SSL312 VPN Concentrator 25 Training. Presented by: Vivek Chugh – Product Line Manager Hien Ly – L3 Support Engineer Satish Nandi – Product/Engineering Manager. Agenda. What is SSL ? What is SSL VPN? Why SSL? What is the NETGEAR SSL312 SSL VPN Concentrator? Deployment Scenario - PowerPoint PPT Presentation
SSL312 VPN Concentrator 25 Training
Presented by:
Vivek Chugh – Product Line Manager
Hien Ly – L3 Support Engineer
Satish Nandi – Product/Engineering Manager
© 1996-2004 NETGEAR®. All rights reserved
Agenda
• What is SSL?
• What is SSL VPN?
• Why SSL?
• What is the NETGEAR SSL312 SSL VPN Concentrator?
» Deployment Scenario
» Product Description
• NETGEAR SSL VPN Benefits
» Features and Benefits
» NETGEAR SSL312 Unique Features
» Feature comparisons
» ProSafe SSL VPN Value Proposition
• SSL Technology Overview
» SSL Architecture
» SSL Protocols
» SSL Handshake
» SSL Key Exchange Methods
• Demo
What is SSL?
• SSL stands for Secure Sockets Layer
• Provides protection of data
• Data sent over the wire is encrypted using SSL, thus providing data confidentiality
What is SSL VPN?
» Extends a Virtual Private Network (VPN) over the Internet and enables remote users to connect securely
» Uses SSL to provide remote access
• SSL is now called TLS by the IETF
• Refer to RFC 2246: http://www.ietf.org/rfc/rfc2246.txt
» Uses the same kinds of encryption and authentication protocols as IPsec
• DES, 3DES, AES; supports asymmetric (public key) cryptography
» SSL is an application level protocol
• Transmits data over SSL (port 443)
• IPsec is a layer 3 protocol and encrypts packets over IP
» SSL VPN can deliver remote access from web browsers
• No client required (client-less VPN)
• Less skilled Internet users do not need to remember IP addresses or use VNC or pcAnywhere
• All resources are available as bookmarks
» Users are not confined to accessing their remote network from a dedicated PC
» Access data anytime and anywhere
Why SSL?
• Confidentiality (data is encrypted)
• Data integrity (tamper proof)
» No “Man in the Middle” attacks
• Server authentication (prove who you are)
» Windows Active Directory/Domain Controller
» RADIUS
» LDAP
• Optional client authentication
• Dominant security technology on the web
• Runs over TCP
» Transport Layer Security
» HTTPS is HTTP over SSL (port 443)
• Worldwide e-commerce transactions occur over SSL
• Well tested (several years of public scrutiny)
• Supported in commercially available browsers today
» Lock icon at the bottom right of the web browser
What is the NETGEAR SSL312 SSL VPN Concentrator?
» State of the art remote access SSL VPN solution tailored for the SMB market
» Supports up to 25 concurrent sessions
» Industry’s most cost effective twenty five tunnel SSL VPN solution
» Unrestricted user license
» Allows anywhere, anytime access to your corporate resources, without requiring a VPN client
» Browser based access (Internet Explorer, Macintosh Safari)
» Provides a seamless “LAN-like” user experience
» Customizable user portal for ease of use and enhanced user experience
» Offers automatic session and software clean-up mode for kiosk based access
» Provides granular access control to your network resources
» Wide variety of user authentication methods including Active Directory, LDAP and RADIUS
NETGEAR SSL VPN for Any Deployment Scenario
[Diagram: Internet – Firewall – ProSafe SSL VPN Concentrator – Internal Network / Corporate Business Network (Web, Database, File Shares)]
• Access your network at the airport, using a kiosk or your laptop
• Access your network while you are at a partner site
• Access your network while you are at a coffee shop
• Access your network while working at home
• Access your network using a PDA
• IT administrators can decide whether you have full access to the corporate network, based upon user credentials
• IT administrators can decide whether you have limited access to the corporate network, based upon user credentials
[Legend: limited access to the corporate network vs. full access to the network]
SSL 312 Product Description
• 3 series blue metal case
• 2 10/100 Ethernet LAN ports, 1 console port
• 16M Flash / 128M SDRAM
• Internal power supply
• High performance SSL VPN using the Cavium NITROX Soho CN220 (200MHz)
• Unlimited user license – other vendors restrict access
• Total number of SSL VPN tunnels supported = 25
• Customized user experience
• List price of $545.00
• Industry’s most cost effective 25 tunnel SSL VPN solution!
NETGEAR SSL VPN Benefits
» Easy to use:
• Browser based (https://) network connection
• Simple login (user name / password)
• One time set-up
• Simple un-install procedure for kiosks
» Access from any computer, anywhere:
• User laptops, home PCs or remote kiosks can all securely connect
• Packets look like standard IP packets
• VPN Tunnel provides firewall/NAT traversal
• Cache clean up after session termination
• Unlimited user access
» Zero cost access client software:
• No expensive VPN client software or IT support required
• ActiveX client for full “IPsec-like” connectivity (<64K in size)
» Superior remote access solution:
• Remote employee access for small business
• Secure consumer/retail access for home users
• Protocol independent full LAN access
NETGEAR SSL VPN Features & Benefits (Feature → Benefit)

Ease of Use
• Easy one-time installation of full package (ActiveX / Java) → No IT staff support required; small client automatically loaded
• Complete application support → All desktop, Microsoft or network applications available
• Simple system tray icon for connect / disconnect / clean-up → Easy client application and session management; automatic uninstall option

Access & Performance
• Hardware based SSL acceleration → Unmatched SSL gateway processing throughput
• Remote desktop access, application access and file sharing → Windows Terminal Services, VNC, Telnet support for access; Windows CIFS and FTP for file sharing
• Full network resource access, any protocol, tunneling through firewall / NAT limitations with SSL over VPN → Access the full remote network, printers and servers, and tunnel through airport and other NAT/FW barriers
• HTTP & HTTPS proxy and reverse proxy → Support for corporate intranet and Outlook Web Access

Security & Control
• Full AAA (Authentication, Authorization & Accounting) → Strongest AAA based on RADIUS, LDAP, MS Active Directory, NT Domain and local database
• Comprehensive, granular user policy control (individual and group access and application profiles) → Tight administrative control over end user security policies & access
• Strongest encryption: support of SSLv3 and TLSv1.0 coupled with AES-256 → Peace of mind; all SSL VPN will be just as secure as IPsec VPN solutions
• Client platforms supported: Windows 2000, 2003 & XP; MacOS; IE and Safari browsers → Broadest end user platform support; access anywhere, any time!
NETGEAR SSL VPN Unique Features
» Access modes supported:
• “IPSec-like” remote access with full LAN level view – VPN over SSL
• High performance TCP application access with LSP/NSP – remote control
• Desktop & application level remote access – VNC, RDP
• OWA & Intranet access – HttpRP
• Other access: WebCIFS, Telnet/SSH, FTP & WebFTP
» Broadest client/browser support:
• VPN Tunnel and Port Forwarding – through Windows & MAC OS clients
» Broadest support for authentication methods:
• Local database, Radius, NT Domain, LDAP, Active Directory
» Widest range of applications supported for application proxies:
• Support for MSFT: IE, Outlook, Word, Excel, PowerPoint, Access & FrontPage
» Excellent administrative options:
• Bookmarking of individual user & group configurations, logging & monitoring
» Highest performance in class
SSL 312 Enterprise Class Features

SSL VPN Features | NETGEAR SSL 312 | F5 FirePass Appliance | Juniper SA Series | Aventail EX-Series | Cisco VPN Concentrator

Web/Java Based Application Access
HTTP/HTTPS Proxy | Yes | Yes | Yes | Yes | Yes
Terminal Services Adapter | Yes | Citrix | Yes | No | No
FTP Client | Yes | No | No | No | No
Terminal Access | VT100, 320 | VT320 | VT100, 320 | No | No
Windows File Sharing | Yes | Yes | Yes | Yes | No
- Windows Workgroups | Yes | Yes | Yes | Yes | No
- NT4, Windows 2000 Domains | Yes | Yes | Yes | Yes | No
- SMB Shares | Yes | Yes | Yes | - | No
Web Based Email (OWA, etc.) | Yes | Yes | Yes | Yes | Yes

SSL VPN Client
Client for complete network access to remote users | Yes | Yes | Yes | Yes | Yes

Authentication Servers
Internal | Yes | Yes | Yes | Yes | Yes
Active Directory LDAP | Yes | Yes | Yes | Yes | Yes
LDAP Directory | Yes | Yes | Yes | Yes | Yes
RADIUS | Yes | Yes | Yes | Yes | Yes
Kerberos | Yes | - | Yes | Yes | Yes

Inactivity Timeouts
Session Inactivity Reports | Yes | Yes | Yes | Yes | -

Logging and Reporting
Event Logging | Yes | Yes | Yes | Yes | Yes
Syslog Support | Yes | Yes | Yes | Yes | Yes
Email Logs/alerts | Yes | Yes | Yes | Yes |

Policy Management
User, Group and Global access policies | Yes | Yes | Yes | Yes | Yes

Web Cache Cleaner
HTTP "no cache" directives | Yes | Yes | Yes | Yes | Yes
Web Cache ActiveX Control | Yes | Yes | Yes | No |
HTTP to HTTPS redirect | Yes | Yes | Yes | - |

UI Customization
Customized Look and Feel | Yes | Yes | Yes | Yes | Yes
ProSafe SSL VPN Value Proposition
» For small and mid-sized businesses (up to 100 person companies) whose staff need to be in the office to get access to their information and applications
• Examples: real estate agents, lawyers, clinics, schools, brokers, etc.
» Problem: they need to come into work to access their information
• Employees drive to work on weekends and holidays (they can’t telecommute)
• Current IPsec VPN solutions are too complex and expensive
» Integration with the existing network infrastructure is not seamless
» Costly to set up, deploy and maintain
» Solution:
• Provide a cost effective, easy to use and easy to deploy solution that allows employees to access their information remotely from anywhere, anytime
» Benefits:
• Increases productivity & reduces total cost of ownership
» Enables telecommuting without any extra hardware or software at home
» Work in more locations
» More flexible work schedule
» Plug and play setup
» Easy to deploy and maintain
• Reduce office space
• Minimal training required
How does SSL Work – In a Simplistic Manner

Client → Server: client connects
Server → Client: server sends certificate
Client → Server: client sends encrypted pre-master
Client and Server: create session key for further communication using the pre-master key
SSL architecture (layers, top to bottom)

SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | applications (e.g., HTTP)
SSL Record Protocol
TCP
IP
SSL components
» SSL Record Protocol
• fragmentation
• compression
• message authentication and integrity protection
• encryption
» SSL Handshake Protocol
• negotiation of security algorithms and parameters
• key exchange
• server authentication and optionally client authentication
» SSL Change Cipher Spec Protocol
• a single message that indicates the end of the SSL handshake
» SSL Alert Protocol
• error messages (fatal alerts and warnings)
SSL Handshake Protocol – overview

client                       server
client_hello           -->
                       <--   server_hello
                       <--   certificate
                       <--   server_key_exchange
                       <--   certificate_request
                       <--   server_hello_done
certificate            -->
client_key_exchange    -->
certificate_verify     -->
change_cipher_spec     -->
finished               -->
                       <--   change_cipher_spec
                       <--   finished

Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers
Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
Phase 4: Change cipher spec and finish handshake
[SSL Handshake Protocol]
Hello messages
» client_hello
• client_version
» the highest version supported by the client
• client_random
» current time (4 bytes) + pseudo random bytes (28 bytes)
• session_id
» empty if the client wants to create a new session, or
» the session ID of an old session within which the client wants to create the new connection
• cipher_suites
» list of cryptographic options supported by the client, ordered by preference
» a cipher suite contains the specification of the
• key exchange method, the encryption and the MAC algorithm
• the algorithms implicitly specify the hash_size, IV_size, and key_material parameters (part of the Cipher Spec of the session state)
» example: SSL_RSA_with_3DES_EDE_CBC_SHA
• compression_methods
» list of compression methods supported by the client
[SSL Handshake Protocol / Phase 1]
Hello messages cont’d
» server_hello
• server_version
» min( highest version supported by client, highest version supported by server )
• server_random
» current time + random bytes
» random bytes must be independent of the client random
• session_id
» session ID chosen by the server
» if the client wanted to resume an old session:
• server checks if the session is resumable
• if so, it responds with the session ID and the parties proceed to the finished messages
» if the client wanted a new session:
• server generates a new session ID
• cipher_suite
» single cipher suite selected by the server from the list given by the client
• compression_method
» single compression method selected by the server
[SSL Handshake Protocol / Phase 1]
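As an added example (not NETGEAR's code nor the SSL312 firmware), the client_hello body described on the two hello-message slides, built and parsed in Python, followed by the server_hello choices: version = min(client, server), one cipher suite taken from the client's list, and resume-or-new session ID. The server's rule of taking the first client-preferred suite it supports and the in-memory session cache are assumptions made for this illustration.

```python
# Added example: SSLv3/TLS 1.0 ClientHello body (handshake header omitted) and
# the server-side hello decisions from the slides. Not NETGEAR code.
import os
import struct
import time

# Cipher suite code points from the SSL 3.0 / TLS 1.0 specifications
# (SSL_RSA_with_3DES_EDE_CBC_SHA is the example named on the slide).
SSL_RSA_WITH_RC4_128_SHA = 0x0005
SSL_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
SSL3, TLS10 = (3, 0), (3, 1)


def make_random() -> bytes:
    """client_random / server_random: 4-byte UNIX time + 28 pseudo-random bytes."""
    return struct.pack(">I", int(time.time())) + os.urandom(28)


def build_client_hello(version, random32, session_id, cipher_suites, compression=(0,)):
    """Serialize the ClientHello body: version, random, session_id, cipher_suites, compression."""
    if len(random32) != 32 or len(session_id) > 32 or not cipher_suites:
        raise ValueError("random must be 32 bytes, session_id <= 32 bytes, >= 1 suite")
    body = struct.pack(">BB", *version) + random32
    body += struct.pack(">B", len(session_id)) + session_id
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += struct.pack(">B", len(compression)) + bytes(compression)
    return body


def parse_client_hello(body: bytes) -> dict:
    """Decode a ClientHello body, rejecting truncated or malformed length vectors."""
    try:
        off = 0
        major, minor = struct.unpack_from(">BB", body, off); off += 2
        random32 = body[off:off + 32]; off += 32
        if len(random32) != 32:
            raise ValueError("truncated client_random")
        sid_len = body[off]; off += 1
        session_id = body[off:off + sid_len]; off += sid_len
        (cs_len,) = struct.unpack_from(">H", body, off); off += 2
        if cs_len == 0 or cs_len % 2 or off + cs_len > len(body):
            raise ValueError("malformed cipher_suites vector")
        suites = [struct.unpack_from(">H", body, off + i)[0] for i in range(0, cs_len, 2)]
        off += cs_len
        cm_len = body[off]; off += 1
        comps = list(body[off:off + cm_len]); off += cm_len
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    if off != len(body):
        raise ValueError("trailing bytes after ClientHello")
    return {"version": (major, minor), "random": random32, "session_id": session_id,
            "cipher_suites": suites, "compression_methods": comps}


class HelloServer:
    """Server-side hello logic as described on the slides (illustration only)."""

    def __init__(self, max_version, supported_suites):
        self.max_version = max_version
        self.supported = list(supported_suites)
        self.sessions = {}  # session_id -> cipher suite of a resumable session (assumed cache)

    def server_hello(self, hello: dict) -> dict:
        # server_version = min(client's highest, server's highest); tuples compare in order
        version = min(hello["version"], self.max_version)
        sid = hello["session_id"]
        if sid and sid in self.sessions:
            # resumable session found: echo its ID, reuse its suite, skip to finished
            return {"version": version, "random": make_random(), "session_id": sid,
                    "cipher_suite": self.sessions[sid], "compression_method": 0, "resumed": True}
        # new session: first suite in the client's preference order that we support (assumption)
        chosen = next((cs for cs in hello["cipher_suites"] if cs in self.supported), None)
        if chosen is None:
            raise ValueError("handshake_failure: no common cipher suite")
        new_sid = os.urandom(16)
        self.sessions[new_sid] = chosen
        return {"version": version, "random": make_random(), "session_id": new_sid,
                "cipher_suite": chosen, "compression_method": 0, "resumed": False}


if __name__ == "__main__":
    srv = HelloServer(SSL3, [SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA])
    hello = parse_client_hello(build_client_hello(
        TLS10, make_random(), b"", [SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]))
    first = srv.server_hello(hello)            # version (3, 0), suite 0x000A, new session
    second = srv.server_hello(parse_client_hello(build_client_hello(
        TLS10, make_random(), first["session_id"], [SSL_RSA_WITH_3DES_EDE_CBC_SHA])))
    print(first["version"], hex(first["cipher_suite"]), "resumed:", second["resumed"])
```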
Supported key exchange methods
» RSA based (SSL_RSA_with...)
• the secret key (pre-master secret) is encrypted with the server’s public RSA key
• the server’s public key is made available to the client during the exchange
» fixed Diffie-Hellman (SSL_DH_RSA_with… or SSL_DH_DSS_with…)
• the server has fixed DH parameters contained in a certificate signed by a CA
• the client may have fixed DH parameters certified by a CA, or it may send an unauthenticated one-time DH public value in the client_key_exchange message
» ephemeral Diffie-Hellman (SSL_DHE_RSA_with… or SSL_DHE_DSS_with…)
• both the server and the client generate one-time DH parameters
• the server signs its DH parameters with its private RSA or DSS key
• the client may authenticate itself (if requested by the server) by signing the hash of the handshake messages with its private RSA or DSS key
[SSL Handshake Protocol / Phase 1]
Server certificate and key exchange messages
» certificate
• required for every key exchange method except anonymous DH
• contains one X.509 certificate or a chain of them (up to a known root CA)
• may contain
» a public RSA key suitable for encryption, or
» a public RSA or DSS key suitable for signing only, or
» fixed DH parameters
» server_key_exchange
• sent only if the certificate does not contain enough information to complete the key exchange (e.g., the certificate contains an RSA signing key only)
• may contain
» a public RSA key (exponent and modulus), or
» DH parameters (p, g, public DH value), or
» Fortezza parameters
• digitally signed
» if DSS: the SHA-1 hash of (client_random | server_random | server_params) is signed
» if RSA: the MD5 hash and the SHA-1 hash of (client_random | server_random | server_params) are concatenated and encrypted with the private RSA key
[SSL Handshake Protocol / Phase 2]
Certificate request and server hello done messages
» certificate_request
• sent if the client needs to authenticate itself
• specifies which type of certificate is requested (rsa_sign, dss_sign, rsa_fixed_dh, dss_fixed_dh, …)
» server_hello_done
• sent to indicate that the server has finished its part of the key exchange
• after sending this message the server waits for the client response
• the client should verify that the server provided a valid certificate and that the server parameters are acceptable
[SSL Handshake Protocol / Phase 2]
Client authentication and key exchange
» certificate
• sent only if requested by the server
• may contain
» a public RSA or DSS key suitable for signing only, or
» fixed DH parameters
» client_key_exchange
• always sent (but it is empty if the key exchange method is fixed DH)
• may contain
» the RSA encrypted pre-master secret, or
» the client’s one-time public DH value, or
» Fortezza key exchange parameters
» certificate_verify
• sent only if the client sent a certificate
• provides client authentication
• contains the signed hash of all the previous handshake messages
» if DSS: the SHA-1 hash is signed
» if RSA: the MD5 and SHA-1 hashes are concatenated and encrypted with the private key
MD5( master_secret | pad_2 | MD5( handshake_messages | master_secret | pad_1 ) )
SHA( master_secret | pad_2 | SHA( handshake_messages | master_secret | pad_1 ) )
[SSL Handshake Protocol / Phase 3]
Finished messages
» finished
• sent immediately after the change_cipher_spec message
• first message that uses the newly negotiated algorithms, keys, IVs, etc.
• used to verify that the key exchange and authentication were successful
• contains the MD5 and SHA-1 hash of all the previous handshake messages:
MD5( master_secret | pad_2 | MD5( handshake_messages | sender | master_secret | pad_1 ) ) |
SHA( master_secret | pad_2 | SHA( handshake_messages | sender | master_secret | pad_1 ) )
where “sender” is a code that identifies whether the sender is the client or the server (client: 0x434C4E54; server: 0x53525652)
[SSL Handshake Protocol / Phase 4]
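The certificate_verify and finished hashes from the Phase 3 and Phase 4 slides, computed in Python as an added example (not NETGEAR's code), with a receiver-side check of a peer's finished message. The pad constants (0x36 and 0x5c, 48 bytes for MD5 and 40 for SHA-1) are the SSL 3.0 values; the master secret and handshake transcript below are constructed sample data, not captured traffic, and the RSA/DSS signing of the certificate_verify hash is left out.

```python
# Added example: SSLv3 certificate_verify hash and finished verify_data,
#   MD5( master_secret | pad_2 | MD5( handshake_messages [| sender] | master_secret | pad_1 ) )
#   SHA( master_secret | pad_2 | SHA( handshake_messages [| sender] | master_secret | pad_1 ) )
# Not NETGEAR code; sample inputs are constructed.
import hashlib
import hmac

SENDER_CLIENT = 0x434C4E54  # "CLNT"
SENDER_SERVER = 0x53525652  # "SRVR"


def _ssl3_hash(algo: str, master_secret: bytes, handshake_messages: bytes, sender: bytes) -> bytes:
    """Nested SSL 3.0 MAC-style hash; pad length is 48 for MD5 and 40 for SHA-1."""
    pad_len = 48 if algo == "md5" else 40
    pad_1, pad_2 = b"\x36" * pad_len, b"\x5c" * pad_len
    inner = hashlib.new(algo, handshake_messages + sender + master_secret + pad_1).digest()
    return hashlib.new(algo, master_secret + pad_2 + inner).digest()


def certificate_verify_hash(master_secret: bytes, handshake_messages: bytes):
    """(md5_hash, sha_hash) the client signs in certificate_verify: no sender field."""
    return (_ssl3_hash("md5", master_secret, handshake_messages, b""),
            _ssl3_hash("sha1", master_secret, handshake_messages, b""))


def finished_verify_data(master_secret: bytes, handshake_messages: bytes, sender_code: int) -> bytes:
    """36-byte verify_data of the finished message: MD5 hash || SHA-1 hash.
    handshake_messages is every handshake message exchanged so far, so the
    server's finished also covers the client's finished that preceded it."""
    sender = sender_code.to_bytes(4, "big")
    return (_ssl3_hash("md5", master_secret, handshake_messages, sender)
            + _ssl3_hash("sha1", master_secret, handshake_messages, sender))


def peer_finished_ok(master_secret: bytes, transcript_seen: bytes,
                     received_verify_data: bytes, peer_sender_code: int) -> bool:
    """Receiver recomputes over its own view of the transcript; any tampering with
    an earlier handshake message changes the result. Constant-time compare."""
    expected = finished_verify_data(master_secret, transcript_seen, peer_sender_code)
    return hmac.compare_digest(expected, received_verify_data)


# Constructed sample values (real ones would be 48 secret bytes and the raw messages)
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"client_hello|server_hello|certificate|server_hello_done|client_key_exchange"

if __name__ == "__main__":
    client_fin = finished_verify_data(MASTER_SECRET, TRANSCRIPT, SENDER_CLIENT)
    print("client finished:", client_fin.hex())
    print("server accepts:", peer_finished_ok(MASTER_SECRET, TRANSCRIPT, client_fin, SENDER_CLIENT))
    print("after tampering:", peer_finished_ok(MASTER_SECRET, TRANSCRIPT + b"x", client_fin, SENDER_CLIENT))
```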
Sessions and connections
» an SSL session is an association between a client and a server
» sessions are stateful; the session state includes security algorithms and parameters
» a session may include multiple secure connections between the same client and server
» connections of the same session share the session state
» sessions are used to avoid expensive negotiation of new security parameters for each connection
» there may be multiple simultaneous sessions between the same two parties, but this feature is not used in practice
SSL Key Exchange Steps - Summary
• Client (SSL) connects to the server
• Server sends its own certificate, which contains the public key
• Client then creates a random key (premaster key) and uses the server’s public key to encrypt it
• Client then sends the encrypted premaster key to the server
• Server then decrypts the key and uses the decrypted premaster key to create the secret session key
• Client and server use the secret session key for further communication
SSL and Encryption - Summary
• Not all clients use the same encryption and authentication algorithms
• Client and server negotiate encryption and decryption algorithms (cipher suites) during the initial handshake
» The connection will fail if they have no common algorithms
• Uses a public/private key (asymmetric) scheme to create the secret key (symmetric)
• The secret key is required to encrypt data
» Provides high performance
» Secret session key
• You only require the server’s certificate in order to have encrypted data transfer
» This is the reason why you don’t need to install a client certificate in the browser
ProSafe SSL VPN Concentrator 25
SSL312 Hands-On Demo Training
Overview
» Hardware features
• 2 10/100 Ethernet ports
• Hardware SSL acceleration (Cavium accelerator)
• setfactorydefaults button
• Console port
» Key software features
• 25 concurrent sessions/tunnels
• VPN over SSL (IPsec like)
• Port forwarding for limited access
• Application & terminal services
• Utilities: telnet, ftp & SSH
• Local & external user authentication services
• Customizable user portal
• Granular access control
• Browsers: IE & Safari
Deployment
• SSL VPN in DMZ or bridge to special network
• SSL VPN in Intranet
• SSL VPN outside the firewall
SSL VPN in Intranet (Single Arm)
» Commonly used as the typical deployment
» SSL traffic forwarded to SSL312
[Diagram: Internet, SSL312]
SSL VPN in DMZ or Bridge to Special Network
» SSL traffic forwarded to SSL312
[Diagram: Internet, SSL312, Special Network]
SSL VPN on the Internet (Router Mode)
[Diagram: Internet, SSL312]
» Least likely to be used, since the SSL312 does not provide firewall and security protection for non-VPN traffic
» Both Ethernet ports will be used:
» 1 port will be directly connected to the Internet
» 1 port will be connected to the local area network, with routing capability
Hierarchy of organization
Portals: SSL-VPN
Domains: geardomain
Groups: geardomain
Users: admin
Domains – Authentication: Local, NT Domain, Active Directory, LDAP, Radius (PAP/CHAP/MS-CHAP)
[Diagram: Portals → Domains → Groups → Users; Admin → Domains]
NOTE: Hierarchy does not take effect when Local domains are used.
Components
» System Configuration
• Network
• Certificate
• Date & Time
• Utilities
» Access Administration
• Users & Groups
• Domains
• Network Resources
• VPN Tunnel
• Port Forwarding
» Monitoring
» SSL VPN Portal
• Portal Layout
• User Portal
Network
» Interfaces
• Ethernet-1
• Ethernet-2, optional
» Static Routes
• Default route
• Static route
» Host Table
» DNS Settings (required if you want NTP to work correctly)
Certificates
» Generating a CSR
• Generate the CSR
• Submit to the CA
• Upload the cert
» Generating a self signed cert/CRT
• Generates a CRT
• Upload the cert
» Activating the certificate
• Certificate’s state
» Active
» Expired
• Certificate currently active in SSL312
» Enable option – you will be prompted for the password
Date & Time
» Built-in RTC
» Manual mode or NTP mode
» Supports NTP
• Defaults – Netgear servers
• Custom servers
» Daylight savings
• Automatic; no option to disable DST
Make sure the DNS configuration is filled in if using NTP
Logging
» Syslog & email alert
» Reporting option
• Daily - sent at 5:00 AM daily
• Weekly - sent on Monday at 5:00 AM
• Full – when full (about 200 messages)
» If the log fills up and the reporting mode was either “Daily” or “Weekly”
• All logs are cleared & logging continues
» Log & alert levels/categories
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Information
• Debug
Portal
» Web layout the user will see on login
» Portal layout is customizable
» Factory defaults
• Portal: SSL-VPN
• Domain: geardomain with local authentication
• Group: geardomain
• User: administrator role user “admin”
» Default portal URL
• https://ip_address_of_ssl312_port1 (i.e.: https://65.123.48.240)
» URL for additional portals
• https://ip_address_of_ssl312_port1/portals/portal_name
• portal_name is case sensitive
• i.e.: https://65.123.48.240/portals/ProSupport
» Multiple domains can belong to a portal
» The login page of a portal only offers the domains belonging to that portal
Note: the default portal, domain or group cannot be deleted
Domain
» A domain defines the authentication method
» Attached to a portal (only one)
» Will always have at least 1 group
» When a domain is created
» A default group named after the domain is also created for the domain
» Domains offer the following authentication methods
• Local
• Radius (PAP, CHAP, MSCHAP)
• Active Directory
• LDAP
• NT domain
Groups
» Users can be grouped into groups
» Attached to a domain (only one)
» When a domain is created
» A default group named after the domain is also created for the domain
Users
» Two classes of users
• Administrators
• Users
» Users are created under groups
» Each user belongs to a single group
» Users with administrative privilege – administrator GUI
» Normal users – user portal
Policies
» Policy administration
• Global
• Group
• User
» User policies take precedence over group policies
» Group policies take precedence over global policies
» Policies can be applied to
• IP address/range/network resource
• Service type (Terminal Services, VNC, VPN Tunnel etc.)
• PERMIT or DENY
» Login policies
• Allow/Deny - IP address/Network/WAN
• Allow/Deny - Browser list
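The precedence rule on this slide, user over group over global, worked through in Python as an added example (not NETGEAR's code): each policy matches a destination (single IP, range or network) and a service and yields PERMIT or DENY, and a login policy filters by source network and browser. Assumptions made here: the most specific matching level decides, ties within a level go to the first listed policy, no match means DENY, and login deny rules are checked before allow rules; the policies and addresses are constructed sample data.

```python
# Added example: evaluation order for the SSL312-style Global / Group / User
# access policies and login policies. Not NETGEAR code; default-deny, first-match
# within a level and deny-before-allow for login are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    level: str        # "user", "group" or "global"
    subject: str      # user name, group name, or "*" for a global policy
    destination: str  # "10.0.0.5", "10.0.0.10-10.0.0.20" or "10.0.0.0/24"
    service: str      # "VNC", "Terminal Services", "VPN Tunnel", ... or "*"
    action: str       # "PERMIT" or "DENY"

    def matches(self, dest_ip: str, service: str) -> bool:
        if self.service not in ("*", service):
            return False
        addr = ipaddress.ip_address(dest_ip)
        if "-" in self.destination:                                   # address range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.destination.split("-", 1))
            return lo <= addr <= hi
        if "/" in self.destination:                                   # network
            return addr in ipaddress.ip_network(self.destination, strict=False)
        return addr == ipaddress.ip_address(self.destination)        # single host


PRECEDENCE = ("user", "group", "global")


def evaluate(policies, user, group, dest_ip, service):
    """Return (action, deciding policy or None): user rules first, then the
    user's group, then global; the first match at the most specific level wins."""
    for level in PRECEDENCE:
        subject = {"user": user, "group": group, "global": "*"}[level]
        for p in policies:
            if p.level == level and p.subject == subject and p.matches(dest_ip, service):
                return p.action, p
    return "DENY", None  # assumption: nothing matched -> deny


def login_allowed(src_ip, browser, deny_networks=(), allow_networks=(), allowed_browsers=None):
    """Login policy: source-network deny list, then allow list (if any), then browser list."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in deny_networks):
        return False
    if allow_networks and not any(addr in ipaddress.ip_network(n, strict=False) for n in allow_networks):
        return False
    return allowed_browsers is None or browser in allowed_browsers


# Constructed sample configuration
POLICIES = [
    Policy("global", "*", "10.0.0.0/24", "*", "PERMIT"),               # everyone: LAN permitted
    Policy("group", "sales", "10.0.0.10-10.0.0.20", "VNC", "DENY"),    # sales: no VNC to servers
    Policy("user", "alice", "10.0.0.15", "VNC", "PERMIT"),             # alice (in sales): exception
]


def demo():
    """Four access attempts showing which level decides."""
    return {
        "alice_vnc": evaluate(POLICIES, "alice", "sales", "10.0.0.15", "VNC")[0],            # user beats group
        "bob_vnc": evaluate(POLICIES, "bob", "sales", "10.0.0.15", "VNC")[0],                # group beats global
        "bob_rdp": evaluate(POLICIES, "bob", "sales", "10.0.0.15", "Terminal Services")[0],  # global applies
        "carol_other": evaluate(POLICIES, "carol", "eng", "192.168.1.1", "VNC")[0],          # no match -> DENY
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```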
VPN Tunnel & Port Forwarding
» VPN Tunnel
• Provides full access to the network, like IPsec
• An ActiveX client gets installed on the client machine
» Loops all the local traffic over to the SSL tunnel
» Port Forwarding
• Scaled down version of VPN Tunnel
• Forwards the configured IP address/port on to the SSL tunnel
• Only TCP traffic
User Portal
Fully populated User Portal
» VPN Tunnel
» Applications
» Remote Access
• Terminal Services
• VNC
» Network Places
» Port Forwarding
» Utilities
• Telnet
• FTP
• SSH
FAQ-1
» How do I change my system password?
An administrator may change the system password by logging in via the system console or via SSH and typing passwd root. Then enter the password, press Enter, type the confirmation password and press Enter again.
NOTE: The system password is different from the administrative web management interface password, which is configured through the web management interface.
» How can I customize the portal layout?
The portal layout may be customized on the SSL VPN Portal » Portal Layout page in the web management interface. From the portal layout page you can define what pages, icons and options to display to users. You can create multiple layouts and apply them to different authentication domains.
» When I create a new domain, I can't see the new domain on the login page
If you created a new domain and you cannot select it from the Domain drop down list on the login page, then you are most probably not logging in from the correct portal layout URL.
For example, let's say you created a layout named "mylayout" with the virtual host name "mylayout.netgear.com". Then you configured an authentication domain called "myRadius" and selected the new layout "mylayout" for that authentication domain. Now, if you go to the default portal layout, you will not see "myRadius" in the Domain Name drop down menu. To log in using "myRadius", go to https://[IP_Address_or_domain_name]/portal/mylayout; there you will be able to see the "myRadius" authentication domain.
FAQ-2
» I want my domain to be selected by default on the login page
The list of domains is shown in alphabetical order. If you would like your authentication domain to be selected by default, then create a new portal layout, configure virtual hosting, and log in using the new virtual hostname. Your new authentication domain will then be selected by default.
» How do I create a virtual hostname on the portal layout page?
To create a virtual hostname, enter the full URL of the virtual host, for example "partners.netgear.com". Because the web server needs to load the new configuration, restart the SSL312 software from the Monitoring » Diagnostics » Reboot page.
Then make sure that the new domain name resolves to the IP address of the SSL312. Log in to your organization's external DNS manager, add a new DNS name or a new alias, and configure it to resolve to the SSL312 IP address.
» Active Directory configuration isn't working, what is wrong?
Confirm that the time is synchronized between your Active Directory server and the SSL312 by configuring NTP on the System Configuration » Date and Time page. If you have added users to custom groups that you have defined on the Active Directory server, then you may need to use NT Domain or LDAP authentication in order to authenticate to your Windows authentication server.
» Can I only allow certain Active Directory groups to log in?
You can create specific rules for Active Directory users and groups by defining the users and groups in the SSL312 and then configuring access policies for these users and groups. However, you cannot prevent the users from logging in altogether. The only way to do this is to authenticate users based on Active Directory's LDAP directory services: instead of defining the authentication domain on the Active Directory page, define it as an LDAP authentication domain. Then you can enter the specific LDAP organizational unit information.
FAQ-3
» How do I create policies or bookmarks for Active Directory, LDAP or RADIUS users?
If you are using authentication by an external AAA server (LDAP, Active Directory, etc.), then you do not need to define users in the SSL312. However, you are then also unable to create bookmarks or policies per user.
To create individual bookmarks per user or group, you must define the users in the SSL312. Because the users authenticate to the AAA server, they do not require passwords. Once defined, you can add bookmarks or policies per user or per group to which the user belongs.
Because the SSL312 can query Active Directory to find out which group a user belongs to, you can create bookmarks and policies for Active Directory groups without defining every Active Directory user name. This works as follows: the SSL312 first verifies with the Active Directory server that the user is authorized to log in. Then the SSL312 checks whether the user is defined (in any Active Directory group) in the SSL312. If the user is defined, then the user and group policies and bookmarks apply to that user. If no matching user is defined, the SSL312 checks whether the Active Directory group to which the user belongs is defined in the SSL312. If so, then the group's bookmarks and policies apply to the user.
» Can I change the logo?
Yes, you may upload new logos on the Portal Layouts » Custom Banner page in the web management interface. There are 3 logos to upload. The logos are displayed on the login page, in the upper left corner of the portal page, and also in the upper left corner of the portal page when the portal is configured in the top menu navigation layout. The sizes of the 3 logos are indicated on the Company Logo page. The logos must be in GIF format.
Once the logos are uploaded, be sure to select Use Company Logo from the drop down menu and click Submit for the change to take effect. Be sure to refresh your browser window, in case the Cavium Networks logo is cached.
FAQ-4
» What network information do I need to configure?
The required network information includes the SSL312 IP address, gateway address and DNS settings. The IP address is configured when you first install the SSL312, but may be modified on the Network » Interfaces page. The DNS server addresses are configured on the Network » DNS Settings page and the default gateway (route) address is configured on the Network » Routes page. Until these parameters are configured, the portal will not function properly!
» What is host resolution?
Host resolution is similar to the LMHOSTS file on Windows machines or the /etc/hosts file on Linux and UNIX machines. Host resolution can be used to map names to IP addresses. This can be helpful for a myriad of reasons. For example, you can partially obscure your network's IP address scheme from SSL VPN users by creating hostnames for local servers. Then, when you create bookmarks, you can use the hostnames you have created rather than IP addresses.
52.© 1996-2004 NETGEAR® . All rights reserved
FAQ-5
» I have a valid certificate from a CA. How do I import it?
You do not need your own SSL certificate to set up and test the SSL312 software. However, NETGEAR strongly recommends that you install a valid certificate from a recognized Certificate Authority (CA) before deploying SSL VPN in production.
To upload the SSL Certificate and Key, create a zipped file containing the two files. Name the certificate file "server.crt" and the certificate key "server.key". Then upload the files on the System Configuration » Certificates page. Once uploaded, you should see the new certificate in the list of available certificates. Click View, and then enter the SSL Certificate password and click Submit. Then return to the SSL Certificate page, select the radio button to the left of the new certificate, and click Enable Cert. The SSL312 software will restart, using the new, valid SSL certificate.
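A pre-upload check for the bundle described above, as an added example (not NETGEAR's code): it builds the zip with exactly server.crt and server.key, confirms each file is PEM of the right kind whose payload decodes to an ASN.1 SEQUENCE, and reports whether the key is encrypted (the upload flow asks for the key password, so an unencrypted key is worth noticing). The PEM contents are constructed placeholders, not a real certificate or key.

```python
"""Added example (not NETGEAR's code): sanity-check the server.crt/server.key
zip before uploading it on System Configuration » Certificates."""
import base64
import binascii
import io
import zipfile

REQUIRED = {"server.crt", "server.key"}


def _pem_blocks(data: bytes):
    """Return [(label, der_bytes)] for every PEM block in data. Raises
    UnicodeDecodeError for non-ASCII input and binascii.Error for bad base64."""
    blocks, label, body = [], None, []
    for line in data.decode("ascii", "strict").splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, body = line[11:-5], []
        elif line.startswith("-----END ") and label is not None:
            blocks.append((label, base64.b64decode("".join(body), validate=True)))
            label = None
        elif label is not None and line and ":" not in line:
            body.append(line)  # ':' lines are Proc-Type/DEK-Info headers of legacy encrypted keys
    return blocks


def check_bundle(zip_bytes: bytes) -> dict:
    """Inspect a zip the way the FAQ expects it. 'ok' is True only when both
    files are present, nothing else is, and each is well-formed PEM."""
    report = {"ok": False, "problems": [], "key_encrypted": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        report["problems"].append("not a zip archive")
        return report
    with zf:
        names = set(zf.namelist())
        missing, extra = REQUIRED - names, names - REQUIRED
        if missing:
            report["problems"].append("missing: " + ", ".join(sorted(missing)))
        if extra:
            report["problems"].append("unexpected: " + ", ".join(sorted(extra)))
        if missing:
            return report
        crt, key = zf.read("server.crt"), zf.read("server.key")
    try:
        crt_blocks, key_blocks = _pem_blocks(crt), _pem_blocks(key)
    except (UnicodeDecodeError, binascii.Error) as exc:
        report["problems"].append(f"malformed PEM: {exc}")
        return report
    if not crt_blocks or crt_blocks[0][0] != "CERTIFICATE":
        report["problems"].append("server.crt does not start with a CERTIFICATE block")
    if len(key_blocks) != 1 or "PRIVATE KEY" not in key_blocks[0][0]:
        report["problems"].append("server.key must hold exactly one PRIVATE KEY block")
    else:
        label = key_blocks[0][0]
        report["key_encrypted"] = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in key
    for name, blocks in (("server.crt", crt_blocks), ("server.key", key_blocks)):
        if any(not der or der[0] != 0x30 for _, der in blocks):
            report["problems"].append(f"{name}: payload is not an ASN.1 SEQUENCE")
    report["ok"] = not report["problems"]
    return report


def make_bundle(files: dict) -> bytes:
    """Zip the given {name: bytes} mapping in memory, the way the FAQ asks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed placeholders: "MAMCAQE=" decodes to a 5-byte DER SEQUENCE, so the
# structural checks pass without embedding real key material.
FAKE_CRT = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMAMCAQE=\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_bundle(make_bundle({"server.crt": FAKE_CRT, "server.key": FAKE_KEY})))
```

The check is structural only: it catches the wrong file names, swapped files and damaged PEM before the appliance restarts on a bad certificate, but it does not verify that the key matches the certificate.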
» How does VPN Tunnel work?
VPN Tunnel creates a full network connection between the SSL VPN user's machine and the SSL312 server. So remote users become a virtual member of the local area network and can access resources as if they were located on the LAN. VPN Tunnel consists of two ActiveX components: an installer and a connector program. The installer creates a network driver on the client machine and the connector initiates the VPN Tunnel connection. When the VPN Tunnel is established, a VPN Tunnel PPP interface will be activated. All VPN traffic will be sent through the PPP interface, encrypted using SSL and sent across the Internet to the SSL312 server.
VPN Tunnel is supported on Microsoft Windows 2000, Windows XP (Professional and Home Edition), Windows 2000 Server, Windows 2003 Server and MacOS X. Windows users must use Internet Explorer with ActiveX enabled. Both Windows and Mac users must have administrative privileges to install VPN Tunnel, although standard users can launch VPN Tunnel once it has been installed.
FAQ-7
» How do I configure VPN Tunnel?
As an administrator, you can configure the VPN Tunnel settings on the Access Administration » VPN Tunnel page. You can either configure an address range in the same subnet as your local area network, or you can configure a range in a different subnet and then use client routes. If you use addresses in the same subnet, be sure that the range does not conflict with addresses on your local network. Be sure to allocate enough IP addresses in the client address range for all of your remote users. Each remote user requires two addresses: the VPN Tunnel PPP address and the corresponding SSL312 server PPP address.
If you configure client routes, you must also be sure to configure a static route in your corporate network router or firewall that directs traffic for the VPN Tunnel clients to the SSL312 server. This is described in more detail in FAQ-8 below.
Also note that the class of the subnet is based on the PPP address. For the 3 private address ranges, 10.0.0.0 - 10.255.255.255 is a Class A subnet, 172.16.0.0 - 172.16.255.255 is a Class B subnet and 192.168.0.0 - 192.168.255.255 is a Class C subnet. What this means is that if you configure the virtual client address range 10.1.0.1 - 10.1.0.254, the VPN Tunnel client will assume that all IP addresses from 10.0.0.0 - 10.255.255.255 are located across the SSL VPN tunnel.
FAQ-8
» I created client routes, but my VPN Tunnel clients cannot connect to network machines
If a VPN Tunnel client can connect and receive a VPN Tunnel PPP address, but cannot access network resources, then you may need to check your network and client settings. The most likely problem is that you need to add a static route on your local network.
If your client address range is in a different subnet than your local area network, you need to configure client routes to inform your VPN Tunnel clients that they need to go through the VPN Tunnel in order to access your local network. If you have done this correctly and you can see the client routes on the client machines (you can verify client routes by typing route print at an MS-DOS prompt), then your clients can probably connect to machines on your local network. However, machines on your local network will see the VPN Tunnel client addresses as being on a different subnet, and will send data out to the Internet rather than back to the SSL312 server. For example, if a VPN Tunnel client with PPP address 192.168.1.1 pings a local mail server at 10.0.0.10, the server may receive the ping and send the ping echo out to the Internet, rather than back to the SSL312 server, where the ping response can be forwarded on to the VPN Tunnel client.
The easiest way to solve this issue is to add a static route on the local network firewall or router that forwards all data sent to the VPN Tunnel address range to the SSL312 server. In our example, the network administrator could create a static route on the corporate firewall for the network 192.168.1.0 and mask 255.255.255.0 to the SSL312 server address, 10.0.0.25.
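The addressing rules of FAQ-7 (two PPP addresses per user, no overlap with in-use LAN addresses, the client's classful view of its PPP address) and the return-route requirement of FAQ-8, worked as one added example. This is not NETGEAR's code; the LAN prefix, in-use addresses and the firewall routing tables are constructed, and the only values taken from the FAQ are the 192.168.1.x client range, the mail server 10.0.0.10 and the SSL312 at 10.0.0.25.

```python
"""Added example (not NETGEAR's code): plan a VPN Tunnel client range (FAQ-7)
and check that the LAN routes replies back to the SSL312 (FAQ-8)."""
import ipaddress


def classful_network(addr):
    """Network a classful host derives from an address, as the FAQ says the
    tunnel client does: Class A -> /8, Class B -> /16, Class C -> /24."""
    a = ipaddress.IPv4Address(addr)
    first_octet = int(a) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a Class A, B or C address")
    return ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def plan_client_range(start, end, lan_cidr, expected_users, in_use=()):
    """Report on a proposed client range: how many users fit, what the tunnel
    client will assume is reachable through the tunnel, and rule violations."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if e < s:
        raise ValueError("range end precedes range start")
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    addresses = int(e) - int(s) + 1
    assumed = classful_network(s)
    report = {
        "users": addresses // 2,  # client PPP address + matching SSL312 PPP address
        "assumed_tunnel_network": assumed,
        "same_subnet_as_lan": s in lan and e in lan,  # False -> client routes needed
        "lan_inside_assumed": lan.subnet_of(assumed),  # LAN reachable via classful route
        "conflicts": sorted(ip for ip in in_use if s <= ipaddress.IPv4Address(ip) <= e),
        "problems": [],
    }
    if report["users"] < expected_users:
        report["problems"].append(
            f"{addresses} addresses serve only {report['users']} users, need {expected_users}")
    if report["conflicts"]:
        report["problems"].append(
            "range overlaps in-use LAN addresses: " + ", ".join(report["conflicts"]))
    return report


def next_hop(routes, destination):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_returns_via_tunnel(lan_routes, client_ppp, concentrator):
    """FAQ-8: a LAN host's reply to a tunnel client must be forwarded to the
    SSL312 rather than the default gateway."""
    return next_hop(lan_routes, client_ppp) == concentrator


# Constructed routing tables for the corporate firewall, before and after the
# static route FAQ-8 recommends (192.168.1.0/24 -> SSL312 at 10.0.0.25).
FIREWALL_BEFORE = [("10.0.0.0/24", "connected"), ("0.0.0.0/0", "isp-gateway")]
FIREWALL_AFTER = FIREWALL_BEFORE + [("192.168.1.0/24", "10.0.0.25")]

if __name__ == "__main__":
    print(plan_client_range("10.1.0.1", "10.1.0.254", "10.0.0.0/24", expected_users=100))
    print("reply to 192.168.1.1 goes to:", next_hop(FIREWALL_BEFORE, "192.168.1.1"),
          "before,", next_hop(FIREWALL_AFTER, "192.168.1.1"), "after")
```

With the FAQ's own example, the 10.1.0.x range gives the client a classful 10.0.0.0/8 route that already covers a 10.0.0.0/24 LAN, while the 192.168.1.x range only works once the firewall has the /24 static route; without it the echo reply matches the default route and leaves for the Internet.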
» Remote users are not able to connect to servers by host or domain name
If remote users are not able to access local resources by domain name or host name, then check the DNS settings and WINS settings in the SSL312 web management interface. WINS and DNS settings are sent down to the VPN Tunnel clients. So, make sure that you add the IP addresses of your local WINS and DNS servers in the SSL312 Network » DNS Settings page. Then the VPN Tunnel will query your local WINS and DNS servers to resolve host names and domain names.
FAQ-9
» The VPN Tunnel page takes a long time to load
Many pages, including the VPN Tunnel page, require that the SSL312 server can resolve the URL that is used to access the SSL VPN portal. Because of NAT, the public address that is seen by remote users may be different from the actual IP address of the SSL312 server. To resolve the issue, add a host resolution entry that resolves the SSL VPN server domain name to the private IP address of the SSL312 server. The host entry can be added on the Network » Host Table page.
» I can't add bookmarks on the bookmark page
If you see the Add Bookmark button on the Desktop or Services page in the SSL VPN portal but you are unable to create bookmarks, then you may be logged in as an Active Directory, LDAP, NT or RADIUS user and a corresponding user may not be defined in the SSL312.
It is recommended that the SSL312 administrator either define the Active Directory, LDAP, NT or RADIUS user names on the Access Administration » Users and Groups page or hide the Add Bookmark buttons in the SSL VPN portal. The Add Bookmark buttons may be configured on the SSL VPN Portal » Portal Layouts page.
» I don't want users to see the bookmark IP address in the bookmark table
To hide bookmark names or IP addresses from users, you can hide the Services and Desktop pages from users and only allow them to access the Home page, which does not show the bookmark IP address.
Or you can add host entries on the Network » Host Resolution page that resolve names to local IP addresses. Then, when you create bookmarks, add the new host name rather than the IP address. SSL VPN users will only see the host name, not the IP address, in the Bookmarks table.
FAQ-10
» When I connect to Telnet or SSH, I am not able to type anything
If you are using the Microsoft Java plug-in, then you will need to click on the Telnet or SSH window near the cursor prompt before you can begin typing data.
» I cannot connect to Intranet web sites; I see the message "Host cannot be resolved".
If you cannot connect to Intranet web sites, then either DNS is not properly configured on the SSL312 server or the user is not entering the web site host name properly. Note: do not add the http:// or https:// prefix when accessing an Intranet web site.
» Terminal Services 5.0 ActiveX does not work in Windows XP SP2
With Windows XP SP2, Microsoft disabled the 127.0.0.2 loopback address used by the SSL312 Terminal Services client. So users will need to install the Windows XP SP2 loopback update (KB884020). Instructions to download and install the update are provided below. This only affects the ActiveX Terminal Services client. The Java Terminal Services client does not require the SP2 update (KB884020).
If you try to connect to a Terminal Server from Windows XP SP2 and you see an error stating that the server cannot connect, but the Java-based Terminal Services client works fine, then you need to install the Windows update patch. Download the patch at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=17d997d2-5034-4bbb-b74d-ad8430a1f7c8&DisplayLang=en
After you download and install the patch, you may need to restart Internet Explorer or reboot your machine before you can access the application.
FAQ-11
» How do I set up applications for the Applications page?
Applications displayed on the portal Applications page are Terminal Services applications and are hosted on a Windows Terminal Server. You can define the applications on the SSL VPN Portal » Portal Layouts page in the web management GUI. You must define a path where the Terminal Services application is hosted. You can optionally define the Terminal Server IP address or name. If no IP address is defined, then the users can enter the Terminal Server address after clicking the application icon on the Applications page.
» How do I set up VNC? What is VNC?
VNC, or Virtual Network Computing, provides remote access to desktop computers by exporting the monitor, keyboard, and mouse data over a network or the Internet. VNC is the underlying technology used in many commercial remote desktop computing applications.
To use VNC, you must install VNC server software on a local server or desktop on your corporate network. There are several free VNC server applications available, including RealVNC and TightVNC. You can download and install the server software on Windows, Linux, and UNIX servers or desktops. Be sure to run the software in server mode; you should see the VNC icon in your Windows taskbar. Run the VNC server on the default port, 5900. Also, configure a VNC server password for enhanced security.
» Passive FTP over Virtual Transport: For FTP to work in Virtual Transport mode, the Passive FTP option must be turned on in IE. Go to IE » Internet Options » Advanced and enable the “Use Passive FTP (for firewall and DSL modem compatibility)” box, marked in red in the graphic below.
FAQ-12
» Active Directory Configuration and NTP:
To properly set up Active Directory, NTP (Network Time Protocol) must be configured on both the SSL312 and the Windows 2000 or Windows 2003 server. Active Directory uses the Kerberos 5 protocol for authentication. For Kerberos to work, the clock skew between the server (Windows) and the client (SSL312) must be less than 60 minutes.
Example NTP server lists: http://tf.nist.gov/service/its.htm or http://ntp.isc.org/bin/view/Servers/NTPPoolServers
» Virtual Transport and CIFS (Common Internet File System): Virtual Transport only supports WinSock2 clients. Virtual Transport is a "Layered Service Provider" (LSP) function; Layered Service Providers sit on top of the WinSock2 layer of the Windows TCP/IP stack. If an application uses direct sockets to communicate with the TCP/IP stack, or uses Transport Redirect, Virtual Transport cannot be used.
Examples of WinSock applications: IE, Firefox, Outlook etc.
Examples of Non-WinSock applications are: Windows Network Neighborhood, command line FTP, Cygwin, command line Telnet.
» CIFS and IE 5.0 for FTP: Virtual Transport supports only outgoing TCP connections. By default all the FTP clients use Active Mode. In active mode data connections are initiated by the server. For FTP clients to work using Virtual Transport, they must support passive mode FTP. IE 5.0 does not support passive mode FTP. So IE 5.0 cannot be used as FTP client.
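Why the FTP restriction above follows from "outgoing connections only", shown as an added example that is not NETGEAR's code: it reads the control-channel lines of an FTP session, decodes the h1,h2,h3,h4,p1,p2 tuple that PORT and the 227 reply carry, and reports who opens the data connection. In active mode the server connects back to the client, which a client-side transport that only carries outgoing connections cannot relay; in passive mode the client connects out, which it can. The two control exchanges are constructed samples in the RFC 959 format.

```python
"""Added example (not NETGEAR's code): active vs passive FTP as seen on the
control channel, and which of the two an outgoing-only transport can carry."""
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply
    into (host, port); the port is p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple in: " + text)
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("octet out of range in: " + text)
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def data_connection(control_exchange):
    """Given [(side, line)] pairs from the control channel, describe the data
    connection: mode, which side initiates the TCP connection, and to where."""
    for side, line in control_exchange:
        if side == "client" and line.upper().startswith("PORT "):
            host, port = parse_hostport(line)
            return {"mode": "active", "initiator": "server", "endpoint": (host, port)}
        if side == "server" and line.startswith("227"):
            host, port = parse_hostport(line)
            return {"mode": "passive", "initiator": "client", "endpoint": (host, port)}
    return {"mode": None, "initiator": None, "endpoint": None}


def works_over_outgoing_only(control_exchange):
    """Virtual Transport, per the FAQ, only relays connections the client opens,
    so the data connection must be client-initiated (passive mode)."""
    return data_connection(control_exchange)["initiator"] == "client"


# Constructed control-channel samples. Active: the client tells the server to
# connect back to 192.168.1.5:1025. Passive: the server tells the client to
# connect out to 10.0.0.40:50000.
ACTIVE_SESSION = [
    ("client", "PORT 192,168,1,5,4,1"),
    ("server", "200 PORT command successful."),
    ("client", "LIST"),
    ("server", "150 Opening ASCII mode data connection for file list."),
]
PASSIVE_SESSION = [
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (10,0,0,40,195,80)."),
    ("client", "LIST"),
    ("server", "150 Opening ASCII mode data connection for file list."),
]

if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        print(name, data_connection(session), "relayable:", works_over_outgoing_only(session))
```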
FAQ 13
» Can I install the SSL312 directly on the Internet?
• Yes, however we do not recommend that you install the SSL312 straight on the Internet because you will expose the SSL312 and your network resources to hackers on the Internet.
» I cannot use the SSL VPN Tunnel feature on the SSL312.
• Please check to make sure that you are using the latest firmware on the SSL312. Also check to see if you have any other IPSec VPN Client software installed on your PC; if you do, be sure to disable the IPSec VPN Client so that the SSL VPN Tunnel loads correctly.
» I am using the latest version of Internet Explorer and I am using the correct IP address to connect to the SSL312, but I cannot establish my SSL VPN.
• Make sure that you select “Enable/Accept Active-X” on your PC in order for the VPN to load. If you do not enable Active-X, the VPN will not load.
» Why can't I run the SSH client on the SSL312?
• Make sure that you have installed the latest version of the Java Runtime in order to use the SSH client on the SSL box.
FAQ 14
» I received error messages when I try to log onto one of the domains from the drop down list.
• Make sure the time and date on the SSL312 are synchronized with your authentication servers (NT Domain, Active Directory, RADIUS, etc.).
» I received the IP conflict error message when I try to configure the virtual IP address for remote clients on the SSL312.
• When specifying the virtual IP under VPN Tunnel on the SSL box for incoming clients make sure that it does not conflict with your local IP scope.
» Why can't I authenticate users on the SSL312?
• Make sure you create a Domain and users in this domain, so they can authenticate through the SSL312 box.