Configuring SSL VPN in NetDefendOS - D-Link NetDefendOS User Manual

Network security firewall

Terminator IP must be set to the external IP address of the firewall's listening interface.
The PPP Agent Options should be set to PAP.
Agent options are discussed further in Section 8.2.5, "Authentication Rules".
iii. If only a specific IP address, network or network range is to be made available to the
client through the tunnel then this can be specified as an option on the SSL VPN
interface. Otherwise, it is assumed that all client traffic will be routed through the tunnel.
iv. Client users need to be defined in the Authentication Source of the authentication rule.
This source can be a local user database, a RADIUS server or an LDAP server.
v. Define appropriate NetDefendOS IP rules to allow data flow within the SSL VPN tunnel.
As discussed below, IP rules do not normally need to be defined for the setup of the SSL
VPN tunnel itself; they are only needed for the traffic that flows inside the tunnel.
vi. Specify the interfaces on which client IPs will be ARP published. This is necessary so a
server behind the firewall knows how to send replies back to an SSL VPN client.
Usually, the only time proxy ARP needs to be enabled is if the IPs assigned to clients are
part of an already existing subnet that clients need access to. In that case, proxy ARP
must be enabled on the interface that has the corresponding subnet. If the traffic is
routed by the firewall, for example with an Allow or NAT rule, proxy ARP is not needed.
The option exists with NetDefendOS SSL VPN to automatically ARP publish all client IPs
on all firewall interfaces but this is not recommended because of the security issues that
are raised.
vii. Routes for clients do not need to be defined in the routing tables as these are added
automatically by NetDefendOS when SSL VPN tunnels are established.
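The proxy ARP reasoning in step vi can be checked mechanically. The following is an added example, not part of the manual or of NetDefendOS: it works out which interfaces actually need client IPs ARP published and flags interfaces that publish them without need. The interface names, subnets, client pools and function names are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: interface names, subnets and client pools are
# illustrative assumptions, not values from the manual or a real configuration.
INTERFACES = {"lan": "192.168.1.0/24", "dmz": "10.0.0.0/24", "wan": "203.0.113.0/24"}
POOL_IN_LAN = ["192.168.1.200", "192.168.1.201", "192.168.1.202"]
POOL_ROUTED = ["172.16.50.10", "172.16.50.11"]


def proxy_arp_interfaces(client_pool, interface_subnets):
    """Map each interface to the client IPs that fall inside its subnet.

    Only these interfaces need the client IPs ARP published; a pool outside
    every attached subnet is reached by routing and needs none.
    """
    pool = [ipaddress.ip_address(ip) for ip in client_pool]
    needed = {}
    for name, cidr in interface_subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        inside = [str(ip) for ip in pool if ip in net]
        if inside:
            needed[name] = inside
    return needed


def audit_arp_publish(client_pool, interface_subnets, published):
    """Compare the interfaces publishing client IPs with the minimum set."""
    needed = set(proxy_arp_interfaces(client_pool, interface_subnets))
    published = set(published)
    return {
        "needed": sorted(needed),
        # Servers on these subnets cannot send replies back to clients.
        "missing": sorted(needed - published),
        # Client IPs are answered for on interfaces that do not require it.
        "unnecessary": sorted(published - needed),
    }


if __name__ == "__main__":
    # Publishing on every interface, the option the manual advises against.
    print(audit_arp_publish(POOL_IN_LAN, INTERFACES, INTERFACES.keys()))
    # Pool outside all attached subnets: traffic is routed, nothing to publish.
    print(audit_arp_publish(POOL_ROUTED, INTERFACES, []))
```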
On the Windows-based client side:
A proprietary D-Link VPN SSL client application needs to be installed and configured to route
traffic to the correct interface on the firewall.
Installing and running the SSL VPN client software is done as part of the login process
for users as they access the firewall through a web browser. The Windows-based client
software is automatically downloaded through the browser directly from the firewall.

SSL VPN with PPPoE

Where PPPoE is used as the method of connection to the NetDefend Firewall over the public
Internet, it is possible to have SSL VPN function over the PPPoE connection.
This is done by setting up the SSL VPN tunnel so that the Outer Interface property of the SSL VPN
tunnel object is specified to be a PPPoE configuration object instead of a physical Ethernet
interface. Setting up a PPPoE interface object is described in Section 3.4.6, "PPPoE".

9.7.2. Configuring SSL VPN in NetDefendOS

To configure the SSL VPN in NetDefendOS, an SSL VPN Interface object must be defined for each
interface on which connections will be made. The object properties are as follows:
General Options
Name
Chapter 9: VPN
