SSL VPN User Guide Version 10 Version 7 Document Version 10.04.5.0007-30/11/2013 Document Version 10.04.4.0028-08/10/2013 Version 7 Version 7
Important Notice Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice. USER S LICENSE Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances. You will find the copy of the EULA at http://www.cyberoam.com/documents/eula.html and the Warranty Policy for Cyberoam UTM Appliances at http://kb.cyberoam.com. RESTRICTED RIGHTS Copyright 1999-2013 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Cyberoam Technologies Pvt. Ltd. Corporate Headquarters Cyberoam Technologies Pvt. Ltd. 901, Silicon Tower, Off. C.G. Road, Ahmedabad 380006, INDIA Phone: +91-79-66065606 Fax: +91-79-26407640 Web site: www.cyberoam.com 2
Contents Introduction... 7 Concepts... 8 SSL VPN Access Modes... 8 Portal... 10 Cyberoam Configuration for SSL VPN... 11 Tunnel Access... 11 Web Access... 13 Policy... 14 Bookmark... 20 Bookmark Group... 22 Portal... 24 Live SSL VPN Users... 25 Client Configuration for SSL VPN... 26 Access End-User Portal... 26 Accessing SSL VPN Using Tunnel Access... 27 Download Client... 28 Download and Import Client Configuration... 31 Establish connection... 33 Accessing SSL VPN Using Web Access... 34 Accessing SSL VPN Using Application Access... 35 3
Preface Welcome to Cyberoam s - User guide. Cyberoam Unified Threat Management appliances offer identity-based comprehensive security to organizations against blended threats - worms, viruses, malware, data loss, identity theft; threats over applications viz. Instant Messengers; threats over secure protocols viz. HTTPS; and more. They also offer wireless security (WLAN) and 3G wireless broadband and analog modem support can be used as either Active or Backup WAN connection for business continuity. Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti- Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data Leakage Prevention, IM Management and Control, Layer 7 visibility, Bandwidth Management, Multiple Link Management, Comprehensive Reporting over a single platform. Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs support. It thus offers security to organizations across layer 2 - layer 8, without compromising productivity and connectivity. Cyberoam UTM appliances accelerate unified security by enabling single-point control of all its security features through a Web 2.0-based GUI. An extensible architecture and an IPv6 Ready Gold logo provide Cyberoam the readiness to deliver on future security requirements. Cyberoam provides increased LAN security by providing separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible the external world and still have firewall protection. Note Default Web Admin Console username is admin and password is admin Cyberoam recommends that you change the default password immediately after installation to avoid unauthorized access. 4
About this Guide This Guide provides information on how to configure Cyberoam SSL VPN connections and helps you to manage and customize Cyberoam to meet your organization s various requirements for remote users. Typographic Conventions Material in this manual is presented in text, screen displays, or command-line notation. Item Convention Example Server Client User Username Topic titles Shaded font typefaces Machine where Cyberoam Software - Server component is installed Machine where Cyberoam Software - Client component is installed The end user Username uniquely identifies the user of the system Introduction Subtitles Bold & Black typefaces Navigation link Bold typeface Notation conventions Group Management Groups Create it means, to open the required page click on Group management then on Groups and finally click Create tab Name of a particular parameter / field / command button text Cross references Notes & points to remember Prerequisite s Lowercase italic type Hyperlink in different color Bold typeface between the black borders Bold typefaces between the black borders Enter policy name, replace policy name with the specific name of a policy Or Click Name to select where Name denotes command button text which is to be clicked Refer to Customizing User database Clicking on the link will open the particular topic Note Prerequisite Prerequisite details 5
Technical Support You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address: Corporate Office Cyberoam Technologies Pvt. Ltd. 901, Silicon Tower Off C.G. Road Ahmedabad 380006 Gujarat, India. Phone: +91-79-66065606 Fax: +91-79-26407640 Web site: www.cyberoam.com Cyberoam contact: Technical support (Corporate Office): +91-79-26400707 Email: support@cyberoam.com Web site: www.cyberoam.com Visit www.cyberoam.com for the regional and latest contact information. 6
