1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. SRX5308
    5. /
  5. 56
Page 276 / 469 Scroll up to view Page 271 - 275
Virtual Private Networking Using SSL
Connections
276
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
SSL VPN Portal Options
The VPN firewall’s SSL VPN portal can provide two levels of SSL service to the remote user:
SSL VPN tunnel
. The VPN firewall can provide the full network connectivity of a VPN
tunnel using the remote user’s browser instead of a traditional IPSec VPN client. The SSL
capability of the user’s browser provides authentication and encryption, establishing a
secure connection to the VPN firewall. Upon successful connection, an ActiveX-based
SSL VPN client is downloaded to the remote computer to allow the remote user to
virtually join the corporate network.
The SSL VPN client provides a point-to-point (PPP) connection between the client and
the VPN firewall, and a virtual network interface is created on the user’s computer. The
VPN firewall assigns the computer an IP address and DNS server IP addresses, allowing
the remote computer to access network resources in the same manner as if it were
connected directly to the corporate network, subject to any policy restrictions that you
configure.
SSL port forwarding
.
Like an SSL VPN tunnel, port forwarding is a web-based client that
is installed transparently and then creates a virtual, encrypted tunnel to the remote
network. However, port forwarding differs from an SSL VPN tunnel in several ways:
-
Port forwarding supports only TCP connections, not UDP connections, or connections
using other IP protocols.
-
Port forwarding detects and reroutes individual data streams on the user’s computer
to the port forwarding connection rather than opening up a full tunnel to the corporate
network.
-
Port forwarding offers more fine-grained management than an SSL VPN tunnel. You
define individual applications and resources that are available to remote users.
The SSL VPN portal can present the remote user with one or both of these SSL service
levels, depending on how you set up the configuration.
Overview of the SSL Configuration Process
To configure and activate SSL connections, perform the following six basic steps in the order
that they are presented:
1.
create an SSL portal (see
Create the Portal Layout
on page
277).
When remote users log in to the VPN firewall, they see a portal page that you can
customize to present the resources and functions that you choose to make available.
2.
Create authentication domains, user groups, and user accounts (see
Configure Domains,
Groups, and Users
on page
281).)
a.
Create one or more authentication domains for authentication of SSL VPN users.
When remote users log in to the VPN firewall, they need to specify a domain to which
their login account belongs. The domain determines the authentication method that is
used and the portal layout that is presented, which in turn determines the network
Page 277 / 469
Virtual Private Networking Using SSL
Connections
277
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
resources to which the users are granted access. Because you need to assign a
portal layout when creating a domain, the domain is created after you have created
the portal layout.
b.
Create one or more groups for your SSL VPN users.
When you define the SSL VPN policies that determine network resource access for
your SSL VPN users, you can define global policies, group policies, or individual
policies. Because you need to assign an authentication domain when creating a
group, the group is created after you have created the domain.
c.
Create one or more SSL VPN user accounts.
Because you need to assign a group when creating an SSL VPN user account, the
user account is created after you have created the group.
3.
For port forwarding, define the servers and services (see
Configure Applications for Port
Forwarding
on page
282).
Create a list of servers and services that can be made available through user, group, or
global policies. You can also associate fully qualified domain names (FQDNs) with these
servers. The VPN firewall resolves the names to the servers using the list you have
created.
4.
For SSL VPN tunnel service, configure the virtual network adapter (see
Configure the SSL
VPN Client
on page
284).
For the SSL VPN tunnel option, the VPN firewall creates a virtual network adapter on the
remote computer that then functions as if it were on the local network. Configure the
portal’s SSL VPN client to define a pool of local IP addresses to be issued to remote
clients, as well as DNS addresses. Declare static routes or grant full access to the local
network, subject to additional policies.
5.
To simplify policies, define network resource objects (see
Use Network Resource Objects to
Simplify Policies
on page
288).
Network resource objects are groups of IP addresses, IP address ranges, and services.
By defining resource objects, you can more quickly create and configure network policies.
6.
Configure the SSL VPN policies (see
Configure User, Group, and Global Policies
on
page
291).
Policies determine access to network resources and addresses for individual users,
groups, or everyone.
Create the Portal Layout
The Portal Layouts screen that you can access from the SSL VPN configuration menu allows
you to create a custom screen that remote users see when they log in to the portal. Because
the log-in screen is customizable, it provides an ideal way to communicate remote access
instructions, support information, technical contact information, or VPN-related news updates
to remote users. The log-in screen is also suited as a starting screen for restricted users; if
mobile users or business partners are permitted to access only a few resources, the log-in
screen that you create presents only the resources that are relevant to these users.
Page 278 / 469
Virtual Private Networking Using SSL
Connections
278
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
You apply portal layouts by selecting one from the available portal layouts in the configuration
of a domain. When you have completed your portal layout, you can apply the portal layout to
one or more authentication domains (see
Configure Domains
on page
303). You can also
make the new portal the default portal for the SSL VPN gateway by selecting the default radio
button next to the portal layout name.
