4500 Great America Parkway
Santa Clara, CA 95054 USA
202-10208-01
August 2006
Technical Support
Please register to obtain technical support. Please retain your proof of purchase and warranty information.
To register your product, get product support or obtain product information and product documentation, go to
http://www.NETGEAR.com. If you do not have access to the World Wide Web, you may register your product by filling
out the registration card and mailing it to NETGEAR customer service.
You will find technical support information at: http://www.NETGEAR.com/ through the customer service area. If you
want to contact technical support by telephone, see the support information card for the correct telephone number for
your country.
NETGEAR, the NETGEAR logo, ProSafe and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc.
Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation.
Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this
document are copyright Intoto, Inc.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
FCC Statement
This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions:
•This device may not cause harmful interference.
•This device must accept any interference received, including interference that may cause undesired operation.
FCC Requirements for Operation in the United States
Radio Frequency Interference Warnings & Instructions This equipment has been tested and found to comply
with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference in a residential installation. This equipm ent generates, uses, and can
radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful
interference to radio communications. However, there is no guarantee that interference will not occur in a particular
installation. If this equipment does cause harmful interference to radio or television reception, which can be determined
by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the
following measures:
•Reorient or relocate the receiving antenna
•Increase the separation between the equipment and receiver
•Connect the equipment into an outlet on a circuit different from that to which the receiver is connected
•Consult the dealer or an experienced radio/TV technician for help.
ii
v1.0, August 2006
RF Exposure Warning for North America, and Australia
Warning! To ensure compliance with FCC RF exposure require ments, the antenna used for thi s device must be install ed
to provide a separation distance of at least 20 cm (8 in) from all persons and must not be co-located or operating in
conjunction with any other antenna or radio transmitter. Installers and end-users must follow the installa tion instructi ons
provided in this user guide.
EU Regulatory Compliance Statement
ProSafe SSL VPN Concentrator 25 is compliant with the following EU Council Directives: 89/336/EEC and
LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and
EN60950.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe SSL VPN Concentrator 25 has been suppressed in accordance with the conditions
set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test
transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes
in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and
has been granted the right to test the series for compliance with the regulations.
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß dasProSafe SSL VPN Concentrator 25 gemäß der im BMPT-AmtsblVfg 243/1991 und
Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. T e stsender)
kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt
gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Product and Publication Details
Model Number:SSL312
Publication Date:August 2006
Product Family:Concentrator
Product Name:ProSafe SSL VPN Concentrator 25
Home or Business Product:Business
Language:English
Publication Part Number:202-10208-01
Publication Version Number:1.0
v1.0, August 2006
iii
iv
v1.0, August 2006
Contents
About This Manual
Conventions, Formats and Scope .................................................................................... ix
How to Use This Manual ................................................................................................... x
How to Print this Manual ....................................................................................................x
Chapter 1
Introduction
About the ProSafe SSL VPN Concentrator 25 ...............................................................1-1
Key Features ..................................................................................................................1-1
Web Browser Requirements ...........................................................................................1-2
What’s in the Box ............................................................................................................1-3
The NETGEAR® Prosafe™ SSL VPN Concentrator 25 SSL312 Reference Manual describes how
to install, configure and troubleshoot the ProSafe SSL VPN Concentrator 25. The information in
this manual is intended for readers with intermediate computer and Internet skills.
Conventions, Formats and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs:
•Typographical Conventions. This manual uses the following typographical conventions:
ItalicsEmphasis, books, CDs, URL names
BoldUser input
FixedScreen text, file and server names, extensions, commands, IP addresses
•Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note may result in a malfunction or damage to the
For more information about network, Internet, firewall, and VPN technologies, see the links to the
NETGEAR website in
Note: Product updates are available on the NETGEAR, Inc. website at
http://kbserver.netgear.com/products/SSL312.asp.
Appendix B, “Related Documents”.
How to Use This Manual
The HTML version of this manual includes the following:
•Buttons, and , for browsing forwards or backwards through the manual one page
at a time
•A button that displays the table of contents and an button. Double-click on a
link in the table of contents or index to navigate directly to where the topic is described in the
manual.
•A button to access the full NETGEAR, Inc. online knowledge base for the product
model.
•Links to PDF versions of the full manual and individual chapters.
How to Print this Manual
To print this manual you can choose one of the following several options, according to your needs.
Each page in the HTML version of the manual is dedicated to a major topic. Use the Print
button on the browser toolbar to print the page contents.
