Netgear ProSafe SSL312 User's Manual
Contents
1. [Chapter 6, Configuring the SSL VPN Tunnel Client and Port Forwarding; NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual, v2.0, May 2007]

Table 6-1. Port Forwarding Applications, TCP Port Numbers

  TCP Application                    Port Number
  FTP Data (usually not needed)      20
  FTP Control Protocol               21
  SSH                                22 (a)
  Telnet                             23 (a)
  SMTP (send mail)                   25
  HTTP (web)                         80
  POP3 (receive mail)                110
  NTP (network time protocol)        123
  Citrix                             1494
  Terminal Services                  3389
  VNC (virtual network computing)    5900 or 5800

  (a) Users can specify the port number together with the host name or IP address.

Configuring Host Name Resolution

Once the server and port information has been configured, remote users will be able to access private network servers using Port Forwarding. As a convenience for users, the SSL VPN Concentrator administrator can also specify host name to IP address resolution for network servers. Host Name Resolution allows users to access TCP applications at familiar addresses, such as mail.mycompany.com or ftp.mycompany.com, rather than by IP address.

To add a host name for client name resolution:

1. In the Configured Host Names for Port Forwarding section, enter an IP address in the Local Server IP Address field. The address should already be defined in the Configured Applications for Port Forwarding table.
2. In the Fully Qualified Domain Name field, enter a
2. Users Configuration

SSL VPN Concentrator users are defined from the Users and Groups menu. Under the Access and Administration menu in the left navigation pane, select the Users and Groups option. The Users and Groups menu displays.

[Figure 4-10: Users and Groups screen. Global Policies: Edit Global Policies. Groups table (Name, Domain): geardomain, geardomain, Delete; Add Group. Users table (Name, Group, Type): admin, geardomain, Administrator.]

Adding a New User

To create a new user:

1. In the Users and Groups menu, click Add User. An Add User menu displays.
   [Figure 4-11: Add User menu with User Name and Group fields.]
2. In the User Name field, enter the user name for the user. This is the name the user will enter in order to log into the SSL VPN portal.
3. From the Group pull-down menu, select the name of the group to which the user belongs.
4. Click Apply. If the selected group is in a domain that uses external authentication, such as Active Directory, RADIUS, NT Domain, or LDAP, then the Add User menu will close and the new user will be added to the Users and Groups table.

Note: Groups config
3. NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054, USA
Part number 202-10208-04, May 2007, v2.0. Copyright 2007 by NETGEAR, Inc. All rights reserved.

Technical Support: Please register to obtain technical support. Please retain your proof of purchase and warranty information. To register your product, get product support, or obtain product information and product documentation, go to http://www.NETGEAR.com. If you do not have access to the World Wide Web, you may register your product by filling out the registration card and mailing it to NETGEAR customer service. You will find technical support information at http://www.NETGEAR.com through the customer service area. If you want to contact technical support by telephone, see the support information card for the correct telephone number for your country.

Trademarks: NETGEAR, the NETGEAR logo, ProSafe, and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions: In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liabilit
4. [Event Log entry fields, continued]

... Year, Month, Day, Hour, Minute, Second. Hours are displayed in 24-hour clock format, so 2:00 PM is displayed as hour 14 in the event log. The date and time are based on the local time of the SSL VPN Concentrator, which is configured on the Date and Time screen under the System Configuration menu.

- Source address: The Source IP address shows the IP address of the user or administrator that generated the log event. The source IP address may not be displayed for certain events, such as system errors.
- Destination address: The destination IP address field shows the name or IP address that received the event. For example, if a user accessed an Intranet web site through the SSL VPN portal, the corresponding log entry would display the IP address or fully qualified domain name of the web site accessed.
- User name: The User name field shows the authenticated name of the user or administrator that generated the log event.
- Log message: The message field describes the event that occurred. Examples of log messages include "Administrator login successful" and "SSL VPN Concentrator restarting".

The event log table may be sorted and filtered:

1. To sort, click the header of the category to be sorted, such as Time or Source.
2. To filter, enter the search term in the Search field.
3. Select an event category from the pull-down men
6. [Importing a digital certificate; Installing the SSL312]

1. Under the System Configuration menu in the left navigation pane, select Certificates. The Certificates menu will display, as shown in the previous section.
2. In the Import Digital Certificate table, select Browse to locate the zipped digital certificate file on your disk or network drive.
3. Click Upload to save the file to the Cert Description table. Once the certificate has been uploaded, the certificate is displayed in the Current Certificates table.

Note: Valid certificates generated by an authorized Certificate Authority (CA) or a non-authorized CA require a password. Before you enable the certificate and restart the software, be sure to enter the correct certificate password in the Enable Certificate window. The password for the NETGEAR default certificate is "password". Because the default certificate and its password are published in this manual, replace the default certificate with one of your own before exposing the portal to remote users.

[Figure 2-7: Certificates screen. Import Digital Certificate: "Upload a zip file containing server.key and server.crt files" (Upload, Cancel). Digital Certificate Management: "Create a Certificate Signing Request for an SSL certificate" or "Create a Self-signed Certificate" (New CSR/CRT). Current Certificates (Cert Description, Status, Expiration): ruzio.com, Active, Dec 27 11:28:14 1970 GMT, Enable; NetGear, Active, May 7 07:38:56 2011 GMT.]

4. Click the Enable link adjacent to the new certificate. The Enable C
7. LDAP Attribute Rules

If multiple attributes are defined for a group, all attributes must be met by LDAP users. If no attributes are defined, then any user authorized by the LDAP server can be a member of the group. If multiple groups are defined and a user meets all the LDAP attributes for two groups, then the user will be considered part of the group with the most LDAP attributes defined. If the matching LDAP groups have an equal number of attributes, then the user will be considered a member of the group based on the alphabetical order of the groups. If an LDAP user fails to meet the LDAP attributes for all LDAP groups configured on the SSL VPN Concentrator, then the user will not be able to log into the portal. So the LDAP attributes feature not only allows the administrator to create individual rules based on the LDAP group or organization, it also allows the administrator to admit only certain LDAP users to the portal. Note the converse: a group with no attributes defined admits every user the LDAP server will authenticate.

Sample LDAP Users and Attributes Settings

If you manually add a user to an LDAP group, then the user setting will take precedence over LDAP attributes. For example, an LDAP attribute objectClass=Person is defined for group Group1, and an LDAP attribute memberOf=CN=WINSUsers,DC=netgear,DC=net is defined for Group2.

- If user Jane is defined by an LDAP server as a member of the Per
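The group selection rules above, worked through in code. This is an added example, not NETGEAR's code; it models the documented behaviour (all rules of a group must match, most rules wins, ties go alphabetically, no match refuses the login, a manual user entry overrides attributes) on constructed test data. The group names, manual assignments and user attribute sets are this example's assumptions, not a real directory.

```python
"""Group selection under the SSL312 LDAP attribute rules described above.

Added example (not NETGEAR code). Rules modelled:
  * a user matches a group only if every attribute rule of that group is met;
    a group with no rules matches any user the LDAP server authenticated;
  * among several matching groups, the one with the most rules wins;
  * equal rule counts are broken by alphabetical order of the group name;
  * no matching group means the portal login is refused;
  * a user added manually to a group keeps that group regardless of attributes.
All group names, manual assignments and user attributes below are constructed.
"""
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]                  # (attribute name, required value)
GroupRules = Dict[str, List[Rule]]      # group name -> its attribute rules
UserAttrs = Dict[str, List[str]]        # attribute name -> values returned by LDAP


def group_matches(rules: List[Rule], attrs: UserAttrs) -> bool:
    """Every rule must hold; an empty rule list matches every LDAP user."""
    return all(value in attrs.get(name, []) for name, value in rules)


def resolve_group(user: str, attrs: UserAttrs, groups: GroupRules,
                  manual: Dict[str, str]) -> Optional[str]:
    """Group the user lands in, or None when no group admits the user."""
    if user in manual:                          # explicit user entry wins
        return manual[user]
    matching = [g for g, rules in groups.items() if group_matches(rules, attrs)]
    if not matching:
        return None                             # login refused
    matching.sort(key=lambda g: (-len(groups[g]), g))   # most rules, then A-Z
    return matching[0]


def unrestricted_groups(groups: GroupRules) -> List[str]:
    """Groups with no rules: every LDAP-authenticated user qualifies for them,
    which usually means the whole directory can reach the portal."""
    return sorted(g for g, rules in groups.items() if not rules)


# Constructed configuration mirroring the manual's Group1/Group2 sample
GROUPS: GroupRules = {
    "Group1": [("objectClass", "Person")],
    "Group2": [("memberOf", "CN=WINSUsers,DC=netgear,DC=net")],
}
MANUAL_USERS = {"bob": "Group2"}        # bob was added to Group2 by hand

JANE: UserAttrs = {"objectClass": ["top", "Person"],
                   "memberOf": ["CN=WINSUsers,DC=netgear,DC=net"]}
BOB: UserAttrs = {"objectClass": ["Person"]}
EVE: UserAttrs = {"objectClass": ["computer"]}

if __name__ == "__main__":
    for name, attrs in (("jane", JANE), ("bob", BOB), ("eve", EVE)):
        print(name, "->", resolve_group(name, attrs, GROUPS, MANUAL_USERS))
```

Run `unrestricted_groups` against a production configuration before going live: a single rule-less LDAP group turns "authenticated by the directory" into "allowed through the portal".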
8. [Date and Time; Additional System Configuration]

... and for other internal purposes.

[Figure 7-1: Date and Time screen. Current time: 12/31/1969 16:04:14. Select Your Time Zone: Pacific Time (US & Canada) GMT-8:00. Automatically adjust for Daylight Saving Time. Use Network Time Protocol (NTP) / Set date and time manually (16 Hours, 4 Minutes, 14 Seconds, 12 Month, 31 Day, 1969 Year). Network Time Protocol (NTP): Use default NTP servers / Use custom NTP servers; Primary Server Name/IP Address: time-b.netgear.com; Secondary Server Name/IP Address: time-c.netgear.com.]

The current time shown in the figure, 12/31/1969 16:04:14 Pacific, is the Unix epoch (1/1/1970 00:00 UTC) shifted by the time zone, i.e. a clock that has never been set. Until the time is set, by NTP or manually, event log timestamps are useless for correlation and any CSR or self-signed certificate generated on the device will carry validity dates derived from the wrong clock.

2. From the Select Your Time Zone drop-down menu, select your time zone.
3. Automatically adjust for Daylight Saving Time is enabled by default. Uncheck the radio box to disable this feature.
4. Select either the Use Network Time Protocol (NTP) radio box or the Set date and time manually radio box. If you select the manual option, enter the desired time in 24-hour format in the Hours, Minutes, Seconds, Month, Day, and Year fields and proceed to step 6.
5. Select the Network Time Protocol (NTP) servers to be used.
   - If you selected Use default NTP servers, NETGEAR's primary and secondary NTP servers for your time zone will appear.
   - If you selected Use custom NTP servers, enter an NTP server IP address or fully qualified domain name (FQDN) in the address fields. For r
9. [Figure 2-4: administrative interface navigation: Active Users, Ethernet Port 2 (IP 10.0.0.1), Event Log, Diagnostics, Portal Layouts, Launch Portal, Knowledge Base, Documentation.]

Configuring Basic Network Settings

Before deploying the SSL VPN Concentrator into your existing network, you should configure the following basic settings:
- Change the administrator password
- Configure DNS server IP address
- Configure a default route
- Configure Ethernet interface IP addresses

To prepare for installation:

1. Change the administrator account password.
   a. On the left side of the browser window, select the Users and Groups link.
   b. In the Users table, click on admin.
   c. Type your new Password and re-type it to Confirm Password.
   d. Click Apply.
2. Configure the DNS server IP address.
   a. On the left side of the browser window, select the Network link.
   b. In the Network menu, click the DNS Settings radio button.
   c. Enter at least one DNS server IP address.
   d. Click Apply.
3. Configure a default route for Internet access.
   a. On the left side of the browser window, select the Network link.
   b. In the Network menu, click the Static Routes radio button.
   c. Specify the Default Gateway Address.
      - If you plan a single-arm topology, the Default Gateway is your corporate firewall. Specify that IP address for the ethernet 1 interface.
      - If you plan a routing
10. [VPN Tunnel Client requirements, continued]

... 10.4 (Tiger).
- Browsers: The Firefox browser supports only VPN tunnel, VNC, Network Places, and Utilities. IE is required for Port Forwarding Applications and Terminal Services.

Adding IP Address Ranges

Determine the address range you will assign to VPN Tunnel Clients, then define the address range in the SSL VPN Concentrator administrative interface.

To configure the SSL VPN Tunnel client address range:

1. Under Access Administration in the left navigation pane, select VPN Tunnel. The VPN Tunnel Client screen displays. In the Client IP Address Range section of the screen you can define the IP address range to assign to incoming VPN Tunnel clients. The default range begins with 192.168.251.1 and ends with 192.168.251.254.
2. In the Client Address Range Begin field, enter the first IP address of the IP address range.
3. In the Client Address Range End field, enter the last IP address of the IP address range.
4. Select one of the following:
   - Enter the Network Subnet to enable Split Tunnel Mode (point-to-point). If you choose a different subnet for the VPN Tunnel client range than the subnet used by the corporate network, then you must:
     a. Add a client route to configure the VPN Tunnel client to connect to the corporate network using the VPN tunnel.
     b. Create a static route on the corporate network firewall to forward traffic intended for the VPN clients to the SSL VPN gateway.
   - Select the Enable Full Tunnel Support check box to enab
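The Split Tunnel procedure above, as an added example (not NETGEAR's code) that validates a Begin/End client range and works out which of the two extra routes, the client route and the firewall static route, are needed for a given corporate subnet. The corporate subnet and gateway address are constructed, and the route strings are this example's own notation rather than anything the appliance exports.

```python
"""Split Tunnel route planning for the VPN Tunnel client address range above.

Added example, not NETGEAR code. It validates a Begin/End client range and,
following the two-step note in the procedure, lists the routes needed when
that range is not part of the corporate subnet: (a) a client route sending
the corporate subnet through the tunnel and (b) a static route on the
corporate firewall sending the client range to the SSL VPN gateway.
Addresses below are constructed; route strings are this example's notation.
"""
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network


def covering_network(begin: str, end: str) -> IPv4Net:
    """Smallest single CIDR block containing the whole Begin..End range
    (it may include a few addresses outside the range, e.g. .0 and .255)."""
    first, last = ipaddress.IPv4Address(begin), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("Client Address Range End precedes Begin")
    net = ipaddress.IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()            # widen by one bit until End fits
    return net


def plan_split_tunnel(begin: str, end: str, corp_subnet: str,
                      gateway_ip: str) -> Dict[str, List[str]]:
    """Routes each side needs for Split Tunnel Mode with the given client range."""
    corp = IPv4Net(corp_subnet, strict=True)
    clients = covering_network(begin, end)
    if clients.subnet_of(corp):
        # clients live in the corporate subnet: the manual requires no extra routes
        return {"client_routes": [], "firewall_routes": []}
    if clients.overlaps(corp):
        raise ValueError(f"client block {clients} straddles corporate subnet {corp}")
    return {
        # a. client route: corporate subnet reachable through the tunnel
        "client_routes": [f"{corp} via tunnel"],
        # b. firewall static route: client block reachable via the SSL VPN gateway
        "firewall_routes": [f"{clients} via {gateway_ip}"],
    }


if __name__ == "__main__":
    # the manual's default client range against a constructed 192.168.1.0/24 LAN
    print(plan_split_tunnel("192.168.251.1", "192.168.251.254",
                            "192.168.1.0/24", "192.168.1.1"))
```

Without the firewall route in (b), corporate hosts answer VPN clients via their default gateway, which has no path back to 192.168.251.0/24, so connections open from the client and silently time out; the planner makes that route explicit.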
11. [Contents, continued]
  (entry unreadable) ... 3-12
  Deleting a Domain ... 3-13
Chapter 4 Setting Up User and Group Access Policies
  Determine Your Requirements ... 4-1
  Users, Groups, and Global Policies ... 4-2
  Global Policies ... 4-3
  Editing Global Policy Settings ... 4-4
  Adding and Editing Global Policies ... 4-5
  Defining and Editing Global Bookmarks ... 4-6
  Groups Configuration ... 4-7
  Adding a New Group ... 4-7
  Editing Group Settings ... 4-8
  Defining and Editing Group Policies ... 4-9
  Defining and Editing Group Bookmarks ... 4-11
  Deleting a Group ... 4-12
  Users Configuration ... 4-13
  Adding a New User ... 4-14
  Editing a User ... 4-16
  Defining and Editing User Policies ... 4-18
  Defining and Editing a User
12. [Figure 2-9: View Certificate. Issuer: C=US, ST=California, L=Santa Clara, O=NETGEAR Inc, OU=ProSafe SSL VPN Concentrator, CN=NetGear/emailAddress=support@netgear.com. Subject: C=US, ST=California, L=Santa Clara, O=NETGEAR Inc, OU=ProSafe SSL VPN Concentrator, CN=NetGear/emailAddress=support@netgear.com. Serial Number: 7. Status: Active. Expiration Date: May 7 07:38:56 2011 GMT.] Issuer and Subject are identical, i.e. the default certificate is self-signed.

You can also delete an expired or incorrect certificate. Click Delete to delete the certificate.

Note: The Delete button will not be displayed if the SSL certificate is active. To delete a certificate, upload and activate another SSL certificate. Then you can delete the inactive certificate from the View Certificate window.

Steps for Further Configuration

The next steps in configuring the SSL VPN Concentrator are:
- Create authentication domains (Chapter 3, Authenticating Users)
- Define user and group settings (Chapter 4, Setting Up User and Group Access Policies)

Chapter 3 Authenticating Users

Remote users connecting to the SSL VPN Concentrator must be authenticated before being allowed to access the network. The login window presented to the user requires three items: a User Name, a Password, and a Domain selection. The Domain determines the authentication method to be used and the portal layout that will be presented
13. Chapter 4 Setting Up User and Group Access Policies

This chapter describes how to define users and groups and how to configure SSL VPN Concentrator access policies and bookmarks for the users and groups. This chapter includes the following topics:
- Determine Your Requirements
- Users, Groups, and Global Policies
- Global Policies
- Groups Configuration
- Users Configuration
- Using Network Resource Objects to Simplify Policies

Determine Your Requirements

The ProSafe SSL VPN Concentrator 25 provides an extremely flexible and granular architecture for managing users and groups. Depending on your requirements, you can implement a simple or complex policy structure. Some general guidelines are:
- If you have a small number of users, all with the same privileges and no central authentication server, you can just add your users to the SSL VPN Concentrator's local user database, using the default group and domain.
- If you use a RADIUS, LDAP, NT, or Active Directory authentication server, you do not need to add individual users into the SSL VPN Concentrator unless you wish to define specific policies or bookmarks per user. Configure groups using the same group names as defined in your authentication server.

Note: When adding Group/Global policies, if the user is authenticated using an external repository such as
14. This chapter explains how to define authentication domains. It describes:
- Authentication Domains
- Local User Database Authentication
- RADIUS and NT Domain Authentication
- Configuring for NT Domain Authentication
- LDAP Authentication
- Active Directory Authentication
- Kerberos Authentication
- Deleting a Domain

If your implementation consists of a small number of users, a single portal layout, and no central authentication server, you can skip this chapter and simply use the default domain, geardomain.

Authentication Domains

To view the SSL VPN Concentrator Domains window from the Administrative User Interface, click the Domains option under the Access Administration menu in the left navigation pane.

[Figure 3-1: Domains table (Domain Name, Authentication, Server IP Address): geardomain, local, local. Add Domain.]

All of the configured domains will be listed in the table in the Domains window. The domains are listed in the order in which they were created. By default, the geardomain authentication domain is already defined, using the SSL VPN Concentrator's local internal user database for user authentication. Additional domains may be created that use the internal user database authentication or require authentication to remote authentication servers. The SSL VPN Concentrator supports RADIUS (PAP, CHAP, MSCHAP, and MSCHAPv2), L
15. ... closed their browser windows. An administrator may terminate a user session and log the user out by clicking the Delete link in the Logout column adjacent to the user.

Event Log

The SSL VPN Concentrator provides web-based logging. It also provides the ability to send log messages to an external syslog server using the syslog protocol, and to e-mail log files and alert messages to an e-mail address or pager. To configure syslog and event log settings, see Log Settings on page 8-5.

To view the SSL VPN Concentrator event log, click Event Log under the Monitoring menu in the left navigation menu. The Event Log window displays.

[Figure 8-3: Event Log. Search in: Time; Find, Exclude, Reset. Columns: Time, Source, Destination, User, Message. Sample row: 1969-12-31 16:4:29, 192.168.1.x (partly unreadable), 192.168.1.1, admin, "User login successful".]

The Event Log window displays log messages in a sortable, searchable table. The SSL VPN Concentrator stores 250 KB of log data, or approximately one thousand log messages. Once the log file reaches the log size limit, the log is cleared and optionally e-mailed to the SSL VPN Concentrator administrator. Because the on-box store is small and is cleared when full, configure the syslog export in Log Settings if records must be available for a later investigation, and set the date and time first: the 1969 timestamp in the figure is the unset-clock value, and forwarded records will carry the same meaningless time.

Each event log entry displays the following information, if applicable:
- Time and date of log event: The time stamp displays the date and time of log events. The time and date is displayed as
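The Event Log table described in the two Event Log passages above (the column list in item 4 and the sort/Find/Exclude window here), worked as an added example that is not NETGEAR's code. The rows are constructed in the table's five-column order as tab-separated text; that text form and the wording of the failed-login message are this example's assumptions, not an appliance export format. Besides the sort and search operations the window offers, it adds the two checks a responder wants over an exported or syslog-forwarded copy: failed logins per source, and whether the timestamps are the unset-clock value.

```python
"""Parsing, searching and triaging SSL312-style Event Log rows.

Added example, not NETGEAR code. Rows are constructed in the five column
layout of the Event Log table (Time, Source, Destination, User, Message) as
tab-separated text; the text form and the "login failed" wording are this
example's assumptions rather than an appliance export format.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    time: datetime
    source: Optional[str]        # may be absent, e.g. for system errors
    destination: Optional[str]
    user: Optional[str]
    message: str


def parse_event_log(text: str) -> List[Event]:
    """One event per line, five tab-separated columns; empty column -> None."""
    events = []
    for line in text.strip().splitlines():
        t, src, dst, user, msg = line.split("\t")
        events.append(Event(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
                            src or None, dst or None, user or None, msg))
    return events


def sort_by(events: List[Event], field: str, reverse: bool = False) -> List[Event]:
    """Click-a-column-header sort; rows without a value sort first."""
    return sorted(events, key=lambda e: (getattr(e, field) is not None,
                                         str(getattr(e, field))), reverse=reverse)


def search(events: List[Event], field: str, term: str,
           exclude: bool = False) -> List[Event]:
    """Find (keep matching rows) or Exclude (drop them) on one column."""
    def hit(e: Event) -> bool:
        value = getattr(e, field)
        return value is not None and term.lower() in str(value).lower()
    return [e for e in events if hit(e) != exclude]


def failed_logins_by_source(events: List[Event], threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` failed logins: a password-guessing signal."""
    counts = Counter(e.source for e in events
                     if e.source and "login failed" in e.message.lower())
    return {src: n for src, n in counts.items() if n >= threshold}


def clock_unset(events: List[Event]) -> bool:
    """True when any row predates the product: 1969/1970 means epoch time."""
    return any(e.time.year < 2000 for e in events)


# Constructed sample in the table's column order (RFC 5737 address as attacker)
SAMPLE_LOG = """\
2007-05-07 09:12:01\t192.168.1.10\t192.168.1.1\tadmin\tUser login successful
2007-05-07 09:15:44\t203.0.113.7\t192.168.1.1\tadmin\tUser login failed
2007-05-07 09:15:51\t203.0.113.7\t192.168.1.1\troot\tUser login failed
2007-05-07 09:16:02\t203.0.113.7\t192.168.1.1\tadmin\tUser login failed
2007-05-07 09:20:13\t192.168.1.10\tintranet.example.com\tjane\tHTTP access
2007-05-07 09:21:00\t\t\t\tSSL VPN Concentrator restarting
"""

if __name__ == "__main__":
    evs = parse_event_log(SAMPLE_LOG)
    print(failed_logins_by_source(evs), "clock unset:", clock_unset(evs))
```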
16. [German certificate of the manufacturer/importer, tail, translated:] ... that this device has been placed on the market, and it is entitled to test the series for compliance with the regulations.

Export: This software product and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or re-export may be required by the U.S. Department of Commerce.

Licensing: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes software developed by the Apache Software Foundation (http://www.apache.org/). This product includes SSLeay cryptographic software written by Tim Hudson (tjh@cryptsoft.com) and Eric Young (eay@cryptsoft.com).

Product and Publication Details
  Model Number: SSL312
  Publication Date: May 2007
  Product Family: Concentrator
  Product Name: ProSafe SSL VPN Concentrator 25
  Home or Business Product: Business
  Language: English
  Publication Part Number: 202-10208-04
  Publication Version Number: 2.0

Contents
About This Manual
  Conventions, Formats, and Scope ... ix
  How to Use This Manual ... x
  How to Print This Manual ...
17. ... field.
   - Enter the Port Range or Port Number for the IP Address or IP Network you selected.

   Note: Only default ports are allowed for Terminal Services, FTP, and CIFS. An Administrator cannot configure user-desired ports for these services.

3. Click Add Resource to add the IP address or IP network to the Network Resource. The new configuration appears in the Defined Resource Addresses table, as shown in the example below.

[Figure 4-21: Edit Network Resource. Network Resource Name: Remote Users; Service: Telnet. Defined Resource Addresses (Type, Resource, Port): Network Range, 10.0.0.0-10.63.255.255, 40, Delete; Host Address, 192.168.10.10, 8080, Delete. Add Resource Addresses: Object Type (IP Address), IP Address/Name, Port Range/Port Number; Back, Add Resource.]

Note: You may define up to 128 addresses or address ranges per Network Resource.

To delete a defined resource, click Delete in the Defined Resource Addresses table adjacent to the resource you wish to delete.

Chapter 5 Configuring the Remote Access Web Portal

Th
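A Network Resource as defined above, as an added example that is not NETGEAR's code: it models the Defined Resource Addresses table (a host or first-last range, each with a port or port range), the 128-entry cap, and the note that Terminal Services, FTP and CIFS accept only their default ports, then answers the question a policy review needs, whether a given destination and port fall inside the resource. The default port numbers it enforces for those three services (3389, 21, 445) and the hosts it adds are this example's assumptions; the Telnet resource from Figure 4-21 is used as the sample.

```python
"""Matching destinations against an SSL312 Network Resource.

Added example, not NETGEAR code. Models the Defined Resource Addresses
table, the 128-entry limit, and the default-port-only rule for Terminal
Services, FTP and CIFS. The port numbers in FIXED_PORT_SERVICES and all
addresses below are this example's assumptions.
"""
import ipaddress
from typing import List, Tuple

MAX_ADDRESSES = 128
FIXED_PORT_SERVICES = {"Terminal Services": 3389, "FTP": 21, "CIFS": 445}
IPv4 = ipaddress.IPv4Address


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """'40' -> (40, 40); '8000-8080' -> (8000, 8080)."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not (0 < lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port spec {spec!r}")
    return lo_i, hi_i


def parse_address_spec(spec: str) -> Tuple[IPv4, IPv4]:
    """'192.168.10.10' -> (a, a); '10.0.0.0-10.63.255.255' -> (first, last)."""
    first, _, last = spec.partition("-")
    a, b = IPv4(first), IPv4(last or first)
    if b < a:
        raise ValueError(f"range end precedes start in {spec!r}")
    return a, b


class NetworkResource:
    def __init__(self, name: str, service: str):
        self.name, self.service = name, service
        self.entries: List[Tuple[IPv4, IPv4, int, int]] = []

    def add(self, address_spec: str, port_spec: str) -> None:
        """Add one row to Defined Resource Addresses, enforcing the two notes."""
        if len(self.entries) >= MAX_ADDRESSES:
            raise ValueError("a Network Resource holds at most 128 addresses")
        a, b = parse_address_spec(address_spec)
        lo, hi = parse_port_spec(port_spec)
        fixed = FIXED_PORT_SERVICES.get(self.service)
        if fixed is not None and (lo, hi) != (fixed, fixed):
            raise ValueError(f"{self.service} allows only port {fixed}")
        self.entries.append((a, b, lo, hi))

    def allows(self, ip: str, port: int) -> bool:
        """True when some row covers both the address and the port."""
        addr = IPv4(ip)
        return any(a <= addr <= b and lo <= port <= hi
                   for a, b, lo, hi in self.entries)


if __name__ == "__main__":
    remote = NetworkResource("Remote Users", "Telnet")     # Figure 4-21 sample
    remote.add("10.0.0.0-10.63.255.255", "40")
    remote.add("192.168.10.10", "8080")
    print(remote.allows("10.63.255.255", 40), remote.allows("10.64.0.0", 40))
```

The first row in the figure covers 10.0.0.0 through 10.63.255.255, i.e. a /10 containing over four million addresses; `allows` makes such breadth visible before the resource is attached to a group policy.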
18. ... on page 2-3.

To erase your SSL VPN Concentrator configuration settings using the Erase button:
1. In the Utilities menu, click Erase.
2. A dialog box will prompt you to confirm the change. Click OK to restore the initial factory default configuration settings.
   [Figure 7-5: Microsoft Internet Explorer dialog: "Are you sure you want to restore the default settings? The SSL VPN Gateway will be restarted and all current connections will be dropped." OK / Cancel.]

The SSL VPN Concentrator software will automatically be restarted and all active connections will be dropped.

Note: Imported certificates will not be lost when the SSL VPN Concentrator configuration is erased. If you are decommissioning or transferring the unit, delete the imported certificates separately from the Certificates menu, since Erase leaves them, and the server.key that was uploaded with them, on the device.

Upgrading the SSL VPN Concentrator Firmware

Note: Be sure to export the SSL VPN Concentrator configuration file before upgrading the firmware, in case the software is corrupted or the entire system needs to be reinstalled.

You can download new versions of firmware from NETGEAR's SSL312 support page at http://kbserver.netgear.com/products/ssl312.asp.

To install a new version of the SSL VPN Concentrator firmware:
1. Download the new firmware from NETGEAR's support site. If the file is a zip archive, extract it and save it to your PC.
2. In the Utilities menu, click Upgrade. A submenu will display. Utili
19. ... updated, the new group policy appears in the table in the Edit Group Settings menu. The group policies in the Group Policies table are ranked by order of priority, from the highest priority policy to the lowest priority policy.

Defining and Editing Group Bookmarks

SSL VPN Concentrator bookmarks provide a convenient way for SSL VPN users to access computers on the local area network that they will connect to frequently. Group bookmarks will apply to all members of the specific group. When group bookmarks are defined, all group members will see the defined bookmarks from the SSL VPN portal. Individual users will not be able to delete or modify group bookmarks.

To define group bookmarks:
1. In the Group Bookmarks section of the Group Settings menu, click Add Bookmark. An Add Bookmark menu displays.
   [Figure 4-9: Add Bookmark. Bookmark Name; Name or IP Address; Service: Terminal Services (RDP5); Screen Size: 640x480.]
2. In the Bookmark Name field, enter a descriptive name.
3. In the Name or IP Address field, enter the domain name or the IP address of a host machine on the LAN.
4. Fr
20. 5. Enter the subnet mask. The subnet mask specifies the network number portion of an IP address. The factory default is 255.255.255.0.
6. Click Apply to save your settings.

From the Network screen you can define the default network route. The default route is required for Internet access.

1. In the Default Gateway section, enter the IP address of the router or default gateway of the network in the Default Gateway Address field. The default gateway address is the same gateway address used by local area network computers to connect to the Internet, and it may be the address of a network firewall.
2. From the Interface pull-down menu, select the Ethernet interface (ethernet 1 or ethernet 2) that should be used to connect to the default gateway address.
3. Click Apply to save your settings.

Note: The SSL VPN Concentrator does not perform Network Address Translation (NAT), and it only enforces access policies on SSL VPN traffic, not on other TCP/IP protocols. Therefore the SSL VPN Concentrator should be used in conjunction with a network firewall. In practice this means the firewall, not the concentrator, is what restricts non-SSL traffic to and through the appliance; do not treat the concentrator as a perimeter device.

If the interface is configured to terminate SSL VPN connections, then restart the SSL VPN Concentrator software for the change to take effect.

Note: The SSL VPN Concentrator administrative session will end when the software is restarted. To log in to the SSL VPN Co
21. ... to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.

EU Regulatory Compliance Statement: ProSafe SSL VPN Concentrator 25 is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024, and EN60950.

Certificate of the Manufacturer/Importer: It is hereby certified that the ProSafe SSL VPN Concentrator 25 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.

Bestätigung des Herstellers/Importeurs: [German-language version of the certificate above, stating the same for the ProSafe SSL VPN Concentrator 25 and ending with the notice to the Bundesamt für Zulassungen in der Telekommunikation.]
23. [Revision history, continued] ... 2007: Removed references to SNMP (not supported); bug fixes (v1.5 firmware). Expanded feature set (v2.0 firmware).

Chapter 1 Introduction

This chapter describes some of the key features of the NETGEAR ProSafe SSL VPN Concentrator 25 (SSL312). It also includes the minimum prerequisites for installation (Web Browser Requirements on page 1-2), package contents (What's in the Box on page 1-3), and a description of the front and back panels of the SSL312 (Hardware Description on page 1-3).

About the ProSafe SSL VPN Concentrator 25

The ProSafe SSL VPN Concentrator 25 is a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources without requiring a pre-installed VPN client on their laptops. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the SSL VPN Concentrator can authenticate itself to an SSL-enabled client such as a standard web browser. Once the authentication and negotiation of encryption information is completed, the server and client can establish an encrypted connection. With support for 25 concurrent sessions, users can easily access the remote network for a customizable, secure user portal experience from virtually any available platform.

Key Features

The ProSafe SSL VPN Concentrator 25 is easy to use and to administer th
24. [Adding Portal Layouts, continued]

   d. Check the Enable HTTP meta tags for cache control checkbox to apply HTTP meta tag cache control directives to this Portal Layout. Cache control directives include:
        <meta http-equiv="pragma" content="no-cache">
        <meta http-equiv="cache-control" content="no-cache">
        <meta http-equiv="cache-control" content="must-revalidate">
      These directives help prevent clients' browsers from caching SSL VPN portal pages and other web content. Meta http-equiv tags are only a hint to the browser; the equivalent HTTP response headers (Cache-Control and Pragma) are honoured far more consistently, so verify the portal's actual response headers as well as the markup.

      Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data being stored in a user's web browser cache.

   e. Check the ActiveX web cache cleaner checkbox to load an ActiveX cache control when users log in to the SSL VPN portal. The web cache cleaner will prompt the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window. The ActiveX web cache control will be ignored by web browsers that don't support ActiveX, so it is a client-side convenience for Internet Explorer users, not a control that can be relied on.

3. In the SSL VPN Portal Pages to Display section, select the portal pages you wish users to access. Any pages that are not selected will not be visible from the portal navigation menu.

Note: If you hide portal pages or applications, you should also create SSL VPN access policies that deny access to the corresponding applications; hiding a page is a presentation setting, not access control. The portal layo
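A check for the three cache-control meta directives listed above, as an added example (not NETGEAR's code). It parses a portal page and reports which of the documented `http-equiv` directives are absent, then applies a stricter version of the same check to the HTTP response headers, which browsers honour more consistently than meta tags. The sample page and header sets are constructed; requiring `no-store` in the header check is this example's own rule (the manual's `no-cache` alone permits a response to be stored and revalidated), not something the manual states.

```python
"""Checking a portal page for the cache-control directives listed above.

Added example, not NETGEAR code. Parses the <meta http-equiv=...> tags of an
HTML page against the three directives the manual lists, and checks the
HTTP response headers with this example's own stricter rule that requires
'no-store' as well. Sample page and headers are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple

# exactly the three directives the manual's meta tags carry
REQUIRED_META: Set[Tuple[str, str]] = {
    ("pragma", "no-cache"),
    ("cache-control", "no-cache"),
    ("cache-control", "must-revalidate"),
}
# stricter header-level rule (assumption of this example): no-store added
REQUIRED_CACHE_CONTROL = ("no-store", "no-cache", "must-revalidate")


class _MetaCollector(HTMLParser):
    """Collects (http-equiv, directive) pairs; a content value may carry
    several comma-separated directives, so each token is recorded."""

    def __init__(self) -> None:
        super().__init__()
        self.found: Set[Tuple[str, str]] = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":                     # HTMLParser lower-cases tag names
            return
        a = {k: (v or "") for k, v in attrs}
        equiv = a.get("http-equiv", "").lower()
        for token in a.get("content", "").lower().replace(",", " ").split():
            self.found.add((equiv, token))


def missing_meta_directives(html: str) -> List[Tuple[str, str]]:
    """Documented meta directives the page does not carry, sorted."""
    collector = _MetaCollector()
    collector.feed(html)
    return sorted(REQUIRED_META - collector.found)


def missing_header_directives(headers: Dict[str, str]) -> List[str]:
    """Directives absent from the response's Cache-Control/Pragma headers."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    cc = {t.strip() for t in h.get("cache-control", "").split(",")}
    missing = [d for d in REQUIRED_CACHE_CONTROL if d not in cc]
    if "no-cache" not in h.get("pragma", ""):
        missing.append("pragma: no-cache")
    return missing


# Constructed portal page: two of the three meta tags present
SAMPLE_PAGE = """<html><head>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<title>SSL VPN Portal</title></head><body>portal</body></html>"""

# Constructed response headers: manual's directives, but no 'no-store'
SAMPLE_HEADERS = {"Cache-Control": "no-cache, must-revalidate", "Pragma": "no-cache"}

if __name__ == "__main__":
    print("meta missing:", missing_meta_directives(SAMPLE_PAGE))
    print("header missing:", missing_header_directives(SAMPLE_HEADERS))
```

Run `missing_header_directives` on the headers captured from a real login to the portal (any proxy or the browser's network panel shows them); a page that passes the meta check but fails the header check is still cacheable by browsers that ignore `http-equiv`.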
LDAP, NT Domain, and Active Directory authentication in addition to internal user database authentication. Because a portal layout (portal pages, themes, banners, and so on) must be associated with a domain, multiple domains are necessary if you wish to display different portal layouts to different users.

Local User Database Authentication

You can create multiple domains that authenticate users with user names and passwords stored in a local user database on the SSL VPN Concentrator.

To add a new authentication domain using the local user database:

1. In the Domains menu, click Add Domain. An Add Domain window displays (Figure 3-2) with the fields Authentication Type, Domain Name, and Portal Layout Name, and Back, Apply, and Cancel buttons.
2. From the Authentication Type pull-down menu, select Local User Database.
3. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name users will select in order to log into the SSL VPN portal.
4. From the Portal Layout Name pull-down menu, select the name of the layout. The default layout is SSL VPN. You can define additional layouts in the Portal Layouts screen.
5. Click Apply to update the configuration.

Once the domain has been added, it is displayed in the table on the Domains screen.
Microsoft NT, or RADIUS, then the user name must be added to the local database. If the user is authenticated by the LDAP repository, then the user is added to the policy automatically.

• To create complex policies involving groups of host names, IP addresses, or IP address ranges, define these groups as network objects using Network Resources, as described in Using Network Resource Objects to Simplify Policies.
• To present different portal content to different users (for example, external suppliers), create the new portal layout, then add a new domain that selects the new portal layout.

Users, Groups, and Global Policies

An administrator can define and apply user, group, and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses, and to different SSL VPN services. A fixed hierarchy determines which policy takes precedence. The SSL VPN Concentrator policy hierarchy is:

1. User policies take precedence over all group policies.
2. Group policies take precedence over all global policies.
3. Among policies at the same level (user, group, or global), if two or more policies match, the most specific policy takes precedence. For example, a policy configured for a single IP address takes precedence over a policy configured for a range of addresses, and a policy that applies to a ran
VPN Concentrator.

To generate a self-signed certificate file:

1. Under the System Configuration menu in the left navigation pane, select Certificates. The Certificates menu displays as shown in the previous section.
2. In the Digital Certificate Management section, click New CSR/CRT. The Create CSR screen displays.
3. Fill out all of the fields with the appropriate information. This information will appear in your certificate and will be visible to users.
4. Check the Generate a Self-signed Certificate checkbox to generate a new CRT.
5. Click Apply. If all information is entered correctly, a file download screen displays.
6. Click Save to save the crt.zip file to a disk location. This file includes a server.crt certificate file and a server.key key file.
7. Upload and enable the certificate according to the instructions later in this chapter.

Uploading and Enabling the New Certificate

For uploading to the SSL VPN Concentrator, the certificate information must be in a zipped file containing a certificate file named server.crt and a certificate key file named server.key. If the zipped file does not contain these two files, the zipped file will not be uploaded. Any file name will be accepted for the archive itself, but it must have the .zip extension.

Note: Do not upload the CSR file to the SSL VPN Concentrator.

To upload and enable the new certificate:
a default LDAP group will be created with the same name as the LDAP domain name. Although you can add additional groups to or delete groups from this domain, you cannot delete the default LDAP group.

For an LDAP group you can define LDAP attributes. For example, you can specify that users in an LDAP group must be members of a certain group or organizational unit defined on the LDAP server, or you can specify a unique LDAP distinguished name.

Note: The Microsoft Active Directory database uses an LDAP organization schema. The Active Directory database can be queried using Kerberos authentication (the standard authentication type; this is labeled Active Directory domain authentication in the SSL VPN Concentrator), NTLM authentication (labeled NT Domain authentication in the SSL VPN Concentrator), or LDAP database queries. So an LDAP domain configured in the SSL VPN Concentrator can authenticate to an Active Directory server. To add an LDAP authentication domain, see Authentication Domains in Chapter 3.

Sample LDAP Attributes

You can enter up to 4 LDAP attributes per group. The following are some example LDAP attributes of Active Directory LDAP users:

name=Administrator
memberOf=CN=TerminalServerComputers,CN=Users,DC=netgear,DC=net
objectClass=user
msNPAllowDialin=FALSE
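The attributes above are requirements a user's LDAP entry must satisfy before the SSL312 places the user in the group. The following is an added example, not NETGEAR code and not a description of the appliance's internals: it parses requirements in the attribute=value form shown, enforces the manual's limit of 4 per group, and matches them against an LDAP entry the way an Active Directory server compares these attributes (case-insensitively, with whitespace around the commas of a distinguished name ignored). The sample entry is constructed; splitting a DN on bare commas ignores escaped commas, which is a deliberate simplification, and rejecting quotes in values is this example's choice, extending the manual's "do not include quotes" rule for the BaseDN.

```python
"""Match an LDAP user entry against a group's attribute requirements.

Added example, not NETGEAR code. SAMPLE_ENTRY is a constructed stand-in for
an Active Directory user object.
"""

MAX_ATTRIBUTES_PER_GROUP = 4   # limit stated in the manual


def parse_requirement(text):
    """'memberOf=CN=Users,DC=x' -> ('memberOf', 'CN=Users,DC=x').

    Split at the first '=' only, because a DN value contains '=' itself.
    Quotes are rejected (the UI expects none; example's own rule)."""
    if "=" not in text:
        raise ValueError(f"not an attribute=value pair: {text!r}")
    attr, value = (s.strip() for s in text.split("=", 1))
    if not attr or not value:
        raise ValueError(f"empty attribute or value: {text!r}")
    if '"' in value or "'" in value:
        raise ValueError(f"do not include quotes: {text!r}")
    return attr, value


def normalize_value(value):
    """Case-fold and drop whitespace around RDN separators, so that
    'cn=Users, dc=netgear, dc=net' equals 'CN=Users,DC=netgear,DC=net'.
    (Escaped commas inside RDN values are not handled: simplification.)"""
    return ",".join(part.strip() for part in value.split(",")).lower()


def entry_matches(entry, requirements):
    """True if the entry satisfies every requirement (logical AND).

    entry: mapping of attribute name -> list of string values, as an LDAP
    search returns it. Attribute names are compared case-insensitively."""
    if len(requirements) > MAX_ATTRIBUTES_PER_GROUP:
        raise ValueError(f"at most {MAX_ATTRIBUTES_PER_GROUP} attributes per group")
    folded = {k.lower(): [normalize_value(v) for v in vals]
              for k, vals in entry.items()}
    for req in requirements:
        attr, value = parse_requirement(req)
        if normalize_value(value) not in folded.get(attr.lower(), []):
            return False
    return True


# Constructed sample entry shaped like an Active Directory user object.
SAMPLE_ENTRY = {
    "name": ["Administrator"],
    "memberOf": [
        "CN=TerminalServerComputers,CN=Users,DC=netgear,DC=net",
        "CN=Domain Admins,CN=Users,DC=netgear,DC=net",
    ],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "msNPAllowDialin": ["FALSE"],
}
```

Note that memberOf only lists direct group membership; a requirement on a group the user belongs to through a nested group will not match with this comparison, so name the group the user is directly a member of.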
Domain. An Add Domain window displays.

In the Add Domain window:

1. From the Authentication Type menu, select LDAP. The Add Domain window displays the fields for a domain with LDAP authentication (Figure 3-5: Authentication Type, Domain Name, Server Address, LDAP BaseDN, and Portal Layout Name, with Back, Apply, and Cancel buttons). The Authentication Type menu offers Local User Database, Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPV2, LDAP, NT Domain, and Active Directory (Kerberos).
2. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name users will select in order to log into the SSL VPN portal. It can be the same value as the Server Address field.
3. In the Server Address field, enter the IP address or domain name of the server.
4. In the LDAP BaseDN field, enter the search base for LDAP queries. An example of a search base string is CN=Users,DC=yourdomain,DC=com.

Note: Do not include quotes in the LDAP BaseDN field.

5. From the Portal Layout Name drop-down menu, select the name
than the IP address range defined in Policy 1.

• An FTP server at ftp.company.com: the user would be granted access by Policy 3. A single host name is more specific than the IP address range configured in Policy 2.

Note: The user would not be able to access ftp.company.com using its IP address, 10.0.1.3. The SSL VPN Concentrator policy engine does not perform reverse DNS lookups, so a policy written for a host name matches only requests made by that host name.

Global Policies

You can view and configure the SSL VPN Concentrator Global Policies, Groups, and Users by selecting Users and Groups under the Access Administration menu in the left navigation pane. The Users and Groups screen (Figure 4-1) shows the Global Policies section (with an Edit Global Policies link), the Groups table (Name, Domain; Add Group), and the Users table (Name, Group, Type). The default entries are the geardomain group and the admin user of type Administrator.

Editing Global Policy Settings

To edit global settings:

1. In the Global Policies table, click the Edit Global Policies link. The Global Settings screen displays (Figure 4-2) with an Inactivity Timeout field (default 10 minutes), a Global Policies table (Name, Action, Service, Destination, Port; Add Policy), and a Global Bookmarks table (Bookmark Name, Name, IP Address, Application; Add Bookmark).
2. In the Inactivity Timeout field, enter the number of minutes of i
Figure 5-4 shows the Add Terminal Services Application form: Application Description, Application and Path (for example, a path under C:\Program Files\Microsoft Office), Icon Image (Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft FrontPage, Generic Application), and Host Address (optional).

To add a Terminal Services Application:

1. In the Application Description field, enter a description of the application. This name appears beneath the application icon on the SSL VPN Portal Applications page.
2. In the Application and Path field, enter the path and application name of the Terminal Services application.

Note: To launch a Terminal Services application individually, the Terminal Server must be run in Application mode. In addition, the application must be installed through the Control Panel Add/Remove Programs. For more information, see the NETGEAR Support Site.

3. From the Icon Image menu, select an image to appear on the Applications page.
4. Click Add Application to add the new application to the SSL VPN Portal Applications page.
5. Apply the portal layout to one or more SSL VPN Concentrator authentication domains.

Customizing the Banner

An administrator can further customize the portal by uploading a customized image for the banner.

To upload a banner image:

1. On the Portal Layout screen (see Figure 5-2), click Upload Banner. Th
ation pane, select the Users and Groups option. The Users and Groups menu displays (Figure 4-5): the Global Policies section with an Edit Global Policies link, the Groups table (Name, Domain; Add Group), and the Users table (Name, Group, Type; Add User). The default entries are the geardomain group and the admin user of type Administrator.

Adding a New Group

To create a new group:

1. In the Users and Groups menu, click Add Group. The Add Group menu displays (Figure 4-6) with the fields Group Name and Domain.
2. In the Group Name field, enter a descriptive name for the group.
3. In the Domain menu, select the appropriate domain. The domain determines the authentication method for the group.
4. Click Apply to update the configuration.

Once the group has been added, the new group appears in the Groups table on the Users and Groups menu. All of the configured groups are displayed in that table, listed in alphabetical order.

Editing Group Settings

To edit group settings:

1. In the Groups table, click the name of the group. The Edit Group Settings menu displays. The general group information, including the Group Name, Domain Name, and Inactivity Timeout, is displayed. The Group Name and Domain Name are not configurable.
2. In the Inactivity Timeout field
by service type. The most specific policy takes precedence over less specific policies. For example, a policy that applies to only one IP address has priority over a policy that applies to a range of IP addresses. If two policies apply to a single IP address, then a policy for a specific service (for example, RDP) takes precedence over a policy that applies to all services.

Note: User policies take precedence over all group policies, and group policies take precedence over all global policies, regardless of the policy definition. A user policy that allows access to all IP addresses will take precedence over a group policy that denies access to a single IP address. Review user-level policies with care: a broad user-level PERMIT silently overrides every narrower group or global DENY.

To define group access policies:

1. In the Group Policies section of the Group Settings menu, click Add Policy. An Add Policy menu displays (Figure 4-8) with the fields Apply Policy To (default Network Resource), Policy Name, Defined Resource, and Status (default PERMIT).
2. From the Apply Policy To pull-down menu, select whether the policy will be applied to a predefined network resource, an individual host, a range of addresses, or all addresses.
3. In the Policy Name field, define a name for the policy.

Note: SSL VPN Concentrator policies apply to the destination address(es) of the SSL VPN connectio
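The precedence rules stated here and in the policy hierarchy and worked example of the earlier sections (user over group over global; then the narrower destination; then a specific service over all services; host-name policies not matching requests made by IP address) are the kind of thing worth checking before trusting a policy set. The following is an added example, not NETGEAR code and not the appliance's implementation: a small resolver that applies those rules to a constructed policy set. Where the manual is silent the example makes stated assumptions: a tie between two address ranges is broken by the smaller range, a request that matches no policy at all is denied, and host names are compared literally with no DNS resolution in either direction.

```python
"""Resolve SSL VPN access policies according to the manual's hierarchy.

Added example, not NETGEAR code. Policies, subjects and addresses are
constructed. Assumptions beyond the manual: smaller range wins a tie, no
matching policy means deny, host names are compared literally.
"""
import ipaddress
from dataclasses import dataclass

SCOPE_RANK = {"user": 0, "group": 1, "global": 2}   # lower rank wins


@dataclass(frozen=True)
class Policy:
    scope: str          # "user", "group" or "global"
    subject: str        # user name, group name, or "" for global
    name: str
    destination: str    # "all", an IP, a host name, a CIDR, or "start-end"
    service: str        # "all" or one service such as "FTP", "RDP", "SSH"
    action: str         # "PERMIT" or "DENY"


def _parse_dest(dest):
    """Return ("all", None), ("host", ip-or-name) or ("range", (lo, hi))."""
    if dest.lower() == "all":
        return "all", None
    try:
        return "host", ipaddress.ip_address(dest)
    except ValueError:
        pass
    if "-" in dest:
        try:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in dest.split("-", 1))
            return "range", (lo, hi)
        except ValueError:
            pass
    try:
        net = ipaddress.ip_network(dest, strict=False)
        return "range", (net[0], net[-1])
    except ValueError:
        return "host", dest.lower()          # host name, compared literally


def _size(dest):
    """Addresses covered by a destination; smaller means more specific."""
    kind, v = _parse_dest(dest)
    if kind == "all":
        return float("inf")
    if kind == "host":
        return 1
    return int(v[1]) - int(v[0]) + 1


def _matches(dest, target):
    kind, v = _parse_dest(dest)
    if kind == "all":
        return True
    if kind == "host":
        if isinstance(v, str):                # host name: literal match only
            return target.lower() == v
        try:
            return ipaddress.ip_address(target) == v
        except ValueError:
            return False
    try:
        t = ipaddress.ip_address(target)
    except ValueError:
        return False                          # a name never matches a range
    return v[0] <= t <= v[1]


def policies_for(policies, user, group):
    """Global policies plus those of the user's group and of the user."""
    return [p for p in policies if p.scope == "global"
            or (p.scope == "group" and p.subject == group)
            or (p.scope == "user" and p.subject == user)]


def resolve(policies, target, service):
    """The policy that decides (target, service), or None if none matches."""
    matching = [p for p in policies if _matches(p.destination, target)
                and p.service.lower() in ("all", service.lower())]
    if not matching:
        return None
    # user > group > global, then narrower destination, then specific service
    return min(matching, key=lambda p: (SCOPE_RANK[p.scope], _size(p.destination),
                                        1 if p.service.lower() == "all" else 0))


def is_permitted(policies, target, service):
    p = resolve(policies, target, service)
    return p is not None and p.action == "PERMIT"   # no match: deny (assumption)


# Constructed sample policy set.
POLICIES = [
    Policy("global", "", "Policy 1", "10.0.0.0/8", "all", "PERMIT"),
    Policy("global", "", "Policy 2", "10.0.1.0/24", "all", "DENY"),
    Policy("global", "", "Policy 3", "ftp.company.com", "FTP", "PERMIT"),
    Policy("global", "", "Policy 4", "10.0.1.0/24", "RDP", "PERMIT"),
    Policy("group", "sales", "Sales deny", "10.0.1.50", "all", "DENY"),
    Policy("user", "alice", "Alice all", "all", "all", "PERMIT"),
]
```

With this set, a user in the sales group reaches 10.0.1.20 over RDP (Policy 4, a specific service, beats Policy 2's deny of all services on the same subnet) but not over SSH, reaches ftp.company.com by name (Policy 3) but is denied 10.0.1.3 by address (Policy 2, since no reverse lookup connects the two), and is denied 10.0.1.50 entirely by the group policy; alice's user-level "all / all" PERMIT overrides even that group deny, which is exactly the case the note above warns about.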
cation to save the configuration file. The file is named CONF.ZIP by default, but it can be renamed.
4. Click Save to save the configuration file.

Importing a Configuration File

To import a saved configuration file:

1. In the Utilities menu, click Import. The Import Configuration Zip File form displays (Figure 7-4) with a File field, a Browse button, and Upload and Cancel buttons.
2. Click Browse to locate a saved configuration zip file. The configuration zip file should contain the GEARHOST.CONF, SMM.CONF, and TUNNELD.CONF files.
3. Select the file and then click Import.
4. Restart the SSL VPN Concentrator server for the settings changes to take effect.

Erasing the Configuration and Restoring the Default Settings

Two methods are available for erasing the configuration and restoring the factory default settings. You can press and hold the front panel Factory Defaults push button for more than five seconds, or you can use the Erase button in the Utilities menu. All settings are restored to defaults with the exception of the Certificates table: any certificates that you have imported, with their private keys, remain in the table. If you are decommissioning or handing over the device, delete those certificates separately, since a reset does not remove them. After erasing the configuration, you must access the device using its factory default IP address, as described in Initial Connection to the SSL VPN Concentrator.
certificate will trigger a warning from most browsers, because a self-signed certificate gives the browser no way to verify the identity of the server: anyone can present a self-signed certificate for the same name. Your SSL VPN Concentrator contains a self-signed certificate from NETGEAR. NETGEAR recommends that you replace this certificate prior to deploying the SSL VPN Concentrator in your network.

From the Certificates menu you can view the currently loaded certificates, upload a new certificate, and generate a Certificate Signing Request (CSR).

Obtaining a Certificate from a Certificate Authority

To obtain a certificate from a CA, you must generate a Certificate Signing Request (CSR) for your SSL VPN Concentrator. The CSR is a file containing information about your company and about the device that will hold the certificate. Refer to the CA for guidelines on the information you include in your CSR.

To generate a new Certificate Signing Request (CSR) file:

1. Under the System Configuration menu in the left navigation pane, select Certificates. The Certificates screen displays (Figure 2-5). It contains an Import Digital Certificate section (File field, Browse, Upload, Cancel; "Upload a zip file containing server.key and server.crt files"), a Digital Certificate Management section ("Create a Certificate Signing Request for an SSL certificate OR Create a Self-signed Certificate", with a New CSR/CRT button), and a Certificates table (Cert Description, Status, Expiration) listing the factory NetGear certificate as Active, expiring May 7 07:38:56 2011 GMT.
2. In the Digital Certificate Management section, cli
checkbox to display a custom message at the top of the new page.

Modify any of the services in the SSL VPN Portal Pages to Display, Services Page Available Services, or Desktop Page Available Remote Desktop Clients sections of the Portal Layouts screen. For example:

• Leave the Desktop Page Add Bookmark button checkbox checked to display all applicable user, group, and global bookmarks in a single table on the desktop page.
• Leave the Display banner message on login page checkbox checked and enter a custom message to be displayed at the top of the portal login page in the Banner message field.

Click Apply to update the home page content.

Creating a Guide to Using the Portal

The application note is a template document created in Microsoft Word that can be customized according to the way that your portal is configured.

Chapter 6: Configuring the SSL VPN Tunnel Client and Port Forwarding

This chapter describes the configuration for the SSL VPN Tunnel Client and for Port Forwarding. When a remote user accesses the SSL VPN Concentrator from a PC that allows ActiveX content, these two features can be activated. For each of these features, the SSL312 installs a small client program on the user's PC tha
ck New CSR/CRT. The Create CSR screen displays.
3. Fill out all of the fields with the appropriate information. This information will appear in your certificate and will be visible to users. The Create CSR screen (Figure 2-6) offers "Generate a New Certificate Signing Request (CSR) OR Generate a New Self-signed Certificate (CRT)" and contains the fields Name, Organization, Unit/Department, City/Locality, State (Full Name), Country, FQDN (Domain Name), Email, Password, and New key pair length (shown as 1024 in the figure), plus a Generate a Self-signed Certificate checkbox. The sample values in the figure (Group1, Cruzio, Sales, NoCity, CA, US, cruzio.com, sales@cruzio.com) are illustrative only. The screen notes: "A CSR may be provided to a Certificate Authority (CA) to generate a valid certificate. It should not be directly uploaded to the SSL VPN gateway."

Note: The 1024-bit key length shown in the figure is no longer accepted by public CAs and is disallowed by NIST SP 800-131A. Select 2048 bits or more if the New key pair length menu offers it.

4. Click Apply. A file download screen will display. Click Save to save the csr.zip file to a disk location. You will need to provide this file to the Certificate Authority.
5. Contact the CA to purchase your certificate using the CSR file you generated.
6. When you receive your certificate from the CA, store the certificate file on your PC.
7. Upload and enable the certificate according to the instructions later in this chapter.

Generating a Self-Signed Certificate

As an alternative to obtaining a certificate from a CA, you can generate a self-signed certificate for your SSL
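Two things on this screen and in the upload instructions of this chapter are worth checking mechanically before an upload: that the zip holds exactly server.crt and server.key (the appliance rejects anything else, and a CSR must never be uploaded as the certificate), and that the key is not the 1024-bit length shown in the figure. The following is an added example, not NETGEAR code and not a description of what the appliance does internally: it builds a bundle in the accepted layout and checks one, reading the RSA modulus size from the key with a minimal DER reader. The key fixtures it produces are constructed placeholders with the right DER shape, not usable keys; it assumes the key is RSA in PKCS#1 or unencrypted PKCS#8 PEM form.

```python
"""Build and check the server.crt / server.key zip the SSL312 accepts.

Added example, not NETGEAR code. fake_rsa_key_pem makes DER-shaped
placeholders for testing only; they are not real keys.
"""
import base64
import io
import re
import zipfile

REQUIRED_NAMES = {"server.crt", "server.key"}
MIN_RSA_BITS = 2048   # 1024-bit RSA is disallowed by NIST SP 800-131A


def build_bundle(crt_pem, key_pem, crt_name="server.crt", key_name="server.key"):
    """Zip bytes in the accepted layout; the name args only build bad fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(crt_name, crt_pem)
        zf.writestr(key_name, key_pem)
    return buf.getvalue()


def _pem_body(pem, label_re):
    m = re.search(r"-----BEGIN (" + label_re + r")-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block with an expected label")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def _der_read(buf, pos):
    """Read one DER TLV at pos -> (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(key_pem):
    """Modulus size of an RSA private key in PKCS#1 or PKCS#8 PEM form."""
    label, der = _pem_body(key_pem, r"RSA PRIVATE KEY|PRIVATE KEY")
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("key is not a DER SEQUENCE")
    if label == "PRIVATE KEY":                 # PKCS#8: version, algid, OCTET STRING
        _, _, p = _der_read(seq, 0)
        _, _, p = _der_read(seq, p)
        tag, inner, _ = _der_read(seq, p)
        if tag != 0x04:
            raise ValueError("PKCS#8 privateKey is not an OCTET STRING")
        _, seq, _ = _der_read(inner, 0)        # the wrapped RSAPrivateKey
    _, _, p = _der_read(seq, 0)                # RSAPrivateKey version
    tag, modulus, _ = _der_read(seq, p)        # modulus n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_bundle(zip_bytes):
    """Return a list of problems; an empty list means the bundle is acceptable."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if names != REQUIRED_NAMES:
            return [f"zip must contain exactly {sorted(REQUIRED_NAMES)}, found {sorted(names)}"]
        crt = zf.read("server.crt").decode("ascii", "replace")
        key = zf.read("server.key").decode("ascii", "replace")
    if "-----BEGIN CERTIFICATE REQUEST-----" in crt:
        problems.append("server.crt is a CSR; the CSR must not be uploaded")
    elif "-----BEGIN CERTIFICATE-----" not in crt:
        problems.append("server.crt is not a PEM certificate")
    try:
        bits = rsa_key_bits(key)
        if bits < MIN_RSA_BITS:
            problems.append(f"RSA key is {bits} bits; use at least {MIN_RSA_BITS}")
    except ValueError as e:
        problems.append(f"server.key: {e}")
    return problems


def _der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(x):
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return _der_tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)


def fake_rsa_key_pem(bits, pkcs8=False):
    """Constructed placeholder (NOT a real key) whose modulus has `bits` bits."""
    n = (1 << (bits - 1)) | 1
    body = _der_tlv(0x30, _der_int(0) + _der_int(n) + _der_int(65537) + _der_int(1) * 6)
    label = "RSA PRIVATE KEY"
    if pkcs8:   # wrap in PrivateKeyInfo with the rsaEncryption OID
        algid = _der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
        body = _der_tlv(0x30, _der_int(0) + algid + _der_tlv(0x04, body))
        label = "PRIVATE KEY"
    return f"-----BEGIN {label}-----\n{base64.encodebytes(body).decode()}-----END {label}-----\n"
```

In practice, read the real server.crt and server.key files into build_bundle, run check_bundle on the result, and upload only when it returns an empty list. The CA-signed path uses the same layout: the certificate returned by the CA goes in as server.crt alongside the private key that belongs to the CSR.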
Figure 4-18 shows the Add Network Resource form, with a Resource Name field, a Services menu listing Telnet, Secure Shell (SSH), VPN Tunnel, Port Forwarding, and All Services, and an Apply button.
3. In the Resource Name field, enter a name for the Network Resource.
4. From the Services pull-down menu, select the type of service to which the Network Resource will apply.
5. Click Apply. The new Network Resource appears in the table on the Network Resources menu (Figure 4-19: Resource Name and Service columns, for example RemoteUsers / Telnet, with a Delete link and an Add Resource button).

To edit the Network Resource:

1. In the table on the Network Resources menu, click the name of the resource in the Resource Name column. The Edit Network Resource screen displays (Figure 4-20). It shows the Resource Name and Service, a Defined Resource Addresses table (Type, Resource, Port), and an Add Resource Addresses form (Object Type, IP Address/Name, Port Range/Port Number, with Back and Add Resource buttons).
2. From the Object Type pull-down menu under Add Resource Addresses, select either IP Address or IP Network.
• If you selected IP Address, enter an IP address or fully qualified domain name in the IP Address/Name field.
• If you selected IP Network, enter the IP network address in the Network Address field and the mask length in the Mask Length (0-31)
connection to the desktop of various platforms.
Network Places: a Network Neighborhood-style display of the corporate network.
Port Forwarding: a thin web-based client that provides a secure tunnel for specified TCP ports. A client program is downloaded to the remote PC from the SSL312.
Utilities: Telnet, SSH, and FTP clients are implemented on the SSL VPN Concentrator.

The configuration of the VPN Tunnel and Port Forwarding features is described in Chapter 6, Configuring the SSL VPN Tunnel Client and Port Forwarding.

Adding Portal Layouts

The SSL VPN Concentrator administrator may define individual layouts for the SSL VPN portal. The layout configuration includes the theme, menu layout, portal pages to display, portal application icons to display, and web cache control options. The default portal layout is the SSL VPN portal. You can add additional portal layouts. You can also make any new portal the default portal for the SSL VPN gateway by selecting the default radio button adjacent to the portal layout name.

Note: To apply a portal layout to a domain, add a new domain and select the portal layout from the Portal Layout Name menu on the domain configuration page. The selected portal layout will be applied to all users in the new domain.

To add a new portal lay
TCP applications available to remote users.

To configure applications for Port Forwarding:

1. From the Access Administration menu in the left navigation pane, select the Port Forwarding option. The Port Forwarding configuration screen displays (Figure 6-3). It has two sections: Configured Applications for Port Forwarding (a table of Local Server IP Address and TCP Port Number, with IP Address and TCP Port entry fields and Apply/Cancel buttons) and Configured Host Names for Port Forwarding (a table of Local Server IP Address and Fully Qualified Domain Name, with matching entry fields and Apply/Cancel buttons). The screen notes that configured host names allow Port Forwarding clients to access servers by name, and that the addresses should correspond with the TCP applications configured above.
2. In the Configured Applications for Port Forwarding section, enter the IP address of an internal server or host computer in the IP Address field.
3. In the TCP Port field, enter the TCP port number of the application to be tunneled. Table 6-1 lists many commonly used TCP applications and port numbers; see http://www.iana.org for a more complete list of registered port numbers.
4. Click Apply. The IP address and port number submitted appear in the Configured Applications for Port Forwarding table.

Table 6-1: Port Forwarding Applications and TCP Port Numbers
d configuration and status monitoring
Concurrent Users: 25 tunnels
Supported Encryption: DES, 3DES, AES; MD5, SHA-1 (hash algorithms)
Modes: Single Arm (one port) and Routed/Bridged (two ports)
Authentication: Local User database, RADIUS, LDAP, MS Active Directory
Certificates supported: X.509, CRL
Aggregate Throughput: 6.5 Mbps
Status LEDs: Power, Test, Ethernet LAN1 and LAN2
Electromagnetic Compliance: FCC Part 15 Class B, CE, and C-TICK
Environmental Specifications: operating temperature 0 to 50 C; operating humidity 5 to 95%, non-condensing

Note: DES and MD5 are obsolete; DES keys are recoverable by brute force and MD5 collisions are practical. Prefer AES with SHA-1 wherever the client's cipher negotiation allows it.

Appendix B: Related Documents

This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.

Template for creating an end-user guide: http://documentation.netgear.com/ssl312/enu/202-10208-01/appnote.doc
Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm
Virtual Private Networking (VPN): http://documentation.netgear.com/reference/enu/vpn/index.htm
Glossary: http://documentation.netgear.com/reference/enu/glossary/index.htm
domain name of the internal server.
3. Click Apply to submit the host-to-name mapping. The IP address and domain name should appear in the Configured Host Names for Port Forwarding table.

Now remote users will be able to securely access network applications once they have logged into the SSL VPN portal and launched Port Forwarding.

Chapter 7: Additional System Configuration

This chapter describes additional network and configuration management functions provided by the Web Management Interface. The additional functions include:
• Configuring Network Settings
• Setting Date and Time
• System Configuration Utilities
• Additional Notes on the Management Interface

Configuring Network Settings

The IP settings and interface settings of the SSL VPN Concentrator appliance are configured through the Network screen under the System Configuration menu on the left navigation panel. From the Network window an SSL VPN Concentrator administrator can:
• Set the Ethernet Port 1 and Ethernet Port 2 addresses
• Define the default network route and add additional static IP routes
• Map host names or fully qualified domain names to IP addresses
• Manage SSL Certificates, as described in Managing Certificates in Chapter 2

Warning: These advanced network settings should only be configured by a network administrator.

Sample SSL VPN Concentrator Configuratio
e Custom Banner screen displays (Figure 5-5): "Browse and select a gif file to import", a File field with a Browse button, and Upload and Cancel buttons. The screen notes that (1) the banner image to be uploaded should be less than 10k, and (2) the recommended GIF size is 612 x 85.
2. Click Browse to locate and upload a .gif file. If the upload is successful, two new buttons appear on the Portal Layout screen: View Banner and Delete Banner.
• Click View Banner to view the uploaded banner.
• Click Delete Banner to delete an uploaded banner.

Duplicating and Editing Portal Layouts

You can edit the features of an existing portal, for example create a banner or banner message that displays at the top of the page, or show or hide all applicable bookmarks (user, group, and global) for each user. You can optionally upload an HTML file. You can also create another portal with all of the features of the existing portal by changing the existing portal layout name.

Tip: To create another portal with all of the features of an existing portal, open the existing portal and change the layout name field. This will not rename the existing portal. Instead, it will create a new portal with the new name.

To add a new Portal by editing an existing Portal layout:

1. Under the SSL VPN Portal menu on the left navigation pane, click Por
e-arm operation:
• Assign Ethernet Port 1 an IP address on your local network.
• Disable Ethernet Port 2.
• Disable Routing Mode.
• Define a default route to the firewall.
• If your firewall performs NAT, you must configure the firewall to forward incoming HTTPS traffic to the IP address of Ethernet Port 1.

Note: NETGEAR recommends single-arm operation for most networks.

Routing

In the routing (two-port) topology, the SSL VPN Concentrator is connected in parallel with your existing firewall. Ethernet Port 1 is connected to the untrusted side of your firewall, while Ethernet Port 2 connects to your corporate network. As shown in Figure 2-1, encrypted SSL traffic from a remote user is sent directly to the SSL VPN Concentrator, which authenticates the user and displays the portal and the resources authorized for that user. The user's subsequent requests for network services are decrypted by the SSL VPN Concentrator and relayed to the appropriate network servers on the corporate network.

Figure 2-1: Routing mode topology. The SSL312 sits between the public, untrusted (red) side, shown with the example public address 66.123.4.80, and the local, trusted (green) network, shown with the example internal address 10.0.0.10.

Routing mode has the advantage of offloading SSL traffic from your firewall. However, your network may not be as well protected, since the firewall cannot inspect this traffic: in this topology the SSL VPN Concentrator's own policies are the only control between the untrusted network and the corporate LAN. In later steps you will use the fol
e front of your device to reset all settings to their factory defaults. This is called a hard reset.
• To perform a hard reset, push and hold the Factory Defaults button for approximately 5 seconds, until the TEST light turns on. Your device will return to the factory configuration settings shown in Table A-1 below.

Table A-1: SSL312 Default Configuration Settings

Management Login
  User Login URL: 192.168.1.1
  User Name (case sensitive): admin
  Login Password (case sensitive): password
Ethernet Port 1
  IP Address: 192.168.1.1
  Subnet Mask: 255.255.255.0
  Port Speed: 10/100
  Gateway Address: 0.0.0.0
Ethernet Port 2
  IP Address: 10.0.0.1
  Subnet Mask: 255.0.0.0
  Port Speed: 10/100
  Gateway Address: 0.0.0.0
Concentrator
  Ethernet MAC Address: see bottom label
  Time Zone: GMT
  Time Zone Adjusted for Daylight Saving Time: automatically enabled if DST is available in the area selected, otherwise disabled
  Console Port: 9600 bps, 8 data bits, 1 stop bit, no parity, no flow control

Note: The default credentials (admin / password) are published in every copy of this manual. Change the password before the device is reachable from any untrusted network, and again after every factory reset, which restores them.

Technical Specifications

Table A-2: SSL312 Technical Specifications

Network Management: Web-base
49. ...eDirectory's Path.

Figure 3-6: Require CIFS Bookmark to home directory (Add Domain screen with Authentication Type set to Active Directory; fields Domain Name, Server Address, Active Directory Domain, Portal Layout Name (SSL-VPN), and the Require CIFS Bookmark to home directory checkbox; Back, Apply, Cancel buttons).

3. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name users will select in order to log into the SSL VPN portal. It can be the same value as the Server Address field or the Active Directory Domain field, depending on your network configuration.
4. In the Server Address field, enter the IP address or host and domain name of the Active Directory server.
5. In the Active Directory Domain field, enter the Active Directory domain name.
6. From the Portal Layout Name menu, select the name of the layout. The default layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.
7. Check the Require CIFS bookmark to home directory radio box to automatically allow access to users of this domain, and add the home directory path in the field provided.
8. Click Apply to update the configuration. Once the domain has been added, the domain displays in the table on the Domains screen.

Troubleshooting Active Directory Authentication

If...
50. [illegible front-matter entry] ................................................ xii

Chapter 1 Introduction
    About the ProSafe SSL VPN Concentrator 25 ............................... 1-1
    [illegible entry] ....................................................... 1-1
    Web Browser Requirements ................................................ 1-2
    What's in the Box ....................................................... 1-3
    Hardware Description .................................................... 1-3
    [illegible entry] ....................................................... 1-3
    [illegible entry] ....................................................... 1-4
    Steps for Deploying the SSL312 .......................................... 1-5

Chapter 2 Installing the SSL312
    Choosing a Network Topology ............................................. 2-1
    Single Arm .............................................................. 2-1
    Routing ................................................................. 2-2
    Initial Connection to the SSL VPN Concentrator .......................... 2-3
    Accessing the Management Interface ...................................... 2-4
    Configuring Basic Network Settings ...................................... 2-6
    Installing the SSL VPN [illegible] ...................................... 2-8
    Managing Certificates ................................................... 2-8
    Obtaining a Certificate from a Certificate Authority .................... 2-...
51. ...edundancy, enter a backup custom server address in the Secondary Server Name and IP Address fields.

Note: If you select the default NTP servers, or if you enter a custom server FQDN, the SSL VPN Concentrator must determine the IP address of the NTP server by a DNS lookup. You must configure a DNS server address in the Network menu before the SSL VPN Concentrator can perform this lookup.

6. Click Apply to update the configuration. If you enabled NTP, then the NTP time settings will override the manually configured time settings. The NTP time settings will be determined by the NTP server and the time zone that is selected in the Select Your Time Zone menu.

System Configuration Utilities

The Utilities menu allows you to:
- export the configuration file
- import a saved configuration file
- upgrade the SSL VPN Concentrator software
- restore the settings to factory defaults
- restart the SSL VPN Concentrator

In addition, the menu allows users to encrypt the configuration files. To access the SSL VPN Concentrator software and system settings, click Utilities under the System Configuration menu in the left navigation pane. The Utilities menu will display.

Utilities screen: Save or Restore Configuration (Save your current configuration file to disk; Import a saved configuration file; Revert to...
52. [illegible entry] ......................................................... 7-1
    Network Interface and Default Gateway Configuration ..................... 7-2
    Static Route Configuration .............................................. 7-4
    Network Host Table Settings ............................................. 7-6
    Configuring DNS Settings ................................................ 7-7
    Setting Date and Time ................................................... 7-9
    System Configuration Utilities .......................................... 7-10
    Encrypting the Configuration File ....................................... 7-11
    Exporting and Saving a Backup Configuration File ........................ 7-11
    [illegible entry ending in "File"] ...................................... 7-12
    Erasing the Configuration and Restoring the Default Settings ............ 7-13
    Upgrading the SSL VPN Concentrator Firmware ............................. 7-13
    Additional Notes on the Management Interface ............................ 7-14

Chapter 8 Monitoring and Logging
    SSL VPN Concentrator Status ............................................. 8-1
    [illegible entry] ....................................................... 8-3
    Event Log ............................................................... 8-4
    Log Settings ............................................................ 8-5
    Diagnostics ............................................................. 8-9

Appendix A Default Settings and Technical Specifications
    Factory Default Settings ................................................ A-1
    Technical Specifications ................................................ A-2

Appendix B Related Documents

Index

About This Manual

The NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual describ...
53. ...enter the number of minutes of inactivity to allow for users in the group. Click Apply to save the configuration changes.

Figure 4-7: Edit Group Settings screen (Group Name; Group Domain Name: geardomain; Inactivity Timeout: 0 Minutes, with the note "Set the Inactivity Timeout to 0 to use the Global timeout setting"; Delete Group, Apply, Cancel; Group Policies table with Name, Action, Service, Destination, Port and the note "Group policies take precedence over global policies"; Add Policy; Group Bookmarks table with Bookmark Name, Name, IP Address, Application; Add Bookmark).

You can set the inactivity timeout at the user, group, and global level. Set the timeout as 0 in the user and group configuration to use the global timeout setting. If multiple timeout settings are configured, the user timeout setting will take precedence over the group timeout, and the group timeout will take precedence over the global timeout. The maximum timeout setting is 2^23, or over 100,000 minutes, although setting the timeout to 0 on the Global Settings page disables the inactivity timeout if 0 is also configured as the inactivity timeout for the user and group.

Defining and Editing Group Policies

With group access policies, all traffic is allowed by default. You can create additional allow and deny policies by destination address or address range and...
54. ...enu displays the fields for entering the DNS Settings.

Figure 7-5: DNS Settings screen (Network: Interfaces, Static Routes, Host Table, DNS Settings; fields Hostname: gearhost, Primary DNS Server, Secondary DNS Server, DNS domain (Optional)).

2. Enter the Hostname for the SSL VPN Concentrator. The hostname identifies the SSL VPN Concentrator on the network. Use only letters and numbers for the hostname; do not enter non-alphanumeric characters such as spaces or apostrophes.
3. In the Primary DNS Server field, enter the IP address of your DNS server.
4. In the Secondary DNS Server field, enter the IP address of a backup DNS server for redundancy.
5. In the DNS Domain field, enter the domain name of your network. This field is optional and is not required for most network environments.
6. Click Apply to update the configuration.

Note: If you update the SSL VPN Concentrator hostname (gearhost by default), you must restart the SSL VPN Concentrator for the change to take effect. DNS settings changes take effect immediately.

Setting Date and Time

To configure the SSL VPN Concentrator date and time settings:
1. Under the System Configuration menu in the left navigation pane, click Date and Time. The SSL VPN Concentrator uses the date and time settings to timestamp log events, verify certificate validity...
55. ...er authentication services do not have the same hierarchical structure and group definitions as Active Directory. If you want to apply specific policies or bookmarks to a group of RADIUS, NT, or LDAP users, you must add each user on the Users and Groups screen.

Configuring for Windows Active Directory Authentication

To configure Windows Active Directory authentication:
1. Click Add Domain. An Add Domain window displays.

Note: Of all types of authentication, Active Directory authentication is the most error prone. If you are unable to authenticate using Active Directory, please read the troubleshooting procedure at the end of this section.

2. From the Authentication Type menu, select Active Directory. Fields for Active Directory configuration display.

Figure residue: Add Domain screen with the Authentication Type menu open (Radius-PAP, Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory, Kerberos, LDAP, Local User Database) and, with Active Directory selected, the fields Domain Name, Server Address, Active Directory Domain, Portal Layout Name (SSL-VPN), Home Directory Base Path (\\ServerName\Hom...
56. ...er, group, and global policies.

Figure 4-14 residue: Add Policy; User Bookmarks table (Bookmark Name, Name, IP Address, Application); Add Bookmark.

2. To modify the user password, enter the new user password in the Password field.
3. In the Confirm Password field, enter the new password again.
4. Click Apply to update the configuration.

To change the user inactivity timeout:
1. In the Inactivity Timeout field, enter the number of minutes of inactivity to allow.
2. Click Apply to save the configuration changes.

Defining and Editing User Policies

To define user access policies:
1. On the Edit User Settings screen, click Add Policy. An Add Policy menu displays.

Figure 4-15: Add Policy screen (Apply Policy To: Network Resource; Policy Name; Defined Resource: Remote Users; Status: PERMIT).

2. In the Apply Policy To pull-down menu, select whether the policy will be applied to a predefined network resource, an individual host, a network, or all addresses.
3. In the Policy Name field, enter a name for the policy.

Note: SSL VPN Concentrator policies apply to the destination address(es) of the SSL VPN connection, not the source address. You cannot permit or block a specific IP address on the Internet from authenticating to the SSL VPN Concentrator through the policy engine.

- If your policy applies...
57. ...ere are two common network topologies for installing the SSL VPN Concentrator: single arm or routing. Variations of these topologies are possible, particularly if your firewall supports a DMZ connection.

Single Arm

In the single-arm (or one-port) topology, the SSL VPN Concentrator's Ethernet Port 1 is connected to your corporate Ethernet network behind your existing firewall, while Ethernet Port 2 is not used. The single active Ethernet port hosts both the encrypted connection to the Internet and the decrypted connection to the corporate network's resources. As shown in the following figure, encrypted SSL traffic from a remote user passes through the firewall and terminates at the SSL VPN Concentrator, which authenticates the user and displays the portal and resources authorized for that user. The user's subsequent requests for network services are decrypted by the SSL VPN Concentrator and relayed to the appropriate corporate network servers.

Figure 2-1: Single-arm topology (Corporate Server IP Address 192.168.1.3; Firewall/Router IP Address 192.168.1.254; LAN Subnet 192.168.1.0/24; Internet; SSL312 IP Address 192.168.1.1).

Single-arm mode has the advantage of being protected by your firewall. In later steps you will use the following settings when configuring for singl...
58. ...erpret the SSL VPN Concentrator log files. The SSL VPN Concentrator syslog service transmits syslog messages to external syslog server(s) listening on UDP port 514.

To configure Syslog Settings, E-mail Settings, and Log and Alert Categories for syslog and alert settings:
1. Under the System Configuration menu in the left navigation pane, click Log Settings.

Figure 8-4: Log Settings screen (Syslog Settings: Primary Syslog Server, Secondary Syslog Server; Email Settings: Email Events Logs to, Email Alerts to, Mail Server, Mail From Address, Mail User Name, Mail Password, Send Event Logs (When Full, Daily, or Weekly, with Time and Day schedule menus), Send Log, Clear Log; Log and Alert Categories: Syslog Messages: Debug, Event Log: Debug, Alerts: Error).

2. In the Syslog Settings section, enter the IP address or fully qualified domain name of your syslog server in the Primary Syslog Server field. Leave this field blank if you do not re...
59. ...ertificate screen displays.

Figure 2-8: Enable Certificate screen (Certificate Description: cruzio.com; Issuer: C=US, ST=CA, L=NoCity, O=Pretend, OU=Sales, CN=cruzio.com, emailAddress=test@cruzio.com; Subject: C=US, ST=CA, L=NoCity, O=Pretend, OU=Sales, CN=cruzio.com, emailAddress=test@cruzio.com; Serial Number: 0 (0x0); Status: Active; Expiration Date: Dec 27 11:28:14 1970 GMT; Certificate Password field).

5. Enter the Certificate Password and click Enable. The SSL VPN Concentrator software will restart using the new certificate.

Note: The file server.key contains your SSL VPN Concentrator's private encryption key, which is used to decrypt messages. It is extremely important that you safeguard this file.

Viewing and Deleting Certificates

The Current Certificates table lists the valid SSL certificates. The certificate being used by the SSL VPN Concentrator will not show an Enable link.

To view details of currently available certificates: In the Certificate table, click the name of the certificate. The View Certificate window is displayed for that certificate. From the View Certificate window you can view the issuer and certificate subject information.

View Certificate screen residue: Certificate Description: NetGear; C=US, ST=California, L=Santa Clara, O=NETGEAR; Issuer...
60. ...es displays.

Figure 2-3: Login screen (NETGEAR; User Name: admin; Password; Domain: geardomain).

3. When prompted, enter admin for the User Name and password for the Password, both in lower-case letters.

Note: Both the user name and password are case sensitive.

4. From the Domain drop-down menu, select geardomain.
5. Click Login to log in to the SSL VPN Concentrator Management Interface.

Once you have logged in, the following Status screen will display. The navigation links under the System Configuration, Access Administration, Monitoring, SSL VPN Portal, and Web Support headings on the left side of the browser window allow you to access and configure administrative settings. When one of the navigation options is clicked, the corresponding management configuration screen will display.

Status screen residue: "Note: You might need to refresh the page to get real time updates." System Information: Version NETGEAR SSL312 SSL-VPN 2.0.02; RAM 119528 kB; Memory Usage 38; CPU Usage 98; Free Space 8MB disk space. System Activity: Uptime 0 Days 5 Hours 28 Minutes 22 Seconds; Start Time Tue Jan 20 16:38:29 1970; Active Users 1 (View current users). Status: Ethernet Port 1 IP 192.168.1...
61. ...es how to install and configure the SSL312. The information in this manual is intended for administrators who will configure the SSL312. You should have intermediate computer and Internet skills.

Conventions, Formats, and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs.

- Typographical Conventions. This manual uses the following typographical conventions:
    Italics: Emphasis, books, CDs, file and server names, extensions
    Bold: User input, IP addresses, GUI screen text
    Fixed: Command prompt, CLI text, code
    italic: URL links
- Formats. This manual uses the following formats to highlight special messages:
    Note: This format is used to highlight information of importance or special interest.
    Tip: This format is used to highlight a procedure that will save time or resources.
    Warning: Ignoring this type of note could result in a malfunction or damage to the equipment.
    Danger: This is a safety warning. Failure to take heed of this notice could result in personal injury or death.
- Scope. This manual is written for the SSL VPN Concentrator according to these specifications:
    Product Version: ProSafe SSL VPN Concentrator 25 SSL312
    Manual Publication Date: May 2007

For more information about network, Internet, firewall, and VPN tech...
62. ...factory default settings and restart; Encrypt configuration file checkbox; Firmware Upgrade: Upgrade software file, Upgrade. (Figure 7-2)

Encrypting the Configuration File

For security purposes, you can encrypt the configuration files. However, if the configuration files are encrypted, they cannot be edited or reviewed for troubleshooting purposes.

To encrypt the configuration files: In the Utilities menu, check the Encrypt configuration file checkbox. The configuration files will be encrypted when they are exported to disk and decrypted when they are imported.

Exporting and Saving a Backup Configuration File

You may save the SSL VPN Concentrator configuration settings to a backup file and then import the saved configuration file later.

To save a backup version of the SSL VPN Concentrator configuration:
1. From the Save or Restore Configuration section of the Utilities menu, click Export. A screen will display prompting you to Open or Save the file.
2. Click Save.

Figure 7-3: File Download dialog ("Do you want to open or save this file?" Name: conf.zip; Type: WinZip File, 1.14 KB; From: 192.168.1.1; Open, Save; "While files from the Internet can be useful, some files can potentially harm your computer. If you do not trust the source, do not open or save this file. What's the risk?").

3. Choose the lo...
63. ...fields will display.
3. Enter a descriptive name for the authentication domain in the Domain Name field. Users will select this domain when they log into the SSL VPN portal. It can be the same value as the Server Address field or the Kerberos Domain field, depending on your network configuration.
4. Enter the IP address or fully qualified domain name of the Kerberos server in the Server Address field.
5. Enter the Kerberos domain name in the Kerberos Domain field.
6. Enter the name of the layout in the Portal Layout Name field. The default layout is SSL-VPN. Additional layouts may be defined from the SSL VPN Portal > Portal Layouts screen.

Note: If you selected a portal layout other than SSL-VPN, then the domain will not be displayed on the default login page. Users will need to log in at https://<IP/Domain Name>/portal/<Portal Name>.

7. Click Apply. Once the domain has been added, the domain will be added to the Domains table.

Deleting a Domain

To delete a domain, click the Delete link in the Domains table for the domain you wish to remove. Once the SSL VPN Concentrator has been updated, the deleted domain will no longer appear in the Domains table.

Note: The SSL VPN Concentrator geardomain domain cannot be deleted.
64. ...ge of IP addresses takes precedence over a policy applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Hostnames are treated the same as individual IP addresses.

Network Resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire Network Resource.

For example, let's assume the following global policy configuration:
- Policy 1: A Deny rule has been configured to block all services to the IP address range 10.0.0.0 - 10.0.0.255.
- Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 - 10.0.1.10.
- Policy 3: A Permit rule has been configured to allow FTP access to the predefined network resource FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5 - 10.0.0.20, and ftp.company.com, which resolves to 10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user attempted to access:
- An FTP server at 10.0.0.1, the user would be blocked by Policy 1.
- An FTP server at 10.0.1.5, the user would be blocked by Policy 2.
- An FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range 10.0.0.5 - 10.0.0.20 is more specific th...
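The precedence rules above (a single host or hostname beats a range, a smaller range beats a larger one, "all addresses" comes last, and a Network Resource is ranked by each of its individual entries) can be replayed as a small evaluator. The following is an added example, not NETGEAR's code or the SSL312's actual policy engine; the user-before-group-before-global ordering, the "DENY wins" tie-break for two matching ranges of equal size, and the hostname table used in place of DNS are assumptions made for the illustration. It reproduces the manual's Policy 1/2/3 example and additionally shows that ftp.company.com (10.0.1.3) falls under Policy 3, because a single address is more specific than Policy 2's range.

```python
"""Most-specific-match evaluation of SSL VPN access policies (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class AddrRange:
    """Inclusive IPv4 address range; a single host is a range of size 1."""
    first: IPv4
    last: IPv4

    def contains(self, ip: IPv4) -> bool:
        return self.first <= ip <= self.last

    @property
    def size(self) -> int:
        return int(self.last) - int(self.first) + 1


ALL_ADDRESSES = AddrRange(IPv4("0.0.0.0"), IPv4("255.255.255.255"))


def rng(first: str, last: Optional[str] = None) -> AddrRange:
    """Build a range; omit `last` for an individual host."""
    return AddrRange(IPv4(first), IPv4(last or first))


@dataclass(frozen=True)
class Policy:
    name: str
    action: str     # "PERMIT" or "DENY"
    service: str    # "ALL" or a service name such as "FTP"
    ranges: tuple   # a Network Resource contributes one AddrRange per entry


# Constructed stand-in for DNS (the manual's ftp.company.com -> 10.0.1.3).
HOSTS = {"ftp.company.com": "10.0.1.3"}


def resolve(target: str) -> IPv4:
    """Hostnames are treated like individual IP addresses, so resolve first."""
    return IPv4(HOSTS.get(target, target))


def most_specific(policies, ip: IPv4, service: str) -> Optional[Policy]:
    """Return the matching policy with the smallest address range, or None."""
    best = None  # (range size, policy)
    for p in policies:
        if p.service not in ("ALL", service):
            continue
        for r in p.ranges:
            if not r.contains(ip):
                continue
            tie_deny = best is not None and r.size == best[0] and p.action == "DENY"
            if best is None or r.size < best[0] or tie_deny:  # tie-break is an assumption
                best = (r.size, p)
    return None if best is None else best[1]


def evaluate(policies_by_level: dict, target: str, service: str):
    """Walk user -> group -> global; the first level with a match decides.

    With no matching policy the result is PERMIT, since the manual says all
    traffic is allowed by default until a deny policy is added.
    """
    ip = resolve(target)
    for level in ("user", "group", "global"):
        hit = most_specific(policies_by_level.get(level, ()), ip, service)
        if hit is not None:
            return hit.action, hit.name
    return "PERMIT", "default (no matching policy)"


# The manual's worked example, expressed as global policies.
GLOBAL_POLICIES = {
    "global": (
        Policy("Policy 1", "DENY", "ALL", (rng("10.0.0.0", "10.0.0.255"),)),
        Policy("Policy 2", "DENY", "FTP", (rng("10.0.1.2", "10.0.1.10"),)),
        Policy("Policy 3", "PERMIT", "FTP",
               (rng("10.0.0.5", "10.0.0.20"), rng(HOSTS["ftp.company.com"]))),
    )
}

if __name__ == "__main__":
    for target in ("10.0.0.1", "10.0.1.5", "10.0.0.10", "ftp.company.com"):
        print(target, "FTP ->", evaluate(GLOBAL_POLICIES, target, "FTP"))
```

Note that a user-level policy on 10.0.0.1 would override the global deny, which is the situation the manual excludes with "assuming no conflicting user or group policies"; the same address evaluated for a non-FTP service falls back to Policy 1, because Policy 3 only matches FTP.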
65. ...he Authentication Type pull-down menu, select a RADIUS domain. The Add Domain window displays the fields for a domain for Radius authentication.

Figure 3-3: Add Domain screen with the Authentication Type menu open (Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory, Kerberos, LDAP, Local User Database) and, with Radius-PAP selected, the fields Domain Name, Radius Server Address, Secret Password, Portal Layout Name (SSL-VPN); Back, Apply, Cancel.

3. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name users will select in order to log into the SSL VPN portal.
4. In the Radius Server Address field, enter the IP address or domain name of the Radius server.
5. If an authentication secret is required by the Radius server, enter it in the Secret Password field.
6. From the Portal Layout Name drop-down menu, select the name of the layout. The default layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.
7. Click Apply to update the configuration. Once the domain has been added, the domain displays in the table on the Domains screen.

Configuring for NT Domain Authentication

To co...
66. ...he power cord to the SSL312, turn on the concentrator, and verify the following:
- The PWR (power) light goes on immediately.
- The TEST light goes off after about one minute, indicating that the system has initialized.
- One of the Ethernet lights is lit: either the 10 Mbps or the 100 Mbps LED should light, showing that a connectivity link has been established.

Accessing the Management Interface

Using the PC with the static IP address configured, you can log into the SSL VPN Concentrator web management interface. The initial administrative setup of the concentrator must be performed using a supported browser listed in Web Browser Requirements on page 1-2. The machine used for management is referred to as the Management Station.

Note: You must have administrative access to the SSL VPN Concentrator to configure the Management Interface settings.

To log into the management interface:
1. Connect to the SSL312 by opening your browser and entering https://192.168.1.1 (the Ethernet Port 1 IP) in the address field. Be sure to type https, not http.

Figure 2-2: Browser address bar showing https://192.168.1.1.

If you are connected to the Ethernet Port 2 IP, the default address is https://10.0.0.1.

2. A certificate security warning may appear. Click Yes or OK to continue. A login screen with User Name and Password dialog box...
67. ...hine that will be mapped to a host name.
3. In the Host Name field, enter the host name or Fully Qualified Domain Name of the machine. For example, enter mycomputer or www.netgear.com. Do not enter names with spaces or other non-alphanumeric characters such as apostrophes or commas.
4. In the optional Alias field, enter the host alias. For example, if you entered the FQDN www.netgear.com in the Host Name field, then you can enter a shorter name such as www or web in the Alias field.
5. Click Apply. The new Host appears in the Host Table. The Host Table displays a list of the configured host names and the corresponding IP addresses.

Figure 7-4: Host Table screen (Network: Interfaces, Static Routes, Host Table, DNS Settings; Add Host: IP Address, Host Name, Alias (Optional), "Computer name or fully qualified domain name"; Host Table: IP Address 192.168.1.1, Host Name gearhost, Optional Alias gearhost, Delete).

Configuring DNS Settings

The DNS Settings menu allows the administrator to configure the hostname and DNS server addresses. The DNS server configuration is required.

To configure the hostname and DNS settings:
1. In the Network menu, check the DNS Settings radio button. The Network m...
68. ...ile is full. If the Daily or Weekly option is selected, then:
- If Daily is selected, the log file will be e-mailed at the configured time (between 00 hours and 23 hours), selected from the Time pull-down menu.
- If Weekly is selected, the log file will be e-mailed at the configured Day and Time, selected from the Day and Time pull-down menus.

Note: If Daily or Weekly is chosen, the log file will still be cleared if the log file is full before the end of the period. You can manually clear the Event Logs by clicking Clear Log.

5. In the Log and Alert Categories section, define the priority level of events that will generate Syslog Messages, Event Logs, and Alert messages from the Syslog Messages, Event Log, and Alerts pull-down menus.

Log categories are organized from most to least critical. Once a category is selected, all events equal to or more critical than the selected log category will be logged. The default Log and Alert levels are:
- Syslog Messages: Debug
- Event Log: Debug
- Alerts: Error

6. Click Apply to confirm your settings.

Diagnostics

Basic network diagnostic tools are available in the Diagnostics menu. Under the Monitoring menu in the...
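To make the threshold rule concrete ("all events equal to or more critical than the selected category are logged"), here is an added example that is not NETGEAR's code: it applies the category thresholds to a batch of events and frames a passing event the way a syslog server on UDP port 514 expects it (RFC 3164 `<PRI>` header, PRI = facility * 8 + severity). The manual names only the Debug and Error categories; the full severity ladder used below is the standard syslog one (Emergency most critical, Debug least), which is an assumption about how the SSL312 orders its menu. The sample events, the hostname and the facility number are constructed for the example.

```python
"""Log-category thresholds and syslog framing (added example)."""
import socket
import time
from dataclasses import dataclass

# Standard syslog severities, most critical first; the index is the numeric code 0..7.
SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug")
SEVERITY_CODE = {name: code for code, name in enumerate(SEVERITIES)}

# Defaults quoted by the manual for the three categories.
DEFAULT_LEVELS = {"Syslog Messages": "Debug", "Event Log": "Debug", "Alerts": "Error"}


@dataclass(frozen=True)
class Event:
    severity: str
    message: str


def passes(level: str, event: Event) -> bool:
    """True when the event is at least as critical as the configured category."""
    return SEVERITY_CODE[event.severity] <= SEVERITY_CODE[level]


def select(level: str, events) -> list:
    """Events that a category set to `level` would emit, in original order."""
    return [e for e in events if passes(level, e)]


def syslog_pri(event: Event, facility: int = 16) -> int:
    """RFC 3164 priority value; facility 16 is local0 (an assumed choice)."""
    return facility * 8 + SEVERITY_CODE[event.severity]


def syslog_datagram(event: Event, hostname: str, facility: int = 16,
                    when: time.struct_time = None) -> bytes:
    """Frame one event as <PRI>TIMESTAMP HOSTNAME MSG (RFC 3164 BSD format)."""
    t = when or time.localtime()
    stamp = time.strftime("%b", t) + f" {t.tm_mday:2d} " + time.strftime("%H:%M:%S", t)
    return f"<{syslog_pri(event, facility)}>{stamp} {hostname} {event.message}".encode()


def send_udp(datagram: bytes, server: str, port: int = 514) -> None:
    """Deliver one datagram to a syslog server (not called in the offline example)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))


# Constructed sample events, not real SSL312 log text.
SAMPLE_EVENTS = [
    Event("Informational", "user alice logged in to domain geardomain"),
    Event("Error", "authentication failed for user bob in domain geardomain"),
    Event("Debug", "NTP lookup for configured server"),
    Event("Critical", "server certificate has expired"),
]

if __name__ == "__main__":
    for category, level in DEFAULT_LEVELS.items():
        kept = [e.severity for e in select(level, SAMPLE_EVENTS)]
        print(f"{category} at {level}: {kept}")
    print(syslog_datagram(SAMPLE_EVENTS[1], "gearhost"))
```

With the defaults, the Syslog Messages and Event Log categories pass all four sample events, while Alerts at Error keeps only the Error and Critical ones; raising the Syslog Messages category to Error would cut the volume sent over UDP the same way.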
69. ...ions 6-7; configuring applications for 6-7
Port 2, default 2-4
Portal: add new 5-8; modify 5-9
Portal Layout Name 3-3
Portal Layouts 5: adding 5-3; duplicating 5-8; editing 5-8
Portal Site Title 5-4
PPP connection 6-1
Primary DNS Server, setup 7-8
Primary Syslog Server 8-6

R
RADIUS 3-2, 4-15: CHAP 3-4; MSCHAP 3-4; MSCHAPv2 3-4; PAP 3-4
RAM memory 8-2
RDP 4-21
Resource Addresses, deleting 4-23
restart 8-9
routing topology 2-2

S
Screen Size, Terminal Services 4-6, 4-12, 4-19
Secondary DNS Server 7-8
Secondary Syslog Server 8-7
Secure Sockets Layer (SSL) 2-1
Self-signed Certificate 2-11
Send Event Logs 8-7
serial console port 1-4: DTE connection 7-4; port 1-4
service type, users 4-18
single arm topology 2-1
software version, checking 8-2
SSH 4-21
SSL VPN Concentrator, status of 8-1
start time and date 8-2
static IP address 2-4
Static Routes, add 7-5
Status, SSL VPN Concentrator 8-1
Subnet Mask 4-5
subnet mask, default 7-4
syslog logging 8-5
syslog server 8-4
system monitoring 7-14

T
TCP/IP 2-3, 7-4
TCP/IP settings 2-4
Technical Specifications A-2
Terminal Services Screen Size 4-6, 4-12, 4-19
Terminal Services Applications, adding 5-6
traceroute 8-9
two port operation 7-3
two port topology 2-2

U
UDP port for syslog 8-6
User Bookmarks: adding 4-19; editing 4-...
70. ...is chapter explains how to create multiple Web portals for different users and how to customize the appearance of a portal. It describes:
- Portal Layouts
- Portal Options
- Adding Portal Layouts
- Adding Terminal Services Applications to the Portal
- Customizing the Banner
- Duplicating and Editing Portal Layouts
- Creating a Guide to Using the Portal

If your implementation consists of only a single portal layout, you can simply modify the default layout, SSL-VPN.

Portal Layouts

The SSL VPN Portal Layouts screen allows you to create a custom page that remote users will see when they log into the portal. Because the page is completely customizable, it provides the ideal way to communicate remote access instructions, support information, technical contact info, or VPN-related news updates to remote users. The page is also well suited as a starting page for restricted users: if mobile users or business partners are only permitted to access a few files or web URLs, the page you create will only show those links relevant to these users.

Portal Layouts are applied by selecting from available layouts in the configuration of a Domain. When you have completed your Portal Layout, you can apply the Portal Layout to one or more authentication domains (see Authentication Domains on page 3-1 to apply a Portal Layout to a Domain). You can also make the new portal the default portal for the SSL VPN gateway by selecting the default radio button ad...
71. ...jacent to the portal layout name.

Note: The default portal address is https://<IP_Address>. If the default portal is changed from the default SSL-VPN, you can use the URL address https://<IP_Address>/portal/SSL-VPN to access the administration domain geardomain. The administration domain geardomain is attached to the SSL-VPN portal layout.

To view the Portal Layout screen: Click Portal Layouts under the SSL VPN Portal menu on the left navigation pane. A window similar to the following will display.

Figure 5-1: Portal Layouts screen (Default; Layout Name: SSL-VPN; Portal URL: https://192.168.1.1; Submit; Add Layout).

Portal Options

The SSL VPN Concentrator portal can present the remote user with all of the features listed in the table below, or a subset, depending on the configuration by the administrator.

Table 5-1: Portal Option Features for Remote Users

Feature: Description
VPN Tunnel: An ActiveX-based SSL VPN client for Windows that provides full network connectivity. A client program is downloaded to the remote PC from the SSL312.
Applications: Network-enabled applications running on a Windows Server on the corporate network.
Remote Access: Two common remote desktop clients are implemented on the SSL VPN Concentrator. RDP allows connection to a Windows Server desktop. VNC allows...
72. ...le Full Tunnel mode. The VPN client will install a 0.0.0.0 route on the client machines that will forward all traffic to the SSL Concentrator.
5. Click Apply to update the configuration.
6. Restart the SSL VPN Concentrator software if any VPN Tunnel Clients are actively connected. Restarting will force the clients to obtain a new virtual IP address.

VPN Tunnel Clients are now able to connect to the SSL VPN Concentrator and receive a dynamic IP address in the client address range.

Note: Be sure to configure DNS addresses in the Network menu.

VPN Tunnel Client screen (shown twice, before and after a client route is added): Client IP Address Range: Client Address Range Begin 192.168.251.1, Client Address Range End 192.168.251.254; Enable Full Tunnel Support checkbox; "Note: Static routes should be added to reach any secure network in split tunnel mode"; Add Routes for VPN Tunnel Clients: Destination Network, Subnet Mask, Add Route; Configured Client Routes: Destination Network 192.168.0.0, Subnet Mask 255.255.255.0, Dele...
73. left navigation menu, click Diagnostics. The Diagnostics window displays (Figure 8.5: Diagnostics, with Ping or Trace an IP Address, Perform a DNS Lookup, and Restart SSL VPN Gateway sections). The following diagnostic functions are available. Ping an IP Address: enter an IP address and click Ping to send a ping request to the specified address; the results display in a new screen, and clicking Back returns to the Diagnostics screen. Trace an IP Address: enter an IP address and click Trace to perform a traceroute to the specified address; the results display in a new screen, and clicking Back returns to the Diagnostics screen. Perform a DNS Lookup: enter an Internet name (FQDN) and click Lookup to resolve the name to an IP address; a DNS server address must be configured in your Network settings. Restart the SSL VPN Concentrator: click Reboot to restart the SSL VPN Concentrator. Appendix A, Default Settings and Technical Specifications: This appendix provides the factory default settings and technical specifications for the ProSafe SSL VPN Concentrator 25 (SSL312). Factory Default Settings: You can use the push button located on th
74. lowing settings when configuring for routing operation: assign Ethernet Port 1 a public IP address; assign Ethernet Port 2 an IP address on your local network; enable Routing Mode. Note: The SSL VPN Concentrator does not perform Network Address Translation (NAT). Also, the SSL VPN Concentrator only enforces access policies on SSL VPN traffic, not on other TCP/IP protocols; therefore, the SSL VPN Concentrator should always be used in conjunction with a network firewall. Initial Connection to the SSL VPN Concentrator: In its factory default state, the SSL VPN Concentrator's Ethernet Port 1 IP address is 192.168.1.1 and its Ethernet Port 2 IP address is 10.0.0.1. Unless these default addresses are compatible with your network, you must configure and connect a computer directly to Ethernet Port 1 for initial configuration, including reassignment of the Ethernet port IP addresses. This procedure is described in the following steps. 1. Prepare a PC with an Ethernet adapter. If this PC is already part of your network, record its TCP/IP configuration settings so that you can restore them later. 2. Configure your PC with a static IP address of 192.168.1.10 and 255.255.255.0 as the subnet mask. 3. Connect an Ethernet cable from your computer to Ethernet Port 1 on the front of the SSL VPN Concentrator. 4. Connect t
75. n In the following network configuration example, the SSL VPN Concentrator appliance is deployed as a standalone SSL VPN device; a separate access router or firewall performs perimeter security. Interface Ethernet Port 1 IP address: 192.168.1.1. Interface Ethernet Port 1 subnet mask: 255.255.255.0 (subnet 192.168.1.0/24). Default gateway address (firewall/router address): 192.168.1.254. In the configuration shown in the diagram, the IP addresses of devices in the local network are configured in the 192.168.1.0/24 subnet, and the default gateway for these devices is the internal IP address of the local firewall or router, 192.168.1.254. (Figure 7.1: corporate server 192.168.1.3, firewall/router 192.168.1.254, LAN subnet 192.168.1.0/24, and the SSL312 at 192.168.1.1, with the firewall/router connecting the LAN to the Internet.) All connections initiated from the Internet can be blocked by the firewall except HTTPS traffic (TCP port 443); HTTPS traffic should be forwarded to the SSL VPN Concentrator appliance address, 192.168.1.1. Network Interface and Default Gateway Configuration: Configure the SSL VPN Concentrator network interface settings by selecting Network under the System Configuration menu in the left navigation pane and then clicking the Interface radio button. To configure the Ethernet Por
76. n RADIUS and NT Domain Authentication: For authentication to RADIUS or Microsoft NT domains (using Kerberos), you can individually define authentication, authorization and accounting (AAA) users and groups. This is not required, but it allows you to create separate policies or bookmarks for individual AAA users. When a user logs in, the SSL VPN Concentrator validates with the appropriate RADIUS or NT server that the user is authorized to log in. If the user is authorized, the SSL VPN Concentrator checks whether the user exists in its Users and Groups database; if the user is defined, the policies and bookmarks defined for that user apply. For example, if you create a RADIUS domain in the SSL VPN Concentrator called "Miami RADIUS server", you can add users to groups that are members of the Miami RADIUS server domain. These user names must match the names configured in the RADIUS server. Then, when users log in to the portal, the policies, bookmarks and other user settings apply to those users. If the AAA user does not exist in the SSL VPN Concentrator, then only the global settings, policies and bookmarks apply to the user. Configuring for RADIUS Domain Authentication: To create a domain with RADIUS authentication: 1. Click Add Domain; an Add Domain window displays. 2. From t
77. n, not the source address. You cannot permit or block a specific IP address on the Internet from authenticating to the SSL VPN Concentrator through the policy engine; that type of policy must be defined by a firewall rule. 4. Select the policy target: if your policy applies to a predefined network resource, select the name of the resource from the Defined Resource pull-down menu (for information about creating network resources, refer to Using Network Resource Objects to Simplify Policies on page 4-20); if your policy applies to a specific host, enter the IP address of the local host machine in the IP Address field; if your policy applies to a network, enter the network address and subnet bit mask (0 to 32) in the Network and Subnet Mask fields. 5. In the Service pull-down menu, select the service type. If you are applying a policy to a network resource, the service type is defined in the Defined Resource field. Note: Network Resources are configured under Network Resources in the Access Administration menu on the left navigation pane. 6. From the Status pull-down menu, select PERMIT or DENY to permit or deny SSL VPN connections for the specified service and host machine. 7. Click Apply to update the configuration. Once the configuration has been
78. n a suitable browser and access the SSL VPN Concentrator web management interface by typing https://<IP_address>, where IP_address is the address that you assigned to the SSL312 Ethernet port that is connected to the corporate network. Note: If the default portal SSL-VPN is changed to another user-defined portal, the administration portal SSL-VPN can still be reached by typing https://<IP_address>/portal/SSL-VPN. 4. Log in as admin using the new password that you assigned. You can now continue the configuration of your SSL VPN Concentrator. Managing Certificates: Establishing an SSL connection requires that the SSL server (such as your SSL VPN Concentrator) provide a digital SSL certificate to the user's browser. A certificate is a file that contains: a public key used to protect the messages your browser sends to the server; information identifying the operator of the server; and a digital signature from the issuer that binds the key to that identity. You can obtain a certificate from a well-known commercial Certificate Authority (CA) such as VeriSign or Thawte, or you can generate and sign your own certificate. Because a commercial CA takes steps to verify the identity of an applicant, a certificate from a commercial CA provides a strong assurance of the server's identity. A self-signed
79. nactivity to allow. Click Apply to save the configuration changes. You can set the inactivity timeout at the user, group and global level. If a timeout is configured for an individual user, the user timeout takes precedence over the group timeout, and the group timeout takes precedence over the global timeout. Setting the global timeout to 0 disables the inactivity timeout for users that do not have a group or user timeout configured. Adding and Editing Global Policies: To define global access policies: 1. In the Global Policies section, click Add Policy. An Add Policy window displays (Figure 4.3: Add Policy, with Apply Policy To, Policy Name, Defined Resource and Status (PERMIT) fields). Note: User and group access policies take precedence over global policies. 2. From the Apply Policy To pull-down menu, select whether the policy applies to a predefined network resource, an individual host, a network, or all addresses. 3. In the Policy Name field, enter a name for the policy. Note: SSL VPN Concentrator policies apply to the destination address(es) of the SSL VPN connection, not the source address. You cannot permit or block a specific IP address on the Internet from authenticating to the SSL VPN Concentrator thro
80. ncentrator management interface, enter the new IP address of the SSL VPN Concentrator in the Address or Location field of your web browser. Be sure that the management station is in the same subnet as the new SSL VPN Concentrator IP address. To complete the IP settings configuration, also configure the SSL VPN Concentrator DNS settings and network routes. Static Route Configuration: If your corporate network contains other subnets whose resources will be made available through remote SSL connections, you must configure static routes to those subnets. To configure a static route: 1. In the Add Static Routes section, enter the destination network address of the static route in the Destination Network field. The destination network address is an IP address in the remote network subnet. Note: The destination network address may be a valid host IP address, or it may be a subnet address that ends in 0, such as 192.168.0.0. 2. In the Subnet Mask field, enter the subnet mask of the remote network segment. 3. In the Gateway Address field, enter the IP address of your router. The gateway address must be in the same subnet as the Ethernet 1 or Ethernet 2 interface. For example, if the Ethernet 1 interface address is 10.0.0.100 and the subnet mask is 255.255.255.0, then a router connected through the Etherne
81. nfigure NT Domain authentication, click Add Domain. An Add Domain window displays. In the Add Domain window: 1. From the Authentication Type menu, select NT Domain. (The menu offers Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory, Kerberos, LDAP and Local User Database.) The Add Domain window then displays the fields for a domain with NT authentication: Domain Name, NT Server Address, NT Domain Name, Portal Layout Name (default SSL-VPN), a Require CIFS Bookmark to home directory checkbox, and Home Directory Base Path (\\ServerName\HomeDirectory\Path, required when Require CIFS Bookmark is enabled), with Back, Apply and Cancel buttons (Figure 3.4). 2. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name selected by u
82. nologies, see the links to the NETGEAR website in Appendix B, Related Documents. Note: Product updates are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/SSL312.asp. Using This Manual: The HTML version of this manual includes the following: buttons (> and <) for browsing forwards or backwards through the manual one page at a time; a button that displays the table of contents and an Index button (double-click a link in the table of contents or index to navigate directly to where the topic is described in the manual); a button to access the full NETGEAR, Inc. online knowledge base for the product model; and links to PDF versions of the full manual and individual chapters. Printing This Manual: To print this manual, choose one of the following options according to your needs. Printing a Page in the HTML View: each page in the HTML version of the manual is dedicated to a major topic; use the Print button on the browser toolbar to print the page contents. Printing a Chapter: use the PDF of This Chapter link at the top left of any page. Click the PDF of This Chapter link at the top right of any page in the chapter you want to print. The PDF version of the chapter you were
83. Steps for Deploying the SSL312: Three basic steps are involved in deploying the ProSafe SSL VPN Concentrator 25 in your network. Installing the SSL312: choosing a network topology, configuring its IP addressing scheme, connecting the SSL312, and provisioning the SSL certificate; refer to Chapter 2, Installing the SSL312. Setting up SSL312 user accounts: creating individual user accounts, grouping users by common access privileges, and defining those privileges; refer to Chapter 3, Authenticating Users, and Chapter 4, Setting Up User and Group Access Policies. Configuring remote access to corporate network resources through the SSL312: designing the presentation web portal that displays the available corporate resources to remotely connected users; refer to Chapter 5, Configuring the Remote Access Web Portal. Chapter 2, Installing the SSL312: This chapter describes how to install the ProSafe SSL VPN Concentrator 25 (SSL312). The installation includes choosing a network topology, configuring the IP addressing scheme, connecting the SSL312, and provisioning the SSL certificate. Choosing a Network Topology: The physical connection of the SSL VPN Concentrator to your network is determined by the network topology you choose. Th
84. nty and Support Registration Card. Hardware Description: This section describes the front and rear hardware functions of the SSL312. Front Panel: The SSL VPN Concentrator front panel hardware is shown in Figure 1.1; its functions are described below. 1. LED Power Indicator: off, no power; on, power is on. 2. LED Self-test Indicator: on while initializing (self test, about 2 minutes); blinking while uploading software; on for a prolonged period indicates a system fault. This LED blinks for 1 to 2 minutes before going off. 3. Two 10/100M Ethernet ports: a solid green LED indicates that a link has been established on either the 10M or 100M interface; a blinking green LED indicates activity on either the 10M or 100M interface. 4. Serial Console Port (for engineering and debugging only): male DB-9 serial port for serial DTE connections. 5. Restore to Factory Defaults button. Back Panel: The SSL VPN Concentrator back panel hardware is shown in Figure 1.2 and consists of the power On/Off switch and the 110-240V power cord connection. Note: Never substitute a power cord; only use the power cord provided with the SSL VPN Concentrator.
85. of the layout. The default layout is SSL-VPN; you can define additional layouts on the Portal Layouts page. 6. Click Apply to update the configuration. Once the domain has been added, it displays in the table on the Domains screen. Active Directory Authentication: Active Directory authentication servers support a group and user structure that can be queried when an Active Directory user logs in. This means that you can create policies and bookmarks for Active Directory users at the group level without needing to define Active Directory users in the SSL VPN Concentrator. When a user logs in, if no corresponding user name is configured in the local database, the SSL VPN Concentrator queries the Active Directory server for the list of groups that the user belongs to. If any of those groups are defined in the SSL VPN Concentrator, the policies and bookmarks for the first Active Directory group that matches a group configured in the SSL VPN Concentrator are applied to the user. Once you create an Active Directory domain, you can add groups that correspond with groups on your Active Directory server. If the Active Directory user is configured in the SSL VPN Concentrator, the SSL VPN Concentrator ignores the group information provided by Active Directory and instead applies policies and bookmarks based on the user settings and the settings of the group to which the user belongs. Note: Because oth
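The following is an added example, not NETGEAR's code, that models the lookup order the manual describes for externally authenticated users: a locally defined user always gets the user's own settings; an Active Directory user with no local entry gets the settings of the first directory group that is also configured on the appliance; a RADIUS or NT user with no local entry, or an AD user with no matching group, gets global settings only. The data structures, function names and the sample users are assumptions made for illustration. Note the consequence of "first matching group": when a user is in several matching groups, the order in which the directory returns them, not the most restrictive match, decides which group's policies apply.

```python
"""Added example (not the SSL312's code): which settings apply to a user after an
external RADIUS, NT Domain or Active Directory server has accepted the login."""

from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class LocalUser:
    """A user entry in the appliance's own Users and Groups table (assumed shape)."""
    name: str
    group: str


@dataclass
class Scope:
    """Where policies and bookmarks for this login come from."""
    user: Optional[str]    # local user whose own settings apply, if any
    group: Optional[str]   # group whose settings apply, if any
    note: str


def resolve_scope(login_name: str, domain_type: str, authenticated: bool,
                  local_users: Dict[str, LocalUser], configured_groups: Set[str],
                  directory_groups: Tuple[str, ...] = ()) -> Optional[Scope]:
    """Return the Scope that applies, or None if the external server rejected the login.

    domain_type is 'radius', 'nt' or 'ad'. directory_groups is the list of groups the
    Active Directory server returned for the user, in the order it returned them.
    """
    if not authenticated:
        return None  # nothing applies; the user never gets past the external server

    # A user defined locally always wins: the directory's group list is ignored and
    # the user's own group (as configured on the appliance) is used.
    local = local_users.get(login_name)
    if local is not None:
        return Scope(user=local.name, group=local.group, note="local user entry")

    if domain_type == "ad":
        # First directory group that is also configured on the appliance decides.
        for g in directory_groups:
            if g in configured_groups:
                return Scope(user=None, group=g,
                             note="first matching Active Directory group")

    # RADIUS/NT user without a local entry, or AD user with no matching group.
    return Scope(user=None, group=None, note="global settings only")
```

A quick way to audit an AD deployment with this model is to feed it the group list as the directory actually orders it; a user who lands in a broad group such as "Everyone" ahead of a restricted one shows up as a group-selection surprise rather than a policy bug.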
86. om the Service pull-down menu, select the service type. 5. If Terminal Services (RDP) is selected, select the screen size that the bookmark will use from the Screen Size drop-down menu. 6. Click Apply to update the configuration. Once the configuration has been updated, the new group bookmark is displayed in the Group Bookmarks table on the Group Settings window. Deleting a Group: To delete a group that is the default group for an authentication domain, delete the corresponding domain; you cannot delete that group in the Group Settings menu. If a group is not the default group for an authentication domain, first delete all users in the group; then you can delete the group on the Group Settings page using the following steps. To delete a group: 1. Click the name of the group that you wish to remove in the Groups table. The Group Settings menu displays. 2. In the Group Settings window, click Delete Group. The Users and Groups menu displays, and the deleted group no longer appears in the list of defined groups. Note: A group cannot be deleted if users have been added to the group or if the group is the default group created for an authentication domain. You can also delete a group by clicking its Delete link. Note: The default group geardomain cannot be deleted.
87. ookmark Name, Name or IP Address, Service (Terminal Services / RDP5) and Screen Size (640x480) fields (Figure 4.4). When global bookmarks are defined, all members see them in the SSL VPN portal; individual users cannot delete or modify global bookmarks. 2. In the Bookmark Name field, enter a descriptive name. 3. In the Name or IP Address field, enter the domain name or the IP address of a host machine on the LAN. 4. From the Service pull-down menu, select the service type. 5. If Terminal Services (RDP) is selected, select the screen size that the bookmark will use from the Screen Size drop-down menu. 6. Click Apply to update the configuration. Once the configuration has been updated, the new global bookmark appears in the Global Bookmarks table on the Global Settings screen. Groups Configuration: When configuring groups, remember that user policies take precedence over all group policies, and group policies take precedence over all global policies, regardless of the policy definition. A user policy that allows access to all IP addresses takes precedence over a group policy that denies access to a single IP address. SSL VPN Concentrator groups are also defined from the Users and Groups menu. Under the Access and Administration menu in the left navig
88. or. Restarting forces clients to reconnect and receive new addresses and routes. Users are now able to connect to the SSL VPN Concentrator and receive a virtual IP address from the client address range. (Figure 6.2: VPN Tunnel Client screen, showing Client Address Range Begin 192.168.251.1, Client Address Range End 192.168.251.254, Enable Full Tunnel Support checked, the Add Routes for VPN Tunnel Clients section with Destination Network 192.168.0.0 and Subnet Mask 255.255.255.0, and the Configured Client Routes table listing 192.168.0.0 / 255.255.255.0 with a Delete link.) To delete a VPN Tunnel Client route: 1. In the Configured Client Routes table, click the Delete link adjacent to the client route. 2. Restart the SSL VPN Concentrator software if VPN Tunnel Clients are currently connected; restarting forces clients to reconnect and receive new addresses and routes. Configuring Applications for Port Forwarding: The Port Forwarding screen allows you to specify the internal addresses and TCP application port numbers that will be intercepted by the Port Forwarding client on the user's PC. The client reroutes this traffic to the SSL VPN Concentrator. To configure Port Forwarding, you must define the internal host machines an
89. orate network if the VPN Tunnel Client's Ethernet interface shares the same IP address as the server or the SSL VPN Concentrator. For example, if your laptop has a network interface IP address of 10.0.0.45, you will not be able to contact a server on the remote network that also has the IP address 10.0.0.45. If you assign the VPN Tunnel Clients an entirely different subnet from the one used by the corporate network, you must: add a client route so that the VPN Tunnel Client reaches the corporate network through the VPN tunnel; and create a static route on the corporate network's firewall to forward local traffic intended for the VPN clients to the SSL VPN Concentrator. Select whether you want to enable full tunnel or split tunnel support based on your bandwidth. Full tunnel sends all of the client's traffic across the VPN tunnel. Split tunnel sends only traffic destined for the internal network, based on the specified client routes; all other traffic is sent directly to the Internet. Split tunnel allows you to manage your company bandwidth by reserving the VPN tunnel for corporate traffic only. Note that with split tunnel the remote PC is connected to the Internet and to the corporate network at the same time, so the choice is also a security decision, not only a bandwidth one. Beyond what is defined in Web Browser Requirements on page 1-2, the VPN Tunnel Client has some specific operating requirements. For Mac OS, VPN Tunnel supports Version
90. orwarding, Applications and Terminal Services). Java: Sun JRE 1.1 or higher, or Microsoft JVM 5 or higher. Apple Mac OS X: browser Safari 1.2 or higher; Java Sun JRE 1.1 or higher. Unix, Linux or BSD: browsers Mozilla Firefox 1.x (supports VPN tunnel, VNC, Network Places and Utilities; Microsoft Internet Explorer is required for Port Forwarding, Applications and Terminal Services) and Safari 1.2 or higher; Java Sun JRE 1.1 or higher. To configure the NETGEAR ProSafe SSL VPN Concentrator 25, an administrator must use Internet Explorer 5.1 or higher, Apple Safari 1.2 or higher, or Mozilla Firefox 1.x with JavaScript, cookies and SSL enabled. End users can use Microsoft Internet Explorer 5.1 or higher, Apple Safari 1.2 or higher, or Mozilla Firefox 1.x for VPN tunnel, VNC, Network Places and Utilities. The browsers should also support JavaScript, Java, cookies, SSL and ActiveX to take advantage of the full suite of applications. What's in the Box: The product package should contain the following items: ProSafe SSL VPN Concentrator 25 (SSL312); a power cord specific to your region; a straight-through Category 5 Ethernet cable; a serial cable (included for engineering and debugging purposes only); a Resource CD; the ProSafe SSL VPN Concentrator 25 SSL312 Installation Guide; and a Warra
91. ot UDP or other IP protocols. Port Forwarding detects and reroutes individual data streams to the Port Forwarding connection rather than opening a full tunnel to the corporate network, and it offers more fine-grained management than VPN Tunnel: administrators define the individual applications and resources that will be available to remote users. With VPN Tunnel, administrators must create access policies to block undesirable traffic at the SSL VPN Concentrator rather than at the client level. Keep in mind that interception on the user's PC limits what the Port Forwarding client carries, but software on the remote PC is not an enforcement point the user cannot bypass; the access policies on the SSL VPN Concentrator remain the control that governs what either client may reach. SSL VPN Client Configuration: The IP addresses to be assigned to remote VPN Tunnel Clients are configured in the VPN Tunnel menu. Because the connection is a point-to-point connection, you can assign IP addresses from the corporate subnet to the remote VPN Tunnel Clients. The DNS settings assigned to the VPN Tunnel Client are configured in the Network menu. Some additional considerations: So that the virtual PPP interface address of the VPN Tunnel Client does not conflict with addresses on the corporate network, configure an IP address range that does not overlap with addresses on your local network. For example, if 192.168.0.1 through 192.168.0.100 are currently assigned to devices on your local network, then start the client address range at 192.168.0.101, or choose an entirely different subnet altogether. The VPN Tunnel Client cannot contact a server on the corp
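The checks below are an added example written for this page, not code from NETGEAR or the appliance. They apply the address-plan rules the manual states in the VPN Tunnel Client and Static Route sections: the client address range must not overlap addresses already assigned on the LAN; a client whose own NIC carries the same address as a server cannot reach that server; full tunnel mode installs a single 0.0.0.0/0 route while split tunnel installs only the configured client routes; and a static route's gateway must lie in the subnet of Ethernet 1 or Ethernet 2. The helper names and every sample address are constructed for illustration.

```python
"""Added example (not the SSL312's code): sanity checks for a planned SSL312 address
layout, run before entering it in the VPN Tunnel and Static Routes screens."""

from __future__ import annotations

import ipaddress
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def client_range_conflicts(range_begin: str, range_end: str,
                           assigned_lan_hosts: List[str]) -> List[str]:
    """LAN addresses that fall inside the planned VPN Tunnel client range (should be empty)."""
    lo, hi = IPv4(range_begin), IPv4(range_end)
    if lo > hi:
        raise ValueError("client address range begin is after range end")
    return [h for h in assigned_lan_hosts if lo <= IPv4(h) <= hi]


def unreachable_from_client(client_local_ip: str, server_ips: List[str]) -> List[str]:
    """Servers a VPN Tunnel client cannot contact because its own interface has that address."""
    me = IPv4(client_local_ip)
    return [s for s in server_ips if IPv4(s) == me]


def client_routes(full_tunnel: bool,
                  configured_routes: List[Tuple[str, str]]) -> List[Net]:
    """Routes the client installs: one default route in full tunnel mode, otherwise
    exactly the configured (destination, mask) pairs (split tunnel mode)."""
    if full_tunnel:
        return [Net("0.0.0.0/0")]
    return [Net(f"{dst}/{mask}", strict=False) for dst, mask in configured_routes]


def static_route_ok(destination: str, mask: str, gateway: str,
                    interfaces: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Static route rule from the manual: the gateway must be in the subnet of one of the
    appliance's interfaces, given as (address, mask) pairs for Ethernet 1 and Ethernet 2.
    Returns (ok, destination normalised to its network address, e.g. .5 -> .0)."""
    net = Net(f"{destination}/{mask}", strict=False)
    gw = IPv4(gateway)
    for addr, imask in interfaces:
        if gw in Net(f"{addr}/{imask}", strict=False):
            return True, str(net)
    return False, str(net)
```

Running these against the manual's own figures: a client range of 192.168.251.1 to 192.168.251.254 does not collide with a 192.168.0.0/24 LAN, so the client route 192.168.0.0 / 255.255.255.0 is what split-tunnel clients need, and a gateway such as 10.0.0.1 is accepted only when an interface sits in 10.0.0.0/24.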
92. out: 1. Under the SSL VPN Portal menu on the left navigation pane, click Portal Layouts and then click Add Layout. The Portal Layout page displays. 2. In the Portal Layout and Theme Name section: a. Enter a descriptive name for the portal layout in the Portal Layout Name field. This name becomes part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.com and you create a portal layout named sales, users can access the sub-site at https://vpn.company.com/portal/sales. Only alphanumeric characters, hyphen (-) and underscore (_) are accepted for the Portal Layout Name. If you enter other characters or spaces, the layout name is truncated before the first such character. Note that, unlike most other URLs, this name is case-sensitive. (Figure: Portal Layout page, with the Portal Layout and Theme Name section (Portal Layout Name field) and the SSL VPN Portal Pages to Display section: Utilities page, Remote Access page, Applications page, Network Places page, VPN Tunnel page, Port Forwarding page, NETGEAR Documentation, Change Password page, Bookmarks
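As an added example (not NETGEAR's code), the functions below apply the Portal Layout Name rules just stated and build the resulting portal URLs: the name keeps only its leading run of alphanumerics, hyphens and underscores, names are case-sensitive, the layout that is currently the default is served at the root of the site, any other layout is served at /portal/<name>, and the administration portal stays reachable at /portal/SSL-VPN. Reading "hyphen and underscore accepted" as "truncate at the first character outside that set", and the helper names, are assumptions made here.

```python
"""Added example (not the SSL312's code): Portal Layout Name normalisation and the
URLs at which a layout is reached."""

import re

# Characters the manual says are accepted for a Portal Layout Name (assumed reading:
# truncation happens at the first character outside this set, spaces included).
_ALLOWED_PREFIX = re.compile(r"[A-Za-z0-9_-]*")
ADMIN_LAYOUT = "SSL-VPN"  # default layout; the administration domain is attached to it


def normalise_layout_name(raw: str) -> str:
    """Return the name the appliance keeps: the longest accepted prefix of raw."""
    return _ALLOWED_PREFIX.match(raw).group(0)


def portal_url(host: str, layout_name: str, default_layout: str = ADMIN_LAYOUT) -> str:
    """URL users enter for a layout. The current default layout answers at the site
    root; every other layout is a sub-site under /portal/. Comparison is case-sensitive."""
    name = normalise_layout_name(layout_name)
    if not name:
        raise ValueError("layout name contains no accepted characters")
    if name == default_layout:
        return f"https://{host}/"
    return f"https://{host}/portal/{name}"


def admin_portal_url(host: str) -> str:
    """Where the administration domain is reached even after the default layout changes."""
    return f"https://{host}/portal/{ADMIN_LAYOUT}"
```

The truncation is silent on the appliance, so a name typed as "sales team" is stored as "sales"; checking the normalised name before clicking Apply avoids handing users a URL that does not exist.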
93. p Users table: Name, Group, Type (for example User1 / Group1 / User, with a Delete link; admin / geardomain / Administrator) (Figure 4.13). Editing a User: To edit a user: 1. In the Users table in the Users and Groups menu, click the name of the user. The User Settings menu displays, as shown in Figure 4.14. The Edit User Settings section shows the User Name, Group Name and Domain Name; these fields are not configurable. To modify the information in these fields, remove the user by clicking Delete User and then recreate the user with the correct information. If the user authenticates to an external authentication server, the User Type and Password fields are not shown: the password fields are not configurable because the authentication server validates the password, and the user type is not configurable because the SSL VPN Concentrator only allows users who authenticate to the internal user database to have administrative privileges. (Figure 4.14: Edit User Settings for User1, in group Group1 and domain geardomain, with User Type, Password, Confirm Password and Inactivity Timeout (0 minutes) fields, a Configure login policies link, and Delete User, Apply and Cancel buttons. Set the Inactivity Timeout to 0 to use the Group or Global timeout.) User Policies table: Name, Action, Service, Destination, Port. Note: User policies take precedence ov
94. page, Portal Site Title, Banner Title, Banner Message, Display banner message on login page, HTTP meta tags for cache control (recommended), ActiveX web cache cleaner; Utilities Page Available Services: FTP, Telnet, SSH, Add Bookmark button; Remote Access Page Available Remote Desktop Clients: Terminal Services (ActiveX), VNC, Add Bookmark button; Portal URL https://192.168.1.1/portal/<PORTAL>; Custom Banner, which can be uploaded only after adding the portal) (Figure 5.2). b. In the Portal Site Title field, enter the title for the web browser window. c. To display a banner message to users before they log in to the portal, enter the banner title text in the Banner Title field and the banner message text in the Banner Message text area. Enter a plain text message or include HTML and JavaScript tags. The maximum length of the login page message is 4096 characters. Because this markup is rendered on the login page as entered, anything placed here runs in every user's browser before authentication; only use markup you wrote yourself. Then check the Display banner message on login page checkbox to show the banner title and banner message text on the Login screen, as shown in Figure 5.3 (a login page with the banner title "This is the Banner Title", the banner message "This is the banner message. Information specific to this portal can be added here.", and User Name, Password and Domain (suppliers) fields with a Login button).
95. privileges. Using Network Resource Objects to Simplify Policies: Network Resources are groups of host names, IP addresses and IP address ranges. By defining resource objects, you can create and configure network policies more quickly, because you do not need to redefine the same set of IP addresses or address ranges when configuring the same access policies for multiple users. Defining Network Resources is optional; smaller organizations can create access policies using individual IP addresses or IP networks rather than predefined Network Resources. For most organizations, however, it is recommended that you use Network Resources: if your server or network configuration changes, you update the resource once instead of individually updating all of the user and group policies. To define a network resource: 1. Under the Access Administration menu on the left navigation pane, select Network Resources. The Network Resources screen displays (Figure 4.17: Network Resources table with Resource Name and Service columns and an Add Resource button). 2. Click Add Resource. An Add Network Resource menu similar to the following displays (Resource Name field and a Service pull-down menu with choices including Terminal Services (RDP5), Virtual Network Computing, File Transfer Proto
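The evaluator below is an added example, not the appliance's code, that ties together the policy rules spread across this chapter: a policy matches the destination of an SSL VPN connection (a host, a network, a Network Resource object, or all addresses) together with a service, never the remote user's source address; user policies take precedence over group policies, which take precedence over global policies, regardless of how broad or narrow each policy is; and the inactivity timeout follows the same user, group, global order with 0 meaning "use the next level up" (0 at the global level disables the timeout). What happens when no policy matches at all is not stated on the page, so the default action is a parameter here; representing a Network Resource as a list of CIDR networks, the field names, and the sample policies are likewise assumptions.

```python
"""Added example (not the SSL312's code): evaluating SSL VPN access policies and the
inactivity timeout with user > group > global precedence."""

from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class Policy:
    name: str
    target: str   # 'host' | 'network' | 'resource' | 'all'  (Apply Policy To)
    value: str    # IP address, 'network/bits', resource name, or '' for 'all'
    service: str  # e.g. 'RDP', 'VNC', 'FTP', or ANY
    action: str   # 'PERMIT' | 'DENY'  (Status)


def _matches(p: Policy, dst: str, service: str, resources: Dict[str, List[str]]) -> bool:
    """Does policy p apply to a connection to destination dst for this service?"""
    if p.service != ANY and p.service != service:
        return False
    addr = ipaddress.ip_address(dst)
    if p.target == "all":
        return True
    if p.target == "host":
        return addr == ipaddress.ip_address(p.value)
    if p.target == "network":
        return addr in ipaddress.ip_network(p.value, strict=False)
    if p.target == "resource":
        # Assumed representation: a Network Resource is a list of CIDR networks.
        return any(addr in ipaddress.ip_network(m, strict=False)
                   for m in resources.get(p.value, []))
    raise ValueError(f"unknown policy target {p.target!r}")


def decide(dst: str, service: str,
           user_policies: List[Policy], group_policies: List[Policy],
           global_policies: List[Policy], resources: Dict[str, List[str]],
           default: str = "DENY") -> Tuple[str, str]:
    """Return (action, policy name) for a connection to dst. The first matching policy
    at the most specific level decides; the remote user's source address is never an input."""
    for level in (user_policies, group_policies, global_policies):
        for p in level:
            if _matches(p, dst, service, resources):
                return p.action, p.name
    return default, "(no matching policy)"


def effective_timeout(user_minutes: int, group_minutes: int, global_minutes: int) -> int:
    """Inactivity timeout in minutes: 0 at the user or group level means inherit;
    0 at the global level means no inactivity timeout for users who inherit it."""
    for minutes in (user_minutes, group_minutes, global_minutes):
        if minutes:
            return minutes
    return 0
```

The test data reproduces the manual's warning: a user policy that permits all addresses wins over a group policy that denies a single host, so a permissive user-level entry silently undoes group restrictions.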
96. quire syslog logging. 3. If you have a backup or second syslog server, enter the IP address or domain name of the secondary syslog server in the Secondary Syslog Server field. 4. In the E-mail Settings section: a. To receive e-mail notification, enter your full e-mail address (username@domain.com) in the E-mail Event Logs to field. The event log file is e-mailed to the specified address before the event log is cleared. If this field is left blank, log files are not e-mailed. b. To receive alert messages via e-mail, enter your full e-mail address (username@domain.com) or an e-mail pager address in the E-mail Alerts to field. An e-mail is sent to the specified address if an alert event occurs. c. Enter the name or IP address of your mail server in the Mail Server field to e-mail log files or alert messages. If this field is left blank, log files and alert messages are not e-mailed. d. Enter the e-mail address that log and alert messages will be sent from in the Mail From Address field. e. If the mail server requires authentication, enter the user name and password in the Mail User Name and Mail Password fields. f. Configure how frequently log files are e-mailed and cleared in the Send Event Logs field. If When Full is selected, the event log is e-mailed and then cleared when the log f
97. ...rough a customizable and intuitive interface. Other key features:

- Uses Secure Sockets Layer (SSL) protocol to transfer data. SSL is a protocol that is extensively used in the world of electronic commerce and has gone through years of public scrutiny.
- Browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer or Apple Safari.
- Supports 25 concurrent sessions.
- Provides granular access to corporate resources based upon user type or group membership.
- Supports multiple user authentications, including local database, Microsoft Active Directory, LDAP, NT Domain, and RADIUS.
- Provides client-less access with customizable user portals and support for a wide variety of user repositories. Access includes support for Full network access, HTTP and HTTPS proxy and reverse proxy, Remote Desktop, and Application Access including File Sharing.

Web Browser Requirements

The following web browsers are supported for the SSL VPN Concentrator web management interface and the SSL VPN portal. Note that Java is only required for the SSL VPN portal, not the web management interface.

- Microsoft Windows Browsers: Microsoft Internet Explorer 5.1 or higher; Mozilla Firefox 1.x (supports VPN tunnel, VNC, Network Places, and Utilities). Microsoft Internet Explorer is required for Port F...
98. ...s

[Figure 4-16: Add Bookmark menu (Service: Terminal Services RDP5; Screen Size: 640x480)]

When user bookmarks are defined, the user will see the defined bookmarks from the SSL VPN portal. Individual user members will not be able to delete or modify bookmarks created by the administrator.

2. In the Bookmark Name field, enter a descriptive name.

3. In the Name or IP Address field, enter the domain name or the IP address of a host machine on the LAN.

4. From the Service pull-down menu, select the service type.

5. If Terminal Services (RDP) is selected, select the screen size that the bookmark will use from the Screen Size drop-down menu.

6. Click Apply to update the configuration. Once the configuration has been updated, the new user bookmark appears in the User Bookmarks table in the Edit User Settings menu.

(Setting Up User and Group Access Policies, page 4-19)

Deleting a User

To delete a user:

1. Click the Delete link adjacent to the user's name in the Users table. The user is removed from the table in the Users and Groups menu; or

2. Click the user name that you wish to remove. The Edit User Settings window will display. In the Edit User Settings window, click Delete User. Once deleted, the user no longer appears in the table in the Users and Groups menu.

Note: A user cannot be deleted if the user is the only user defined with administrative a...
99. ...sers when they authenticate to the SSL VPN portal. It may be the same value as the NT Domain Name. In the NT Server Address field, enter the IP address or host and domain name of the server.

4. In the NT Domain Name field, enter the NT authentication domain. This is the domain name configured on the Windows authentication server for network authentication.

5. From the Portal Layout Name pull-down menu, select the name of the layout. The default layout is SSL VPN. You can define additional layouts in the Portal Layouts page.

6. Check the Require CIFS bookmark to home directory radio box to automatically allow access to users of this domain, and add the home directory path in the field provided.

7. Click Apply to update the configuration. Once the domain has been added, the domain displays in the table in the Domains screen.

LDAP Authentication

LDAP (Lightweight Directory Access Protocol) is a standard for querying and updating a directory. Since LDAP supports a multilevel hierarchy (for example, groups or organizational units), the SSL VPN Concentrator can query this information and provide specific group policies or bookmarks based on LDAP attributes. By configuring LDAP attributes, the SSL VPN Concentrator administrator can leverage the groups that have already been configured in an LDAP or Active Directory database, rather than manually recreating the same groups in the SSL VPN Concentrator. Once an LDAP authentication domain is created...
100. ...son object class but is not a member of the WINS Users group, Jane will be a member of the SSL VPN Concentrator Group1.

- But if the administrator manually adds the user Jane to the SSL VPN Concentrator Group2, then the LDAP attributes will be ignored and Jane will be a member of Group2.

Querying an LDAP Server

To query your LDAP or Active Directory server to find out the LDAP attributes of your users, you can use several different methods. From a machine with LDAPsearch tools (for example, a Linux machine with OpenLDAP installed), run the following command:

    ldapsearch -h 10.0.0.5 -x -D "cn=demo,cn=users,dc=netgear,dc=net" -w demo123 -b "dc=netgear,dc=net" > /tmp/file

where:

- 10.0.0.5 is the IP address of the LDAP or Active Directory server
- cn=demo,cn=users,dc=netgear,dc=net is the distinguished name of an LDAP user
- demo123 is the password for the user demo
- dc=netgear,dc=net is the base domain that you are querying
- > /tmp/file is optional and defines the file where the LDAP query results will be saved

For further information on querying an LDAP server from a Windows server, please see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/8196d68e-776a-4bbc-99a6-d8c19f36ded4.mspx

(Authenticating Users, page 3-8)

Configuring for LDAP Authentication

To configure LDAP authentication, click Add Dom...
101. ...t 1 and Ethernet Port 2 Interfaces

1. Enter the Ethernet Port 1 (SSL) IP address of your SSL VPN Concentrator. This address should be a unique address in the same subnet as the rest of your local network. The factory default is 192.168.1.1.

(Additional System Configuration, page 7-2)

[Figure 7-2: Network menu, Interfaces tab (radio buttons: Interfaces, Static Routes, Host Table, DNS Settings). Ethernet Port 1: IP Address 192.168.1.1, Subnet Mask 255.255.255.0. Ethernet Port 2: IP Address 10.0.0.1, Enable routing Mode checkbox, Subnet Mask 255.0.0.0. Default Gateway: Default Gateway Address; Interface ethernet2.]

2. Enter the Ethernet Port 1 subnet mask that has been configured for your network. The subnet mask value should be the same value as the subnet mask configured on your network computers. The factory default is 255.255.255.0. The subnet mask specifies the network number portion of an IP address.

3. Only if you plan to use two-port mode, enable routing mode by checking this checkbox. The second Ethernet port will be enabled.

Note: NETGEAR recommends one-port operation for most networks.

4. Enter a local or internal IP address of your ProSafe SSL VPN Concentrator 25. This address should be in a different subnet than the Ethernet Port 1 IP address. The default Ethernet Port 2 IP Address is 10.0.0.1.

(Additional System Configuration, page 7-3)
102. ...t 1 interface should be 10.0.0.X.

4. From the Interface menu (ethernet 1 or ethernet 2), select the Ethernet interface that should be used to connect to the gateway address.

5. Click Apply. The new static route is added to the Routes table.

Note: To add additional local subnets that can directly connect to the ProSafe SSL VPN Concentrator 25 device, define the Destination Network address, the Subnet Mask, and the Interface, but leave the Gateway Address field blank.

(Additional System Configuration, page 7-5)

[Figure 7-3: Network menu, Static Routes tab (radio buttons: Interfaces, Static Routes, Host Table, DNS Settings). Add Static Routes: Destination Network, Subnet Mask, Gateway Address, Interface (ethernet 1). Static Routes table (columns: Destination, Gateway, Interface).]

Network Host Table Settings

For the convenience of users, you can configure the SSL VPN Concentrator to translate host names or fully qualified domain names (FQDNs) to IP addresses. This function is configured in the Host Table menu.

Note: The SSL VPN Concentrator can act as a NetBIOS client to learn local network host names and their corresponding IP addresses.

To configure host resolution:

1. In the Network menu, check the Host Table radio button. The Network menu displays the Add Host fields and the Host Table.

2. In the IP Address field, enter the IP Address of the mac...
103. ...t enables a more direct level of network access than is possible from the browser alone. This chapter includes:

- Two Approaches for VPN
- SSL VPN Client Configuration
- Configuring Applications for Port Forwarding

Two Approaches for VPN

Two portal features allow direct VPN access to the corporate network. The SSL VPN Tunnel Client allows full network access, similar to an IPSec VPN connection. Port Forwarding allows direct network access for selected client-server applications.

When a remote user accesses the SSL VPN Portal, one of the listed options is to Establish an SSL VPN Tunnel. When this feature is selected, the SSL VPN Concentrator will install a small VPN Tunnel Client program on the user's PC that will allow the remote user to virtually join the corporate network. The VPN Tunnel Client provides a PPP (point-to-point) connection between the client and the SSL VPN Concentrator, and a virtual network interface is created on the user's PC. The SSL VPN Concentrator will assign the PC an IP address and DNS server IP addresses, allowing the remote PC to access network resources in the same manner as if it were connected directly to the corporate network.

Port Forwarding, like VPN Tunnel, is a web-based client that installs transparently and then creates a virtual, encrypted tunnel to the remote network. However, Port Forwarding differs from VPN Tunnel in several ways. For example, Port Forwarding:

- Only supports TCP connections n...
104. ...tal Layouts. The Portal Layouts screen displays.

2. In the Portal Layouts table, click the Portal Layout name you wish to duplicate. The Portal Layout screen of the selected Portal displays.

3. In the Portal Layout Name field, enter the new name. The new title is displayed at the top of the page. You can also modify any features of the new Portal.

4. Click Apply. A new portal is created with the same features as the existing portal and is displayed in the Portal Layouts table.

[Figure 5-6: Portal Layouts table (columns: Default, Layout Name, Portal URL). Rows: SSL-VPN, https://192.168.1.1; Netgear, https://192.168.1.1/portal... (Delete). Buttons: Submit, Add Layout.]

Note: The Available Terminal Services Applications displayed in the original Portal Layout page will apply to the new page if the Application and Path are the same. If the path is not the same when the new page is created, the Applications Services will no longer be available.

(Configuring the Remote Access Web Portal, page 5-8)

To modify the features of an existing portal:

1. Under the SSL VPN Portal menu on the left navigation pane, click Portal Layouts. The Portal Layouts screen displays.

2. In the Layout Name column, click the portal you want to edit. The Portal Layouts screen displays.

3. Enter a new Banner Title and Banner message, and check the Display banner message on login page...
105. ...te

[Figure 6-1: Configured Client Routes table (entry: 192.168.0.0 / 255.255.255.0, Delete)]

Adding Routes for VPN Tunnel Clients

The VPN Tunnel Clients assume that the following networks are located across the VPN-over-SSL tunnel:

- The subnet containing the client IP address (PPP interface), as determined by the class of the address (Class A, B, or C)
- Subnets specified in the Configured Client Routes table

(Configuring the SSL VPN Tunnel Client and Port Forwarding, page 6-4)

If the assigned client IP address range is in a different subnet than the corporate network, or if the corporate network has multiple subnets, you must define Client Routes.

To add an SSL VPN Tunnel client route:

1. Select the VPN Tunnel menu on the left navigation pane.

2. In the Destination Network field under the Add Routes for VPN Tunnel Clients section, enter the network address of a local area network or subnet. For example, enter 192.168.0.0.

3. Enter the subnet mask of the local area network in the Subnet Mask field.

4. Click Add Route. The client route appears in the Configured Client Routes table, as shown in the figure below.

Note: You must also add a static route on your corporate firewall or router that directs local traffic destined for the VPN Tunnel Client address range to the SSL VPN Concentrator.

5. Restart the SSL VPN Concentrator software if VPN Tunnel Clients are currently connected to the SSL VPN Concentrat...
106. ...tes (MB)

- The uptime: the length of time since the SSL VPN Concentrator has been rebooted
- The start time: the time and date when the SSL VPN Concentrator was last started
- The number of active users. The number of active users includes administrative users. Click View current users, or go to the Current Users page, to view the list of current users.
- The Ethernet Port 1 and Ethernet Port 2 IP addresses

(Monitoring and Logging, page 8-2)

Active Users

The Active Users screen displays the active users and administrators logged into the SSL VPN portal.

To view the Active Users log file: Click Active Users under the Monitoring menu in the left navigation pane.

[Figure 8-2: Active Users table (columns: Username, Group, IP Address, Login Time, Logout). Row: admin, geardomain, 192.168.1.10, Wed Dec 31 16:04:29 1969, Delete.]

The Active Users window displays the current users or administrators logged into the SSL VPN Portal or the SSL VPN Concentrator administrative interface. Each entry displays the name of the user, the group in which the user belongs, the IP address of the user, and a time stamp indicating when the user logged in. A user will continue to appear in the Active Users table until the user manually logs out of the SSL VPN Portal or until an inactivity timeout occurs. Consequently, some users may appear in the Active Users table for several minutes after they have...
107. ...ties

[Figure 7-6: Upload Software screen ("Browse and select the upgrade file from your hard disk": File field; Upload and Cancel buttons)]

3. Click Browse to locate the saved firmware file on your PC.

4. Select the file and then click Upload.

5. Once the file has been uploaded, restart the SSL VPN Concentrator server for the upgrade to be complete.

Additional Notes on the Management Interface

- Under SSL VPN Portal in the navigation menu, the Launch Portal option opens an SSL VPN portal window for users. This allows the administrator to view the portal as an end user will see it.
- In addition to the online help provided with each menu, you can access NETGEAR Web Support by clicking the KnowledgeBase link or the Documentation link under Web Support on the navigation menu.
- A Logout option at the bottom of the navigation menu terminates the management session and redisplays the Login window. If you click the Logout link, you must log in again in order to manage the SSL VPN Concentrator.
- If another administrator logs in to the SSL VPN Concentrator while you are logged in, you will be logged out.
- The SSL VPN Concentrator management interface also includes System status, event logging, and log settings configuration pages, described in Chapter 8, Monitoring and Logging.

(Additional System Configuration, page 7-14)

Chapter 8: Monitoring and Logging

This chapter describes the SSL VPN Concentrator status information, logging, aler...
108. ...ting, and reporting features. It describes:

- SSL VPN Concentrator Status
- Active Users
- Event Log
- Log Settings
- Diagnostics

SSL VPN Concentrator Status

The Status window shows important state and configuration information. Be sure to check the Status window for error messages and to confirm that the SSL VPN Concentrator is configured properly.

To view the SSL VPN Concentrator Status window: Select Status from under the Monitoring menu options in the left navigation pane. The Status screen will display.

Note: The status information will be unique depending upon the hardware and software configuration of the SSL VPN Concentrator server.

(page 8-1)

[Figure 8-1: Status screen. Note: You might need to refresh the page to get real-time updates. System Information: Version NETGEAR SSL312 SSL VPN 1.4.15; RAM 120768 kB; Memory Usage 35%; CPU Usage 95%; Free Space 8 MB disk space. System Activity: Uptime 0 Days 0 Hours 13 Minutes 53 Seconds; Start Time Wed Dec 31 16:00:00 1969; Active Users 1 (View current users); Ethernet Port1 IP 192.168.1.1; Ethernet Port2 IP 10.0.0.1.]

From the Status page you may view:

- The SSL VPN Concentrator software version
- The amount of RAM memory, in kilobytes (kB)
- The current memory usage, in percent
- The current CPU usage, in percent
- The available flash disk space, in MegaBy...
109. ...tm

(Related Documents, pages B-1 and B-2)

Index

Numerics
10.0.0.1 (Port 2 default) 7-3
192.168.1.1 (Port 1 default) 7-2

A
Active Directory 3-2, 3-10, 4-15
  synchronizing 3-12
  Windows server config 3-12
Active Users 8-2, 8-3
ActiveX web cache control 5-5
Add Bookmark 4-6
  user 4-19
Add Default Route 7-4
Add Domain 3-3
Add Group 4-7
Add Policy, user 4-18
Add User 4-14
Applications page, adding 5-6
Apply Policy To, user 4-18
Applying Policies 4-5
authentication
  Active Directory 3-10, 4-15
  internal database 4-15
  LDAP 3-6, 4-15
  local user database 3-2
  NT Domain 3-3, 4-15
  RADIUS 4-15
  user fields 4-16
authentication domains, creating 2-14
Authentication Type 3-3

B
Banner, customizing 5-7
Banner Message 5-4
Banner Title 5-4
Bookmark Name 4-6, 4-12, 4-19
Browser Requirements 2
browsers supported 2

C
Category 5 Ethernet cable 1-3
Certificate
  enable 2-12
  generate new 2-9
  generate new CSR 2-9, 2-10
  import 2-11
  upload 2-9, 2-11
Certificate file name 2-10, 2-11
Certificate Signing Request, see CSR
Certificates
  management of 2-9
  viewing current 2-13
CHAP 3-4
configuration files
  encrypting 7-10, 7-11
  exporting 7-10, 7-11
  importing 7-10, 7-12
  saving 7-11
configuration settings, restoring defaults 7-13
configuration zip file name 7-12

(Index-1) ...NETGE...
110. ...to a predefined network resource, select the name of the resource from the Defined Resource menu. For information about creating network resources, refer to Using Network Resource Objects to Simplify Policies on page 4-20.

- If your policy applies to a specific host, enter the IP address of the local host machine in the IP Address field.
- If your policy applies to a network, enter the network address in the Network Address field and the subnet mask in the Subnet Mask field.

4. From the Service pull-down menu, select the service type. If you are applying a policy to a network resource, the service type is defined in the network resource.

5. From the Status pull-down menu, select PERMIT or DENY to either permit or deny SSL VPN connections for the specified service and host machine.

(Setting Up User and Group Access Policies, page 4-18)

6. Click Apply to update the configuration. Once the configuration has been updated, the new policy appears in the Edit User Settings menu. The user policies will be displayed in the Edit User Settings screen, in the User Policies table, in order of priority from the highest priority policy to the lowest priority policy.

Defining and Editing User Bookmarks

To define user bookmarks:

1. In the Edit User Settings menu, click Add Bookmark. An Add Bookmark menu displays.

[Figure: Add Bookmark menu. Fields: Bookmark Name, Name or IP Addres...
111. ...topology, the Default Gateway for the ethernet 1 interface is your Internet Service Provider's gateway. The Default Gateway for the ethernet 2 interface is your corporate firewall. Click Apply.

4. Change the Ethernet port IP Addresses:

   a. Select the Network link.

   b. In the Network menu, click the Interfaces radio button.

   c. Enter your chosen Ethernet Port 1 IP Address and Subnet Mask.

   d. If you plan a single-arm topology, clear the Enable Routing Mode checkbox. If you plan a routing topology, check the Enable Routing Mode checkbox and enter your chosen Ethernet Port 2 IP Address and Subnet Mask.

   e. Click Apply. If you changed the IP address for the Ethernet Port to which you are connected, you will now lose your connection to the SSL VPN Concentrator.

(Installing the SSL312, page 2-7)

Installing the SSL VPN Concentrator

You are now ready to physically install your SSL VPN Concentrator using the following steps:

1. Turn off the power to the SSL VPN Concentrator and connect it to your network in your chosen topology.

   - For a single-arm topology, connect Ethernet Port 1 to your corporate network and leave Ethernet Port 2 disconnected.
   - For a routing topology, connect Ethernet Port 1 to your public network and Ethernet Port 2 to your corporate network.

2. Turn on the power to the SSL VPN Concentrator.

3. From a PC on your corporate network, ope...
112. ...u and click Find.

To filter messages:

1. Enter the term to be filtered in the Search field.

2. Select the event category from the pull-down menu and click Exclude.

To reset the search results and display all log messages, click Reset.

Note: The Find and Exclude search tools are both case sensitive.

By default, 50 messages are displayed per page. If more than 50 events have been logged, then a Page number menu will be displayed at the top of the event log table. Select the desired page number from the Page menu to see archived log messages.

On the Log Settings page, you can configure the type of messages, such as warning and alert messages, that will be displayed in the event log. You can also configure log rotate features on the Log Settings page, which will determine when to clear the log files.

Log Settings

The SSL VPN Concentrator supports web-based logging, syslog logging, and e-mail alert messages. In addition, the SSL VPN Concentrator may be configured to e-mail the event log file to the SSL VPN Concentrator administrator before the log file is cleared. Syslog is an industry-standard logging protocol that records system and networking activity. The SSL VPN Concentrator syslog messages are sent in WELF (WebTrends Enhanced Log Format),

(Monitoring and Logging, page 8-5)

so most standard firewall and networking reporting products can accept and int...
113. ...ugh the policy engine.

- If your policy applies to a predefined network resource, select the name of the resource from the Defined Resource menu. For information about creating network resources, refer to Using Network Resource Objects to Simplify Policies on page 4-20.
- If your policy applies to a specific host, enter the IP address of the local host machine in the IP Address field.
- If your policy applies to a network, enter the network address in the Network Address field and the subnet mask in the Subnet Mask field.

(Setting Up User and Group Access Policies, page 4-5)

4. From the Service pull-down menu, select the service type. If you are applying a policy to a network resource, the service type is defined in the network resource.

5. From the Status pull-down menu, select PERMIT or DENY to either permit or deny SSL VPN connections for the specified service and host machine.

6. Click Apply to update the configuration. Once the configuration has been updated, the new policy appears in the Global Policies table on the Global Settings screen. The Global Policies will be displayed in order of priority from the highest priority policy to the lowest priority policy.

Defining and Editing Global Bookmarks

To define global bookmarks:

1. In the Global Bookmarks section, click Add Bookmark. An Add Bookmark window displays.

[Figure: Add Bookmark window. Fields: B...
114. ...ured to use RADIUS, LDAP, NT Domain, or Active Directory authentication do not require passwords, because the external authentication server will validate user names and passwords. It is only necessary to enter RADIUS, LDAP, NT, and Active Directory user names if you wish to define specific policies or bookmarks per user. If users are not defined in the SSL VPN Concentrator, then global policies and bookmarks will apply to users authenticating to an external authentication server.

If the selected group is in a domain that uses internal database authentication, such as the default geardomain domain, then the following window displays:

[Figure 4-12: Add User window. Fields: Password, Confirm Password, User Type (User).]

5. In the Password field, enter the user's password.

6. In the Confirm Password field, re-enter the password.

Note: Both the user name and password are case sensitive.

7. From the User Type pull-down menu, select the user type, either User or Administrator.

8. Click Apply to update the configuration. Once the user has been added, the new user appears in the table in the Users and Groups menu.

(Setting Up User and Group Access Policies, page 4-15)

[Figure: Users and Groups screen. Global Policies: Edit Global Policies. Groups table (columns: Name, Domain): Group1, geardomain (Delete); geardomain, geardomain. Add Grou...
115. ...ut only affects the look and feel of the portal, but it does not prevent users from accessing hidden sites.

4. In the Utilities Page Available Services section, select the services that users should be able to access. Only the corresponding service icons will be visible on the Services page.

5. In the Remote Access Page Available Remote Desktop Clients section, select the desktop clients that users should be able to access. Only the corresponding service icons will be visible on the My Desktop page.

(Configuring the Remote Access Web Portal, page 5-5)

6. Click Apply to confirm your settings.

Note: An administrator can customize the portal layout by uploading a .gif file for the banner image. However, the custom banner can be uploaded only after adding the portal.

Adding Terminal Services Applications to the Portal

If you selected the option Applications page in the SSL VPN Portal Pages to Display section, then the Portal Layout screen will expand to include an Applications Page Available Terminal Services Applications section. You can now add Terminal Services application icons to display in the Applications page.

[Figure: Applications Page Available Terminal Services Applications table (columns: Description (Optional), Host Address, Icon Image). Rows: Word (Delete); PowerPoint (Delete). Add a Terminal Services Application: Application and P...
116. ...viewing opens in a browser window. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com. Click the print icon in the upper left of the window.

Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.

- Printing the Full Manual. Use the Complete PDF Manual link at the top left of any page. Click the Complete PDF Manual link at the top left of any page in the manual. The PDF version of the complete manual opens in a browser window. Click the print icon in the upper left of the window.

Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.

(About This Manual, page xi)

Revision History

Version | Date | Description of Changes
01 v1.1 | November 2006 | Restructured the contents so that common setup and configuration tasks are easier to find. Added new topics. Added a link to a Microsoft Word template for creating an end user guide.
02 v1.0 | December 2006 | Refined Portal layout behavior. Added Full Tunnel Support for VPN Tunnels.

Remaining rows (only the version and date cells survive): 02 v1.1; 04 v2.0; April 2007; May...
117. ...y that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

FCC Statement

This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions:

- This device may not cause harmful interference.
- This device must accept any interference received, including interference that may cause undesired operation.

FCC Requirements for Operation in the United States

Radio Frequency Interference Warnings & Instructions

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to...
118. ...your users are unable to connect via Active Directory, verify the following:

1. The time settings between the Active Directory server and the SSL VPN Concentrator must be synchronized. Kerberos authentication, used by Active Directory to authenticate clients, permits a maximum of a 15-minute time difference between the Windows server and the client (the SSL VPN Concentrator). The easiest way to solve this issue is to configure Network Time Protocol on the Date and Time screen and check that the server's time settings are also correct.

2. Confirm that your Windows server is configured for Active Directory authentication. If you are using a Windows NT 4.0 server, then your server only supports NT Domain authentication. Typically, Windows 2000 and 2003 servers are also configured for NT Domain authentication to support legacy Windows clients.

Kerberos Authentication

Of all types of authentication, Kerberos authentication is the least error-prone. Users that have been defined in the Kerberos database can log into the SSL VPN portal by entering their Kerberos user name and password and selecting the new Kerberos authentication domain from the Domain menu on the SSL VPN login page.

To configure Kerberos authentication:

1. From the Access Administration menu, select Domains. The Domains window will display. Click Add Domains.

2. On the Add New Domain screen, select Kerberos from the Authentication Type drop-down menu. The Kerberos configuration...