The VPN firewall’s default portal address is https://<IP_address>/portal/SSL-VPN, in which
the IP address can be either an IPv4 or an IPv6 address. Both types of addresses are
supported simultaneously. The default domain geardomain is assigned to the default
SSL-VPN portal.
You can define individual layouts for the SSL VPN portal. The layout configuration includes
the menu layout, theme, portal pages to display, and web cache control options. The default
portal layout is the SSL-VPN portal. You can add additional portal layouts. You can also make
any portal the default portal for the VPN firewall by clicking the
Default
button in the Action
column of the List of Layouts table, to the right of the desired portal layout.
To create an SSL VPN portal layout:
1.
Select
VPN > SSL VPN > Portal Layouts
.
The Portal Layouts screen displays the IPv4
settings. (The following figure shows an additional layout in the List of Layouts table as an
example.)
2.
Specify the IP version for which you want to add a portal layout:
IPv4
. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to
Step
3
.
Figure 183.
Portal Layouts screen for IPv4
IPv6
. Select the
IPv6
radio button. The Portal Layouts screen displays the IPv6
settings. (The following figure shows an additional layout in the List of Layouts table as an
example.)
Figure 184.
Portal Layouts screen for IPv6
Page 279 / 469
Virtual Private Networking Using SSL
Connections
279
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
The List of Layouts table displays the following fields:
Layout Name
. The descriptive name of the portal.
Description
. The banner message that is displayed at the top of the portal (see
Figure
196
on page
298).
Use Count
. The number of authentication domains that use the portal.
Portal URL:
-
Portal URL (IPv4)
. The IPv4 URL at which the portal can be accessed. The IPv4
address in the URL is the public WAN address of the VPN firewall (see
Configure
the IPv4 Internet Connection and WAN Settings
on page
29). Both the IPv4 URL
and the IPv6 URL can be active simultaneously.
-
Portal URL (IPv6)
. The IPv6 URL at which the portal can be accessed. The IPv6
address in the URL is the public WAN address of the VPN firewall (see
Configure
the IPv6 Internet Connection and WAN Settings
on page
52). Both the IPv6 URL
and the IPv4 URL can be active simultaneously.
Action
. The table buttons, which allow you to edit the portal layout or set it as the
default.
3.
Under the List of Layouts table, click the
Add
table button. The Add Portal Layout screen
displays. (The following figure shows an example.)
Figure 185.
Page 280 / 469
Virtual Private Networking Using SSL
Connections
280
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
4.
Complete the settings as described in the following table:
Table 70.
Add Portal Layout screen settings
Setting
Description
Portal Layout and Theme Name
Portal Layout Name
A descriptive name for the portal layout. This name is part of the path of the SSL
VPN portal URL.
Note:
Custom portals are accessed at a different URL than the default portal. For
example, if your SSL VPN portal is hosted at https://vpn.company.com, and you
create a portal layout named CustomerSupport, users access the website at
Note:
Only alphanumeric characters, hyphens (-), and underscores (_) are
accepted in the Portal Layout Name field. If you enter other types of characters or
spaces, the layout name is truncated before the first nonalphanumeric character.
Note:
Unlike most other URLs, this name is case-sensitive.
Portal Site Title
The title that displays at the top of the user’s web browser window, for example,
Company Customer Support
.
Banner Title
The banner title of a banner message that users see before they log in to the
portal, for example,
Welcome to Customer Support
.
Note:
For an example, see
Figure
196
on page
298. The banner title text is
displayed in the orange header bar.
Banner Message
The text of a banner message that users see before they log in to the portal, for
example,
In case of login difficulty, call 123-456-7890
. Enter a plain text message,
or include HTML and JavaScript tags. The maximum length of the login screen
message is 4096 characters.
Note:
You can enlarge the field (that is, the text box) by manipulating the lower
right corner of the field (see the blue circle in the previous figure).
Note:
For an example, see
Figure
196
on page
298. The banner message text is
displayed in the gray header bar.
Display banner
message on login page
Select this check box to show the banner title and banner message text on the
login screen as shown in
Figure
196
on page
298.
HTTP meta tags for
cache control
(recommended)
Select this check box to apply cache control directives for the HTTP meta tags to
this portal layout. Cache control directives include:
<meta http-equiv=”pragma” content=”no-cache”>
<meta http-equiv=”cache-control” content=”no-cache”>
<meta http-equiv=”cache-control” content=”must-revalidate”>
Note:
NETGEAR strongly recommends enabling HTTP meta tags for security
reasons and to prevent out-of-date web pages, themes, and data being stored in
a user’s web browser cache.

Rate

124.8 / 5 based on 304 votes.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top