Introduction A Virtual Private Network (VPN) is a network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users with access to a central organizational network. A secure tunnel is formed across the public network which carries private network traffic between distant offices. This traffic is usually encrypted and compressed for enhanced performance and security. VPN technology has replaced the need to acquire and maintain expensive dedicated leased-line telecommunication circuits once typical in wide-area network installations. Note All the screen shots in the Cyberoam User Guides have been taken from NG series of appliances. The feature and functionalities however remains unchanged across all Cyberoam appliances. A VPN user can access the central network in a manner that is identical to being connected directly to the central network. Hence, it is ideal for business telecommuters or employees working from home. It is essential that the connection between the central network and remote location meets certain requirements like: Flexible Access: The remote users must be able to access the organization s network from various locations, like Internet cafes, hotels, airport etc. The range of applications available must include web applications, mail, file shares, and other more specialized applications required to meet corporate needs. Secure connectivity: Guaranteed by the combination of authentication, confidentiality and data integrity for every connection. Usability: Installation must be easy. No configuration should be required as a result of network modification at the remote user end. The given solution should be seamless for the connecting user. SSL (Secure Socket Layer) VPN fulfills the above requirements by providing simple-to-use and secure access to remote users. It allows access to the corporate network and provides the ability to create point-to-point encrypted tunnels between remote user and the company s internal network. It requires a combination of SSL certificates and username/password for authentication to enable access to the internal resources. Cyberoam extends its VPN feature to include SSL VPN functionality to provide secure access of a company s central network to remote users. It delivers a set of features and benefits which are easy to use and control and which allow access to the corporate network from anywhere, anytime. Depending upon requirement, remote users can access through SSL VPN Client or End user Web Portal (clientless access). It offers a secure web portal which can be accessed by each authorized user to download a free SSL VPN Client, SSL certificates and a client configuration. In addition, it offers granular access policies, bookmarks to designated network resources and portal customization. Note SSL VPN is not supported when Cyberoam is deployed as Bridge. SSL VPN feature is not available for Cyberoam CR15i models. 7
Concepts SSL VPN Access Modes Cyberoam appliance authenticates any remote user based on user name and password. A successful login determines the access rights of remote users according to user, group and the SSL VPN policy. The SSL VPN policy specifies whether the connection will operate in Tunnel Access Mode, Web Access Mode or Application Access Mode. Tunnel Access Mode Tunnel Access Mode provides remote users with access to the corporate network through laptops as well as from Internet cafes, hotels, airport etc. It requires an SSL VPN Client at the remote end. Hence, remote users are required to download and install SSL VPN Client from the SSL VPN Portal. The Client establishes an SSL VPN tunnel over HTTPS link between remote user and Cyberoam appliance to encrypt and send the traffic. Here Cyberoam acts as a secure HTTPS gateway and authenticates remote users. Cyberoam allows two types of tunneling: Split Tunnel: This ensures that only traffic for the private network is encrypted and tunneled while Internet traffic is sent through the usual unencrypted route. This is configured by default and is used to avoid bandwidth choking. Full Tunnel: This ensures that not only private network traffic but other Internet traffic is also tunneled and encrypted. Web Access Mode Web Access Mode is used when remote users want to access SSL VPN using a web browser only, i.e., clientless access. It provides users with access to certain Enterprise Web Applications/Servers. This feature comprises of an SSL daemon running on the Cyberoam unit and an SSL VPN Portal which provides users with access to network resources behind Cyberoam and certain web applications as configured in the SSL VPN