NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA 202-10208-04 May 2007 v2.
© 2007 by NETGEAR, Inc. All rights reserved. Technical Support Please register to obtain technical support. Please retain your proof of purchase and warranty information. To register your product, get product support or obtain product information and product documentation, go to http://www.NETGEAR.com. If you do not have access to the World Wide Web, you may register your product by filling out the registration card and mailing it to NETGEAR customer service.
EU Regulatory Compliance Statement ProSafe SSL VPN Concentrator 25 is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950. Certificate of the Manufacturer/Importer It is hereby certified that the ProSafe SSL VPN Concentrator 25 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992.
Product and Publication Details
Model Number: SSL312
Publication Date: May 2007
Product Family: Concentrator
Product Name: ProSafe SSL VPN Concentrator 25
Home or Business Product: Business
Language: English
Publication Part Number: 202-10208-04
Publication Version Number: 2.0
Contents
About This Manual
Conventions, Formats and Scope (page ix)
Using This Manual (page x)
Printing this Manual (page x)
Revision History

Steps for Further Configuration (page 2-14)
Chapter 3 Authenticating Users
Authentication Domains (page 3-1)
Local User Database Authentication (page 3-2)
RADIUS and NT Domain Authentication

Editing a User (page 4-16)
Defining and Editing User Policies (page 4-18)
Defining and Editing a User Bookmarks (page 4-19)
Deleting a User

Erasing the Configuration and Restoring the Default Settings (page 7-13)
Upgrading the SSL VPN Concentrator Firmware (page 7-13)
Additional Notes on the Management Interface (page 7-14)
Chapter 8 Monitoring and Logging
SSL VPN Concentrator Status (page 8-1)
Active Users
About This Manual
The NETGEAR® ProSafe™ SSL VPN Concentrator 25 SSL312 Reference Manual describes how to install and configure the SSL312. The information in this manual is intended for administrators who will configure the SSL312. You should have intermediate computer and Internet skills.

Conventions, Formats and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs:
• Typographical Conventions.

Danger: This is a safety warning. Failure to take heed of this notice could result in personal injury or death.
• Scope.

Each page in the HTML version of the manual is dedicated to a major topic. Use the Print button on the browser toolbar to print the page contents.
• Printing a Chapter. Use the PDF of This Chapter link at the top left of any page.
– Click the PDF of This Chapter link at the top right of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window.

Revision History
Version -01, v1.1 (November 2006):
• Restructured the contents so that common setup and configuration tasks are easier to find
• Added new topics
• Added a link to a Microsoft Word template for creating an end-user guide
Version -02, v1.0 (December 2006):
• Refined Portal layout behavior
• Added Full Tunnel Support for VPN Tunnels
-02,v1.
Chapter 1 Introduction
This chapter describes some of the key features of the NETGEAR® ProSafe™ SSL VPN Concentrator 25 SSL312. It also includes the minimum prerequisites for installation (“Web Browser Requirements” on page 1-2), package contents (“What’s in the Box” on page 1-3), and a description of the front and back panels of the SSL312 (“Hardware Description” on page 1-3).

• Supports multiple user authentications, including local database, Microsoft Active Directory, LDAP, NT Domain and RADIUS.
• Provides client-less access with customizable user portals and support for a wide variety of user repositories.

End Users can use Microsoft Internet Explorer 5.1 or higher, Apple Safari 1.2 or higher or Mozilla Firefox 1.x (for VPN tunnel, VNC, Network Places and Utilities). The browsers should also support JavaScript, Java, cookies, SSL and ActiveX to take advantage of the full suite of applications.

1. LED Power Indicator:
• Off – No power
• On – Power is on.
2. LED Self test Indicator.
• Self test – on while initializing. (~2 minutes)
• Loading Software – blinking while uploading software
• System fault – on (prolonged)
This LED will blink for 1-2 minutes before going off.
3. Two 10/100M Ethernet ports:
• A solid green LED indicates a connectivity link has been established on either the 10M or 100M interface.

Steps for Deploying the SSL312
Three basic steps are involved in deploying the ProSafe SSL VPN Concentrator 25 in your network.
• Installing the SSL312: choosing a network topology, configuring its IP addressing scheme, connecting the SSL312, and provisioning the SSL certificate. Refer to Chapter 2, “Installing the SSL312”.
Chapter 2 Installing the SSL312
This chapter describes how to install the ProSafe SSL VPN Concentrator 25 SSL312. The installation includes choosing a network topology, configuring the IP addressing scheme, connecting the SSL312, and provisioning the SSL certificate.

Choosing a Network Topology
The physical connection of the SSL VPN Concentrator to your network is determined by the network topology you choose.

Figure 2-1 (diagram labels: Corporate Server IP Address 192.168.1.3; Firewall/Router IP Address 192.168.1.254; LAN Subnet 192.168.1.0/24; SSL312 IP Address 192.168.1.1)
Single arm mode has the advantage of being protected by your firewall. In later steps, you will use the following settings when configuring for single arm operation.
• Assign Ethernet Port 1 an IP address on your local network.
• Disable Ethernet Port 2.
• Disable Routing Mode.

authorized for that user. The user’s subsequent requests for network services are decrypted by the SSL VPN Concentrator and relayed to the appropriate network servers on the corporate network.
Figure 2-1 (diagram labels: 10.0.0.10; 10.0.0.254; 10.0.0.20; 66.123.4.80; 10.0.0.1; SSL312; Red = Public (untrusted); Green = Local (trusted))
Routing mode has the advantage of unloading SSL traffic from your firewall.
1. Prepare a PC with an Ethernet adapter. If this PC is already part of your network, record its TCP/IP configuration settings so that you can restore them later.
2. Configure your PC with a static IP address of 192.168.1.10 and 255.255.255.0 as the subnet mask.
3. Connect an Ethernet cable from your computer to Ethernet Port 1 on the front of the SSL VPN Concentrator.
4.

2. A certificate security warning may appear. Click Yes or OK to continue. A login screen with User Name and Password dialog boxes displays.
Figure 2-3
3. When prompted, enter admin for the User Name and password for the Password, both in lower case letters.
Note: Both the user name and password are case-sensitive.
4. From the Domain drop-down menu, select geardomain.
5.

Figure 2-4

Configuring Basic Network Settings
Before deploying the SSL VPN Concentrator into your existing network, you should configure the following basic settings:
• Change the administrator password
• Configure DNS server IP address
• Configure a default route
• Configure Ethernet interface IP addresses

To prepare for installation:
1. Change the administrator account password.
a. On the left side of the browser window, select the Users and Groups link.
b. In the Users table, click on admin.
c. Type your new Password and re-type to Confirm Password.
d. Click Apply.
2. Configure the DNS server IP address.
a. On the left side of the browser window, select the Network link.
b. In the Network menu, click the DNS Settings radio button.
c.
Installing the SSL VPN Concentrator
You are now ready to physically install your SSL VPN Concentrator using the following steps:
1. Turn off the power to the SSL VPN Concentrator and connect it to your network in your chosen topology.
• For a single arm topology, connect Ethernet Port 1 to your corporate network and leave Ethernet Port 2 disconnected.

strong assurance of the server’s identity. A self-signed certificate will trigger a warning from most browsers as it provides no protection against identity theft of the server. Your SSL VPN Concentrator contains a self-signed certificate from NETGEAR. NETGEAR recommends that you replace this certificate prior to deploying the SSL VPN Concentrator in your network.

3. Fill out all of the fields with the appropriate information. This information will appear in your certificate and will be visible to users.
Figure 2-6
4. Click Apply. A file download screen will display. Click Save to save the CSR.ZIP file to a disk location. You will need to provide this file to the Certificate Authority.
5. Contact the CA to purchase your certificate using the CSR file you generated.
6.

2. In the Digital Certificate Management section, click New CSR/CRT. The Create CSR screen will display.
3. Fill out all of the fields with the appropriate information. This information will appear in your certificate and will be visible to users.
4. Check the Generate a Self-signed Certificate checkbox to generate a new CRT.
5. Click Apply. If all information is entered correctly, a file download screen displays. Click Save to save the crt.

Figure 2-7
4. Click the Enable link adjacent to the new certificate. The Enable Certificate screen displays.
Figure 2-8

5. Enter the Certificate Password and click Enable. The SSL VPN Concentrator software will restart using the new certificate.
Note: The file server.key contains your SSL VPN Concentrator’s private encryption key, which is used to decrypt messages. It is extremely important that you safeguard this file.

Viewing and Deleting Certificates
The Current Certificates table lists the valid SSL certificates.

Steps for Further Configuration
The next steps in configuring the SSL VPN Concentrator are:
• Create authentication domains (Chapter 3, “Authenticating Users”).
• Define user and group settings (Chapter 4, “Setting Up User and Group Access Policies”).
Chapter 3 Authenticating Users
Remote users connecting to the SSL VPN Concentrator must be authenticated before being allowed to access the network. The login window presented to the user requires three items: a User Name, a Password, and a Domain selection. The Domain determines the authentication method to be used and the portal layout that will be presented. This chapter explains how to define authentication domains.

Figure 3-1
All of the configured domains will be listed in the table in the Domains window. The domains are listed in the order in which they were created. By default, the geardomain authentication domain is already defined, using the SSL VPN Concentrator’s local internal user database for user authentication.

1. In the Domains menu, click Add Domain. An Add Domain window similar to the following displays.
Figure 3-2
2. From the Authentication Type pull-down menu, select Local User Database.
3. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name users will select in order to log into the SSL VPN portal.
4. In the Portal Layout Name pull-down menu, select the name of the layout.
For example, if you create a RADIUS domain in the SSL VPN Concentrator called “Miami RADIUS server”, you can add users to groups that are members of the “Miami RADIUS server” domain. These user names must match the names configured in the RADIUS server. Then, when users log in to the portal, policies, bookmarks and other user settings will apply to the users.

6. From the Portal Layout Name drop-down menu, select the name of the layout. The default layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.
7. Click Apply to update the configuration. Once the domain has been added, the domain displays in the table on the Domains screen.

Configuring for NT Domain Authentication
To configure NT Domain authentication, click Add Domain. An Add Domain window displays.

2. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name selected by users when they authenticate to the SSL VPN portal. It may be the same value as the NT Domain Name.
3. In the NT Server Address field, enter the IP address or host and domain name of the server.
4. In the NT Domain Name field, enter the NT authentication domain.
For an LDAP group, you can define LDAP attributes. For example, you can specify that users in an LDAP group must be members of a certain group or organizational unit defined on the LDAP server. Or you can specify a unique LDAP distinguished name.
Note: The Microsoft Active Directory database uses an LDAP organization schema.

Sample LDAP Users and Attributes Settings
If you manually add a user to an LDAP group, then the user setting will take precedence over LDAP attributes. For example: An LDAP attribute objectClass=Person is defined for group Group1 and an LDAP attribute memberOf=CN=WINSUsers,DC=netgear,DC=net is defined for Group2.
Configuring for LDAP Authentication
To configure LDAP authentication, click Add Domain. An Add Domain window displays. In the Add Domain window:
1. From the Authentication Type menu, select LDAP. The Add Domain Window displays the fields for a domain with LDAP authentication:
Figure 3-5
2. In the Domain Name field, enter a descriptive name for the authentication domain.

5. From the Portal Layout Name drop-down menu, select the name of the layout. The default layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.
6. Click Apply to update the configuration. Once the domain has been added, the domain displays in the table on the Domains screen.

2. From the Authentication Type menu, select Active Directory. Fields for Active Directory configuration display:
Figure 3-6
3. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name users will select in order to log into the SSL VPN portal. It can be the same value as the Server Address field or the Active Directory Domain field depending on your network configuration.
4.

7. Check the Require CIFS bookmark to home directory radio box to automatically allow access to users of this domain and add the home directory path in the field provided.
8. Click Apply to update the configuration. Once the domain has been added, the domain displays in the table on the Domains screen.

Troubleshooting Active Directory Authentication
If your users are unable to connect via Active Directory, verify the following:
1.

5. Enter the Kerberos domain name in the Kerberos Domain field.
6. Enter the name of the layout in the Portal Layout Name field. The default layout is SSL-VPN. (Additional layouts may be defined from the SSL VPN Portal > Portal Layouts screen.)
Note: If you selected a portal layout other than SSL-VPN, then the domain will not be displayed on the default login page. Users will need to log in at https:///portal/.
7.
Chapter 4 Setting Up User and Group Access Policies
This chapter describes how to define users and groups and how to configure SSL VPN Concentrator access policies and bookmarks for the users and groups.

• To create complex policies involving groups of host names, IP addresses or IP address ranges, you can define these groups as network objects using Network Resources as described in “Using Network Resource Objects to Simplify Policies” on page 4-20.
• To present different portal content to different users (for example, external suppliers), create the new portal layout, then add a new domain, selecting the new portal layout.

• An FTP server at 10.0.1.5, the user would be blocked by Policy 2.
• An FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range 10.0.0.5 - 10.0.0.20 is more specific than the IP address range defined in Policy 1.
• An FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range configured in Policy 2.
Editing Global Policy Settings
To edit global settings:
1. In the Global Policies table, click the Edit Global Policies link. The Global Settings screen displays.
Figure 4-2
2. In the Inactivity Timeout field, enter the number of minutes of inactivity to allow.
3. Click Apply to save the configuration changes.
You can set the inactivity timeout at the user, group and global level.

Adding and Editing Global Policies
To define global access policies:
1. In the Global Policies section, click Add Policy. An Add Policy window displays.
Note: User and group access policies will take precedence over global policies.
Figure 4-3
2. From the Apply Policy To pull-down menu, select whether the policy will be applied to a predefined network resource, an individual host, a network, or all addresses.
3.

4. From the Service pull-down menu, select the service type. If you are applying a policy to a network resource, the service type is defined in the network resource.
5. From the Status pull-down menu, select PERMIT or DENY to either permit or deny SSL VPN connections for the specified service and host machine.
6. Click Apply to update the configuration.
Groups Configuration
When configuring Groups, remember that user policies take precedence over all group policies and group policies take precedence over all global policies, regardless of the policy definition. (A user policy that allows access to all IP addresses will take precedence over a group policy that denies access to a single IP address). SSL VPN Concentrator Groups are also defined from the Users and Groups menu.

Figure 4-6
2. In the Group Name field, enter a descriptive name for the group.
3. In the Domain menu, select the appropriate domain. The domain will determine the authentication method for the group.
4. Click Apply to update the configuration. Once the group has been added, the new group appears in the Groups table on the User and Groups menu.
All of the configured groups are displayed in the table in the Users and Groups menu.

Figure 4-7
You can set the inactivity timeout at the user, group and global level. Set the timeout as 0 in the user and group configuration to use the global timeout setting. If multiple timeout settings are configured, the user timeout setting will take precedence over the group timeout and the group timeout will take precedence over the global timeout.

addresses. If two policies apply to a single IP address, then a policy for a specific service (for example RDP) will take precedence over a policy that applies to all services.
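The precedence rules described in this chapter (user over group over global, then the more specific address, then a specific service over all services) can be modelled as follows. This is an added example, not NETGEAR code: the Policy 1 and Policy 2 ranges and the 10.0.1.3 address for ftp.company.com are constructed to be consistent with the outcomes stated above, and both the ordering of the address and service tie-breakers and the `None` result when nothing matches are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

LEVEL_RANK = {"user": 0, "group": 1, "global": 2}  # lower rank wins outright
ALL_SERVICES = "ALL"


@dataclass(frozen=True)
class Target:
    """A host name, a single IP, an inclusive IP range, or (all None) all addresses."""
    name: Optional[str] = None
    first: Optional[str] = None
    last: Optional[str] = None

    def size(self) -> int:
        # Number of addresses covered; a smaller target is "more specific".
        if self.name is not None:
            return 1
        if self.first is None:
            return 2 ** 32
        lo = int(ipaddress.IPv4Address(self.first))
        hi = int(ipaddress.IPv4Address(self.last or self.first))
        return hi - lo + 1

    def matches(self, ip: Optional[str], host: Optional[str]) -> bool:
        if self.name is not None:
            return host is not None and host.lower() == self.name.lower()
        if self.first is None:
            return True
        if ip is None:
            return False
        lo = ipaddress.IPv4Address(self.first)
        hi = ipaddress.IPv4Address(self.last or self.first)
        return lo <= ipaddress.IPv4Address(ip) <= hi


@dataclass(frozen=True)
class Policy:
    name: str
    level: str            # "user", "group" or "global"
    action: str           # "PERMIT" or "DENY"
    service: str          # a service name such as "FTP", or ALL_SERVICES
    targets: Tuple[Target, ...]


def decide(policies, service, ip=None, host=None):
    """Return (action, policy name) of the winning policy, or None if none applies."""
    best = None
    for index, policy in enumerate(policies):
        if policy.service not in (ALL_SERVICES, service):
            continue
        for target in policy.targets:
            if not target.matches(ip, host):
                continue
            # Assumed ordering: level, then address specificity, then service
            # specificity; list position breaks any remaining tie.
            key = (LEVEL_RANK[policy.level], target.size(),
                   0 if policy.service != ALL_SERVICES else 1, index)
            if best is None or key < best[0]:
                best = (key, policy)
    return None if best is None else (best[1].action, best[1].name)


# Constructed policy sets (sample data, not taken from a device).
FTP_POLICIES = [
    Policy("Policy 1", "global", "DENY", ALL_SERVICES,
           (Target(first="10.0.0.0", last="10.0.0.255"),)),
    Policy("Policy 2", "global", "DENY", "FTP",
           (Target(first="10.0.1.2", last="10.0.1.10"),)),
    Policy("Policy 3", "global", "PERMIT", "FTP",
           (Target(first="10.0.0.5", last="10.0.0.20"),
            Target(name="ftp.company.com"))),
]
LEVEL_POLICIES = [
    Policy("group-deny-host", "group", "DENY", ALL_SERVICES,
           (Target(first="10.0.0.7"),)),
    Policy("user-permit-all", "user", "PERMIT", ALL_SERVICES, (Target(),)),
]
SERVICE_POLICIES = [
    Policy("deny-all-services", "group", "DENY", ALL_SERVICES,
           (Target(first="10.0.0.30"),)),
    Policy("permit-rdp", "group", "PERMIT", "RDP",
           (Target(first="10.0.0.30"),)),
]

if __name__ == "__main__":
    print(decide(FTP_POLICIES, "FTP", ip="10.0.1.5"))
    print(decide(FTP_POLICIES, "FTP", ip="10.0.0.10"))
    print(decide(FTP_POLICIES, "FTP", ip="10.0.1.3", host="ftp.company.com"))
    print(decide(LEVEL_POLICIES, "FTP", ip="10.0.0.7"))
    print(decide(SERVICE_POLICIES, "RDP", ip="10.0.0.30"))
```

The `LEVEL_POLICIES` case is the one to audit for: a broad user-level PERMIT overrides a narrower group-level DENY because the level is compared before specificity.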
• If your policy applies to a specific host, enter the IP address of the local host machine in the IP Address field.
• If your policy applies to a network, enter the network address and subnet bit mask (0-32) in the Network and Subnet Mask fields.
5. In the Service pull-down menu, select the service type. If you are applying a policy to a network resource, the service type is defined in the Defined Resource field.

Figure 4-9
2. In the Bookmark Name field, enter a descriptive name.
3. In the Name or IP Address field, enter the domain name or the IP address of a host machine on the LAN.
4. From the Service pull-down menu, select the service type.
5. If Terminal Services (RDP) is selected, select the screen size that the bookmark will use from the Screen Size drop-down menu.
6. Click Apply to update the configuration.

2. In the Group Settings window, click Delete Group. The Users and Groups menu displays and the deleted group no longer appears in the list of defined groups.
Note: A group cannot be deleted if users have been added to the group or if the group is the default group created for an authentication domain.
You can also delete a group by clicking its Delete link.
Note: The default group “geardomain” cannot be deleted.
Figure 4-10

Adding a New User
To create a new user:
1. In the Users and Groups menu, click Add User. An Add User menu displays.
Figure 4-11
2. In the User Name field, enter the user name for the user. This is the name the user will enter in order to log into the SSL VPN portal.
3. From the Group pull-down menu, select the name of the group to which the user belongs.

4. Click Apply. If the selected group is in a domain that uses external authentication, such as Active Directory, RADIUS, NT Domain or LDAP, then the Add User menu will close and the new user will be added to the Users and Groups table.
Note: Groups configured to use Radius, LDAP, NT Domain or Active Directory authentication do not require passwords because the external authentication server will validate user names and passwords.

Figure 4-13

Editing a User
To edit a user:
1. In the Users table in the Users and Groups menu, click the name of the user. The User Settings menu displays as shown in Figure 4-14.
• The Edit User Settings section shows the User Name, Group Name, and Domain Name. These fields are not configurable. To modify information supplied in these fields, remove the user by clicking Delete User and then recreate the user with the correct information.

Figure 4-14
2. To modify the user password, enter the new user password in the Password field.
3. In the Confirm Password field, enter the new password again.
4. Click Apply to update the configuration.
To change the user inactivity timeout:
1. In the Inactivity Timeout field, enter the number of minutes of inactivity to allow.
2. Click Apply to save the configuration changes.
Defining and Editing User Policies
To define user access policies:
1. On the Edit User Settings screen, click Add Policy. An Add Policy menu displays.
Figure 4-15
2. In the Apply Policy To pull-down menu, select whether the policy will be applied to a predefined network resource, an individual host, a network or all addresses.
3. In the Policy Name field, enter a name for the policy.

6. Click Apply to update the configuration. Once the configuration has been updated, the new policy appears in the Edit User Settings menu.
The user policies will be displayed in the Edit Users Settings screen in the User Policies table in the order of priority, from the highest priority policy to the lowest priority policy.

Defining and Editing a User Bookmarks
To define user bookmarks:
1. In the Edit User Settings menu, click Add Bookmark.

Deleting a User
To delete a user:
1. Click the Delete link adjacent to the user’s name in the Users table. The user is removed from the table in the Users and Groups menu, or
2. Click the user name that you wish to remove. The Edit User Settings window will display.
3. In the Edit User Settings window, click Delete User. Once deleted, the user no longer appears in the table in the Users and Groups menu.
2. Click Add Resource. An Add Network Resource menu similar to the following displays.
Figure 4-18
3. In the Resource Name field, enter a name for the Network Resource.
4. From the Services pull-down menu, select the type of service to which the Network Resource will apply.
5. Click Apply. The new Network Resource appears in the table on the Network Resources menu.
Figure 4-19
To edit the Network Resource:
1.

Figure 4-20
2. From the Object Type pull-down menu under Add Resource Addresses, select either IP Address or IP Network:
• If you selected IP Address, enter an IP address or fully qualified domain name in the IP Address/Name field.
• If you selected IP Network, enter the IP network address in the Network Address field. Enter the mask length in the Mask Length (0-31) field.

Figure 4-21
Note: You may define up to 128 addresses or address ranges per Network Resource.
To delete a defined resource, click Delete in the Defined Resource Addresses table adjacent to the resource you wish to delete.
Chapter 5 Configuring the Remote Access Web Portal
This chapter explains how to create multiple Web portals for different users and how to customize the appearance of a portal.

Note: The default portal address is https://. If the default portal is changed from the default (SSL-VPN), you can use the URL address https:///portal/SSL-VPN to access the administration domain geardomain. The administration domain, geardomain, is attached to the SSLVPN portal layer.
To view the Portal Layout screen: Click Portal Layouts under the SSL VPN Portal menu on the left navigation pane.

The configuration of the VPN Tunnel and Port Forwarding features is described in Chapter 6, “Configuring the SSL VPN Tunnel Client and Port Forwarding”.

Adding Portal Layouts
The SSL VPN Concentrator administrator may define individual layouts for the SSL VPN portal. The layout configuration includes the theme, menu layout, portal pages to display, portal application icons to display, and web cache control options.

Figure 5-2
b. In the Portal Site Title field, enter the title for the web browser window.
c. To display a banner message to users before they log in to the portal, enter the banner title text in the Banner Title field. Also enter the banner message text in the Banner Message text area. Enter a plain text message or include HTML and JavaScript tags. The maximum length of the login page message is 4096 characters.

d. Check the Enable HTTP meta tags for cache control checkbox to apply HTTP meta tag cache control directives to this Portal Layout. Cache control directives include:
These directives help prevent client browsers from caching SSL VPN portal pages and other web content.
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual 6. Click Apply to confirm your settings. Note: An administrator can customize the portal layout by uploading a .gif file for the banner image. However, the custom banner can be uploaded only after adding the portal.
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual 2. In the Application and Path field, enter the path and application name of the Terminal Services application. Note: To launch a Terminal Services application individually, the Terminal Server must be run in Application mode. In addition, the application must be installed through the Control Panel Add/Remove Programs. For more information, see the NETGEAR Support Site. 3.
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual Duplicating and Editing Portal Layouts You can edit the features of an existing portal; for example, create a banner or banner message that displays at the top of the page; or show or hide all applicable bookmarks (user, group, and global) for each user. You can, optionally, upload an HTML file. You can also create another portal with all of the features of the existing portal by changing the existing portal layout name.
To modify the features of an existing portal:
1. Under the SSL VPN Portal menu on the left navigation pane, click Portal Layouts. The Portal Layouts screen displays.
2. In the Layout Name column, click the portal you want to edit. The Portal Layouts screen displays.
3. Enter a new Banner Title and Banner message, and check the Display banner message on login page checkbox to display a custom message at the top of the new page.
4.
Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding
This chapter describes the configuration for the SSL VPN Tunnel Client and for Port Forwarding. When a remote user accesses the SSL VPN Concentrator from a PC that allows ActiveX content, these two powerful features can be activated. For each of these features, the SSL312 installs a small client program on the user’s PC that enables a more direct level of network access than is possible from the browser alone.
• Detects and reroutes individual data streams to the Port Forwarding connection rather than opening up a full tunnel to the corporate network.
• Offers more fine-grained management than VPN Tunnel. Administrators define individual applications and resources that will be available to remote users.
– Split tunnel – Sends only traffic destined for the internal network based on the specified client routes. All other traffic is sent to the Internet. Split tunnel allows you to manage your company bandwidth by reserving the VPN tunnel for corporate traffic only.
Beyond what is defined in “Web Browser Requirements” on page 1-2, the VPN Tunnel Client has some specific operating requirements. For
• Mac OS. VPN Tunnel supports Version 1.
6. Restart the SSL VPN Concentrator software if any VPN Tunnel Clients are actively connected. Restarting will force the clients to obtain a new virtual IP address.
VPN Tunnel Clients are now able to connect to the SSL VPN Concentrator and receive a dynamic IP address in the client address range.
Note: Be sure to configure DNS addresses in the Network menu.
If the assigned client IP address range is in a different subnet than the corporate network or if the corporate network has multiple subnets, you must define Client Routes.
To add an SSL VPN Tunnel client route:
1. Select the VPN Tunnel menu on the left navigation pane.
2. In the Destination Network field under the Add Routes for VPN Tunnel Clients section, enter the network address of a local area network or subnet. For example, enter 192.168.0.
Figure 6-2
To delete a VPN Tunnel Client Route:
1. In the Configured Client Routes table, click the Delete link adjacent to the client route.
2. Restart the SSL VPN Concentrator software if VPN Tunnel Clients are currently connected to the SSL VPN Concentrator. Restarting forces clients to reconnect and receive new addresses and routes.
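The client-route rule and the split tunnel behavior described above can be checked before routes are entered. This is an added example, not code from NETGEAR or the manual; the client range, the 10.20.0.0/16 subnet, and all function names are constructed for illustration, and the overlap and default-route audit is an extra review step the manual does not describe.

```python
import ipaddress

def required_client_routes(range_first, range_last, corporate_subnets):
    """Return the corporate subnets that need a client route.

    A subnet that already contains the whole client address range is
    on-link for tunnel clients; every other subnet needs its own route.
    """
    first = ipaddress.ip_address(range_first)
    last = ipaddress.ip_address(range_last)
    if last < first:
        raise ValueError("client range end precedes its start")
    needed = []
    for cidr in corporate_subnets:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
        if not (first in net and last in net):
            needed.append(net)
    return needed

def split_tunnel_path(destination, client_routes):
    """Split tunnel: only traffic matching a client route enters the tunnel."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in client_routes if dst in r]
    if not matches:
        return "internet"
    best = max(matches, key=lambda r: r.prefixlen)  # longest prefix wins
    return f"tunnel via {best}"

def audit_routes(client_routes):
    """Flag routes that widen what the tunnel carries beyond the intent."""
    findings = []
    for r in client_routes:
        if r.prefixlen == 0:
            findings.append(f"{r}: default route, split tunnel carries everything")
    for i, a in enumerate(client_routes):
        for b in client_routes[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{a} overlaps {b}")
    return findings

# Constructed sample values; 192.168.1.0/24 is the LAN subnet used in the
# manual's network example, the rest are assumptions for illustration.
CLIENT_RANGE = ("192.168.251.1", "192.168.251.254")
CORPORATE = ["192.168.1.0/24", "10.20.0.0/16"]
ROUTES = required_client_routes(*CLIENT_RANGE, CORPORATE)

if __name__ == "__main__":
    for dst in ("192.168.1.3", "10.20.4.7", "203.0.113.10"):
        print(dst, "->", split_tunnel_path(dst, ROUTES))
    print(audit_routes(ROUTES + [ipaddress.ip_network("10.0.0.0/8")]))
```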
To configure applications for Port Forwarding:
1. From the Access Administration menu in the left navigation pane, select the Port Forwarding option. The Port Forwarding configuration screen displays.
Figure 6-3
2. In the Configured Applications for Port Forwarding section, enter the IP address of an internal server or host computer in the IP Address field.
3.
Table 6-1. Port Forwarding Applications/TCP Port Numbers (continued)

TCP Application                     Port Number
SSH                                 22 (a)
Telnet                              23 (a)
SMTP (send mail)                    25
HTTP (web)                          80
POP3 (receive mail)                 110
NTP (network time protocol)         123
Citrix                              1494
Terminal Services                   3389
VNC (virtual network computing)     5900 or 5800

a. Users can specify the port number together with the host name or IP address.
Chapter 7 Additional System Configuration
This chapter describes additional network and configuration management functions provided by the Web Management Interface.
• Default gateway address (Firewall/Router address): 192.168.1.254
In the configuration shown in the diagram, the IP addresses of devices in the local network are configured in the 192.168.1.0/24 subnet and the default gateway for these devices is the internal IP address of the local firewall or router, 192.168.1.254.
[Diagram labels: Corporate Server IP Address 192.168.1.3; Firewall/Router IP Address 192.168.1.254; LAN Subnet 192.168.1.]
Figure 7-2
2. Enter the Ethernet Port 1 subnet mask that has been configured for your network. The subnet mask value should be the same value as the subnet mask configured on your network computers. The factory default is 255.255.255.0. (The subnet mask specifies the network number portion of an IP address.)
3. Only if you plan to use two-port mode, enable routing mode by checking this checkbox. The second Ethernet port will be enabled.
5. Enter the subnet mask. The subnet mask specifies the network number portion of an IP address. The factory default is 255.255.255.0.
6. Click Apply to save your settings.
From the Network screen, you can define the default network route. The default route is required for Internet access.
1. In the Default Gateway section, enter the IP address of the router or default gateway of the network in the Default Gateway Address field.
To configure a static route:
1. In the Add Static Routes section, enter the destination network address of the static route in the Destination Network field. The destination network address is an IP address in the remote network subnet.
Note: The destination network address may be a valid IP address or it may be a subnet address that ends in .0, such as 192.168.0.0.
2.
Figure 7-3
Network Host Table Settings
For the convenience of users, you can configure the SSL VPN Concentrator to translate host names or fully qualified domain names (FQDNs) to IP addresses. This function is configured in the Host Table menu.
Note: The SSL VPN Concentrator can act as a NetBIOS client to learn local network host names and their corresponding IP addresses.
To configure host resolution:
1.
3. In the Host Name field, enter the host name or Fully Qualified Domain Name of the machine. For example, enter mycomputer or www.netgear.com. Do not enter names with spaces or other non-alphanumeric characters such as apostrophes or commas.
4. In the optional Alias field, enter the host alias. For example, if you entered the FQDN www.netgear.com in the Host Name field, then you can enter a shorter name, such as www or web in the Alias field.
1. In the Network menu, check the DNS Settings radio button. The Network menu displays the fields for entering the DNS Settings.
Figure 7-5
2. Enter the Hostname for the SSL VPN Concentrator. The hostname identifies the SSL VPN Concentrator on the network. Use only letters and numbers for the hostname; do not enter non-alphanumeric characters such as spaces or apostrophes.
3.
Setting Date and Time
To configure the SSL VPN Concentrator date and time settings:
1. Under the System Configuration menu in the left navigation pane, click Date and Time. The SSL VPN Concentrator uses the date and time settings to timestamp log events, verify certificate validity, and for other internal purposes.
Figure 7-1
2. From the Select Your Time Zone drop-down menu, select your time zone.
3.
• If you selected Use default NTP servers, NETGEAR’s primary and secondary NTP servers for your time zone will appear.
• If you selected Use custom NTP servers, enter an NTP server IP address or fully-qualified domain name (FQDN) in the address fields. (For redundancy, enter a backup custom server address in the Secondary Server Name and IP Address fields.
Figure 7-2
Encrypting the Configuration File
For security purposes, you can encrypt the configuration files. However, if the configuration files are encrypted, they cannot be edited or reviewed for troubleshooting purposes.
To encrypt the configuration files:
In the Utilities menu, check the Encrypt configuration file checkbox. The configuration files will be encrypted when they are exported to disk and decrypted when they are imported.
Figure 7-3
3. Choose the location to save the configuration file. The file is named CONF.ZIP by default, but it can be renamed.
4. Click Save to save the configuration file.
Importing a Configuration File
To import a saved configuration file:
1. In the Utilities menu, click Import. A submenu will display.
Figure 7-4
2. Click Browse to locate a saved configuration zip file. The configuration zip file should contain the GEARHOST.CONF, SMM.
Erasing the Configuration and Restoring the Default Settings
Two methods are available for erasing the configuration and restoring the factory default settings. You can press and hold the front panel Factory Defaults push button for more than five seconds, or you can use the Erase button in the Utilities menu. All settings will be restored to defaults with the exception of the Certificates Table.
1. Download the new firmware from NETGEAR’s support site. If the file is a zip archive, extract it and save it to your PC.
2. In the Utilities menu, click Upgrade. A submenu will display.
Figure 7-6
3. Click Browse to locate the saved firmware file on your PC.
4. Select the file and then click Upload.
5. Once the file has been uploaded, restart the SSL VPN Concentrator server for the upgrade to be complete.
Chapter 8 Monitoring and Logging
This chapter describes the SSL VPN Concentrator status information, logging, alerting and reporting features. It describes:
• SSL VPN Concentrator Status
• Active Users
• Event Log
• Log Settings
• Diagnostics
SSL VPN Concentrator Status
The Status window shows important state and configuration information. Be sure to check the Status window for error messages and to confirm that the SSL VPN Concentrator is configured properly.
Figure 8-1
From the Status page, you may view:
• The SSL VPN Concentrator software version.
• The amount of RAM in kilobytes (kB).
• The current memory usage in percent (%).
• The current CPU usage in percent (%).
Active Users
The Active Users screen displays the active users and administrators logged into the SSL VPN portal.
To view the Active Users log file:
Click Active Users under the Monitoring menu in the left navigation pane.
Figure 8-2
The Active Users window displays the current users or administrators logged into the SSL VPN Portal or the SSL VPN Concentrator administrative interface.
Event Log
The SSL VPN Concentrator provides web-based logging. It also provides the ability to send log messages to an external syslog server using the syslog protocol and to E-mail log files and alert messages to an E-mail address or pager. To configure syslog and event log settings, see “Log Settings” on page 8-5.
To view the SSL VPN Concentrator event log:
Click Event Log under the Monitoring menu in the left navigation menu.
• User name. The User name field shows the authenticated name of the user or administrator that generated the log event.
• Log message. The message field describes the event that occurred. Examples of log messages include Administrator login successful and SSL VPN Concentrator restarting.
The event log table may be sorted and filtered.
To sort the event log by category:
1. Click the category header to be sorted, such as Time or Source.
2.
so most standard firewall and networking reporting products can accept and interpret the SSL VPN Concentrator log files. The SSL VPN Concentrator syslog service transmits syslog messages to external syslog server(s) listening on UDP port 514.
To configure Syslog Settings, E-mail Settings and Log and Alert Categories for syslog and alert settings:
1. Under the System Configuration menu in the left navigation pane, click Log Settings.
3. If you have a backup or second syslog server, enter the IP address or domain name of the Secondary Syslog Server in the Secondary Syslog Server field.
4. In the E-mail Settings section:
a. To receive e-mail notification, enter your full e-mail address (username@domain.com) in the E-mail Event Logs to field. The event log file will be e-mailed to the specified e-mail address before the event log is cleared.
Log categories are organized from most to least critical. Once a category is selected, all events equal to or more critical than the selected log category will be logged. The default Log and Alert levels are:
• Syslog Messages: Debug
• Event Log: Debug
• Alerts: Error
6. Click Apply to confirm your settings.
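The threshold rule above ("equal to or more critical than the selected category") can be exercised against syslog datagrams as a collector on UDP port 514 would receive them. This is an added example, not NETGEAR code; it assumes the SSL312 categories follow the standard syslog severity order (the manual names only Debug and Error), and the sample datagrams and function names are constructed.

```python
import re

# Assumption: the log categories map to the standard syslog severities,
# listed here from most critical (0) to least critical (7).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]

# Default Log and Alert levels as listed in the manual.
DEFAULT_LEVELS = {"Syslog Messages": "Debug",
                  "Event Log": "Debug",
                  "Alerts": "Error"}

PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.S)

def parse_pri(datagram):
    """Split a syslog datagram into (facility, severity, message)."""
    text = datagram.decode("utf-8", errors="replace")
    m = PRI_RE.fullmatch(text)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("not a syslog datagram with a valid <PRI>")
    pri = int(m.group(1))
    # PRI = facility * 8 + severity
    return pri >> 3, pri & 7, m.group(2).strip()

def destinations(datagram, levels=DEFAULT_LEVELS):
    """Return the outputs whose threshold admits this event.

    An event is admitted when it is equal to or more critical than the
    selected category, i.e. its severity number is <= the threshold's.
    """
    _, severity, _ = parse_pri(datagram)
    return sorted(dest for dest, name in levels.items()
                  if severity <= SEVERITIES.index(name))

# Constructed datagrams; the message texts are the manual's two examples.
SAMPLE_INFO = b"<134>SSL312: Administrator login successful"    # local0.info
SAMPLE_ERROR = b"<131>SSL312: SSL VPN Concentrator restarting"  # local0.err

if __name__ == "__main__":
    for sample in (SAMPLE_INFO, SAMPLE_ERROR):
        facility, severity, message = parse_pri(sample)
        print(SEVERITIES[severity], message, "->", destinations(sample))
```

With the defaults, Debug on the syslog and event log outputs admits every event, so only the Alerts threshold filters anything.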
Diagnostics
Basic network diagnostic tools are available in the Diagnostics menu. Under the Monitoring menu in the left navigation menu, click Diagnostics. The Diagnostics window displays.
Figure 8-5
The following diagnostic functions are available:
• Ping an IP Address – Enter an IP address and click Ping to send a ping packet request to the specified IP address.
Appendix A Default Settings and Technical Specifications
This appendix provides the factory default settings and technical specifications for the ProSafe SSL VPN Concentrator 25 SSL312.
Factory Default Settings
You can use the push button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset.
• To perform a hard reset, push and hold the Factory Defaults button for approximately 5 seconds, until the TEST light turns on.
Table A-1. SSL312 Default Configuration Settings

Feature                                        Description
Concentrator Ethernet MAC Address              See bottom label.
Time Zone                                      GMT
Time Zone Adjusted for Daylight Saving Time    Automatically enabled if DST available in area selected; otherwise disabled.
Console Port                                   9600 bps, 8 data bits, 1 stop bit, no parity, no flow control

Technical Specifications
Table A-2.
Appendix B Related Documents
This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.

Document: Template for creating an end-user guide
Link: http://documentation.netgear.com/ssl312/enu/202-10208-01/appnote.doc

Document: Internet Networking and TCP/IP Addressing
Link: http://documentation.netgear.com/reference/enu/tcpip/index.htm

Document: Wireless Communications
Link: http://documentation.netgear.com/reference/enu/wireless/index.