group Description.

Edit Icon Edit the Bookmark Group.

Delete Button Delete the Bookmark Group. Alternately, click the delete icon against the bookmark group to be deleted.

Table - Manage Bookmark Group screen elements

Bookmark Group Parameters

To add or edit a Bookmark Group, go to VPN → SSL → Bookmark Group. Click the Add button to add a new Bookmark Group or the Edit icon to modify the details of the Bookmark Group.

Screen - Add Bookmark Group

Screen Elements Description

Name Specify a name to identify the Bookmark Group.

Select Bookmark Select bookmarks to be grouped. “Bookmark List” displays the list of bookmarks that can be added to the group. “Selected Bookmark List” displays the list of bookmarks that are included in the group. Select or clear the Bookmarks to add or remove from the list.

Description Provide Bookmark Group Description.

Table - Add Bookmark Group screen elements

Portal

SSL VPN Portal is an entry point to the corporate network. It can be accessed by browsing to https://<WAN IP Address of Cyberoam:port> from the web browser. Use default port: 8443 unless customized. Confirm port number from System → Administration → Settings.

For users having Tunnel Access, SSL VPN Client and Configuration file can be downloaded from the portal. For users having Web and Application Access, a list of all the bookmarks will be displayed. URL Address bar will also be displayed to the user, if allowed in the User SSL VPN policy. User can type the URL in the address bar to access other URLs than bookmarks. All the downloadable components will be displayed only if the remote user is allowed the “Full” access.

Cyberoam provides flexibility to customize the Portal page to offer a consistent logon/log off page. This page can be exclusive to your business, including your business name and logo. To customize the SSL VPN user portal, go to VPN → SSL → Portal.

Screen - SSL VPN User Portal

Screen Elements Description

General Settings

Logo To upload the custom logo, specify Image file name to be uploaded else click “Default”. Use “Choose File” button to select the complete path. The image size should not exceed 700 X 80 pixels.

Page Title Change the Page Title, if required.

Login Page Message Provide message to be displayed on the Portal login page.

Home Page Message Provide message to be displayed on the Portal. This message can reflect your business or even a welcome message.

Color Scheme Customize the color scheme of the portal if required. Specify the color code or click the square box to pick the color.

Preview Button Click to view the custom settings before saving the changes.

Reset to Default Button Click to revert to the default settings.

Table - SSL VPN Portal screen elements

Live SSL VPN Users

To view the list of all the currently logged on SSL VPN users, go to VPN → Live Connections → SSL VPN Users.

Page displays important parameters like Username, Source and leased IP Address, Access mode, date and time when connection was established, tunnel type and data transferred. If the connection is established through Web Access mode, only username, access mode and date and time when connection was established will be displayed. Page allows disconnection of any live user.

Screen - Live SSL VPN Users

Client Configuration for SSL VPN

Access End-User Portal

Cyberoam SSL VPN Portal can be accessed by remote users using the URL - https://<WAN IP Address of Cyberoam:port>. Use the default port: 8443 unless customized. User is directed to the Cyberoam SSL VPN Portal Login Page. Access is available only to those users who have been assigned the SSL VPN Policy.

Screen - Login Page

Screen Elements Description

Username Specify user login name.

Password Specify user account Password.

Language Select the language. Available Options:

Chinese-Simplified

Chinese-Traditional

English

French

Hindi

Japanese

By default, English is selected.

Login Button Click to login to the Cyberoam SSL VPN Portal.

Table - Login Page

Accessing SSL VPN Using Tunnel Access

After successfully logging into the Cyberoam SSL VPN Portal, user is directed to the Main Page which has only the “Tunnel Access Mode” section activated.

Screen - Main Page for Tunnel Access Mode

Screen Elements Description

SSL VPN Client (Tunnel access mode)

Download Client Click to download the SSL VPN Client Installer bundled with Configurations.

Download SSL VPN Client Configuration - Windows

Click to download the SSL VPN Configurations for Windows.

Note Only the SSL VPN Configuration is available through this option.

Download SSL VPN Client Configuration - MAC Tunnelblick

Click to download the SSL VPN Configurations for MAC Tunnelblick.

Note Only the SSL VPN Configuration is available through this option.

Receive Passphrase Select a mode to receive the SSL VPN Certificate Passphrase. To receive the Passphrase in the SSL VPN Client Bundle itself, enable “Key Encryption” option in the selected “SSL Client Certificate” prior to downloading the SSL VPN Client Bundle. Available Options:

Show - Select to Display the “Passphrase” on the screen.

Send Email - Select to send the “Passphrase” to the Email Address of the logged-in user. It is mandatory to configure Email Address and SMTP Mail Server to be able to receive the SSL VPN Passphrase via Email. Configure User Email Address from Identity → Users → Users and configure SMTP Mail Server from System → Configuration → Notification in the section “Mail Server Settings”.

Note Selecting “Send Email” returns an error “Failed to send the Passphrase” if the Email Address of the logged-in user is not configured in Cyberoam.

To configure the mode for receiving the Passphrase, go to System → Administration → Settings and select from the options available against parameter "Receive Passphrase via" of section SSL VPN Settings.

Note Only the configured modes are displayed against “Receive Passphrase” parameter.

Table - Main Page for Tunnel Access Mode Screen Elements

Download Client

For downloading the client for the first time, click “Download Client” and follow the on-screen instructions:

Screen - Download Client

Note Windows Vista users need Administrator privileges to install the client.

On clicking “Download Client”, the following message appears.

Screen - Prompt Message

Click “Save” to save a copy of CrSSL.exe on your local machine, else click “Run” to run the setup. The following warning message appears.

Screen - Warning Message

On clicking “Run”, the “Choose Install Location” dialog box appears.

Screen - Choose Install Location

Click “Browse” to change the location of the Destination Folder where the client is to be installed. Click “Install”. The following screen appears while installation is in progress.

Screen - Installation in Progress

Once the installation is complete, the CrSSL Client icon appears in the system tray.

Download and Import Client Configuration

Note

If you are installing SSL VPN Client for the first time, skip this section.

Step 1: Download SSL VPN Client Configuration

You need to download the configuration file if you have already installed the Client or if the server configuration has changed. Click “Download SSL VPN Client Configuration - Windows” and follow the on-screen instructions.

Screen - Download Configuration

On clicking “Download SSL VPN Client Configuration - Windows”, the following message appears.

Screen - Prompt Message

Click “Save” to save clientbundle.tgz.

Step 2: Import SSL VPN Configuration

Right click the CrSSL Client icon in the System Tray.

Click “Import Configuration”. The Import Configuration screen appears.

Screen - Import Configuration

Click the ellipsis (…) to browse to the location at which the file clientbundle.tgz is saved. Click “Import” to import the SSL VPN Configuration from clientbundle.tgz.

Screen – Import Configuration Status
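A pre-import check for the downloaded clientbundle.tgz, as an added example that is not Cyberoam's code: it reads the archive in memory, flags entries that would unpack outside the target folder, and reports whether any private key is stored without the “Key Encryption” protection described above. It assumes the bundle carries PEM-encoded key files; the sample file names and contents are constructed.

```python
import io
import tarfile

# Constructed sample contents; file names and key bodies are placeholders,
# not taken from a real Cyberoam bundle.
SAMPLE_FILES = {
    "client.conf": b"# constructed client configuration\n",
    "user.key": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                b"DEK-Info: PLACEHOLDER\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "plain.key": b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "../startup.bat": b"rem constructed traversal entry\n",
}


def build_sample_bundle(files):
    """Pack a dict of name -> bytes into an in-memory .tgz (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def is_unsafe_member(member):
    """True for entries that could land outside the chosen import folder."""
    name = member.name.replace("\\", "/")
    drive = len(name) > 1 and name[1] == ":"
    return (name.startswith("/") or drive or ".." in name.split("/")
            or member.issym() or member.islnk())


def audit_bundle(fileobj):
    """Return (unsafe, plaintext_keys, encrypted_keys) without extracting to disk."""
    unsafe, plaintext, encrypted = [], [], []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if is_unsafe_member(member):
                unsafe.append(member.name)
            elif member.isfile():
                text = tar.extractfile(member).read().decode("latin-1")
                if "PRIVATE KEY-----" not in text:
                    continue
                if ("BEGIN ENCRYPTED PRIVATE KEY" in text
                        or "Proc-Type: 4,ENCRYPTED" in text):
                    encrypted.append(member.name)
                else:
                    plaintext.append(member.name)
    return unsafe, plaintext, encrypted


if __name__ == "__main__":
    # For a real download: audit_bundle(open("clientbundle.tgz", "rb"))
    print(audit_bundle(build_sample_bundle(SAMPLE_FILES)))
```

A non-empty first or second list is a reason to stop before importing: the first means the archive is malformed or tampered with, the second means anyone who obtains the bundle also obtains a usable client key.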

Establish connection

Step 1: Login to access network resources or Internet

Double-click the CrSSL Client icon, specify username and password, and click the “Login” button.

Screen – User Authentication

Screen Elements Description

Username Specify user login name.

Password Specify user account Password.

Save username and password

Click to save username and password.

Auto Start SSL VPN Click to start SSL VPN Tunnel automatically with system restart.

Login Button Click to login.

Exit Button Click to close the CrSSL Client.

Table – User Authentication Screen Elements

User is prompted to provide an additional password as “Passphrase” when the selected SSL Client Certificate under “Tunnel Access Settings” page contains an Encrypted Key.

Screen - Enter Password

Screen Elements Description

Enter Password Specify the Passphrase.

OK Button Click to login.

Cancel Button Click to cancel the login session.

The icon turns yellow indicating that connection is in progress and turns green the moment connection is established and IP Address is leased.

To disconnect the connection, right click the CrSSL Client icon and click “Logout”.

Accessing SSL VPN Using Web Access

After successfully logging into the Cyberoam SSL VPN Portal, user is directed to the Main Page, which has only the “Web Access Mode” section activated.

Screen - Main Page for Web Access Mode

Screen Elements Description

Configured Bookmarks

Sr. No. Displays serial number of the Bookmark.

Bookmark Name Displays name of the Bookmark.

Bookmark URL Displays URL of the Bookmark.

Service Displays Service used for creating the Bookmark.

Table - Main Page for Web Access Mode Screen Elements

Accessing Applications

User can access any of the Bookmarks listed on the Main Page which include certain Enterprise Web Applications/Servers.

Accessing SSL VPN Using Application Access

After successfully logging into the Cyberoam SSL VPN Portal, user is directed to the Main Page which has only the “Application Access Mode” section activated.

Screen - Main Page for Application Access Mode

Screen Elements Description

Configured Bookmarks

Sr. No. Displays serial number of the Bookmark.

Bookmark Name Displays name of the Bookmark.

Bookmark URL Displays URL of the Bookmark.

Service Displays Service used for creating the Bookmark.

Table - Main Page for Application Access Mode Screen Elements

Accessing Applications

User can access any of the Bookmarks listed on the Main Page which include certain Enterprise Applications/Servers.