policy. Application Access Mode Application Access Mode also provides clientless access. It gives the user access to web applications as well as certain enterprise applications through a web browser. The feature comprises of an SSL daemon running on the Cyberoam unit and an SSL VPN Portal which provides users with access to different TCP based applications like HTTP, HTTPS, RDP, TELNET, SSH and FTP without installing a client. In this mode, appliance acts as a secure gateway and authenticates the remote users. On successful authentication, appliance redirects the web browser to the Web portal from where remote users can access the applications behind the appliance. Configuring Application Access mode is a two-step process: 1. Select Application Access mode in SSL VPN policy 2. Assign policy to the User or Group For administrators, Web Admin Console provides SSL VPN management. Administrator can configure SSL VPN users, access methods and policies, user bookmarks for network resources, and system and portal settings. 8
For remote users, customizable End user Web Portal enables access to resources as per the configured SSL VPN policy. With no hassles of client installation, it is also a clientless access. Prerequisite The following requirements should be fulfilled for the remote user to access SSL VPN in Application Access Mode: OS should be Windows 2000, Windows XP, Windows 7, Windows Vista or Windows Server 2003. Remote user should have Administrator privileges. Java Runtime Environment V 1.6 or above should be installed. Threat - Free Tunneling Cyberoam scans VPN Tunnel Traffic (incoming and outgoing) for malware, spam, inappropriate content and intrusion attempts, ensuring Threat-free Tunneling. Furthermore, VPN traffic is subjected to DoS inspection, although Cyberoam does provide the option of bypassing DoS inspection for specific traffic. Cyberoam does not have an exclusive port assigned for the VPN Zone like the LAN, WAN and DMZ ports. As soon as a VPN connection is established, the port/interface used by the connection is automatically added to the VPN zone, and on disconnection, the port is removed by itself. VPN zone is used by both IPSec and SSL VPN traffic. Note Threat Free Tunneling is applicable only when SSL VPN tunnel is established through Tunnel Access Mode. Network Resources Network Resources are the components that can be accessed using SSL VPN. SSL VPN provides access to HTTP or HTTPS servers in the internal network, Internet, or any other network segment that can be reached by Cyberoam. The Administrator can configure Web (HTTP), Secure Web (HTTPS), RDP, Telnet, SSH or FTP bookmarks and internal network resources to allow access to web-based resources and applications. If required, custom URL access can also be provided. Network resources: Resource Bookmarks Bookmark Groups Custom URLs - Not defined as Bookmark Enterprise Private Network resources Accessible in Mode Web Access Mode, Application Access Mode Web Access Mode, Application Access Mode Web Access Mode Tunnel Access Mode 9
Portal Cyberoam s SSL VPN Portal is the entry point for any remote user to the corporate network. It provides easy access to network resources through a secure tunnel. It is possible to customize the portal interface by including company logo and a customized message to be displayed to users when they log into the portal. The Portal displays only those network resources that are assigned to the logged in user through SSL VPN Policy and Access Mode. 10
Cyberoam Configuration for SSL VPN Configuration of Cyberoam for SSL VPN can be done from VPN SSL. This menu covers configuring global settings for Tunnel Access and Web Access, defining Policies, creating Bookmarks and Bookmark Groups and customizing the SSL VPN Portal. Detailed explanations for each of these tasks are given below. Tunnel Access Configure Tunnel Access Mode for the remote users who are to be provided with the corporate network access from laptops, Internet cafes, hotels etc. It requires an SSL VPN Client at the remote end. Remote users can download and install SSL VPN Client from the End-user Web Portal. To configure and update certain parameters globally for Tunnel Access Mode, go to VPN SSL Tunnel Access. Screen - Tunnel Access Configuration Screen Elements Tunnel Access Settings Protocol Select protocol TCP or UDP. Selected network protocol will be the default protocol for all the SSL VPN clients. 11
