Copyright 2008 ZyXEL Communications. ZyXEL is a trademark of ZyXEL Communications, Co. Reproduction in whole or part without permission is prohibited. All other trademarks are the property of their respective owners.
0812v100PSG-SSL-VPN
Contents
What is an SSL VPN? 4
Why use SSL over a traditional VPN technology? 4
Typical SSL Users 5
Drawbacks of SSL VPNs 5
Introducing SecuExtender 6
Typical Scenarios 7
Example: ZyWALL Gateway 9
Configuration 9
Example: Existing Gateway 15
Configuration of ZyWALL SSL 10 15
encryption itself is very safe; it is the same technology that protects millions of online credit card transactions every day. Unlike traditional IPSec (and similar) VPNs, no special client software is required. The flip side is that any web-capable device can reach the Intranet login page, which lowers the barrier for those looking to break into the network: the portal is exposed to password guessing from anywhere on the Internet, so the strength of the login itself matters. This is why the ZyWALL OTP diagram below pairs the SSL VPN with one-time passwords checked against an external Active Directory, RADIUS or LDAP database.
Introducing SecuExtender
Typical Scenarios
> Jan goes home after work, and that night while watching TV she gets inspired for a new marketing promotion. She rushes to her personal computer, logs into the company network, types up a short treatment and saves it to the shared drive at work.
> Steve is on vacation in Hawaii and gets an urgent call from the office. They are about to close a very big deal and need Steve to review the contract before they sign it. Steve left his laptop at home to help him relax, but this is important. No problem: Steve goes to the nearby Internet café and pulls up the document over the SSL VPN connection.
> Mike is an outside sales rep. He spends his time on the road, but needs access to the company's web-based inventory and order system, as well as to .pdf copies of promotional material that he can have printed out at Kinko's.
[Diagram: ZyWALL OTP (One-Time Password). Remote users log in to the ZyWALL SSL 10 with a username, a password and a one-time password (the diagram shows the sample credential tuple "justin / zyxel / 130201"); the ZyWALL verifies the credentials against an external database (Active Directory, RADIUS or LDAP).]
Application Diagrams
[Diagram: ZyWALL 5 as the gateway. The LAN zone (file share, OA/ERP system, CRM system, BI system) and the DMZ zone (web-based application) sit behind the firewall. An employee on a home computer and an employee laptop in an airport kiosk or hotel connect over the Internet; the traffic is encrypted between the remote user and the ZyWALL and decrypted on the ZyWALL before it reaches the LAN or DMZ.]
[Diagram: ZyWALL SSL 10 behind an existing gateway. Authorized partners and authorized customers are given access to a file share, a web-based application, Remote Desktop, or the internal network via Network Extend.]
Configuration:
1. Create a user that can access the SSL VPN. Go to Object > User/Group.
2. Create an IP address pool that will be handed out to SSL VPN users. Go to Object > Address.
3. Create a file share. Go to Object > SSL Application and add a new SSL Application. Point the ZyWALL to a shared folder on the network.
4. Create the SSL VPN connection. Go to VPN > SSL VPN.
   a. Add the user that was created for the VPN connection.
   c. Enable Network Extension and select the IP pool that was created for the VPN.
   d. Select the networks that the SSL VPN will have access to.
5. Allow clients to reach port 443 of the ZyWALL. Go to Firewall and add a new rule permitting HTTPS from WAN to ZyWALL. Permit only HTTPS (TCP 443) in this rule; the portal is the only service remote users need on the WAN side.
6. To log into the SSL VPN, the client points a web browser at https://<WAN IP>, enters the username and password, ticks Log into SSL and clicks Login.
Topology
[Diagram: the ZyWALL SSL 10 is connected to the LAN switch alongside Computer A and Computer B, behind the existing NAT firewall; remote clients reach it from the Internet.]
Configuration
4. Set up the VPN network the clients are to have access to. Go to Object > VPN Network and enter the subnet of the LAN network behind the NAT firewall.
5. Set up a policy to give the authenticated users access to the VPN network. Go to SSL.
   a. Select which user accounts are to have access.
   b. Select which VPN network the authenticated user is to have access to and which IP address pool the user is going to use.
6. If NAT and the SPI firewall are enabled (System > WAN), you must create an access policy for the user. Go to SSL > Access Control and set up when the client can have access to the VPN network.
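Both procedures above come down to the same handful of objects: a user, an IP address pool, the internal network(s) the VPN may reach, a rule that exposes the portal, and (on the SSL 10 with NAT/SPI enabled) an access policy. The following added example is my own code, not ZyXEL's and not a ZyWALL export format; it checks such a set of values for the mistakes that most often break or weaken an SSL VPN rollout: a Network Extension pool that overlaps the LAN it routes to, a WAN-facing rule that opens more than TCP 443, a missing user or network, or NAT/SPI enabled with no access policy. The dict layout, field names and the two sample configurations are constructed for the example.

```python
"""Pre-flight checks for an SSL VPN configuration (added example, not ZyXEL code).

The dict layout is an assumption made for this example; it simply holds the
values the ZyWALL gateway and ZyWALL SSL 10 procedures ask the administrator
to enter. lint_sslvpn() returns a list of findings; an empty list means the
configuration passed every check.
"""
import ipaddress
from typing import Dict, List

PORTAL_SERVICE = "tcp/443"  # HTTPS, the only WAN-side service the portal needs


def lint_sslvpn(cfg: Dict) -> List[str]:
    findings: List[str] = []

    pool = ipaddress.ip_network(cfg["ip_pool"], strict=False)
    networks = [ipaddress.ip_network(n, strict=False) for n in cfg["vpn_networks"]]

    # Steps 1 / 4a / 5a: somebody must actually be allowed to log in.
    if not cfg["users"]:
        findings.append("no user assigned to the SSL VPN connection")

    # Step 4c: without Network Extension the pool is never handed out.
    if not cfg.get("network_extension"):
        findings.append("Network Extension disabled: IP pool will never be handed out")

    # Steps 2 / 4d / 5b: the pool is routed towards the selected networks, so it
    # must be a separate subnet from every one of them.
    if not networks:
        findings.append("no VPN network selected for the SSL VPN")
    for net in networks:
        if pool.overlaps(net):
            findings.append(
                f"IP pool {pool} overlaps VPN network {net}; use a subnet separate from the LAN"
            )

    # Step 5: exactly one thing should be open from WAN to the ZyWALL: HTTPS.
    wan_rules = [r for r in cfg.get("firewall_rules", [])
                 if r["from"] == "WAN" and r["to"] == "ZyWALL"]
    for rule in wan_rules:
        if rule["service"] != PORTAL_SERVICE:
            findings.append(
                f"WAN->ZyWALL rule allows {rule['service']}; restrict it to {PORTAL_SERVICE}"
            )
    if not any(r["service"] == PORTAL_SERVICE for r in wan_rules):
        findings.append(f"no WAN->ZyWALL rule for {PORTAL_SERVICE}: clients cannot reach the portal")

    # Step 6 (SSL 10): with NAT/SPI enabled an access policy is mandatory.
    if cfg.get("nat_spi_firewall") and not cfg.get("access_policy"):
        findings.append("NAT/SPI firewall enabled but no access policy defined: users will be denied")

    return findings


# Constructed sample: a configuration with every common mistake in it.
BAD_CONFIG = {
    "users": [],
    "network_extension": False,
    "ip_pool": "192.168.1.200/29",          # carved out of the LAN itself
    "vpn_networks": ["192.168.1.0/24"],
    "firewall_rules": [{"from": "WAN", "to": "ZyWALL", "service": "any"}],
    "nat_spi_firewall": True,
    "access_policy": None,
}

# Constructed sample: the same deployment done correctly.
GOOD_CONFIG = {
    "users": ["jan"],
    "network_extension": True,
    "ip_pool": "10.99.0.0/24",              # dedicated pool, disjoint from the LAN
    "vpn_networks": ["192.168.1.0/24"],
    "firewall_rules": [{"from": "WAN", "to": "ZyWALL", "service": PORTAL_SERVICE}],
    "nat_spi_firewall": True,
    "access_policy": {"users": ["jan"], "schedule": "always"},
}


if __name__ == "__main__":
    for name, cfg in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(f"{name}:")
        for finding in lint_sslvpn(cfg) or ["ok"]:
            print(f"  - {finding}")
```

Run it as a script to see the six findings on BAD_CONFIG and a clean result on GOOD_CONFIG. The overlap check is the one most often missed when clicking through the GUI: the pool address object from step 2 looks harmless on its own, and the conflict only shows up once Network Extension starts routing pool addresses towards a LAN that already owns them.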