Version 7
Document Version 10.04.5.0007 - 30/11/2013
Cyberoam SSL VPN User Guide
Important Notice
Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but
is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document.
Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications.
Information is subject to change without notice.
USER’S LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License
Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.
You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam
UTM Appliances at http://kb.cyberoam.com.
RESTRICTED RIGHTS
Copyright 1999 - 2013 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of
Cyberoam Technologies Pvt. Ltd.
Corporate Headquarters
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower, Off. C.G. Road,
Ahmedabad – 380006, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com
Contents
Introduction
Concepts
SSL VPN Access Modes
Portal
Preface
Welcome to Cyberoam’s - User guide.
Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti-
Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data
Leakage Prevention, IM Management and Control, Layer 7 visibility, Bandwidth Management,
Multiple Link Management, Comprehensive Reporting over a single platform.
Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack.
Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic,
enabling Administrators to apply access and bandwidth policies far beyond the controls that
traditional UTMs support. It thus offers security to organizations across layer 2 - layer 8, without
compromising productivity and connectivity.
Cyberoam UTM appliances accelerate unified security by enabling single-point control of all its
security features through a Web 2.0-based GUI. An extensible architecture and an ‘IPv6 Ready’
Gold logo provide Cyberoam the readiness to deliver on future security requirements.
Cyberoam provides increased LAN security by providing a separate port for connecting to the
publicly accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ, which are
visible to the external world and still have firewall protection.
Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.
Introduction
font
typefaces
Name of a particular parameter / field / command button text: Lowercase italic type. Example: Enter policy name, replace policy name with the specific name of a policy. Or: Click Name to select, where Name denotes command button text which is to be clicked.
Cross references: Hyperlink in different color. Example: Refer to Customizing User database. Clicking on the link will open the particular topic.
Notes & points to remember: Bold typeface between the black borders. Example: Note
Prerequisites: Bold typefaces between the black borders. Example: Prerequisite, Prerequisite details
Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:
Corporate Office
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower
Off C.G. Road
Ahmedabad 380006
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com
Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.cyberoam.com
Introduction
A Virtual Private Network (VPN) is a network that uses public telecommunication infrastructure,
such as the Internet, to provide remote offices or traveling users with access to a central
organizational network. A secure tunnel is formed across the public network which carries private
network traffic between distant offices. This traffic is usually encrypted and compressed for
enhanced performance and security. VPN technology has replaced the need to acquire and
maintain expensive dedicated leased-line telecommunication circuits once typical in wide-area
network installations.
Note
All the screenshots in the Cyberoam User Guides have been taken from the NG series of appliances. The
features and functionalities, however, remain unchanged across all Cyberoam appliances.
A VPN user can access the central network in a manner that is identical to being connected
directly to the central network. Hence, it is ideal for business telecommuters or employees working
from home. It is essential that the connection between the central network and remote location
meets certain requirements like:
Flexible Access: The remote users must be able to access the organization’s network from
various locations, like Internet cafes, hotels, airports etc. The range of applications available
must include web applications, mail, file shares, and other more specialized applications
required to meet corporate needs.
Secure connectivity: Guaranteed by the combination of authentication, confidentiality and
data integrity for every connection.
Usability: Installation must be easy. No configuration should be required as a result of
network modification at the remote user end. The given solution should be seamless for the
connecting user.
SSL (Secure Socket Layer) VPN fulfills the above requirements by providing simple-to-use and
secure access to remote users. It allows access to the corporate network and provides the ability
to create point-to-point encrypted tunnels between remote user and the company’s internal
network. It requires a combination of SSL certificates and username/password for authentication to
enable access to the internal resources.
Cyberoam extends its VPN feature to include SSL VPN functionality to provide secure access of a
company’s central network to remote users. It delivers a set of features and benefits which are
easy to use and control and which allow access to the corporate network from anywhere, anytime.
Depending upon requirement, remote users can access through SSL VPN Client or End user Web
Portal (clientless access). It offers a secure web portal which can be accessed by each authorized
user to download a free SSL VPN Client, SSL certificates and a client configuration. In addition, it
offers granular access policies, bookmarks to designated network resources and portal
customization.
Concepts
SSL VPN Access Modes
Cyberoam appliance authenticates any remote user based on user name and password. A
successful login determines the access rights of remote users according to user, group and the
SSL VPN policy. The SSL VPN policy specifies whether the connection will operate in Tunnel
Access Mode, Web Access Mode or Application Access Mode.
Split Tunnel: This ensures that only traffic for the private network is encrypted and tunneled
while Internet traffic is sent through the usual unencrypted route. This is configured by default
and is used to avoid bandwidth choking.
Full Tunnel: This ensures that not only private network traffic but other Internet traffic is also
tunneled and encrypted.
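The difference between the two tunnel types, shown as an added example that is not part of the Cyberoam guide: the function decides, per destination, whether a remote client's traffic enters the encrypted tunnel. The private network ranges and destination addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values: networks behind the appliance that the
# SSL VPN policy exposes to remote users (assumption, not from the guide).
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


def route_for(destination, tunnel_type, private_networks=PRIVATE_NETWORKS):
    """Return "tunnel" or "direct" for one destination address.

    split: only traffic for the private network is tunneled and encrypted.
    full:  private network traffic and other Internet traffic are tunneled.
    """
    if tunnel_type not in ("split", "full"):
        raise ValueError(f"unknown tunnel type: {tunnel_type!r}")
    addr = ipaddress.ip_address(destination)
    if tunnel_type == "full":
        return "tunnel"
    in_private = any(addr in net for net in private_networks)
    return "tunnel" if in_private else "direct"


def untunneled(destinations, tunnel_type):
    """List the destinations that leave the client outside the tunnel."""
    return [d for d in destinations if route_for(d, tunnel_type) == "direct"]


if __name__ == "__main__":
    sample = ["10.10.4.20", "192.168.50.7", "203.0.113.80", "198.51.100.25"]
    for mode in ("split", "full"):
        for dest in sample:
            print(f"{mode:5} {dest:15} -> {route_for(dest, mode)}")
        print(f"{mode:5} outside tunnel: {untunneled(sample, mode)}")
```

Under Split Tunnel the two public addresses in the sample never pass through the appliance, so only Full Tunnel brings that traffic within reach of controls applied to tunnel traffic.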
In this mode, appliance acts as a secure gateway and authenticates the remote users. On
successful authentication, appliance redirects the web browser to the Web portal from where
remote users can access the applications behind the appliance. Configuring Application Access
mode is a two-step process:
1. Select Application Access mode in SSL VPN policy
2. Assign policy to the User or Group
For administrators, Web Admin Console provides SSL VPN management. Administrator can
configure SSL VPN users, access methods and policies, user bookmarks for network resources,
and system and portal settings.
For remote users, customizable End user Web Portal enables access to resources as per the
configured SSL VPN policy.
Prerequisite
The following requirements should be fulfilled for the remote user to access SSL VPN in Application
Access Mode:
OS should be Windows 2000, Windows XP, Windows 7, Windows Vista or Windows Server 2003.
Remote user should have Administrator privileges.
Java Runtime Environment V 1.6 or above should be installed.
Cyberoam scans VPN Tunnel Traffic (incoming and outgoing) for malware, spam, inappropriate
content and intrusion attempts, ensuring Threat-free Tunneling. Furthermore, VPN traffic is
subjected to DoS inspection, although Cyberoam does provide the option of bypassing DoS
inspection for specific traffic.
Cyberoam does not have an exclusive port assigned for the VPN Zone like the LAN, WAN and
DMZ ports. As soon as a VPN connection is established, the port/interface used by the connection
is automatically added to the VPN zone, and on disconnection, the port is removed by itself. VPN
zone is used by both IPSec and SSL VPN traffic.
Note
Threat Free Tunneling is applicable only when SSL VPN tunnel is established through Tunnel Access
Mode.
Network Resources
Network Resources are the components that can be accessed using SSL VPN. SSL VPN provides
access to HTTP or HTTPS servers in the internal network, Internet, or any other network segment
that can be reached by Cyberoam. The Administrator can configure Web (HTTP), Secure Web
(HTTPS), RDP, Telnet, SSH or FTP bookmarks and internal network resources to allow access to
web-based resources and applications. If required, custom URL access can also be provided.
Network resources:
Portal
Cyberoam’s SSL VPN Portal is the entry point for any remote user to the corporate network. It
provides easy access to network resources through a secure tunnel. It is possible to customize the
portal interface by including company logo and a customized message to be displayed to users
when they log into the portal. The Portal displays only those network resources that are assigned
to the logged in user through SSL VPN Policy and Access Mode.
This menu covers configuring global settings for Tunnel Access and Web Access, defining
Policies, creating Bookmarks and Bookmark Groups and customizing the SSL VPN Portal.
Detailed explanations for each of these tasks are given below.
Tunnel Access
Configure Tunnel Access Mode for the remote users who are to be provided with the corporate
network access from laptops, Internet cafes, hotels etc. It requires an SSL VPN Client at the
remote end. Remote users can download and install SSL VPN Client from the End-user Web
Portal.
To configure and update certain parameters globally for Tunnel Access Mode, go to VPN → SSL →
Tunnel Access.
One can use a common certificate for all the users or create
individual certificate for each user. Cyberoam automatically
generates certificate valid up to 31st December, 2036 for all
the users added in Cyberoam.
Note
Do not assign the private IP Address space that is already
configured for any ports via Network Configuration.
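One way to check the note above before saving the setting, as an added example that is not Cyberoam's own code: it tests whether an address range planned for tunnel clients overlaps any subnet already configured on a port. It assumes the range is written as a first and last address; the port names and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample: interface addresses as they might appear under
# Network Configuration. Port names and addresses are assumptions.
SAMPLE_PORTS = {
    "PortA": "172.16.16.16/24",
    "PortB": "203.0.113.10/29",
    "PortC": "10.81.0.1/16",
}


def lease_blocks(first, last):
    """Collapse a first-last lease range into the CIDR blocks covering it."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if start.version != end.version:
        raise ValueError("lease range mixes IPv4 and IPv6 addresses")
    if end < start:
        raise ValueError("lease range ends before it starts")
    return list(ipaddress.summarize_address_range(start, end))


def overlapping_ports(first, last, ports=SAMPLE_PORTS):
    """Return {port: network} for every port whose subnet overlaps the range."""
    blocks = lease_blocks(first, last)
    clashes = {}
    for port, cidr in ports.items():
        # strict=False: interface addresses carry host bits (172.16.16.16/24);
        # reduce them to the enclosing network before comparing.
        net = ipaddress.ip_network(cidr, strict=False)
        if any(b.version == net.version and b.overlaps(net) for b in blocks):
            clashes[port] = str(net)
    return clashes


if __name__ == "__main__":
    for first, last in [("10.81.234.5", "10.81.234.55"),
                        ("172.16.15.250", "172.16.16.5"),
                        ("10.99.0.10", "10.99.0.60")]:
        clashes = overlapping_ports(first, last)
        verdict = f"overlaps {clashes}" if clashes else "no overlap"
        print(f"{first} - {last}: {verdict}")
```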
Web Access
Configure Web Access Mode for the remote users who are equipped with the web browser only
and when access is to be provided to the certain Enterprise Web applications/servers through web
browser only. In other words, it is a clientless access.
Policy
SSL VPN Policies determine the Access Mode assigned to the remote users and the network
resources available to users and also controls the access to the private network (corporate
network) in the form of bookmarks.
To add or edit SSL VPN Policies, go to VPN → SSL → Policy. Click Add Button to add a new
policy or Edit Icon to modify the details of the policy.
Available Options:
Tunnel Access Mode – For the remote users who are to be
provided with the Corporate network access from laptops,
Internet cafes, hotels etc. It requires an SSL VPN Client at
the remote end. Remote users can download and install
SSL VPN Client from the SSL VPN Portal.
Available Options:
Split Tunnel - ensures that only the traffic for the private
network is tunneled and encrypted.
Full Tunnel - ensures not only private network traffic but other
Internet traffic is tunneled and encrypted.
Specify time after which the peer must be checked for its
status.
Time Range (in seconds): 60 - 3600.
By default, the duration is 60 seconds.
One can use the global settings or customize the idle timeout.
Accessible Resources: Accessible Resources also allows restricting the access to the
bookmarks.
Idle Timeout: Connection will be dropped after the configured inactivity time
and user will be forced to re-login. One can use the global
settings or customize the idle timeout.
Click “Add Policy Member(s)” button to add user or user groups to SSL VPN Policy members list.
A pop-up window is displayed to select the users. Multiple users or user groups can be also
selected.
Select Users or user groups who are to be allowed access through SSL VPN connection. Click
“Apply” button to add these users and user groups to the SSL VPN Policy members list.
Users or user groups to be added can also be searched in the Members list.
Click “Manage Policy Member(s)” button to view user or user groups that are in SSL VPN Policy
members list. A pop-up window is displayed to view the users. Multiple users or user groups can
be selected and deleted.
The page displays the list of SSL VPN Policy members who are allowed access through SSL
connection. To delete users, select the users to be deleted and click “Delete” button.
Users or user groups to be deleted can be searched from the Members list.
Bookmark
Bookmarks are the resources whose access will be available through SSL VPN Portal. You can
also create a group of bookmarks that can be configured in SSL VPN Policy.
These resources will be available in Web Access and Application Access modes and are to be
configured in SSL VPN Policy.
Add
View
Edit - Click the Edit icon in the Manage column against the Bookmark to be modified. Edit
Bookmark pop-up window is displayed which has the same parameters as the Add Bookmark
window.
Delete - Click the Delete icon in the Manage column against a Bookmark to be deleted. A
dialog box is displayed asking you to confirm the deletion. Click OK to delete the Bookmark.
To delete multiple Bookmarks, select them and click the Delete button.
Manage Bookmarks
Bookmark Parameters
To add or edit Bookmarks, go to VPN → SSL → Bookmark. Click Add Button to add a new
bookmark or Edit Icon to modify the details of the bookmark.
Available Options:
HTTP
HTTPS
RDP
Telnet
SSH
FTP
IBM Server Terminal
URL: Specify the URL of the website for which the bookmark is to
be created.
Referred Domains: Provide a set of domain(s)/URL(s) required by Bookmarked
URL to render it appropriately.
Description: Provide Bookmark Description.
Table - Add Bookmark screen elements
Bookmark Group
To manage Bookmark Groups, go to VPN → SSL → Bookmark Group. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the Bookmark Group to be
modified. Edit Bookmark Group pop-up window is displayed which has the same parameters
as the Add Bookmark Group window.
Delete - Click the Delete icon in the Manage column against a Bookmark Group to be
deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the
Bookmark Group. To delete multiple Bookmark Groups, select them and click the Delete
button.
Screen - Add Bookmark Group
Portal
SSL VPN Portal is an entry point to the corporate network. It can be accessed by browsing to
https://<WAN IP Address of Cyberoam:port> from the web browser. Use default port: 8443 unless
customized. Confirm port number from System → Administration → Settings.
For users having Tunnel Access, SSL VPN Client and Configuration file can be downloaded from
the portal. For users having Web and Application Access, a list of all the bookmarks will be
displayed. URL Address bar will also be displayed to the user, if allowed in the User SSL VPN
policy. User can type the URL in the address bar to access other URLs than bookmarks. All the
downloadable components will be displayed only if the remote user is allowed the “Full” access.
Cyberoam provides flexibility to customize the Portal page to offer consistent logon/log off page.
This page can be exclusive to your business including your business name and logo. To customize
the SSL VPN user portal, go to VPN → SSL → Portal.
Page displays important parameters like Username, Source and leased IP Address, Access mode,
date and time when connection was established, tunnel type and data transferred. If the
connection is established through Web Access mode, only username, access mode and date and
time when connection was established will be displayed. Page allows disconnection of any live
user.
Available Options:
Chinese-Simplified
Chinese-Traditional
English
French
Hindi
Japanese
Download SSL VPN Client Configuration - MAC Tunnelblick: Click to download the SSL VPN Configurations for MAC
Tunnelblick.
Available Options:
Show - Select to Display the “Passphrase” on the
screen.
Download Client
For downloading the client for the first time, click “Download Client” and follow the on-screen
instructions:
Note
Click “Save” to save a copy of CrSSL.exe on your local machine, else click “Run” to run the setup.
The following warning message appears.
Click “Browse” to change the location of the Destination Folder where the client is to be installed.
Click “Install”. The following screen appears while installation is in progress.
Once the installation is complete, the CrSSL Client icon appears in the system tray.
Note
If you are installing SSL VPN Client for the first time, skip this section.
You need to download the configuration file if you have already installed Client or if the server
configuration has changed. Click “Download SSL VPN Client Configuration - Windows” and follow
the on-screen instructions.
On clicking “Download SSL VPN Client Configuration - Windows”, the following message appears.
Click the ellipsis (…) to browse to the location at which the file clientbundle.tgz is saved. Click
“Import” to import the SSL VPN Configuration from clientbundle.tgz.
Establish connection
Double click CrSSL Client icon and specify username and password and click “Login”
button.
User is prompted to provide an additional password as “Passphrase” when the selected SSL Client
Certificate under “Tunnel Access Settings” page contains an Encrypted Key.
The icon turns yellow indicating that connection is in progress and turns green the moment
connection is established and IP Address is leased.
To disconnect the connection, right click the CrSSL Client icon and click “Logout”.
Accessing Applications
User can access any of the Bookmarks listed on the Main Page which include certain Enterprise
Web Applications/Servers.
Accessing Applications
User can access any of the Bookmarks listed on the Main Page which include certain Enterprise
Applications/Servers.