SSL Server Certificate Connection over UDP provides better performance. Select SSL Server certificate to be used for authentication from the dropdown list. If you do not have certificate, generate the same. Per User Certificate Certificate can be created from System Certificate Certificate. Click Per User Certificate if you want to use individual user certificates for authentication. One can use a common certificate for all the users or create individual certificate for each user. Cyberoam automatically generates certificate valid up to 31st December, 2036 for all the users added in Cyberoam. SSL Client Certificate IP Lease Range Subnet Mask Primary DNS To enable Per User Certificate, you need to configure the Default CA. Configure Default CA from System Certificate Certificate Authority. Select the SSL Client certificate from the dropdown list if you want to use common certificate for authentication. If you do not have certificate, generate a Self-signed certificate. The selected certificate is bundled with the Client installer and is downloaded when remote users install SSL client. Remote users/ssl Clients represent the selected certificate to the server for authenticating themselves. Same certificate can be used for both SSL Server and Client. Specify the range of IP Addresses reserved for the SSL Clients. SSL clients will be leased IP Address from the configured pool. Specify Subnet mask. Specify IP Addresses of Primary DNS servers to be provided for the use of Clients. Note Do not assign the private IP Address space that is already configured for any ports via Network Configuration. Secondary DNS Primary WINS Secondary WINS Dead Peer Detection Check Peer After Every Specify IP Addresses of Secondary DNS servers to be provided for the use of Clients. Specify IP Addresses of Primary WINS servers to be provided for the use of Clients. Specify IP Addresses of Secondary WINS servers to be provided for the use of Clients. Click Enable Dead Peer Detection checkbox to enable Dead Peer Detection. Specify time after which the peer must be checked for its status. Time Range (in seconds): 60-3600. By default, the duration is 60 seconds. Disconnect After Specify time after which the connection must be disconnected if the peer is not live. 12
Time Range (in seconds): 300-1800. Idle Timeout By default, the duration is 300 seconds. Specify idle timeout. Connection will be dropped after the configured inactivity time and user will be forced to re-login. Idle Timeout Range (in minutes): 15-60. Data Transfer Threshold By default, the duration is 15 minutes. Specify data transfer threshold. Once the idle timeout is reached, before dropping the connection, appliance will check the data transfer. If data transfer is more than the configured threshold, connection will not be dropped. Administrator can check the data transfer for the live connections from the VPN Live Connections SSL VPN Users page. Data Transfer Threshold Range (in bytes): 1-65536. By default, the value is 250 bytes. Table - Tunnel Access screen elements Web Access Configure Web Access Mode for the remote users who are equipped with the web browser only and when access is to be provided to the certain Enterprise Web applications/servers through web browser only. In other words, it is a clientless access. To configure Web Access Mode, go to VPN SSL Web Access. Screen - Web Access Configuration Screen Elements Web Access Settings Idle Time Specify idle time. Connection will be dropped after the configured inactivity time and user will be forced to re-login. Idle Time Range (in minutes): 10-60. By default, the duration is 10 minutes. 13
Table - Web Access screen elements Policy SSL VPN Policies determine the Access Mode assigned to the remote users and the network resources available to users and also controls the access to the private network (corporate network) in the form of bookmarks. To configure SSL VPN Policies, go to VPN SSL Policy. You can: Add View Edit Click the Edit icon in the Manage column against the SSL VPN Policy to be modified. Edit SSL VPN Policy is displayed in a new window which has the same parameters as the Add SSL VPN Policy window. Delete Click the Delete icon in the Manage column against a SSL VPN Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the SSL VPN Policy. To delete multiple SSL VPN policies, select them and click the Delete button. Add SSL VPN Policy Members Manage SSL VPN Policy Members Manage SSL VPN Policies Screen - Manage SSL VPN Policies Screen Elements Add Button Name Access Mode Tunnel Type Edit Icon Delete Button Add a new SSL VPN Policy. Displays name of the SSL VPN Policy. Displays the selected access mode of Policy: Tunnel Access, Web Access or Application Access. Displays the type of SSL VPN Tunnel established: Split or Full Tunnel. Edit the SSL VPN Policy. Delete the SSL VPN Policy. Alternately, click the delete icon against the policy to be deleted. Table - Manage SSL VPN Policies screen elements 14
