Configuring SSL VPN Server Behavior

The SSL VPN > Server Settings page configures firewall to act as an SSL VPN server.

Server Settings page

 

• SSL VPN Status on Zones

• SSL VPN Server Settings

• RADIUS User Settings
• SSL VPN Client Download URL

SSL VPN Status on Zones

This section displays the SSL VPN Access status on each zone:

• Green indicates active SSL VPN status.
• Red indicates inactive SSL VPN status.

Enable or disable SSL VPN access by clicking the zone name.

SSL VPN Server Settings

To configure the SSL VPN server settings

1. Navigate to Network > SSL VPN > Server Settings.
2. In the SSL VPN Port field, enter the SSL VPN port number. The default is 4433.
3. From the Certificate Selection drop-down menu, select the certificate that used to authenticate SSL VPN users. The default method is Use Self-signed Certificate.
4. In the User Domain field, enter the user’s domain, which must match the domain field in the NetExtender client. The default is LocalDomain.
   • If authentication partitioning is not being used, this field has to match with the domain field in the NetExtender Client.
   • If authentication partitioning is being used, then in NetExtender, the user can enter any of the domain names configured with the partitions, for this reason, selecting the partition for authenticating their name/password externally through RADIUS or LDAP. In this case, the name set here is a default for the user to enter for local authentication, or if they have no local account, for authentication in the default partition.

   • Note that in either case, when used with external authentication, this user domain name is not passed to the RADIUS/LDAP server, sending just the simple user name without it.

     

5. To enable web management over SSL VPN, select Enabled from the Enable Web Management over SSL VPN drop-down menu. The default is Disabled.
6. To enable SSH management over SSL VPN, select Enabled from the Enable SSH Management over SSL VPN drop-down menu. The default is Disabled.
7. In the Inactivity Timeout (minutes) field, enter the number of minutes of inactivity before logging out the user. The default is 10 minutes.

RADIUS User Settings

This section is available only when either RADIUS or LDAP is configured to authenticate SSL VPN users on the Device|Users > Settings > Authentication page. Enabling MSCHAP mode for RADIUS allows users to change expired passwords when they log in.

To configure MSCHAP or MSCHAPv2 mode

1. Select Use RADIUS in.

2. Select one of these two modes:

   • MSCHAP
   • MSCHAPV2

   In LDAP, passwords can only be changed when using either Active Directory with TLS and binding to it using an administrative account or when using Novell eDirectory.

   If this option is set when LDAP is selected as the authentication method of login on the Users > Settings page, but LDAP is not configured in a way that allows password updates, then password updates for SSL VPN users are performed using MSCHAP-mode RADIUS after using LDAP to authenticate the user.

3. Click ACCEPT at the bottom of the page.

SSL VPN Client Download URL

In this section of the page, you set up where the client system downloads the SSL VPN client from. You can download the files from the appliance and put them on your web server to provide your own server to host this client package. Otherwise, clients can download the SSL VPN files from the firewall.

To configure your own web server for SSL VPN client file downloads

1. Select the link in Click here to download the SSL VPN zip file which includes all SSL VPN client files to download all the client SSL VPN files from the appliance. Open and unzip the file, and then put the folder on your HTTP server.
2. Select Use customer’s HTTP server as downloading URL: (http://) to enter your SSL VPN client download URL in the supplied field.
3. Click ACCEPT.