|
Configure SSL VPN in Cyberoam
Posted by Julius Montealegre on 24 June 2010 04:06 PM
|
Configure SSL VPN in Cyberoam
SSL (Secure Socket Layer) VPN provides simple-to-use and implement secure access for the remote users. It allows access to the corporate network
from anywhere, anytime and provides the ability to create point-to-point encrypted tunnels between remote user and company’s internal network,
requiring combination of SSL certificates and a username/password for authentication to enable access to the internal resources.
Depending on the access requirement, remote users can access corporate network through SSL VPN Client or End user Web Portal (clientless access).
This document describes procedure to configure SSL VPN in Cyberoam:
Network Diagram
Configuration Table
|
Configuration Parameter
|
Value
|
|
Cyberoam WAN IP
|
203.10.10.100
|
|
Cyberoam LAN IP
|
172.16.16.0/24
|
|
Intranet Server IP
|
172.16.16.1
|
|
Web Server IP
|
172.16.16.2
|
|
IP Range Leased to user after successful connection through SSL VPN
|
10.1.1.1 to 10.1.1.254
|
Following are the steps to configure SSL VPN in Cyberoam.
1. Global Configuration
2. Access Resource Configuration
3. Policy Configuration
4. Portal Settings
5. SSL-VPN Client Installation for Full Access Mode
Step 1: Global Configuration
a. Create Certificate Authority
1. Go to Systemà Certificate Managementà Manage Certificate Authority
2. Click Default certificate authority.
3. Update certificate authority as per following screen shot.
4. Click Re-Generate
If the customer is using an external certificate authority, then upload the external certificate authority as follows:
Go to Systemà Certificate Managementà Upload CA.
b. Create Local Certificate
1. Go to System à Certificate Managementà New Certificate
2. Check option to Generate Self Signed Certificate
3. Generate local certificate with following values:
|
Parameter
|
Value
|
|
Action
|
Generate Self Signed Certificate
|
|
Certificate Name
|
Certificate_1
|
|
Valid upto
|
Jul 30, 2010 ( change the date from given calendar, if required)
|
|
Key length
|
1024 (change Key length from the drop down, if required)
|
|
Password
|
Specify password (at least 10 characters long)
|
|
Confirm Password
|
Re-enter the password for confirmation. Password is case sensitive.
|
|
Certificate ID
|
E-mail: cyber@cyberoam.com
|
4. Click Generate
c. Configure SSL Global Parameters
1. Go to SSL VPNà Global settings
2. Configure global settings with following values:
|
Parameter
|
Value
|
|
Global Settings
|
|
Protocol
|
TCP
|
|
Port
|
8443
|
|
SSL Server Certificate
|
Certificate_1(created in Step 1.b)
|
|
SSL Client Certificate
|
Certificate_1(created in Step 1.b)
|
|
Full Access Settings
|
|
IP Lease Range
|
10.1.1.1-10.1.1.254
|
|
Subnet Mask
|
255.255.255.0
|
|
Primary DNS
|
4.2.2.2 (change, if required)
|
|
Secondary DNS
|
203.1.3.194(change, if required)
|
|
Primary WINS
|
Specify IP address of primary WINS, if required
|
|
Secondary WINS
|
Specify IP address of primary WINS, if required
|
|
Enable DPD
|
Select option to detect dead peers.
- Check Peer after every: 60 seconds (change, if required)
- Disconnect after:300 seconds(change, if required)
|
|
Idle Time Out
|
10 Minutes (change, if required)
|
|
Web Access Settings
|
|
Idle Time Out
|
10 Minutes(change, if required)
|
Step 2: Access Resource Configuration
Cyberoam SSL VPN can be configured in two modes.
* Full Access Mode :
Full Access mode provides access to the corporate network with the help of SSL VPN client. Remote user has to download and install SSL VPN client
from end user web portal.
* Web Access Mode
Web Access mode provides access of corporate network through web browser only.