•Printing a Chapter.
Use the PDF of This Chapter link at the top left of any page.
–Click the PDF of This Chapter link at the top right of any page in the chapter you want to
print. The PDF version of the chapter you were viewing opens in a browser window.
–Your computer must have the free Adobe Acrobat reader installed in order to view and
print PDF files. The Acrobat reader is available on the Adobe Web site at
http://www.adobe.com.
–Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can
save paper and printer ink by selecting this feature.
•Printing the Full Manual.
Use the Complete PDF Manua l link at the top left of any page.
–Click the Complete PDF Manual link at the top left of any page in the manual. The PDF
version of the complete manual opens in a browser window.
–Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can
save paper and printer ink by selecting this feature.
This chapter describes some of the key features of the NETGEAR® ProSafe™ SSL VPN
Concentrator 25 SSL312. It also includes the minimum prerequisites for installation and (
Browser Requirements” on page 1-2.), package contents (“What’s in the Box” on page 1-3), and a
description of the front and back panels of the SSL312 (“Hardware Description” on page 1-3). The
default SSL VPN Concentrator address is http://192.168.1.1.
About the ProSafe SSL VPN Concentrator 25
The ProSafe SSL VPN Concentrator 25 is an innovative hardware-based SSL VPN solution
designed specifically to provide remote access for mobile users to their corporate network, without
requiring a VPN client on their systems. The Secure Sockets Layer (SSL) protocol operates
between TCP/IP and application protocols such as HTTP and FTP allowing a secure server to
authenticate itself to an SSL-enabled client, such as a web browser. Once the authentication and
negotiation of encryption information is completed, the server and client can establish an
encrypted connection. With support for 25 concurrent sessions, users can easily access the remote
network and enjoy a customizable, secure, user portal experience from virtually any available
platform.
“Web
The ProSafe SSL VPN Concentrator 25 is an innovative hardware-based SSL VPN solution
designed to provide remote access to corporate resources. Supporting Secure Sockets Layer (SSL),
a protocol that operates at the application layer, the SSL VPN Concentrator allows users to access
corporate resources remotely without requiring a pre-installed client on their laptops.
Key Features
The ProSafe SSL VPN Concentrator 25 is easy to use and to administer, through a customizable
and intuitive interface. Other key features:
•Uses Secure Sockets Layer (SSL) protocol to transfer data. SSL is a protocol that is
extensively used in the world of electronic commerce and has gone through years of public
scrutiny.
•Connects to the SSL VPN Concentrator through a number of popular browsers, such as
Microsoft Internet Explorer or Apple Safari.
•Supports 25 concurrent sessions.
•Provides granular access to corporate resources based upon user type or group membership.
•Supports multiple user authentications, including local database, Microsoft Active Directory,
LDAP, NT Domain and RADIUS.
•Provides client-less access with customizable user portals and support for a wide variety of
user repositories. Access includes support for:
–Full network access
–HTTP and HTTPS proxy and reverse proxy
–Remote Desktop and Application Access including File Sharing
•Browser based, platform-independent, remote access using Microsoft Internet Explorer and
Apple Safari.
Web Browser Requirements
The following web browsers are supported for the SSL VPN Concentrator web management
interface and the SSL VPN portal. Note that Java is only required for the SSL VPN portal, not the
web management interface.
•Microsoft Windows:
–Browsers: Internet Explorer 6.5.1.or higher
Mozilla 1.x (administrator only)
–Java: Sun JRE 1.1 or higher
Microsoft JVM 5 or higher
•Apple MacOS X:
–Browser: Safari 1.2 or higher
–Java: Sun JRE 1.1 or higher
To configure the NETGEAR ProSafe SSL VPN Concentrator 25, an administrator must use an
Internet Explorer 6.5.1 or higher, Apple Safari 1.2 or higher, or Mozilla l.x web browser with
JavaScript, cookies, and SSL-enabled.
What’s in the Box
The product package should contain the following items:
•Loading Software – blinking while uploading software
•System fault – on (prolonged)
This LED may blink for a minute before going off.
3. Two 10/100M Ethernet ports:
•A solid green LED indicates a connectivity link has been established on either the 10M or
100M interface.
•A blinking green LED indicates activity on either the 10M or 100M interface.
4. Serial Console Port
Male DB-9 serial port for serial DTE connections.
5. Restore to Factory Defaults Button
Back Panel
The SSL VPN Concentrator back panel hardware is shown in Figure 1-2 below and consists of the
power On/Off switch and the 110-240V power cord connection.