SSL VPN Policy Parameters To add or edit SSL VPN Policies, go to VPN SSL Policy. Click Add Button to add a new policy or Edit Icon to modify the details of the policy. Screen - Add SSL VPN Policy 15
Screen Elements Add SSL VPN Policy Name Access Mode Specify a name to identify the SSL VPN policy. Select the access mode by clicking the appropriate option. Available Options: Tunnel Access Mode For the remote users who are to be provided with the Corporate network access from laptops, Internet cafes, hotels etc. It requires an SSL VPN Client at the remote end. Remote users can download and install SSL VPN Client from the SSL VPN Portal. Web Access Mode For remote users who want to access SSL VPN using a web browser only, i.e., clientless access. It provides users with access to certain Enterprise Web Applications/Servers. This feature comprises of an SSL daemon running on the Cyberoam unit and an SSL VPN Portal which provides users with access to network resources behind Cyberoam and certain web applications as configured in the SSL VPN policy. Application Access Mode It also provides clientless access. It gives the user access to web applications as well as certain enterprise applications through a web browser. The feature comprises of an SSL daemon running on the Cyberoam unit and an SSL VPN portal which provides users with access to different TCP based applications like HTTP, HTTPS, RDP, TELNET, SSH and FTP without installing a client. Tunnel Access Settings Tunnel Type Provide SSL VPN Policy. Select the tunnel type. Tunnel type determines how the remote user s traffic will be routed. Available Options: Split Tunnel - ensures that only the traffic for the private network is tunneled and encrypted. Full Tunnel - ensures not only private network traffic but other Internet traffic is tunneled and encrypted. Accessible Resources By default, Split Tunnel is enabled. Accessible Resources allows restricting the access to certain hosts of the private network. User s access to private network is controlled through his SSL VPN policy while Internet access is controlled through his Internet Access policy. Available Host/Network list displays the list of available hosts and network. All the hosts added from Hosts menu, IP Host will be displayed in the list. Select or Clear the Hosts to add or remove from the list. Selected Host/Network list displays the list of Host/Network that remote user can access. Advanced Settings (DPD & Idle Timeout) 16
Screen - DPD & Idle Timeout Advanced Settings DPD Settings One can customize and override the global Dead Peer Detection setting. Click Use Global Settings to apply the default DPD Settings. Click Override Global Settings to configure the DPD Settings manually. Click Enable DPD checkbox to enable Dead Peer Detection check at regular interval whether peer is live or not. Specify time after which the peer must be checked for its status. Time Range (in seconds): 60-3600. By default, the duration is 60 seconds. Idle Timeout Specify time after which the connection must be disconnected if peer is not live. Time Range (in seconds): 300-18000. By default, the duration is 300 seconds. Connection will be dropped after the configured inactivity time and user will be forced to re-login. One can use the global settings or customize the idle timeout. Click Use Global Settings to apply the default Idle Timeout value. By default, the duration is 15 minutes. Web Access Settings Click Override Global Settings to configure the Idle Timeout value manually. Idle Timeout Range (in minutes): 15-60. 17
Accessible Resources Accessible Resources also allows restricting the access to the bookmarks. Advanced Settings (Idle Timeout) Click Enable Arbitrary URL Access to enable the access to custom URLs. Available Bookmarks/Bookmarks Group list displays the list of available resources. All the Bookmarks/Bookmarks Group added will be displayed in the list. Select or Clear the Bookmarks to add or remove from the list. Selected Bookmarks/Bookmarks Group list displays the list of Bookmarks/Bookmarks Group that remote user can access. Screen - Idle Timeout Advanced Settings Idle Timeout Connection will be dropped after the configured inactivity time and user will be forced to re-login. One can use the global settings or customize the idle timeout. Click Use Global Settings to apply the default Idle Timeout settings. By default, the Idle Timeout is 10 minutes. Click Override Global Settings to configure the Idle Timeout settings manually. Application Access Settings Accessible Resources Idle Timeout Range (in minutes): 10-60 Accessible Resources also allows restricting the access to the bookmarks. Available Bookmarks/Bookmarks Group list displays the list of available resources. All the Bookmarks/Bookmarks Group added will be displayed in the list. Select or Clear the Bookmarks to add or remove from the list. Selected Bookmarks/Bookmarks Group list displays the list of Bookmarks/Bookmarks Group that remote user can access. Table - Add SSL VPN Policy screen elements 18
