NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

2-8

Installing the SSL312

v1.1, November 2006

d.

If you plan a single arm topology, clear the Enable Routing Mode checkbox. If you plan a

routing topology, check the Enable Routing Mode checkbox and enter your chosen

Ethernet Port 2 IP Address and Subnet Mask.

e.

Click Apply. If you changed the IP address for the Ethernet Port to which you are

connected, you will now lose your connection to the SSL VPN Concentrator.

Installing the SSL VPN Concentrator

You are now ready to physically install your SSL VPN Concentrator using the following steps:

1.

Turn off the power to the SSL VPN Concentrator and connect it to your network in your

chosen topology.

•

For a single arm topology, connect Ethernet Port 1 to your corporate network and leave

Ethernet Port 2 disconnected.

•

For a routing topology, connect Ethernet Port 1 to your public network and Ethernet Port 2

to your corporate network.

2.

Turn on the power to the SSL VPN Concentrator.

3.

From a PC on your corporate network, open a suitable browser and access the SSL VPN

Concentrator web management interface by typing

https://[IP_address]

, where IP_address is

the address that you assigned to the SSL312 Ethernet Port that is connected to the corporate

network.

4.

Log in as admin using the new password that you assigned. You can now continue the

configuration of your SSL VPN Concentrator.

Managing Certificates

Establishing an SSL connection requires that the SSL server, such as your SSL VPN Concentrator,

provide a digital SSL certificate to the user’s browser. A certificate is a file that contains:

•

A public encryption key to be used for encrypting your messages to the server.

•

Information identifying the operator of the server.

•

A digital signature confirming the identity of the operator of the server.

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Installing the SSL312

2-9

v1.1, November 2006

You can obtain a certificate from a well-known commercial Certificate Authority (CA) such as

Verisign or Thawte, or you can generate and sign your own certificate. Because a commercial CA

takes steps to verify the identity of an applicant, a certificate from a commercial CA provides a

strong assurance of the server’s identity. A self-signed certificate will trigger a warning from most

browsers as it provides no protection against identity theft of the server.

Your SSL VPN Concentrator contains a self-signed certificate from NETGEAR. NETGEAR

recommends that you replace this certificate prior to deploying the SSL VPN Concentrator in your

network.

From the Certificates menu, you can view the currently loaded certificates, upload a new

certificate and generate a Certificate Signing Request (CSR).

Obtaining a Certificate from a Certificate Authority

To obtain a certificate from a CA, you must generate a Certificate Signing Request (CSR) for your

SSL VPN Concentrator. The CSR is a file containing information about your company and about

the device that will hold the certificate. Refer to the CA for guidelines on the information you

include in your CSR.

To generate a new Certificate Signing Request (CSR) file:

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

2-10

Installing the SSL312

v1.1, November 2006

1.

Under the System Configuration menu in the left navigation pane, select Certificates. The

Certificates screen displays.

2.

In the Digital Certificate Management section, click New CSR/CRT. The Create CSR

screen

displays.

Figure 2-5

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Installing the SSL312

2-11

v1.1, November 2006

3.

Fill out all of the fields with the appropriate information. This information will appear in your

certificate and will be visible to users.

4.

Click Apply. A file download screen will display. Click Save to save the

CSR

.

ZIP

file to a disk

location. You will need to provide this file to the Certificate Authority.

5.

Contact the CA to purchase your certificate using the CSR file you generated.

6.

When you receive your certificate from the CA, store the certificate file on your PC.

7.

Upload and enable the certificate according to the instructions later in this chapter.

Generating a Self-Signed Certificate

As an alternative to obtaining a certificate from a CA, you can generate a self-signed certificate for

your SSL VPN Concentrator.

To generate a self-signed certificate file:

1.

Under the System Configuration menu in the left navigation pane, select Certificates. The

Certificates menu will display as shown in the previous section.

Figure 2-6

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

2-12

Installing the SSL312

v1.1, November 2006

2.

In the Digital Certificate Management section, click New CSR/CRT. The Create CSR

screen

will display.

3.

Fill out all of the fields with the appropriate information. This information will appear in your

certificate and will be visible to users.

4.

Check the Generate a Self-signed Certificate checkbox to generate a new CRT.

5.

Click Apply. If all information is entered correctly, a file download screen displays. Click Save

to save the

CRT

.

ZIP

file to a disk location. This file includes a

SERVER

.

CRT

and a

SERVER

.

KEY

key file.

6.

Upload and enable the certificate according to the instructions later in this chapter.

Uploading and Enabling the New Certificate

For uploading to the SSL VPN Concentrator, the certificate information must be in a zipped file

containing a certificate file named

SERVER

.

CRT

and a certificate key file named

SERVER

.

KEY

. If the

zipped file does not contain these two files, the zipped file will not be uploaded. Any file name

will be accepted, but it must have the

.

ZIP

extension..

To upload and enable the new certificate:

1.

Under the System Configuration menu in the left navigation pane, select Certificates. The

Certificates menu will display as shown in the previous section.

2.

In the Import Digital Certificate table, select Browse to locate the zipped digital certificate file

on your disk or network drive.

3.

Click Upload to save the file to the Cert Description table. Once the certificate has been

uploaded, the certificate is displayed in the Current Certificates table.

Note:

Do not upload the CSR file to the SSL VPN Concentrator.

Note:

Valid certificates generated by an authorized Certificate Authority (CA) require

a password. Before you enable the certificate and restart the software, be sure

to enter the correct certificate password on the Enable Certificate window.