Figure 1-2
Note: Never substitute a power cord. Only use the power cord provided with the SSL
VPN Concentrator.
1-4Introduction
v1.0, August 2006
Chapter 2
Basic Installation and Configuration
The initial administrative setup of the ProSafe SSL VPN Concentrator 25 must be performed using
an Internet Explorer Browser 6.5.1 or higher, Appl e Safari 1.2 or higher, or Mozilla 1.x. End Users
can use IE 6.5.1 or higher or Apple Safari 1.2 or higher. The browsers should also support
JavaScript, Java, cookies, SSL and ActiveX to take advantage of the full suite of applications.
Note: End Users can open and use a Mozilla 1.x browser after an initial connection has
been made using IE or Safari. If the IE or Safari browser is closed, the connection
will be lost.
Installing the SSL VPN Concentrator
Before installing the ProSafe SSL VPN Concentrator 25, make sure that your Ethernet network is
up and working. The ProSafe SSL VPN Concentrator 25 is a browser-based portal that connects to
your Ethernet network.
To set up the SSL VPN Concentrator:
1. Prepare a PC with an Ethernet adapter. If this PC is already part of your network, record its
TCP/IP configuration settings.
2. Configure your PC with a static IP address of 192.168.1.10 and 255.255.255.0 as the subnet
mask.
3. Connect an Ethernet cable from your computer to Ethernet Port 1 on the front of the SSL VPN
Concentrator.
4. Connect the power cord to the SSL312, turn on the concentrator and verify the following:
•The PWR power light goes on.
•The system has initialized and the TEST light has gone off.
•One of the LAN lights is lit: either the 10 Mbps or the 100 Mbps LED should light
showing that a connectivity link as been established
After the ProSafe SSL VPN Concentrator 25 software has been installed and the Static IP address
configured, you may log into the SSL VPN Concentrator web management interface from an IE
6.5.1 or higher, Safari 1.2 or Mozilla 1.x. The machine used for management is referred to as the
“Management Station”.
Note: You must have administrative access to your network’s concentrator device to
configure the Management Interface settings
To log into the management interface:
1. Connect to the SSL312 by opening your browser and entering https://192.168.1.1 (for the
Ethernet Port 1 IP) in the address field.
.
https://
Figure 2-1
192.168.1.1
If you are connected to Ethernet Port 2 IP, the default address is https://10.0.0.1.
2. A security warning may appear. Click Yes or OK to continue. A login screen with a User
Name and Password dialog boxes will display.
Figure 2-2
3. When prompted, enter admin for the User Name and password for the Password, both in
lower case letters.
4. Select geardomain from the Domain drop-down menu.
5. Click Login to log in the SSL VPN Concentrator Management Interface.
Once you have logged in, the following Status screen will display. The navigation links under
System Configuration, Access Administration, Monitoring, SSL VPN Portal and Web
Support menus on the left side of the browser window allow you to access and configure
administrative settings. When one of the navigation options is clicked, the corresponding
management configuration screen will display.
Figure 2-3
Click on the navigation links to view the corresponding management windows:
•The Launch Portal option under SSL VPN Portal in the navigation menu opens an SSL
VPN portal window for users.
•In addition to the online help provided with each menu, you can access Web Support by
clicking the KnowledgeBase link or the Documentation link under Web Support on the
navigation menu.
•A Logout option at the bottom of the navigation menu terminates the management session
and redisplays the Login window. If you click the Logout link, you must log in again in
order to manage SSL VPN Concentrator.
Until an SSL certificate is uploaded to the SSL VPN Concentrator web server, the web browser
may display a warning message. This message can be ignored during initial login. Please refer to
“Certificate Management” in Chapter 4 on page page 4-7 for SSL certificate management
instructions.
To set up the SSL VPN Concentrator you will need to:
•Configure the SSL VPN Concentrator Password, SSL certificate and general system settings
(described in
•Configure network and IP settings (Chapter 5, “Network Settings”).
•Define user and group settings (Chapter 6, “Group and User Access Policies”).
Chapter 4, “General Settings”).
•Create authentication domains and portal layouts (Chapter 7, “Domains and Layouts”).
•Configure an IP address range for the VPN Tunnel client (Chapter 9, “VPN Tunnel Client”).