Add SSL VPN Policy Members Click Add Policy Member(s) button to add user or user groups to SSL VPN Policy members list. A pop-up window is displayed to select the users. Multiple users or user groups can be also selected. Screen - Add SSL VPN Policy Members Select Users or user groups who are to be allowed access through SSL VPN connection. Click Apply button to add these users and user groups to the SSL VPN Policy members list. Users or user groups to be added can also be searched in the Members list. Manage SSL VPN Policy Members Click Manage Policy Member(s) button to view user or user groups that are in SSL VPN Policy members list. A pop-up window is displayed to view the users. Multiple users or user groups can be selected and deleted. Screen - Manage SSL VPN Policy Members The page displays the list of SSL VPN Policy members who are allowed access through SSL connection. To delete users, select the users to be deleted and click Delete button. Users or user groups to be deleted can be searched from the Members list. 19
Bookmark Bookmarks are the resources whose access will be available through SSL VPN Portal. You can also create a group of bookmarks that can be configured in SSL VPN Policy. These resources will be available in Web Access and Application Access modes and is to be configured in SSL VPN Policy. To manage Bookmarks, go to VPN SSL Bookmark. You can: Add View Edit - Click the Edit icon in the Manage column against the Bookmark to be modified. Edit Bookmark pop-up window is displayed which has the same parameters as the Add Bookmark window. Delete - Click the Delete icon in the Manage column against a Bookmark to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Bookmark. To delete multiple Bookmarks, select them and click the Delete button. Manage Bookmarks Screen - Manage Bookmarks Screen Elements Add Button Name Type URL Edit Icon Delete Button Add a new Bookmark. Displays name of the Bookmark. Displays selected Bookmark Type: HTTP, HTTPS, RDP, Telnet, SSH or FTP. Displays the URL for which the bookmark is created. Displays the Bookmark. Edit the Bookmark. Delete the Bookmark. Alternately, click the delete icon against the bookmark to be deleted. Table - Manage Bookmarks screen elements 20
Bookmark Parameters To add or edit Bookmarks, go to VPN SSL Bookmark. Click Add Button to add a new bookmark or Edit Icon to modify the details of the bookmark. Screen - Add Bookmark Screen Elements Name Type URL Referred Domains Specify a name to identify the Bookmark. Select the type of Bookmark from the options available. Available Options: HTTP HTTPS RDP Telnet SSH FTP IBM Server Terminal Specify the URL of the website for which the bookmark is to be created. Provide a set of domain(s)/url(s) required by Bookmarked URL to render it appropriately. Provide Bookmark. Table - Add Bookmark screen elements 21
Bookmark Group To manage Bookmark Groups, go to VPN SSL Bookmark Group. You can: Add View Edit - Click the Edit icon in the Manage column against the Bookmark Group to be modified. Edit Bookmark Group pop-up window is displayed which has the same parameters as the Add Bookmark Group window. Delete - Click the Delete icon in the Manage column against a Bookmark Group to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Bookmark Group. To delete multiple Bookmark Groups, select them and click the Delete button. Manage Bookmark Groups Screen - Manage Bookmark Groups Screen Elements Add Button Name Edit Icon Delete Button Add a new Bookmark Group. Displays name of the Bookmark Group. Displays Bookmark Group. Edit the Bookmark Group. Delete the Bookmark Group. Alternately, click the delete icon against the bookmark group to be deleted. Table - Manage Bookmark Group screen elements 22
Bookmark Group Parameters To add or edit Bookmark Group, go to VPN SSL Bookmark Group. Click Add Button to add a new Bookmark Group or Edit Icon to modify the details of the Bookmark Group. - Screen - Add Bookmark Group Screen Elements Name Select Bookmark Specify a name to identify the Bookmark Group. Select bookmarks to be grouped. Bookmark List displays the list of bookmarks that can be added to the group. Selected Bookmark List displays the list of bookmarks that are included in the group. Select or clear the Bookmarks to add or remove from the list. Provide Bookmark Group. Table - Add Bookmark Group screen elements 23
