Virtual Private Networking Using SSL Connections 281
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
5. Click Apply to save your settings. The new portal layout is added to the List of Layouts table. For information about how to display the new portal layout, see Access the New SSL Portal Login Screen on page 297.
To edit a portal layout:
1. On the Portal Layouts screen (for IPv4, see Figure 183 on page 278; for IPv6, see Figure 184 on page 278), click the Edit button in the Action column for the portal layout that you want to modify. The Edit Portal Layout screen displays. This screen is identical to the Add Portal Layout screen (see the previous figure).
2. Modify the settings as described in the previous table.
3. Click Apply to save your settings.
To delete one or more portal layouts:
1. On the Portal Layouts screen (for IPv4, see Figure 183 on page 278; for IPv6, see Figure 184 on page 278), select the check box to the left of each portal layout that you want to delete, or click the Select All table button to select all layouts. (You cannot delete the SSL-VPN default portal layout.)
2. Click the Delete table button.
Table 70. Add Portal Layout screen settings (continued)
Setting / Description
ActiveX web cache cleaner. Select this check box to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal. The web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window. The ActiveX web cache control is ignored by web browsers that do not support ActiveX.
SSL VPN Portal Pages to Display:
VPN Tunnel page. Select this check box to provide full network connectivity.
Port Forwarding. Select this check box to provide access to specific defined network services.
Note: Any pages that are not selected are not visible from the SSL VPN portal. Hiding a page does not block access to it, however: users can still reach the hidden pages unless you create SSL VPN access policies that deny access to them.

Configure Domains, Groups, and Users
Remote users connecting to the VPN firewall through an SSL VPN portal need to be authenticated before they are granted access to the network. The login screen that is presented to the user requires three items: a user name, a password, and a domain selection. The domain determines both the authentication method and the portal layout that are used.
You need to create name and password accounts for the SSL VPN users. When you create a user account, you need to specify a group. Groups are used to simplify the application of access policies. When you create a group, you need to specify a domain. Therefore, you should create any domains first, then groups, and then user accounts.
For information about how to configure domains, groups, and users, see Configure Authentication Domains, Groups, and Users on page 303.
Configure Applications for Port Forwarding
Add Servers and Port Numbers
Add a New Host Name
Port forwarding provides access to specific defined network services. To define these services, you need to specify the internal server addresses and port numbers for TCP applications that are intercepted by the port forwarding client on the user's computer. This client reroutes the traffic to the VPN firewall.
Note: SSL VPN port forwarding is supported for IPv4 connections only.
Add Servers and Port Numbers
To configure port forwarding, you need to define the IP addresses of the internal servers and the port number for TCP applications that are available to remote users.
To add a server and a port number:
1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays. (The following figure shows an example.)
Figure 186.
2. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields:
IP Address. The IP address of an internal server or host computer that a remote user has access to.
TCP Port. The TCP port number of the application that is accessed through the SSL VPN tunnel. The following table lists some commonly used TCP applications and port numbers.
3. Click the Add table button. The new application entry is added to the List of Configured Applications for Port Forwarding table. Remote users can now securely access network applications once they have logged in to the SSL VPN portal and launched port forwarding.
To delete an application from the List of Configured Applications for Port Forwarding table:
1. Select the check box to the left of the application that you want to delete.
2. Click the Delete table button in the Action column.
Add a New Host Name
After you have configured port forwarding by defining the IP addresses of the internal servers and the port number for TCP applications that are available to remote users, you then can also specify host-name-to-IP-address resolution for the network servers as a convenience for users. Host name resolution allows users to access TCP applications at familiar addresses such as mail.example.com or ftp.customer.com rather than by IP addresses.
Table 71. Port forwarding applications/TCP port numbers
TCP Application: Port Number
FTP data (usually not needed): 20
FTP Control Protocol: 21
SSH: 22 (a)
Telnet: 23 (a)
SMTP (send mail): 25
HTTP (web): 80
POP3 (receive mail): 110
NTP (Network Time Protocol): 123
Citrix: 1494
Terminal Services: 3389
VNC (virtual network computing): 5900 or 5800
a. Users can specify the port number together with the host name or IP address.
To add servers and host names for client name resolution:
1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays (see Figure 186 on page 282).
2. In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields:
Local Server IP Address. The IP address of an internal server or host computer that you want to name.
Fully Qualified Domain Name. The full server name.
Note: If the server or host computer that you want to name does not display in the List of Configured Applications for Port Forwarding table, you need to add it before you can rename it.
3. Click the Add table button. The new application entry is added to the List of Configured Host Names for Port Forwarding table.
To delete a name from the List of Configured Host Names for Port Forwarding table:
1. Select the check box to the left of the name that you want to delete.
2. Click the Delete table button in the Action column.
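The two Port Forwarding tables described above carry rules that the GUI enforces one entry at a time: port forwarding is IPv4 only, a TCP port must be in range, and a host name can only be attached to a server that is already in the List of Configured Applications. The following script is an added example, not part of the manual or of the firewall's own software, that applies those rules to an exported copy of both lists so that an administrator can review the whole configuration at once. The list contents and the dictionary layout are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data modelled on the two tables on the Port Forwarding
# screen: configured applications (server IP + TCP port) and configured host
# names (server IP + fully qualified domain name). All values are made up.
APPLICATIONS = [
    {"ip": "192.168.1.10", "port": 22},
    {"ip": "192.168.1.20", "port": 80},
    {"ip": "192.168.1.20", "port": 443},
    {"ip": "2001:db8::10", "port": 25},     # invalid: port forwarding is IPv4 only
    {"ip": "192.168.1.30", "port": 70000},  # invalid: TCP port out of range
]
HOST_NAMES = [
    {"ip": "192.168.1.20", "fqdn": "intranet.example.com"},
    {"ip": "192.168.1.99", "fqdn": "mail.example.com"},  # invalid: server not configured
    {"ip": "192.168.1.10", "fqdn": "bad_host"},          # invalid: not a FQDN
]

# Host-name syntax: dot-separated labels of letters, digits and hyphens,
# ending in an alphabetic top-level domain, 253 characters at most.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def check_application(entry):
    """Return the problems with one application entry (empty list if none)."""
    problems = []
    try:
        addr = ipaddress.ip_address(entry["ip"])
        if addr.version != 4:
            problems.append(f"{entry['ip']}: SSL VPN port forwarding supports IPv4 only")
    except ValueError:
        problems.append(f"{entry['ip']}: not a valid IP address")
    port = entry["port"]
    if not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append(f"{entry['ip']}: TCP port {port} out of range 1-65535")
    return problems


def check_host_name(entry, configured_ips):
    """Return the problems with one host-name entry against the configured servers."""
    problems = []
    if entry["ip"] not in configured_ips:
        problems.append(
            f"{entry['fqdn']}: {entry['ip']} is not in the configured applications list"
        )
    if not FQDN_RE.match(entry["fqdn"]):
        problems.append(f"{entry['fqdn']}: not a fully qualified domain name")
    return problems


def validate(applications, host_names):
    """Check both lists and return every problem found, in table order."""
    problems = []
    for app in applications:
        problems.extend(check_application(app))
    # Only valid application entries count as "configured" servers for host names.
    configured_ips = {a["ip"] for a in applications if not check_application(a)}
    for host in host_names:
        problems.extend(check_host_name(host, configured_ips))
    return problems


if __name__ == "__main__":
    for problem in validate(APPLICATIONS, HOST_NAMES):
        print("PROBLEM:", problem)
```

Run against the constructed lists, the script reports four problems: the IPv6 server, the out-of-range port, the host name pointing at an unconfigured server, and the malformed host name. Feeding it a real export only requires building the two lists from the device's tables in the same dictionary shape.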
Configure the SSL VPN Client
Configure the Client IP Address Range
Add Routes for VPN Tunnel Clients
The SSL VPN client on the VPN firewall assigns IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the local subnet to the remote VPN tunnel clients.
The following are some additional considerations:
- So that the virtual (PPP) interface address of a VPN tunnel client does not conflict with addresses on the local network, configure an IP address range that does not directly overlap with addresses on your local network. For example, if 192.168.1.1 through 192.168.1.100 are assigned to devices on the local network, start the client address range at 192.168.1.101, or choose an entirely different subnet altogether.
- The VPN tunnel client cannot contact a server on the local network if the VPN tunnel client's Ethernet interface shares the same IP address as the server or the VPN firewall. (For example, if your computer has a network interface IP address of 10.0.0.45, you cannot contact a server on the remote network that also has the IP address 10.0.0.45.)
- Select whether you want to enable full-tunnel or split-tunnel support based on your bandwidth:
  - A full tunnel sends all of the client's traffic across the VPN tunnel.
  - A split tunnel sends only traffic that is destined for the local network based on the specified client routes. All other traffic is sent to the Internet. A split tunnel allows you to manage bandwidth by reserving the VPN tunnel for local traffic only.
- If you enable split-tunnel support and you assign an entirely different subnet to the VPN tunnel clients from the subnet that is used by the local network, you need to add a client route to ensure that a VPN tunnel client connects to the local network over the VPN tunnel.
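The considerations above are easy to get wrong when the client range, the LAN addressing and the tunnel mode are set on different screens. The following script is an added example, not part of the manual or of the firewall's own software, that checks a planned SSL VPN client configuration against them before it is entered: the client range must not hand out addresses already used on the LAN, a split tunnel with a client range outside the LAN subnet needs a client route covering the LAN, and a remote computer whose own interface address matches a server's address cannot reach that server. The configuration layout and the sample values are constructed; the LAN example follows the manual's 192.168.1.1 through 192.168.1.100 case.

```python
import ipaddress

# Constructed planning input (not a device export): the LAN subnet, the LAN
# addresses already in use, the range to hand to VPN tunnel clients, the
# tunnel mode and the client routes that a split tunnel would send over the VPN.
EXAMPLE_CONFIG = {
    "lan_subnet": "192.168.1.0/24",
    "lan_in_use": [f"192.168.1.{i}" for i in range(1, 101)],
    "client_range": ("192.168.1.101", "192.168.1.150"),
    "split_tunnel": True,
    "client_routes": [],
}


def parse_range(client_range):
    """Return (first, last) as address objects, rejecting an inverted range."""
    first, last = (ipaddress.ip_address(a) for a in client_range)
    if last < first:
        raise ValueError(f"client range {first}-{last} is inverted")
    return first, last


def check_client_config(cfg):
    """Return a list of problems found against the manual's considerations."""
    problems = []
    lan = ipaddress.ip_network(cfg["lan_subnet"])
    first, last = parse_range(cfg["client_range"])

    # 1. The client range must not overlap addresses already used on the LAN,
    #    or a tunnel client's PPP address can collide with a local device.
    clashes = [a for a in cfg["lan_in_use"] if first <= ipaddress.ip_address(a) <= last]
    if clashes:
        problems.append(
            f"client range overlaps {len(clashes)} in-use LAN address(es), "
            f"for example {clashes[0]}"
        )

    # 2. With a split tunnel and a client range outside the LAN subnet, the LAN
    #    must be covered by a client route or its traffic leaves via the Internet.
    same_subnet = first in lan and last in lan
    if cfg["split_tunnel"] and not same_subnet:
        routes = [ipaddress.ip_network(r) for r in cfg["client_routes"]]
        if not any(lan.subnet_of(r) for r in routes):
            problems.append(
                f"split tunnel with client range outside {lan}: "
                f"add a client route that covers {lan}"
            )
    return problems


def unreachable_servers(client_local_ip, server_ips):
    """Servers a remote client cannot reach because its own Ethernet interface
    already uses that address (the manual's 10.0.0.45 example)."""
    local = ipaddress.ip_address(client_local_ip)
    return [s for s in server_ips if ipaddress.ip_address(s) == local]


if __name__ == "__main__":
    print(check_client_config(EXAMPLE_CONFIG) or "client range OK")
    print(unreachable_servers("10.0.0.45", ["10.0.0.45", "10.0.0.46"]))
```

With the constructed configuration the client range starts at .101, so no LAN address clashes and, because the range lies inside the LAN subnet, no client route is needed even though split tunnelling is enabled. Moving the range to a separate subnet such as 10.8.0.0/24 without adding a client route is reported as a problem.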
Configure the Client IP Address Range
First determine the address range to be assigned to VPN tunnel clients, and then define the address range.
To define the client IP address range:
1. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen displays the IPv4 settings (the following screen shows some examples).
2. Specify the IP version for which you want to configure the SSL VPN client:
IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
Figure 187. SSL VPN Client screen for IPv4
IPv6. Select the IPv6 radio button. The SSL VPN Client screen displays the IPv6 settings (the following screen shows some examples).