Page 1: SSL312 VPN Concentrator 25 Training

SSL312 VPN Concentrator 25 Training

Presented by:
Vivek Chugh – Product Line Manager
Hien Ly – L3 Support Engineer
Satish Nandi – Product/Engineering Manager

Page 2

© 1996-2004 NETGEAR®. All rights reserved

Agenda
• What is SSL?
• What is SSL VPN?
• Why SSL?
• What is the NETGEAR SSL312 SSL VPN Concentrator?
  » Deployment Scenario
  » Product Description
• NETGEAR SSL VPN Benefits
  » Features and Benefits
  » NETGEAR SSL312 Unique Features
  » Feature comparisons
  » ProSafe SSL VPN Value Proposition
• SSL Technology Overview
  » SSL Architecture
  » SSL Protocols
  » SSL Handshake
  » SSL Key Exchange Methods
• Demo

Page 3

What is SSL?
• SSL stands for Secure Sockets Layer
• Provides protection of data
• Data sent over the wire is encrypted using SSL, thus providing data confidentiality

Page 4

What is SSL VPN?
» Extends a Virtual Private Network (VPN) over the Internet and enables remote users to connect securely
» Uses SSL to provide remote access
  • SSL is now called TLS by the IETF
  • Refer to RFC 2246: http://www.ietf.org/rfc/rfc2246.txt
» Uses the same kind of encryption and authentication protocols as IPsec
  • DES, 3DES, AES; supports asymmetric (public key) cryptography
» SSL is an application level protocol
  • Transmits data over SSL (port 443)
  • IPsec is a layer 3 protocol; it encrypts packets over IP
» SSL VPN can deliver remote access from web browsers
  • No client required (client-less VPN)
  • Less skilled Internet users do not need to remember IP addresses or use VNC or pcAnywhere
  • All resources are available as bookmarks
» Users are not confined to accessing their remote network from a dedicated PC
» Access data anytime and anywhere

Page 5

Why SSL?
• Confidentiality (data is encrypted)
• Data Integrity (tamper proof)
  » No “Man in the Middle” attacks
• Server Authentication (prove who you are)
  » Windows Active Directory/Domain Controller
  » RADIUS
  » LDAP
• Optional client authentication
• Dominant security technology on the web
• Runs over TCP
  » Transport Layer Security
  » HTTPS is HTTP over SSL (port 443)
• Worldwide e-commerce transactions occur over SSL
• Well tested (several years of public scrutiny)
• Supported in commercially available browsers today
  » Lock icon at the bottom right of the web browser

Page 6

What is the NETGEAR SSL312 SSL VPN Concentrator?
» State of the art remote access SSL VPN solution tailored for the SMB market
» Supports up to 25 concurrent sessions
» Industry’s most cost effective twenty-five tunnel SSL VPN solution
» Unrestricted user license
» Allows anywhere, anytime access to your corporate resources, without requiring a VPN client
» Browser based access (Internet Explorer, Macintosh Safari)
» Provides seamless “LAN-like” user experience
» Customizable user portal for ease of use and enhanced user experience
» Offers automatic session and software clean-up mode for kiosk based access
» Provides granular access control to your network resources
» Wide variety of user authentication methods including Active Directory, LDAP and RADIUS

Page 7

NETGEAR SSL VPN for Any Deployment Scenario

[Diagram: Internet – Firewall – ProSafe SSL VPN Concentrator – Internal Network / Corporate Business Network (Email, Web, Database, File Shares). Remote users access the network at the airport (kiosk or laptop), at a partner site, at a coffee shop, while working at home, or from a PDA. IT administrators decide, based upon user credentials, whether a user has full or limited access to the corporate network. Legend: one marker denotes limited access to the corporate network, the other denotes full access to the network.]

Page 8

SSL 312 Product Description
• 3 series blue metal case
• 2 10/100 Ethernet LAN ports, 1 console port
• 16M Flash / 128M SDRAM
• Internal power supply
• High performance SSL VPN using the Cavium NITROX Soho CN220 (200MHz)
• Unlimited user license – other vendors restrict access
• Total number of SSL VPN tunnels supported = 25
• Customized user experience
• List price of $545.00
• Industry’s most cost effective 25 tunnel SSL VPN solution!

Page 9

NETGEAR SSL VPN Benefits
» Easy to use:
  • Browser based (https://) network connection
  • Simple login (user name / password)
  • One time set-up
  • Simple un-install procedure for kiosks
» Access from any computer, anywhere:
  • User laptops, home PCs or remote kiosks can all securely connect
  • Packets look like standard IP packets
  • VPN tunnel provides firewall/NAT traversal
  • Cache clean up after session termination
  • Unlimited user access
» Zero cost access client software:
  • No expensive VPN client software or IT support required
  • ActiveX client for full “IPsec-like” connectivity (<64K in size)
» Superior remote access solution:
  • Remote employee access for small business
  • Secure consumer/retail access for home users
  • Protocol independent full LAN access

Page 10

NETGEAR SSL VPN Features & Benefits

Feature                                                                 | Benefit
------------------------------------------------------------------------+----------------------------------------------------------------------------
Ease of Use                                                             |
Easy one-time installation of full package ActiveX / Java               | No IT staff support required – small client automatically loaded
Complete application support                                            | ALL desktop, Microsoft or network applications available
Simple system tray icon for connect / disconnect / clean-up             | Easy client application and session management – automatic uninstall option
Access & Performance                                                    |
Hardware based SSL acceleration                                         | Unmatched SSL gateway processing throughput
Remote desktop access, application access and file sharing             | Windows Terminal Services, VNC, Telnet support for access; Windows CIFS and FTP for file sharing
Full network resource access, any protocol, tunneling through           | Access full remote network, printers, servers and tunnel through airport and other NAT/FW barriers
firewall / NAT limitations with SSL over VPN                            |
HTTP & HTTPS proxy and reverse proxy                                    | Support for corporate intranet and Outlook Web Access
Security & Control                                                      |
Full AAA (Authentication, Authorization & Accounting)                   | Strongest AAA based on RADIUS, LDAP, MS Active Directory, NT Domain and local database
Comprehensive, granular user policy control – individual and group      | Tight administrative control over end user security policies & access
access and application profiles                                         |
Strongest encryption – support of SSLv3 and TLSv1.0 coupled with AES-256| Peace of mind – all SSL VPN will be just as secure as IPsec VPN solutions
Client platforms supported: Windows 2000, 2003 & XP; MacOS; IE, Safari  | Broadest end user platform support. Access Anywhere Any Time!
browsers                                                                |

Page 11

NETGEAR SSL VPN Unique Features
» Access modes supported:
  • “IPsec-like” remote access, full LAN level view – VPN over SSL
  • High performance TCP application access with LSP/NSP – Remote Control
  • Desktop & application level remote access – VNC, RDP
  • OWA & intranet access – HttpRP
  • Other access: WebCIFS, Telnet/SSH, FTP & WebFTP
» Broadest client/browser support:
  • VPN Tunnel and Port Forwarding – through Windows & Mac OS clients
» Broadest support for authentication methods:
  • Local database, RADIUS, NT Domain, LDAP, Active Directory
» Widest range of applications supported for application proxies:
  • Support for Microsoft: IE, Outlook, Word, Excel, PowerPoint, Access & FrontPage
» Excellent administrative options:
  • Bookmarking of individual user & group configurations, logging & monitoring
» Highest performance in class

Page 12

SSL 312 Enterprise Class Features

SSL VPN Features                                      | NETGEAR SSL 312 | F5 FirePass Appliance | Juniper SA Series | Aventail EX-Series | Cisco VPN Concentrator
------------------------------------------------------+-----------------+-----------------------+-------------------+--------------------+-----------------------
Web/Java Based Application Access                     |                 |                       |                   |                    |
  HTTP/HTTPS Proxy                                    | Yes             | Yes                   | Yes               | Yes                | Yes
  Terminal Services Adapter                           | Yes             | Citrix                | Yes               | No                 | No
  FTP Client                                          | Yes             | No                    | No                | No                 | No
  Terminal Access                                     | VT100, 320      | VT320                 | VT100, 320        | No                 | No
  Windows File Sharing                                | Yes             | Yes                   | Yes               | Yes                | No
    - Windows Workgroups                              | Yes             | Yes                   | Yes               | Yes                | No
    - NT4, Windows 2000 Domains                       | Yes             | Yes                   | Yes               | Yes                | No
    - SMB Shares                                      | Yes             | Yes                   | Yes               | -                  | No
  Web Based Email (OWA, etc)                          | Yes             | Yes                   | Yes               | Yes                | Yes
SSL VPN Client                                        |                 |                       |                   |                    |
  Client for complete network access to remote users  | Yes             | Yes                   | Yes               | Yes                | Yes
Authentication Servers                                |                 |                       |                   |                    |
  Internal                                            | Yes             | Yes                   | Yes               | Yes                | Yes
  Active Directory LDAP                               | Yes             | Yes                   | Yes               | Yes                | Yes
  LDAP Directory                                      | Yes             | Yes                   | Yes               | Yes                | Yes
  RADIUS                                              | Yes             | Yes                   | Yes               | Yes                | Yes
  Kerberos                                            | Yes             | -                     | Yes               | Yes                | Yes
Inactivity Timeouts                                   |                 |                       |                   |                    |
  Session Inactivity Reports                          | Yes             | Yes                   | Yes               | Yes                | -
Logging and Reporting                                 |                 |                       |                   |                    |
  Event Logging                                       | Yes             | Yes                   | Yes               | Yes                | Yes
  Syslog Support                                      | Yes             | Yes                   | Yes               | Yes                | Yes
  Email Logs/alerts                                   | Yes             | Yes                   | Yes               | Yes                |
Policy Management                                     |                 |                       |                   |                    |
  User, Group and Global access policies              | Yes             | Yes                   | Yes               | Yes                | Yes
Web Cache Cleaner                                     |                 |                       |                   |                    |
  HTTP "no cache" directives                          | Yes             | Yes                   | Yes               | Yes                | Yes
  Web Cache ActiveX Control                           | Yes             | Yes                   | Yes               | No                 |
  HTTP to HTTPS redirect                              | Yes             | Yes                   | Yes               | -                  |
UI Customization                                      |                 |                       |                   |                    |
  Customized Look and Feel                            | Yes             | Yes                   | Yes               | Yes                | Yes

(Rows with a blank final cell had only four values on the original slide.)

Page 13

ProSafe SSL VPN Value Proposition
» For small and mid-sized businesses (up to 100 person company) whose people need to be in the office to get access to their information and applications
  • Examples: real estate agents, lawyers, clinics, schools, brokers, etc.
» Problem: they need to come into work to access their information
  • Employees drive to work on weekends and holidays (can’t telecommute)
  • Current IPsec VPN solutions are too complex and expensive
    » Integration with existing network infrastructure is not seamless
    » Costly to set up, deploy and maintain
» Solution:
  • Provide a cost effective, easy to use and deploy solution that allows employees to access their information remotely from anywhere, anytime
» Benefits:
  • Increases productivity & reduces total cost of ownership
    » Enables telecommuting without any extra hardware or software at home
    » Work in more locations
    » More flexible work schedule
    » Plug and play setup
    » Easy to deploy and maintain
  • Reduce office space
  • Minimal training required

Page 14

How does SSL Work – In a Simplistic Manner

Client                                        Server
  client connects                     ---->
                                      <----   server sends certificate
  client sends encrypted pre-master   ---->
  both sides create the session key for further communication using the pre-master key

Page 15

SSL architecture (protocol stack, top to bottom)

  applications (e.g., HTTP)
  SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol
  SSL Record Protocol
  TCP
  IP

Page 16

SSL components
» SSL Record Protocol
  • fragmentation
  • compression
  • message authentication and integrity protection
  • encryption
» SSL Handshake Protocol
  • negotiation of security algorithms and parameters
  • key exchange
  • server authentication and optionally client authentication
» SSL Change Cipher Spec Protocol
  • a single message that indicates the end of the SSL handshake
» SSL Alert Protocol
  • error messages (fatal alerts and warnings)

Page 17

SSL Handshake Protocol – overview

client                              server
  client_hello             ------>
                           <------  server_hello
                           <------  certificate
                           <------  server_key_exchange
                           <------  certificate_request
                           <------  server_hello_done
  certificate              ------>
  client_key_exchange      ------>
  certificate_verify       ------>
  change_cipher_spec       ------>
  finished                 ------>
                           <------  change_cipher_spec
                           <------  finished

Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers
Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
Phase 4: Change cipher spec and finish handshake

Page 18

Hello messages
» client_hello
  • client_version
    » the highest version supported by the client
  • client_random
    » current time (4 bytes) + pseudo random bytes (28 bytes)
  • session_id
    » empty if the client wants to create a new session, or
    » the session ID of an old session within which the client wants to create the new connection
  • cipher_suites
    » list of cryptographic options supported by the client, ordered by preference
    » a cipher suite contains the specification of the
      • key exchange method, the encryption and the MAC algorithm
      • the algorithms implicitly specify the hash_size, IV_size, and key_material parameters (part of the Cipher Spec of the session state)
    » example: SSL_RSA_with_3DES_EDE_CBC_SHA
  • compression_methods
    » list of compression methods supported by the client

(SSL Handshake Protocol / Phase 1)

Page 19

Hello messages cont’d
» server_hello
  • server_version
    » min( highest version supported by client, highest version supported by server )
  • server_random
    » current time + random bytes
    » random bytes must be independent of the client random
  • session_id
    » session ID chosen by the server
    » if the client wanted to resume an old session:
      • server checks if the session is resumable
      • if so, it responds with the session ID and the parties proceed to the finished messages
    » if the client wanted a new session
      • server generates a new session ID
  • cipher_suite
    » single cipher suite selected by the server from the list given by the client
  • compression_method
    » single compression method selected by the server

(SSL Handshake Protocol / Phase 1)
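As an added worked example (not NETGEAR's or the SSL312's code), the rules from the two Hello messages slides turned into a small server_hello negotiator: server_version = min(), a server_random independent of the client's, session resumption from a cache, the first common cipher suite in the client's preference order, and a fatal handshake_failure when nothing is in common. The dataclasses, the in-memory session cache and the suite names in the demo are constructed for illustration.

```python
# Added example (not NETGEAR's code): a server building its server_hello from a
# client_hello by the rules on the Hello messages slides. The classes, the
# in-memory session cache and the demo suite names are constructed here.
import os
import struct
import time
from dataclasses import dataclass, field

SSL3 = (3, 0)    # SSLv3
TLS10 = (3, 1)   # TLS 1.0 (RFC 2246); versions compare as (major, minor) tuples


def make_random() -> bytes:
    """current time (4 bytes, big-endian) + 28 pseudo-random bytes = 32 bytes."""
    return struct.pack("!I", int(time.time())) + os.urandom(28)


class HandshakeFailure(Exception):
    """Fatal alert: no cipher suite / compression method in common."""


@dataclass
class ClientHello:
    client_version: tuple          # highest version the client supports
    cipher_suites: list            # ordered by client preference
    compression_methods: list      # ordered by client preference
    session_id: bytes = b""        # empty: the client wants a new session
    client_random: bytes = field(default_factory=make_random)


@dataclass
class ServerHello:
    server_version: tuple
    server_random: bytes
    session_id: bytes
    cipher_suite: str
    compression_method: str
    resumed: bool                  # True: both sides skip to the finished messages


class Server:
    def __init__(self, highest_version, cipher_suites, compression_methods):
        self.highest_version = highest_version
        self.cipher_suites = cipher_suites             # suites the server accepts
        self.compression_methods = compression_methods
        self.session_cache = {}                        # session_id -> (suite, compression)

    def negotiate(self, hello: ClientHello) -> ServerHello:
        # server_version = min(highest client version, highest server version)
        version = min(hello.client_version, self.highest_version)
        # server_random is drawn fresh, independently of client_random
        server_random = make_random()

        # Resumption: if the offered session ID is still cached, reuse its
        # parameters and let both parties proceed to the finished messages
        if hello.session_id and hello.session_id in self.session_cache:
            suite, comp = self.session_cache[hello.session_id]
            return ServerHello(version, server_random, hello.session_id,
                               suite, comp, resumed=True)

        # New session: the first suite in the client's preference list that the
        # server also supports; nothing in common is a fatal handshake failure
        suite = next((s for s in hello.cipher_suites if s in self.cipher_suites), None)
        comp = next((c for c in hello.compression_methods
                     if c in self.compression_methods), None)
        if suite is None or comp is None:
            raise HandshakeFailure("handshake_failure: no common cipher suite or compression")

        session_id = os.urandom(32)                    # new session ID chosen by the server
        self.session_cache[session_id] = (suite, comp)
        return ServerHello(version, server_random, session_id, suite, comp, resumed=False)


def negotiate_or_alert(server: Server, hello: ClientHello):
    """Return the ServerHello, or the alert text if the handshake fails."""
    try:
        return server.negotiate(hello)
    except HandshakeFailure as exc:
        return str(exc)


if __name__ == "__main__":
    srv = Server(TLS10, ["SSL_RSA_with_3DES_EDE_CBC_SHA", "SSL_RSA_with_RC4_128_SHA"], ["null"])
    hello = ClientHello((3, 2), ["SSL_RSA_with_RC4_128_SHA", "SSL_RSA_with_3DES_EDE_CBC_SHA"], ["null"])
    sh = srv.negotiate(hello)
    print(sh.server_version, sh.cipher_suite, sh.resumed)   # (3, 1) SSL_RSA_with_RC4_128_SHA False
```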

Page 20

Supported key exchange methods
» RSA based (SSL_RSA_with...)
  • the secret key (pre-master secret) is encrypted with the server’s public RSA key
  • the server’s public key is made available to the client during the exchange
» fixed Diffie-Hellman (SSL_DH_RSA_with… or SSL_DH_DSS_with…)
  • the server has fixed DH parameters contained in a certificate signed by a CA
  • the client may have fixed DH parameters certified by a CA, or it may send an unauthenticated one-time DH public value in the client_key_exchange message
» ephemeral Diffie-Hellman (SSL_DHE_RSA_with… or SSL_DHE_DSS_with…)
  • both the server and the client generate one-time DH parameters
  • the server signs its DH parameters with its private RSA or DSS key
  • the client may authenticate itself (if requested by the server) by signing the hash of the handshake messages with its private RSA or DSS key

(SSL Handshake Protocol / Phase 1)

Page 21

Server certificate and key exchange messages
» certificate
  • required for every key exchange method except for anonymous DH
  • contains one or a chain of X.509 certificates (up to a known root CA)
  • may contain
    » public RSA key suitable for encryption, or
    » public RSA or DSS key suitable for signing only, or
    » fixed DH parameters
» server_key_exchange
  • sent only if the certificate does not contain enough information to complete the key exchange (e.g., the certificate contains an RSA signing key only)
  • may contain
    » public RSA key (exponent and modulus), or
    » DH parameters (p, g, public DH value), or
    » Fortezza parameters
  • digitally signed
    » if DSS: SHA-1 hash of (client_random | server_random | server_params) is signed
    » if RSA: MD5 hash and SHA-1 hash of (client_random | server_random | server_params) are concatenated and encrypted with the private RSA key

(SSL Handshake Protocol / Phase 2)

Page 22

Certificate request and server hello done msgs
» certificate_request
  • sent if the client needs to authenticate itself
  • specifies which type of certificate is requested (rsa_sign, dss_sign, rsa_fixed_dh, dss_fixed_dh, …)
» server_hello_done
  • sent to indicate that the server has finished its part of the key exchange
  • after sending this message the server waits for the client response
  • the client should verify that the server provided a valid certificate and that the server parameters are acceptable

(SSL Handshake Protocol / Phase 2)

Page 23

Client authentication and key exchange
» certificate
  • sent only if requested by the server
  • may contain
    » public RSA or DSS key suitable for signing only, or
    » fixed DH parameters
» client_key_exchange
  • always sent (but it is empty if the key exchange method is fixed DH)
  • may contain
    » RSA encrypted pre-master secret, or
    » client one-time public DH value, or
    » Fortezza key exchange parameters
» certificate_verify
  • sent only if the client sent a certificate
  • provides client authentication
  • contains signed hash of all the previous handshake messages
    » if DSS: SHA-1 hash is signed
    » if RSA: MD5 and SHA-1 hashes are concatenated and encrypted with the private key

    MD5( master_secret | pad_2 | MD5( handshake_messages | master_secret | pad_1 ) )
    SHA( master_secret | pad_2 | SHA( handshake_messages | master_secret | pad_1 ) )

(SSL Handshake Protocol / Phase 3)

Page 24

Finished messages
» finished
  • sent immediately after the change_cipher_spec message
  • first message that uses the newly negotiated algorithms, keys, IVs, etc.
  • used to verify that the key exchange and authentication were successful
  • contains the MD5 and SHA-1 hash of all the previous handshake messages:

    MD5( master_secret | pad_2 | MD5( handshake_messages | sender | master_secret | pad_1 ) ) |
    SHA( master_secret | pad_2 | SHA( handshake_messages | sender | master_secret | pad_1 ) )

    where “sender” is a code that identifies whether the sender is the client or the server (client: 0x434C4E54; server: 0x53525652)

(SSL Handshake Protocol / Phase 4)
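As an added example (not from the slides or NETGEAR), the certificate_verify construction from the Phase 3 slide and the finished construction from the Phase 4 slide in working Python, sharing one nested-hash helper. pad_1 (0x36 repeated) and pad_2 (0x5c repeated), 48 bytes for MD5 and 40 for SHA-1, and the two sender codes are the SSLv3 constants from RFC 6101; the master secret and handshake transcript in the demo are constructed sample bytes, not captured traffic.

```python
# Added example (not NETGEAR's code): SSLv3 certificate_verify and finished
# hashes as written on the two slides above. pad_1/pad_2 and the sender codes
# are the RFC 6101 constants; demo inputs below are constructed samples.
import hashlib
import hmac

SENDER_CLIENT = bytes.fromhex("434C4E54")   # "CLNT"
SENDER_SERVER = bytes.fromhex("53525652")   # "SRVR"
# pad_1 = 0x36 repeated, pad_2 = 0x5c repeated: 48 bytes for MD5, 40 for SHA-1
PAD1_MD5, PAD2_MD5 = b"\x36" * 48, b"\x5c" * 48
PAD1_SHA, PAD2_SHA = b"\x36" * 40, b"\x5c" * 40


def _nested_hash(algo: str, pad1: bytes, pad2: bytes,
                 inner: bytes, master_secret: bytes) -> bytes:
    """hash( master_secret | pad_2 | hash( inner | master_secret | pad_1 ) )"""
    inner_digest = hashlib.new(algo, inner + master_secret + pad1).digest()
    return hashlib.new(algo, master_secret + pad2 + inner_digest).digest()


def ssl3_handshake_hashes(handshake_messages: bytes, master_secret: bytes,
                          sender: bytes = b"") -> bytes:
    """MD5 part | SHA-1 part (16 + 20 = 36 bytes) over the handshake transcript."""
    md5_part = _nested_hash("md5", PAD1_MD5, PAD2_MD5, handshake_messages + sender, master_secret)
    sha_part = _nested_hash("sha1", PAD1_SHA, PAD2_SHA, handshake_messages + sender, master_secret)
    return md5_part + sha_part


def certificate_verify_digest(handshake_messages: bytes, master_secret: bytes) -> bytes:
    """Phase 3: the 36-byte value an RSA client encrypts with its private key
    (no sender code). A DSS client signs only the SHA-1 part, bytes 16..36."""
    return ssl3_handshake_hashes(handshake_messages, master_secret)


def finished_verify_data(handshake_messages: bytes, master_secret: bytes,
                         from_client: bool) -> bytes:
    """Phase 4: the finished payload; the sender code binds it to one side."""
    sender = SENDER_CLIENT if from_client else SENDER_SERVER
    return ssl3_handshake_hashes(handshake_messages, master_secret, sender)


def check_peer_finished(received: bytes, handshake_messages: bytes,
                        master_secret: bytes, peer_is_client: bool) -> bool:
    """Recompute the peer's finished value and compare in constant time."""
    expected = finished_verify_data(handshake_messages, master_secret, peer_is_client)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample values: a 48-byte master secret and a fake transcript
    master = bytes(range(48))
    transcript = b"client_hello|server_hello|certificate|server_hello_done|client_key_exchange"
    client_fin = finished_verify_data(transcript, master, from_client=True)
    print(len(client_fin), check_peer_finished(client_fin, transcript, master, True))   # 36 True
```

These are the SSLv3 formulas the slides show; TLS 1.0 (RFC 2246) replaces them with a PRF over the MD5 and SHA-1 transcript hashes, so the same inputs give different finished values there.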

Page 25

Sessions and connections
» an SSL session is an association between a client and a server
» sessions are stateful; the session state includes security algorithms and parameters
» a session may include multiple secure connections between the same client and server
» connections of the same session share the session state
» sessions are used to avoid expensive negotiation of new security parameters for each connection
» there may be multiple simultaneous sessions between the same two parties, but this feature is not used in practice

Page 26

SSL Key Exchange Steps – Summary
• Client (SSL) connects to the server
• Server sends its own certificate, which contains the public key
• Client then creates a random key (premaster key) and uses the server’s public key to encrypt it
• Client then sends the encrypted premaster key to the server
• Server then decrypts the key and uses the decrypted premaster key to create the secret session key
• Client and server use the secret session key for further communication

Page 27

SSL and Encryption – Summary
• Not all clients use the same encryption and authentication algorithms
• Client and server negotiate encryption and decryption algorithms (cipher suites) during the initial handshake
  » Connection will fail if they don’t have common algorithms
• Uses a public/private key (asymmetric) scheme to create the secret key (symmetric)
• Secret key is required to encrypt data
  » Provides high performance
  » Secret session key
• You only require the server’s certificate in order to have encrypted data transfer
  » This is the reason why you don’t need to install a client certificate in the browser

Page 28

ProSafe SSL VPN Concentrator 25
SSL312 Hands-On Demo Training

Page 29

Overview
» Hardware features
  • 2 10/100 Ethernet ports
  • Hardware SSL acceleration (Cavium accelerator)
  • setfactorydefaults button
  • Console port
» Key software features
  • 25 concurrent sessions/tunnels
  • VPN over SSL (IPsec like)
  • Port forwarding for limited access
  • Application & Terminal Services
  • Utilities: telnet, ftp & SSH
  • Local & external user authentication services
  • Customizable user portal
  • Granular access control
  • Browsers: IE & Safari

Page 30

Deployment
• SSL VPN in DMZ or bridged to a special network
• SSL VPN in intranet
• SSL VPN outside firewall

Page 31

SSL VPN in Intranet (Single Arm)
» Commonly used as the typical deployment
» SSL traffic forwarded to SSL312

[Diagram labels: SSL312, Internet]

Page 32

SSL VPN in DMZ or Bridge to Special Network
» SSL traffic forwarded to SSL312

[Diagram labels: SSL312, Special Network, Internet]

Page 33

SSL VPN on the Internet (Router Mode)

[Diagram labels: SSL312, Internet]

» Least likely to be used, since the SSL312 does not provide firewall and security protection for non-VPN traffic
» Both Ethernet ports will be used:
  » 1 port will be directly connected to the Internet
  » 1 port will be connected to the local area network, with routing capability

Page 34

Hierarchy of organization

  Portals : SSL-VPN
  Domains : geardomain
  Groups  : geardomain
  Users   : admin

Domains – Authentication: Local, NT Domain, Active Directory, LDAP, Radius (PAP/CHAP/MS-CHAP)

[Diagram: Portals contain Domains, Domains contain Groups, Groups contain Users; Admin is shown above the Domains.]

NOTE: Hierarchy does not take effect when Local domains are used.

Page 35

Components
» System Configuration
  • Network
  • Certificate
  • Date & Time
  • Utilities
» Access Administration
  • Users & Groups
  • Domains
  • Network Resources
  • VPN Tunnel
  • Port Forwarding
» Monitoring
» SSL VPN Portal
  • Portal Layout
  • User Portal

Page 36

Network
» Interfaces
  • Ethernet-1
  • Ethernet-2, optional
» Static Routes
  • Default Route
  • Static Route
» Host Table
» DNS Settings (required if you want NTP to work correctly)

Page 37

Certificates
» Generating a CSR
  • Generate the CSR
  • Submit to the Certificate Authority (CA)
  • Upload the cert
» Generating a self-signed cert/CRT
  • Generates a CRT
  • Upload the cert
» Activating the certificate
  • Certificate’s state
    » Active
    » Expired
  • Certificate currently active in SSL312
    » Enable option – you will be prompted for the password

Page 38

Date & Time
» Built-in RTC
» Manual mode or NTP mode
» Supports NTP
  • Defaults – Netgear servers
  • Custom servers
» Daylight saving
  • Automatic; no option to disable DST

Make sure the DNS configuration is filled in if using NTP

Page 39

Logging
» Syslog & email alert
» Reporting option
  • Daily – sent at 5:00 AM daily
  • Weekly – sent on Monday at 5:00 AM
  • Full – when full (about 200 messages)
» If the log fills up and the reporting mode was either “Daily” or “Weekly”
  • All logs are cleared and logging continues
» Log & alert levels/categories
  • Emergency
  • Alert
  • Critical
  • Error
  • Warning
  • Notice
  • Information
  • Debug

Page 40

Portal
» Web layout the user will see on login
» Portal layout is customizable
» Factory defaults
  • Portal: SSL-VPN
  • Domain: geardomain with local authentication
  • Group: geardomain
  • User: administrator role user “admin”
» Default portal URL
  • https://ip_address_of_ssl312_port1 (e.g.: https://65.123.48.240)
» URL for additional portals
  • https://ip_address_of_ssl312_port1/portals/portal_name
  • portal_name is case sensitive
  • e.g.: https://65.123.48.240/portals/ProSupport
» Multiple domains can belong to a portal
» Login page of a portal only offers the domains belonging to that portal

Note: The default portal, domain or group cannot be deleted

Page 41

Domain
» Domain defines the authentication method
» Attached to a Portal (only one)
» Will always have at least 1 group
» When a domain is created
  » A default group named “domain-name” is also created for the domain
» Domain offers the following authentication methods
  • Local
  • Radius (PAP, CHAP, MSCHAP)
  • Active Directory
  • LDAP
  • NT domain

Page 42

Groups
» Users can be grouped into Groups
» Attached to Domains (only one)
» When a domain is created
  » A default group named “domain-name” is also created for the domain

Page 43

Users
» Two classes of users
  • Administrators
  • Users
» Users are created under Groups
» Each user belongs to a single group
» Users with administrative privilege – Administrator GUI
» Normal users – User Portal

Page 44

Policies
» Policy administration
  • Global
  • Group
  • User
» User policies take precedence over Group policies
» Group policies take precedence over Global policies
» Policies can be applied to
  • IP address/range/Network Resource
  • Service type (Terminal Services, VNC, VPN Tunnel etc.)
  • PERMIT or DENY
» Login policies
  • Allow/Deny – IP address/Network/WAN
  • Allow/Deny – Browser list

Page 45

VPN Tunnel & Port Forwarding
» VPN Tunnel
  • Provides full access to the network, like IPsec
  • ActiveX client gets installed on the client machine
    » Loops all the local traffic over the SSL tunnel
» Port Forwarding
  • Scaled down version of the VPN tunnel
  • Forwards the configured IP address/port on to the SSL tunnel
  • Only TCP traffic

Page 46

User Portal

Page 47

Fully populated User Portal
» VPN Tunnel
» Applications
» Remote Access
  • Terminal Services
  • VNC
» Network Places
» Port Forwarding
» Utilities
  • Telnet
  • FTP
  • SSH

Page 48

FAQ-1
» How do I change my system password?

An administrator may change the system password by logging in via the system console or via SSH and typing passwd root. Then enter the password, press Enter, type the confirmation password and press Enter again.

NOTE: The system password is different from the administrative web management interface password, which is configured through the web management interface.

» How can I customize the portal layout?

The portal layout may be customized on the SSL VPN Portal » Portal Layout page in the web management interface. From the portal layout page, you can define what pages, icons and options to display to users. You can create multiple layouts and apply them to different authentication domains.

» When I create a new domain, I can't see the new domain on the login page

If you created a new domain and you cannot select the domain from the Domain drop-down list on the login page, then most probably you are not logging in from the correct portal layout URL.

For example, let's say you created a layout named "mylayout" with the virtual host name "mylayout.netgear.com". Then you configured an authentication domain called "myRadius" and selected the new layout "mylayout" for the authentication domain. Now, if you go to the default portal layout, you will not see "myRadius" in the Domain Name drop-down menu. To log in using "myRadius", go to https://[IP_Address_or_domain_name]/portal/mylayout. Then you will be able to see the "myRadius" authentication domain.

Page 49

FAQ-2
» I want my domain to be selected by default on the login page

The list of domains is shown in alphabetical order. If you would like your authentication domain to be selected by default, then create a new portal layout, configure virtual hosting, and log in using the new virtual hostname. Your new authentication domain will be selected by default.

» How do I create a virtual hostname on the portal layout page?

To create a virtual hostname, enter the full URL of the virtual host, for example "partners.netgear.com". Because the web server needs to learn the new configuration, restart the SSL312 software on the Monitoring » Diagnostics » Reboot page.

Then make sure that the new domain name resolves to the IP address of the SSL312. Log in to your organization's external DNS manager and add a new DNS name or a new alias and configure it to resolve to the SSL312 IP address.

» Active Directory configuration isn't working, what is wrong?

Confirm that the time is synchronized between your Active Directory server and the SSL312 by configuring NTP on the System Configuration » Date and Time page. If you have added users into custom groups that you have defined on the Active Directory server, then you may need to use NT Domain or LDAP authentication in order to authenticate to your Windows authentication server.

» Can I only allow certain Active Directory groups to log in?

You can create specific rules for Active Directory users and groups by defining the users and groups in the SSL312 and then configuring access policies for these different users and groups. However, you cannot prevent the users from logging in altogether. The only way to do this is to authenticate users based on Active Directory's LDAP directory services: instead of defining an authentication domain on the Active Directory page, define the domain as an LDAP authentication domain. Then you can enter the specific LDAP organizational unit information.

Page 50: SSL312 VPN Concentrator 25 Training

50.© 1996-2004 NETGEAR® . All rights reserved

FAQ-3» How do I create policies or bookmarks for Active Directory, LDAP or RADIUS users?

If you are using authentication by an external AAA server (LDAP, Active Directory, etc), then you do not need to define users in the SSL312. However, you are also unable to create bookmarks or policies by users.

To create individual bookmarks by user or group, you must define the users in the SSL312. Because the users authenticate to the AAA server, these local user entries do not require passwords. Once defined, you can add bookmarks or policies per user or per group to which the user belongs.

Because the SSL312 can query Active Directory to find out which group a user belongs to, you can create bookmarks and policies for Active Directory groups without defining every Active Directory user name. This works as follows: the SSL312 first verifies with the Active Directory server that the user is authorized to log in. Then it checks whether the user is defined (in any Active Directory group) in the SSL312. If so, the user and group policies and bookmarks apply to that user. If no matching user is defined, the SSL312 checks whether the Active Directory group the user belongs to is defined in the SSL312; if so, the group's bookmarks and policies apply to the user.

» Can I change the logo?

Yes, you may upload new logos on the Portal Layouts » Custom Banner page in the web management interface. There are three logos to upload: one for the login page, one for the upper left corner of the portal page, and one for the upper left corner of the portal page when the portal uses the top menu navigation layout. The required sizes of the three logos are indicated on the Company Logo page. The logos must be in GIF format.

Once the logos are uploaded, be sure to select Use Company Logo from the drop down menu and click Submit for the change to take effect. Be sure to refresh your browser window, in case the Cavium Networks logo is cached.

FAQ-4

» What network information do I need to configure?

The required network information includes the SSL312 IP address, gateway address and DNS settings. The IP address is configured when you first install the SSL312, but may be modified on the Network » Interfaces page. The DNS server addresses are configured on the Network » DNS Settings page and the default gateway (route) address is configured on the Network » Routes page. Until these parameters are configured, the portal will not function properly!

» What is host resolution?

Host resolution is similar to the hosts file on Windows machines (or LMHOSTS for NetBIOS names) and the /etc/hosts file on Linux and UNIX machines: it maps names to IP addresses. This is useful for several reasons. For example, you can partially obscure your network's IP address scheme from SSL VPN users by creating hostnames for local servers and then using those hostnames rather than IP addresses when you create bookmarks. This hides the addresses from the portal display only; it is not an access control, so still restrict what users can reach with access policies.

FAQ-5

» I have a valid certificate from a CA. How do I import it?

You do not need your own SSL certificate to set up and test the SSL312 software. However, NETGEAR strongly recommends that you install a valid certificate from a recognized Certificate Authority (CA) before deploying SSL VPN in production.

To upload the SSL certificate and key, create a zip file containing the two files, with the certificate named "server.crt" and the private key named "server.key". Upload the zip on the System Configuration » Certificates page. Once uploaded, the new certificate appears in the list of available certificates. Click View, enter the SSL Certificate password and click Submit. Then return to the SSL Certificate page, select the radio button to the left of the new certificate, and click Enable Cert. The SSL312 software restarts using the new, valid SSL certificate. Because the zip contains the private key, transfer it only over a trusted channel and delete local copies once the certificate is enabled.
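Before zipping server.crt and server.key, it is worth confirming that the key really belongs to the certificate: an appliance that restarts its web server on a mismatched pair is a bad place to find out. The following Python script, an added example rather than NETGEAR's own tooling, does that check by comparing the public key extracted from each file with the openssl command-line tool (assumed to be installed), then builds the zip with the file names the SSL312 expects. The make_selfsigned() helper only generates throwaway material so the check can be exercised offline; its output must never be deployed.

```python
"""Verify a certificate/private-key pair and bundle it for the SSL312.

Added example, not NETGEAR code. It shells out to the openssl command-line
tool, which is assumed to be installed. make_selfsigned() produces
throwaway test material only; never upload its output to a real appliance.
"""
import os
import shutil
import subprocess
import zipfile


def openssl_available():
    return shutil.which("openssl") is not None


def _run(args):
    """Run an openssl subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def cert_public_key(cert_path):
    """PEM public key embedded in the certificate."""
    return _run(["x509", "-in", cert_path, "-noout", "-pubkey"])


def key_public_key(key_path, passphrase=None):
    """PEM public key derived from the private key (works for RSA and EC keys)."""
    args = ["pkey", "-in", key_path, "-pubout"]
    if passphrase is not None:
        args += ["-passin", f"pass:{passphrase}"]
    return _run(args)


def key_matches_cert(cert_path, key_path, passphrase=None):
    """True when the certificate was issued for exactly this private key."""
    return cert_public_key(cert_path) == key_public_key(key_path, passphrase)


def cert_subject(cert_path):
    """Subject line, so the CN can be eyeballed against the portal hostname."""
    return _run(["x509", "-in", cert_path, "-noout", "-subject"]).strip()


def build_bundle(cert_path, key_path, zip_path, passphrase=None):
    """Write the zip the SSL312 expects; refuse to bundle a mismatched pair."""
    if not key_matches_cert(cert_path, key_path, passphrase):
        raise ValueError("private key does not match the certificate")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(cert_path, arcname="server.crt")   # names the SSL312 looks for
        zf.write(key_path, arcname="server.key")
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(zf.namelist())


def make_selfsigned(directory, common_name):
    """Throwaway self-signed pair for exercising the checks; NOT for production."""
    os.makedirs(directory, exist_ok=True)
    crt = os.path.join(directory, "server.crt")
    key = os.path.join(directory, "server.key")
    _run(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
          "-subj", f"/CN={common_name}", "-keyout", key, "-out", crt])
    return crt, key


if __name__ == "__main__":
    crt, key = make_selfsigned("demo-cert", "sslvpn.example.com")
    print(cert_subject(crt))
    print("key matches cert:", key_matches_cert(crt, key))
    print("bundle contains:", build_bundle(crt, key, "ssl312-cert.zip"))
```

For a CA-issued certificate, call key_matches_cert() and build_bundle() on the files the CA returned; pass the key passphrase if the key is encrypted.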

» How does VPN Tunnel work?

VPN Tunnel creates a full network connection between the SSL VPN user's machine and the SSL312 server. So remote users become a virtual member of the local area network and can access resources as if they were located on the LAN. VPN Tunnel consists of two ActiveX components: an installer and a connector program. The installer creates a network driver on the client machine and the connector initiates the VPN Tunnel connection. When the VPN Tunnel is established, a VPN Tunnel PPP interface will be activated. All VPN traffic will be sent through the PPP interface, encrypted using SSL and sent across the Internet to the SSL312 server.

VPN Tunnel is supported on Microsoft Windows 2000, Windows XP (Professional and Home Edition), Windows 2000 Server, Windows 2003 Server and MacOS X. Windows users must use Internet Explorer with ActiveX enabled. Both Windows and Mac users must have administrative privileges to install VPN Tunnel, although standard users can launch VPN Tunnel once it has been installed.

FAQ-7

» How do I configure VPN Tunnel?

As an administrator, you configure the VPN Tunnel settings on the Access Administration » VPN Tunnel page. You can either configure an address range in the same subnet as your local area network, or configure a range in a different subnet and then use client routes. If you use addresses in the same subnet, be sure that the range does not conflict with addresses already in use on your local network. Allocate enough IP addresses in the client address range for all of your remote users: each remote user requires two addresses, the VPN Tunnel PPP address and the corresponding SSL312 server PPP address.

If you configure client routes, you must also configure a static route in your corporate network router or firewall that directs traffic destined for the VPN Tunnel clients to the SSL312 server. This is described in more detail under FAQ-8 below.

Also note that the VPN Tunnel client derives a classful route from its PPP address. The three RFC 1918 private ranges fall in different classes: 10.0.0.0 - 10.255.255.255 is a single class A network (10.0.0.0/8); 172.16.0.0 - 172.31.255.255 is sixteen class B networks (172.16.0.0/16 through 172.31.0.0/16); and 192.168.0.0 - 192.168.255.255 is 256 class C networks (192.168.0.0/24 through 192.168.255.0/24). So if you configure the virtual client address range 10.1.0.1 - 10.1.0.254, the VPN Tunnel client will assume that every address from 10.0.0.0 to 10.255.255.255 lies across the SSL VPN tunnel. Choose the range with the remote users' own networks in mind: a client range in 192.168.1.x would pull a home user's 192.168.1.0/24 LAN traffic into the tunnel.

FAQ-8

» I created client routes, but my VPN Tunnel clients cannot connect to network machines

If a VPN Tunnel client can connect and receive a VPN Tunnel PPP address, but cannot access network resources, then check your network and client settings. The most likely problem is that you need to add a static route on your local network.

If your client address range is in a different subnet than your local area network, you need to configure client routes to tell your VPN Tunnel clients to send traffic for your local network through the tunnel. If you have done this correctly and the client routes appear on the client machines (verify them with route print from a command prompt), then your clients can probably reach machines on your local network. However, machines on your local network see the VPN Tunnel client addresses as belonging to a different subnet, so they hand the return traffic to their default gateway, which forwards it toward the Internet rather than back to the SSL312 server. For example, if a VPN Tunnel client with PPP address 192.168.1.1 pings a local mail server at 10.0.0.10, the server receives the ping but sends the echo reply to its default gateway and out to the Internet, rather than to the SSL312 server, which would forward it on to the VPN Tunnel client.

The easiest way to solve this issue is to add a static route on the local network firewall or router that forwards all data sent to the VPN Tunnel address range to the SSL312 server. In our example, the network administrator could create a static route on the corporate firewall for the network 192.168.1.0 and mask 255.255.255.0 to the SSL312 server address, 10.0.0.25.
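As an added worked example (not NETGEAR code), the following Python script applies the rules from FAQ-7 and FAQ-8 to a proposed client range: two PPP addresses per remote user, the classful route the client derives from its PPP address, and the static route the corporate router needs whenever the range lies outside the LAN subnet. The LAN subnet 10.0.0.0/24, the SSL312 address 10.0.0.25 and the remote user's home LAN are constructed to match the scenario above; the function and key names are this example's own.

```python
"""Check a proposed SSL312 VPN Tunnel client address range against the LAN.

Added example, not NETGEAR code. It models the behaviour described in the
FAQ: each remote user consumes two PPP addresses, the client derives a
classful route from its PPP address, and a client range outside the LAN
subnet needs client routes (client side) plus a static route on the
corporate router (LAN side). All addresses are constructed for illustration.
"""
import ipaddress


def classful_network(addr):
    """Classful network (A: /8, B: /16, C: /24) a legacy client derives from addr."""
    ip = ipaddress.IPv4Address(str(addr))
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{ip} is not a class A, B or C unicast address")
    return ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)


def covering_network(first, last):
    """Smallest single CIDR block that contains first..last (for the static route)."""
    net = ipaddress.IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def plan(lan_cidr, client_first, client_last, ssl312_addr, remote_lans=()):
    """Summarise capacity, routing needs and pitfalls of a client address range."""
    lan = ipaddress.IPv4Network(lan_cidr)
    first = ipaddress.IPv4Address(client_first)
    last = ipaddress.IPv4Address(client_last)
    if last < first:
        raise ValueError("client range end precedes its start")
    ssl312 = ipaddress.IPv4Address(ssl312_addr)

    block = covering_network(first, last)
    assumed = classful_network(first)
    in_lan = first in lan and last in lan
    warnings = []

    if first <= ssl312 <= last:
        warnings.append(f"SSL312 address {ssl312} lies inside the client range")
    for remote in remote_lans:
        remote_net = ipaddress.IPv4Network(remote)
        if remote_net.overlaps(assumed):
            warnings.append(
                f"remote LAN {remote_net} is covered by the client's classful "
                f"route {assumed}; that user's local traffic would enter the tunnel"
            )

    return {
        # One PPP address for the client plus one for the SSL312 per user.
        "max_users": (int(last) - int(first) + 1) // 2,
        "client_in_lan_subnet": in_lan,
        "classful_route": str(assumed),
        # No client routes are needed when the classful route already covers the LAN.
        "needs_client_routes": not lan.subnet_of(assumed),
        # LAN hosts need a route back to the clients unless the range is on-link.
        "static_route": None if in_lan else f"{block} via {ssl312}",
        "warnings": warnings,
    }


if __name__ == "__main__":
    # The scenario from FAQ-8: LAN 10.0.0.0/24, clients in 192.168.1.x (constructed).
    result = plan("10.0.0.0/24", "192.168.1.1", "192.168.1.254", "10.0.0.25",
                  remote_lans=("192.168.1.0/24",))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The static_route entry is the destination/mask pair to enter on the corporate firewall with the SSL312 as next hop; a warning about a remote LAN means a user whose home network uses that prefix will lose local connectivity while the tunnel is up.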

» Remote users are not able to connect to servers by host or domain name

If remote users are not able to access local resources by domain name or host name, check the DNS and WINS settings in the SSL312 web management interface. The WINS and DNS settings are pushed down to the VPN Tunnel clients, so make sure that you add the IP addresses of your local WINS and DNS servers on the SSL312 Network » DNS Settings page. The VPN Tunnel client will then query your local WINS and DNS servers to resolve host names and domain names.

FAQ-9

» The VPN Tunnel page takes a long time to load

Many pages, including the VPN Tunnel page, require that the SSL312 server can resolve the URL used to access the SSL VPN portal. Because of NAT, the public address seen by remote users may differ from the actual IP address of the SSL312 server. To resolve the issue, add a host resolution entry that maps the SSL VPN server's domain name to the private IP address of the SSL312 server. The host entry can be added on the Network » Host Table page.

» I can't add bookmarks on the bookmark page

If you see the Add Bookmark button on the Desktop or Services page in the SSL VPN portal but you are unable to create bookmarks, then you may be logged in as an Active Directory, LDAP, NT or RADIUS user and a corresponding user may not be defined in the SSL312.

It is recommended that the SSL312 administrator either define the Active Directory, LDAP, NT or RADIUS user names on the Access Administration » Users and Groups page or that the administrator hides the Add Bookmark buttons in the SSL VPN portal. The Add Bookmark buttons may be configured on the SSL VPN Portal » Portal Layouts page.

» I don't want users to see the bookmark IP address in the bookmark table

To hide bookmark names or IP addresses from users, you can hide the Services and Desktop pages and only allow users to access the Home page, which does not show the bookmark IP address. Note that this hides the address from the portal display only; access policies, not this setting, control what a user can reach.

Or you can add host entries on the Network » Host Resolution page that resolve names to local IP addresses. Then, when you create bookmarks, add the new host name rather than the IP address. SSL VPN users will only see the host name, not the IP address, in the Bookmarks table.

FAQ-10

» When I connect to Telnet or SSH, I am not able to type anything

If you are using the Microsoft Java plug-in, then you will need to click on the Telnet or SSH window near the cursor prompt before you can begin typing data.

» I cannot connect to Intranet web sites; I see the message "Host cannot be resolved".

If you cannot connect to Intranet web sites, then either DNS is not properly configured on the SSL312 server or the user is not entering the web site host name properly. Note: do not add the http:// or https:// prefix when accessing an Intranet web site.

» Terminal Services 5.0 ActiveX does not work in Windows XP SP2

With Windows XP SP2, Microsoft disabled the 127.0.0.2 loopback address used by the SSL312 Terminal Services client. So users will need to install the Windows XP SP2 loopback update (KB884020). Instructions to download and install the update are provided below. This only affects the ActiveX Terminal Services client. The Java Terminal Services client does not require the SP2 update (KB884020).

If you try to connect to a Terminal Server from Windows XP SP2 and you see an error stating that the server cannot connect, but the Java-based Terminal Services client works fine, then you need to install the Windows update patch. Download the patch at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=17d997d2-5034-4bbb-b74d-ad8430a1f7c8&DisplayLang=en

» After you download and install the patch, you may need to restart Internet Explorer or reboot your machine before you can access the application.

FAQ-11

» How do I set up applications for the Applications page?

Applications displayed on the portal Applications page are Terminal Services applications and are hosted on a Windows Terminal Server. You can define the applications on the SSL VPN Portal » Portal Layouts page in the web management GUI. You must define a path where the Terminal Services application is hosted. You can optionally define the Terminal Server IP address or name. If no IP address is defined, then the users can enter the Terminal Server address after clicking the application icon on the Applications page.

» How do I set up VNC? What is VNC?

VNC, or Virtual Network Computing, provides remote access to desktop computers by exporting the monitor, keyboard, and mouse data over a network or the Internet. VNC is the underlying technology used in many commercial remote desktop computing applications.

To use VNC, you must install VNC server software on a local server or desktop on your corporate network. Several free VNC servers are available, including RealVNC and TightVNC, for Windows, Linux and UNIX. Be sure to run the software in server mode (on Windows you should see the VNC icon in the taskbar), on the default port 5900, and configure a VNC server password. Keep in mind that classic VNC does not encrypt the session itself; the SSL VPN provides that protection, so port 5900 should be reachable only from the LAN and the SSL312, never from the Internet directly.

» Passive FTP over Virtual Transport: for FTP to work in Virtual Transport mode, the passive FTP option must be turned on in Internet Explorer. Go to Tools » Internet Options » Advanced and enable the "Use Passive FTP (for firewall and DSL modem compatibility)" checkbox.

FAQ-12

» Active Directory Configuration and NTP:

To set up Active Directory authentication properly, NTP (Network Time Protocol) must be configured on both the SSL312 and the Windows 2000 or Windows 2003 server. Active Directory uses the Kerberos 5 protocol for authentication, and Kerberos rejects requests when the clock skew between the server (Windows) and the client (SSL312) is too large. This slide quotes a 60-minute limit; the Windows default for the Kerberos policy "Maximum tolerance for computer clock synchronization" is 5 minutes, so keep both clocks synchronized to well within that.

Examples of public NTP server lists: http://tf.nist.gov/service/its.htm or http://ntp.isc.org/bin/view/Servers/NTPPoolServers
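To see how far a clock actually is from its NTP source, the following Python script (an added example, not NETGEAR code) sends a raw SNTP request, reads the server's transmit timestamp from the reply and compares the offset with the 5-minute Kerberos tolerance. It deliberately ignores network delay, which is fine at this scale; the reply packet used for the offline test is constructed, and the server name passed to query_offset() is whatever NTP source you configure.

```python
"""Measure clock offset against an NTP server and compare with Kerberos skew.

Added example, not NETGEAR code. It speaks SNTP directly (48-byte mode-3
client request, mode-4 server reply) so it has no dependencies. The offset
uses only the server's Transmit Timestamp and ignores round-trip delay,
which is accurate enough to test a minutes-scale tolerance. make_reply()
builds a constructed packet for offline testing; it is not captured data.
"""
import socket
import struct
import time

NTP_UNIX_DELTA = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
KERBEROS_MAX_SKEW = 300          # Windows default: 5 minutes
PACKET_LEN = 48


def build_request():
    """First byte: LI=0, VN=4, Mode=3 (client); the rest may be zero."""
    return bytes([0x23]) + bytes(PACKET_LEN - 1)


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix time."""
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def parse_transmit_timestamp(packet):
    """Unix time carried in the server's Transmit Timestamp (bytes 40..47)."""
    if len(packet) < PACKET_LEN:
        raise ValueError("short NTP packet")
    if (packet[0] & 0x07) != 4:
        raise ValueError("not a server reply (mode != 4)")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    if seconds == 0:
        raise ValueError("server sent a zero (unsynchronised) timestamp")
    return ntp_to_unix(seconds, fraction)


def clock_offset(packet, local_now):
    """Server time minus local time in seconds (positive: local clock is slow)."""
    return parse_transmit_timestamp(packet) - local_now


def skew_ok(offset, tolerance=KERBEROS_MAX_SKEW):
    """True when the offset is inside the Kerberos tolerance."""
    return abs(offset) < tolerance


def query_offset(server, timeout=3.0):
    """Live query against an NTP server (needs network); returns the offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (server, 123))
        reply, _ = sock.recvfrom(1024)
    return clock_offset(reply, time.time())


def make_reply(unix_time):
    """Constructed mode-4 reply whose Transmit Timestamp equals unix_time."""
    whole = int(unix_time)
    fraction = int(round((unix_time - whole) * 2 ** 32))
    header = bytes([0x24]) + bytes(39)          # LI=0, VN=4, Mode=4
    return header + struct.pack("!II", whole + NTP_UNIX_DELTA, fraction)


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org"  # assumption
    offset = query_offset(server)
    print(f"offset vs {server}: {offset:+.3f} s, kerberos ok: {skew_ok(offset)}")
```

Run it on the same network as the domain controller against the NTP source both systems use; an offset approaching the tolerance on either side means Kerberos failures are imminent.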

» Virtual Transport and CIFS (Common Internet File System): Virtual Transport only supports WinSock2 clients. Virtual Transport is implemented as a Layered Service Provider (LSP), which sits on top of the WinSock2 layer of the Windows TCP/IP stack. If an application bypasses WinSock2, using its own sockets against the TCP/IP stack or a transport-level redirector, Virtual Transport cannot carry it. Windows file sharing (CIFS) is handled by the kernel-mode redirector rather than a WinSock2 application, so it falls into the second category; use the VPN Tunnel for CIFS access.

Examples of WinSock applications: IE, Firefox, Outlook etc.

Examples of Non-WinSock applications are: Windows Network Neighborhood, command line FTP, Cygwin, command line Telnet.

» IE 5.0 and FTP over Virtual Transport: Virtual Transport supports only outgoing TCP connections. By default, many FTP clients use active mode, in which the data connection is initiated by the server back to the client. For an FTP client to work over Virtual Transport it must support passive mode, in which the client opens the data connection. IE 5.0 does not support passive mode FTP, so IE 5.0 cannot be used as an FTP client over Virtual Transport.
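The difference between the two FTP modes is simply which side opens the data connection. The following Python helpers (an added example, not NETGEAR code) decode a passive-mode reply into the outbound endpoint the client will connect to, and build the PORT command that active mode would send instead, which asks the server to connect back in; all addresses and reply strings are constructed.

```python
"""Which side opens the FTP data connection: active (PORT) vs passive (PASV/EPSV).

Added example, not NETGEAR code. Virtual Transport only relays outbound TCP
from the client, so the data connection must be outbound too: that is what
PASV/EPSV give you, while PORT/EPRT ask the server to connect back in.
All addresses and reply strings here are constructed.
"""
import re

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_pasv_reply(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port) to connect OUT to."""
    match = PASV_RE.search(reply)
    if not reply.startswith("227") or match is None:
        raise ValueError(f"unexpected PASV reply: {reply!r}")
    fields = [int(n) for n in match.groups()]
    if not all(0 <= n <= 255 for n in fields):
        raise ValueError("PASV field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    # Clients often substitute the control-connection peer for the host when a
    # server behind NAT advertises an unroutable address; that is left to the caller.
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv_reply(reply, control_peer):
    """'229 Entering Extended Passive Mode (|||port|)' -> (host, port); EPSV carries only the port."""
    match = EPSV_RE.search(reply)
    if not reply.startswith("229") or match is None:
        raise ValueError(f"unexpected EPSV reply: {reply!r}")
    return control_peer, int(match.group(1))


def build_port_command(client_ip, port):
    """Active mode: the client tells the server to connect IN to client_ip:port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"PORT {client_ip.replace('.', ',')},{port // 256},{port % 256}"


def data_connection(mode, control_peer, reply=None, client_ip=None, port=None):
    """Describe the data connection and whether an outbound-only relay can carry it."""
    if mode == "passive":
        endpoint = parse_pasv_reply(reply)
        return {"direction": "outbound", "endpoint": endpoint,
                "works_via_virtual_transport": True}
    if mode == "extended-passive":
        endpoint = parse_epsv_reply(reply, control_peer)
        return {"direction": "outbound", "endpoint": endpoint,
                "works_via_virtual_transport": True}
    if mode == "active":
        return {"direction": "inbound", "endpoint": (client_ip, port),
                "command": build_port_command(client_ip, port),
                "works_via_virtual_transport": False}
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed replies as an intranet FTP server at 198.51.100.7 might send them.
    print(data_connection("passive", "198.51.100.7",
                          reply="227 Entering Passive Mode (198,51,100,7,195,80)"))
    print(data_connection("active", "198.51.100.7", client_ip="192.0.2.55", port=50003))
```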

FAQ 13

» Can I install the SSL312 directly on the Internet?

• Yes, however we do not recommend installing the SSL312 directly on the Internet, because that exposes both the SSL312 and the network resources behind it to attackers. Place it behind a firewall and forward only the port the SSL VPN portal uses (HTTPS) to it.

» I cannot use the SSL VPN Tunnel feature on the SSL312.

• Please check that you are using the latest firmware on the SSL312. Also check whether any other IPSec VPN client software is installed on your PC; if so, disable the IPSec VPN client so that the SSL VPN Tunnel can load correctly.

» I am using the latest version of Internet Explorer and the correct IP address to connect to the SSL312, but I cannot establish my SSL VPN.

• Make sure that ActiveX controls are enabled in Internet Explorer on your PC so that the VPN client can load; if ActiveX is disabled, the VPN will not load. Enable it for the SSL VPN portal's site (for example by adding the portal to the Trusted sites zone) rather than for all Internet sites.

» Why can't I run the SSH client on the SSL312?

• Make sure that you have installed the latest version of the Java Runtime Environment in order to use the SSH client on the SSL312.

FAQ 14

» I received error messages when I try to log onto one of the domains from the drop down list.

• Make sure the time and date on the SSL312 is synchronized with your authentication servers (NT Domain, Active Directory, RADIUS, etc…)

» I received the IP conflict error message when I try to configure the virtual IP address for remote clients on the SSL312.

• When specifying the virtual IP address range under VPN Tunnel on the SSL312 for incoming clients, make sure that it does not conflict with the address scope already in use on your local network (the LAN subnet or DHCP scope).

» Why can't I authenticate users on the SSL312?

• Make sure you create a domain and add users to that domain, so that they can authenticate through the SSL312.