Portal SSL VPN Portal is an entry point to the corporate network. It can be accessed by browsing to https://<wan IP Address of Cyberoam:port> from the web browser. Use default port: 8443 unless customized. Confirm port number from System Administration Settings. For users having Tunnel Access, SSL VPN Client and Configuration file can be downloaded from the portal. For users having Web and Application Access, a list of all the bookmarks will be displayed. URL Address bar will also be displayed to the user, if allowed in the User SSL VPN policy. User can type the URL in the address bar to access other URLs than bookmarks. All the downloadable components will be displayed only if the remote user is allowed the Full access. Cyberoam provides flexibility to customize the Portal page to offer consistent logon/log off page. This page can be exclusive to your business including your business name and logo. To customize the SSL VPN user portal, go to VPN SSL Portal. Screen - SSL VPN User Portal Screen Elements General Settings Logo Page Title Login Page Message Home Page Message To upload the custom logo, specify Image file name to be uploaded else click Default. Use Choose File button to select the complete path. The image size should not exceed 700 X 80 pixels. Change the Page Title, if required. Provide message to be displayed on the Portal login page. Provide message to be displayed on the Portal. 24
Color Scheme Preview Button Reset to Default Button This message can reflect your business or even a welcome message. Customize the color scheme of the portal if required. Specify the color code or click the square box to pick the color. Click to view the custom settings before saving the changes. Click to revert to the default settings. Table - SSL VPN Portal screen elements Live SSL VPN Users To view the list of all the currently logged on SSL VPN users, go to VPN Live Connections SSL VPN Users. Page displays important parameters like Username, Source and leased IP Address, Access mode, date and time when connection was established, tunnel type and data transferred. If the connection is established through Web Access mode, only username, access mode and date and time when connection was established will be displayed. Page allows disconnection of any live user. Screen - Live SSL VPN Users 25
Client Configuration for SSL VPN Access End-User Portal Cyberoam SSL VPN Portal can be accessed by remote users using the URL - https://<wan IP Address of Cyberoam:port>. Use the default port: 8443 unless customized. User is directed to the Cyberoam SSL VPN Portal Login Page. Access is available only to those users who have been assigned the SSL VPN Policy. Screen - Login Page Screen Elements Username Password Language Specify user login name. Specify user account Password. Select the language. Available Options: Chinese-Simplified Chinese-Traditional English French Hindi 26
Japanese Login Button By default, English is selected. Click to login to the Cyberoam SSL VPN Portal. Table - Login Page Accessing SSL VPN Using Tunnel Access After successfully logging into the Cyberoam SSL VPN Portal, user is directed to the Main Page which has only the Tunnel Access Mode section activated. Screen - Main Page for Tunnel Access Mode Screen Elements SSL VPN Client (Tunnel access mode) Download Client Click to download the SSL VPN Client Installer bundled with Configurations. Download SSL VPN Click to download the SSL VPN Configurations for Windows. Client Configuration - Windows Note Only the SSL VPN Configurations is available through this option. Download SSL VPN Client Configuration - MAC Tunnelblick Click to download the SSL VPN Configurations for MAC Tunnelblick. Note 27
Only the SSL VPN Configurations is available through this option. Receive Passphrase Select a mode to receive the SSL VPN Certificate Passphrase. To receive the Passphrase in the SSL VPN Client Bundle itself, enable Key Encryption option in the selected SSL Client Certificate prior to downloading the SSL VPN Client Bundle. Available Options: Show - Select to Display the Passphrase on the screen. Send Email - Select to send the Passphrase to the Email Address of the logged-in user. It is mandatory to configure Email Address and SMTP Mail Server to be able to receive the SSL VPN Passphrase via Email. Configure User Email Address from Identity Users Users and configure SMTP Mail Server from System Configuration Notification in the section Mail Server Settings. Note Selecting Send Email returns an error Failed to send the Passphrase if the Email Address of the logged-in user is not configured in Cyberoam. To configure the mode for receiving the Passphrase, go to System Administration Settings and select from the options available against parameter "Receive Passphrase via" of section SSL VPN Settings. Note Only the configured modes are displayed against Receive Passphrase parameter. Table - Main Page for Tunnel Access Mode Screen Elements Download Client For downloading the client for the first time, click Download Client and follow the on-screen instructions: 28
