6-1
v1.1, November 2006
Chapter 6
Configuring the SSL VPN Tunnel Client and Port Forwarding
This chapter describes the configuration for the SSL VPN Tunnel Client and for Port Forwarding.
When a remote user accesses the SSL VPN Concentrator from a PC that allows ActiveX content,
these two powerful features can be activated. For each of these features, the SSL312 installs a
small client program on the user’s PC that enables a more direct level of network access than is
possible from the browser alone.
This chapter includes:
Two Approaches for VPN
SSL VPN Client Configuration
Configuring Applications for Port Forwarding
Two Approaches for VPN
Two portal features allow direct VPN access to the corporate network. The SSL VPN Tunnel
Client allows full network access similar to an IPSec VPN connection. Port Forwarding allows
direct network access for selected client-server applications.
When a remote user accesses the SSL VPN Portal, one of the listed options is to Establish an SSL
VPN Tunnel. When this feature is selected, the SSL VPN Concentrator will install a small VPN
Tunnel Client program on the user’s PC that will allow the remote user to virtually join the
corporate network. The VPN Tunnel Client provides a PPP (point-to-point) connection between
the client and the SSL VPN Concentrator, and a virtual network interface is created on the user’s
PC. The SSL VPN Concentrator will assign the PC an IP address and DNS server IP addresses,
allowing the remote PC to access network resources in the same manner as if it were connected
directly to the corporate network.
Port Forwarding, like VPN Tunnel, is a web-based client that installs transparently and then
creates a virtual, encrypted tunnel to the remote network. However, Port Forwarding differs from
VPN Tunnel in several ways. For example, Port Forwarding:
Only supports TCP connections, not UDP or other IP protocols.
Detects and reroutes individual data streams to the Port Forwarding connection rather than
opening up a full tunnel to the corporate network.
Offers more fine-grained management than VPN Tunnel. Administrators define the individual applications and resources that will be available to remote users. With VPN Tunnel, administrators must create access policies to block undesirable traffic at the SSL VPN Concentrator rather than at the client level.
SSL VPN Client Configuration
The IP addresses to be assigned to remote VPN Tunnel Clients are configured in the VPN Tunnel
menu. Because the connection is a point-to-point connection, you can assign IP addresses from the
corporate subnet to the remote VPN Tunnel Clients. The DNS settings assigned to the VPN Tunnel
Client are configured in the Network menu.
Some additional considerations:
So that the virtual (PPP) interface address of the VPN Tunnel Client does not conflict with addresses on the corporate network, configure an IP address range that does not overlap with addresses on your local network. For example, if 192.168.0.1 through 192.168.0.100 are currently assigned to devices on your local network, then start the client address range at 192.168.0.101 or choose an entirely different subnet altogether.
The VPN Tunnel Client cannot contact a server on the corporate network if the VPN Tunnel Client's Ethernet interface shares the same IP address as the server or the SSL VPN Concentrator (for example, if your laptop has a network interface IP address of 10.0.0.45, then you won't be able to contact a server on the remote network that also has the IP address 10.0.0.45).
If you assign an entirely different subnet to the VPN Tunnel Clients, you must:
Add a client route to configure the VPN Tunnel Client to connect to the corporate network using the VPN tunnel.
Create a static route on the corporate network's firewall to forward local traffic intended for the VPN Tunnel Client range to the SSL VPN Concentrator.
Beyond what is defined in “Web Browser Requirements” on page 1-2, the VPN Tunnel Client has some specific operating requirements:
Mac OS. VPN Tunnel supports Mac OS X 10.4 (Tiger).
Browsers. The Firefox browser is not supported.
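The three address-planning considerations above can be checked mechanically before the range is entered in the VPN Tunnel menu. The following script is an added example, not code from the NETGEAR manual or from the SSL312 itself; the function names, the LAN inventory, the concentrator address and the server addresses are all constructed for illustration and mirror the manual's own numbers (192.168.0.1 through 192.168.0.100 in use, a laptop at 10.0.0.45).

```python
"""Address-plan checks for the VPN Tunnel Client IP range.

Added example (not code from the NETGEAR manual or the SSL312). It turns
the three considerations above into checks an administrator can run on a
proposed plan before entering it in the VPN Tunnel menu. Every address
below is constructed sample data.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed LAN inventory: addresses already assigned on the corporate
# network, 192.168.0.1 through 192.168.0.100, as in the manual's example.
SAMPLE_LAN_IN_USE = [str(IPv4Address("192.168.0.1") + i) for i in range(100)]
SAMPLE_CORPORATE_SUBNET = "192.168.0.0/24"
SAMPLE_CONCENTRATOR_IP = "192.168.0.2"   # constructed, inside the LAN


def range_conflicts(begin, end, in_use):
    """Return the already-assigned LAN addresses that fall inside the
    proposed client range; for a sound plan the result is empty."""
    b, e = IPv4Address(begin), IPv4Address(end)
    if e < b:
        raise ValueError("client range end precedes its begin")
    return sorted(a for a in map(IPv4Address, in_use) if b <= a <= e)


def unreachable_hosts(client_ethernet_ip, servers, concentrator_ip):
    """Corporate hosts the remote PC can never reach over the tunnel
    because they share the PC's own Ethernet address (the manual's
    10.0.0.45 case). The concentrator itself is included in the check."""
    local = IPv4Address(client_ethernet_ip)
    hosts = set(map(IPv4Address, servers)) | {IPv4Address(concentrator_ip)}
    return sorted(h for h in hosts if h == local)


def extra_routes_needed(begin, end, corporate_subnet):
    """True when the client range lies outside the corporate subnet, in
    which case a client route (VPN Tunnel menu) and a static route on the
    corporate firewall pointing the range at the concentrator are needed."""
    net = IPv4Network(corporate_subnet)
    return not (IPv4Address(begin) in net and IPv4Address(end) in net)


def check_plan(begin, end, in_use, corporate_subnet, concentrator_ip,
               client_ethernet_ip, servers):
    """Aggregate the three checks into one report dictionary."""
    return {
        "conflicts": [str(a) for a in range_conflicts(begin, end, in_use)],
        "unreachable": [str(h) for h in unreachable_hosts(
            client_ethernet_ip, servers, concentrator_ip)],
        "routes_needed": extra_routes_needed(begin, end, corporate_subnet),
    }


if __name__ == "__main__":
    # A range starting at .90 collides with eleven assigned addresses;
    # starting at .101 (the manual's advice) clears the conflict.
    for begin in ("192.168.0.90", "192.168.0.101"):
        report = check_plan(begin, "192.168.0.200", SAMPLE_LAN_IN_USE,
                            SAMPLE_CORPORATE_SUBNET, SAMPLE_CONCENTRATOR_IP,
                            client_ethernet_ip="10.0.0.45",
                            servers=["10.0.0.45", "10.0.0.7"])
        print(begin, report)
```

Feed `range_conflicts` the real DHCP scope and static assignments rather than a hand-typed list; an address that is merely absent from a spreadsheet is not free. The `unreachable_hosts` check is worth running against the address a roaming laptop picks up on common home and hotel networks (10.0.0.x, 192.168.0.x, 192.168.1.x), since those are exactly the ranges that tend to collide with a corporate server.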
Adding IP Address Ranges
Determine the address range you will assign to VPN Tunnel Clients, then define the address range
in the SSL VPN Concentrator administrative interface.
To configure the SSL VPN Tunnel client address range:
1. Under Access Administration in the left navigation pane, click the VPN Tunnel option. The VPN Tunnel Client screen displays.
In the Client IP Address Range section of the screen, you can define the IP address range to assign to incoming VPN Tunnel clients. The default range begins with 192.168.251.1 and ends with 192.168.251.254.
2. In the Client Address Range Begin field, enter the first IP address of the IP address range.
3. In the Client Address Range End field, enter the last IP address of the IP address range.
4. Click Apply to update the configuration.
5. Restart the SSL VPN Concentrator software if any VPN Tunnel Clients are actively connected. Restarting will force the clients to obtain a new virtual IP address.
VPN Tunnel Clients are now able to connect to the SSL VPN Concentrator and receive a dynamic IP address in the client address range.
Be sure to configure DNS addresses in the Network menu.
Adding Routes for VPN Tunnel Clients
The VPN Tunnel Clients assume that the following networks are located across the VPN over SSL
tunnel:
The subnet containing the client IP address (PPP interface), as determined by the class of the
address (Class A, B, or C).
Subnets specified in the Configured Client Routes table.
If the assigned client IP address range is in a different subnet than the corporate network or if the
corporate network has multiple subnets, you must define Client Routes.
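The routing rule just stated (the classful network of the PPP address plus the Configured Client Routes) determines which corporate destinations actually traverse the tunnel, and therefore which client routes are missing. The script below is an added example, not code from the NETGEAR manual or the SSL312; it models that rule as described here and adds a helper that derives the prefix for the matching static route on the corporate firewall. Function names and all addresses are constructed; the default client range 192.168.251.1 through 192.168.251.254 and the 192.168.0.0 example are the only values taken from the manual.

```python
"""Which destinations a VPN Tunnel Client sends through the tunnel.

Added example, not code from the NETGEAR manual or the SSL312. It models
the routing rule this section states: the client treats the classful
network of its PPP address (Class A /8, Class B /16, Class C /24) plus
every entry in the Configured Client Routes table as lying across the
tunnel, and everything else as local. All addresses are constructed.
"""
from ipaddress import IPv4Address, IPv4Network


def classful_network(addr):
    """Classful network implied by an address: first octet 0-127 -> /8,
    128-191 -> /16, 192-223 -> /24. Class D/E addresses are rejected."""
    a = IPv4Address(addr)
    first_octet = int(a) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a Class A, B or C address")
    return IPv4Network((a, prefix), strict=False)


def tunnel_networks(client_ppp_ip, client_routes):
    """Networks the client routes over the tunnel. Client routes may be
    written as CIDR ('192.168.0.0/24') or as the manual's network plus
    subnet mask form ('192.168.0.0/255.255.255.0')."""
    nets = [classful_network(client_ppp_ip)]
    nets.extend(IPv4Network(r, strict=False) for r in client_routes)
    return nets


def via_tunnel(destination, client_ppp_ip, client_routes):
    """True if traffic to destination leaves through the virtual interface."""
    d = IPv4Address(destination)
    return any(d in n for n in tunnel_networks(client_ppp_ip, client_routes))


def missing_client_routes(client_ppp_ip, client_routes, corporate_subnets):
    """Corporate subnets not fully covered by any tunnel network; each one
    needs an entry under Add Routes for VPN Tunnel Clients."""
    nets = tunnel_networks(client_ppp_ip, client_routes)
    return [s for s in corporate_subnets
            if not any(IPv4Network(s).subnet_of(n) for n in nets)]


def covering_prefix(begin, end):
    """Smallest single prefix containing the whole client address range:
    the destination of the static route on the corporate firewall whose
    next hop is the SSL VPN Concentrator."""
    b, e = IPv4Address(begin), IPv4Address(end)
    for prefix in range(32, -1, -1):
        net = IPv4Network((b, prefix), strict=False)
        if e in net:
            return net
    raise AssertionError("unreachable: /0 contains every address")


if __name__ == "__main__":
    # Default client range on a separate /24, corporate LAN on 192.168.0.0/24
    # plus a second subnet 192.168.1.0/24 (constructed).
    ppp_ip = "192.168.251.10"
    routes = ["192.168.0.0/255.255.255.0"]
    print("192.168.0.50 via tunnel:", via_tunnel("192.168.0.50", ppp_ip, routes))
    print("missing routes:", missing_client_routes(
        ppp_ip, routes, ["192.168.0.0/24", "192.168.1.0/24"]))
    print("firewall static route:",
          covering_prefix("192.168.251.1", "192.168.251.254"), "-> concentrator")
```

Two practical consequences fall out of the classful rule. First, a client range inside the corporate subnet (the 192.168.0.101 example above) needs no client route at all, because the /24 implied by the PPP address already covers the LAN. Second, a PPP address drawn from 10.0.0.0/8 makes the client send all of 10.0.0.0/8 into the tunnel, including any 10.x network the remote user is physically attached to; choose the range with that in mind.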
To add an SSL VPN Tunnel client route:
1. Access the VPN Tunnel menu.
2. In the Destination Network field under the Add Routes for VPN Tunnel Clients section, enter the network address of a local area network or subnet. For example, enter 192.168.0.0.
3. Enter the subnet mask of the local area network in the Subnet Mask field.
Figure 6-1
4. Click Add Route. The client route appears in the Configured Client Routes table, as shown in the figure below.
5. Restart the SSL VPN Concentrator software if VPN Tunnel Clients are currently connected to the SSL VPN Concentrator. Restarting forces clients to reconnect and receive new addresses and routes.
Now users are able to connect to the SSL VPN Concentrator and receive a virtual IP address
from the client address range.
To delete a VPN Tunnel Client Route:
1. In the Configured Client Routes table, click the Delete link adjacent to the client route.
Note: You must also add a static route on your corporate firewall or router that directs local traffic destined for the VPN Tunnel Client address range to the SSL VPN Concentrator.
Figure 6-2