Full Access Mode Pre-Requisite:
Add Hosts/Networks
Host and networks are internal corporate resources, which are available to a remote user in Full Access mode while bookmark is a URL which
remote user can access in Web access mode.
Full Access mode supports two tunnel types
* Split tunnel : In split tunnel mode, only the traffic for the private network is tunneled and encrypted
* Full tunnel: In full tunnel mode, private network traffic as well as other Internet traffic is also tunneled and encrypted.
In case of split tunnel, you need to add host and networks in Cyberoam.
To add Host
1. Go to Firewall à Host à Add
2. Add host with following values:
|
Parameter
|
Value
|
|
Host Name
|
Host_1
|
|
Host Type
|
IP/Subnet (change host type to Range, IP List, MAC Address, MAC List , if required)
|
|
Network
|
172.16.16.1/255.255.255.255
|
|
Select Host Group
|
host_grout_1
|
3. Click Create to add new host
Web Access Mode Pre-Requisite
Create Bookmarks/ Bookmark Groups
Bookmark is a URL which remote user can access in Web access mode and a bookmark group is a logical grouping of several bookmarks
based on user’s access requirements.
To create Book Mark
1. Go to SSL VPNà Bookmarkà Add Bookmark.
2. Add bookmark with following values:
|
Parameter
|
Value
|
|
Bookmark Name
|
SSLVPN_1
|
|
Type
|
HTTP (change to HTTPS, as per requirement)
|
|
URL
|
http://msn.com
|
|
Description
|
Description of bookmark, if required
|
3. Click Create to add new bookmark
To create Bookmark Group
1. Go to SSL VPNà Bookmarkà Add Bookmark Group
2. Create a Bookmark Group with following values
|
Parameter
|
Value
|
|
Bookmark Group Name
|
BMG_1
|
|
Description
|
Description of bookmark group, if required
|
|
Select Bookmark
|
SSLVPN_1 (created in above step)
|
3. Click Create to add a new bookmark group
Step 3: Policy Configuration
To create policy for SSL VPN
1. Go to SSL VPN à SSL VPN Policyà Add SSL VPN Policy
2. Configure SSL VPN policy using following values:
|
Parameter
|
Value
|
|
SSL VPN Settings
|
|
Name
|
SSL_VPN_1
|
|
Description
|
Description of SSL VPN policy, if required
|
|
Access Mode
|
- Full Access Mode
- Web Access Mode
|
|
Full Access Settings
|
|
Tunnel Type
|
Split Tunnel
|
|
Accessible Resources
|
172.16.16.1 (host created in Step 2)
|
|
DPD Settings
|
Use Global Settings ( change, if required)
|
|
Idle Time out
|
Use Global Settings ( change, if required)
|
|
Web Access Settings
|
|
Accessible Resources
|
- Click “Enable Custom URL Access” to enable the access to the custom URLs not defined as Bookmarks.
- BMG_1 (Bookmarks Group created in Step 2)
|
|
Idle Time out
|
Use Global Settings ( change, if required)
|
Step 4: Portal Settings
To customize SSL VPN Web Access portal view
1. Go to SSL VPN à Portal Settings
2. In General Settings select your logo or keep it as default
3. Enter Window title, login page message and home page message.
4. Select appropriate color scheme from Color Scheme section
5. Click Save to save to the changes
Step 5: SSL-VPN Client Installation for Full Access Mode
1. Browse https://WANIPaddressofcyberoam:8443. Port number will be changed as per Step 1.c configuration
2. Logon to SSL VPN portal with the help of username and password of SSL VPN policy member
3. Portal home page for Web Access mode will display list of available bookmarks
4. Portal home page for Full Access mode will display option to download SSL VPN client.
5. Click Download SSL VPN Client to download and install SSL VPN client
6. Click Download SSL VPN Client Configuration todownload configuration of SSL VPN client.
7. Right click on the CRSSL VPN icon on the system tray and import the configuration
8. Login to CRSSL VPN Client
|
 (5 vote(s)) Helpful  Not helpful
|