Screen - Download Client Note Windows Vista users need Administrator privileges to install the client. On clicking Download Client, the following message appears. Screen - Prompt Message Click Save to save a copy of CrSSL.exe on your local machine, else click Run to run the setup. The following warning message appears. Screen - Warning Message On clicking Run, the Choose Install Location dialog box appears. 29
Screen - Choose Install Location Click Browse to change the location of the Destination Folder where the client is to be installed. Click Install. The following screen appears while installation is in progress. Screen - Installation in Progress 30
Once the installation is complete, the CrSSL Client icon appears in the system tray. Download and Import Client Configuration Note If you are installing SSL VPN Client for the first time, skip this section. Step 1: Download SSL VPN Client Configuration You need to download the configuration file if you have already installed Client or if the server configuration has changed. Click Download SSL VPN Client Configuration - Windows and follow the on- screen instructions. Screen - Download Configuration On clicking Download SSL VPN Client Configuration - Windows, the following message appears. Screen - Prompt Message Click Save to save clientbundle.tgz. 31
Step 2: Import SSL VPN Configuration Right click the CrSSL Client icon in the System Tray. Click Import Configuration. The Import Configuration screen appears. Screen - Import Configuration Click the ellipses ( ) to browse to the location at which the file clientbundle.tgz is saved. Click Import to import the SSL VPN Configuration from clientbudle.tgz. 32
Screen Import Configuration Status Establish connection Step 1: Login to access network resources or Internet Double click CrSSL Client icon button. and specify username and password and click Login Screen User Authentication Screen Elements Username Password Save username and password Auto Start SSL VPN Login Button Exit Button Specify user login name. Specify user account Password. Click to save username and password. Click to start SSL VPN Tunnel automatically with system restart. Click to login. Click to close the CrSSL Client. Table User Authentication Screen Elements User is prompted to provide an additional password as Passphrase when the selected SSL Client Certificate under Tunnel Access Settings page contains an Encrypted Key. 33
Screen - Enter Password Screen Elements Enter Password OK Button Cancel Button Specify the Passphrase. Click to login. Click to cancel the login session. The icon turns yellow indicating that connection is in progress and turns green the moment connection is established and IP Address is leased. To disconnect the connection, right click the CrSSL Client icon and click Logout. Accessing SSL VPN Using Web Access After successfully logging into the Cyberoam SSL VPN Portal, user is directed to the Main Page, which has only the Web Access Mode section activated. Screen - Main Page for Web Access Mode 34
Screen Elements Configured Bookmarks Sr. No. Bookmark Name Bookmark URL Service Displays serial number of the Bookmark. Displays name of the Bookmark. Displays URL of the Bookmark. Displays Service used for creating the Bookmark. Table - Main Page for Web Access Mode Screen Elements Accessing Applications User can access any of the Bookmarks listed on the Main Page which include certain Enterprise Web Applications/Servers. Accessing SSL VPN Using Application Access After successfully logging into the Cyberoam SSL VPN Portal, user is directed to the Main Page which has only the Application Access Mode section activated. Screen - Main Page for Application Access Mode Screen Elements Configured Bookmarks Sr. No. Bookmark Name Displays serial number of the Bookmark. Displays name of the Bookmark. 35
Bookmark URL Displays URL of the Bookmark. Service Displays Service used for creating the Bookmark. Table - Main Page for Application Access Mode Screen Elements Accessing Applications User can access any of the Bookmarks listed on the Main Page which include certain Enterprise Applications/Servers. 36