The ProSafe SSL VPN Concentrator 25 management interface also includes System status, event
logging, and log settings configuration pages (described in
Once you have logged into the web user interface, an authenticated management session will be
established. If you close the browser window, you must re-authenticate in order to log in into the
web user interface. When you have completed the setup, you can reconfigure the computer you
used for this process back to its original TCP/IP settings, if needed.
Chapter 3, “Status and Logging”).
Logging in to the Management Interface
After the ProSafe SSL VPN Concentrator 25 software has been installed and the IP address
configured, you may log into the ProSafe SSL VPN Concentrator 25 user interface from the web
browsers listed in
configuring the ProSafe SSL VPN Concentrator 25 software, see “Configuring the ProSafe SSL
2-4Basic Installation and Configuration
“Web Browser Requirements” on page 1-2. For detailed instructions on
This chapter provides an overview of the SSL VPN Concentrator administrative interface and
describes the SSL VPN Concentrator status information, logging, alerting and reporting features.
These settings may be viewed in the Status and Logs section of the SSL VPN Concentrator
administrator interface.
It describes:
•SSL VPN Concentrator Status
•Event Log
•Active Users
•Log Settings
SSL VPN Concentrator Status
To view the SSL VPN Concentrator Status window:
1. log into SSL VPN Concentrator from a web browser using the default Ethernet Port1 IP Address, https://192.168.1.1.
2. Select Status from under the Monitoring menu options in the left navigation pane. The S tatus
screen similar to the one shown below will display.
Note: The status information will be unique depending upon the hardware and
software configuration of the SSL VPN Concentrator server.
The Status window shows important state and configuration information. Be sure to check the
Status window for error messages and confirm that SSL VPN Concentrator is configured
properly.
From the Status page, you may view:
•The SSL VPN Concentrator software version
•The processor (CPU) of the SSL VPN Concentrator
•The amount of RAM memory on the SSL VPN Concentrator in MegaBytes (MB)
•The available disk space of the SSL VPN Concentrator in MegaBytes (MB)
•The uptime, the length of time since the SSL VPN Concentrator has been rebooted
•The start time, the time and date since the ProSafe SSL VPN Concentrator 25 was last started
•The number of active users. The number of active users includes administrative users. Click
View current users or go to the Current Users page to view the list of current users.
•The Ethernet Port 1 and Ethernet Port 2 addresses of the SSL VPN Concentrator.
The SSL VPN Concentrator provides web based logging. It also provides the ability to send log
messages to an external syslog server using the syslog protocol and to E-mail log files and alert
messages to an E-mail address or pager. To configure syslog and event log settings, see
Settings” on page 3-6.
To view the SSL VPN Concentrator event log:
Click Event Log under the Mon itoring menu in the left navigatio n menu. The Event Log window
displays.
Figure 3-2
“Log
The Event Log window displays log messages in a sortable, searchable table. The SSL VPN
Concentrator stores 250Kb of log data or approximately one thousand log messages. Once the log
file reaches the log size limit, the log is cleared and, optionally, e-mailed to the SSL VPN
Concentrator administrator.
Each event log entry displays the following information (if applicable):
•Time and date of log event. The time stamp displays the date and time of log events. The
time and date is displayed as “Year-Month-Day Hour:Minute:Second”. Hours are displayed in
24-hour clock format, so 2:00 PM is displayed as hour 14 in the event log. The date and time
are based on the local time of the SSL VPN Concentrator, which is configured on the Date and Time screen under the System Configuration menu.
•Source address. The Source IP address shows the IP address of the user or administrator that
generated the log event. The source IP address may not be displayed for certain events, such as
system errors.
•Destination address. The destination IP address field shows the name or IP address that
received the event. For example, if a user accessed an Intranet web site through the SSL VPN
portal, the corresponding log entry would display the IP address or fully qualified domain
name of the web site accessed.
•User name. The User name field shows the authenticated name of the user or administrator
that generated the log event.
•Log message. The message field describes the event that occurred. Examples of log messages
include “Administrator login successful” and “SSL VPN Concentrator restarting”.
•Log priority. The priority of log messages are divided into seven categories:
By default, 50 messages are displayed per page. If more than 50 events have been logged, then a
Page number menu will be displayed at the top of the event log table. Select the desired page
number from the Page menu to see archived log messages.
On the Log Settings page, you can configure the type of messages, such as warning and alert
messages, that will be displayed in the event log. You can also configure log rotate features on the
Log Settings page which will determine when to clear the log files.
Active Users
The Active Users screen displays the active users and administrators logged into the SSL VPN
portal.
To view the Active Users log file, click Active Users under the Monitoring menu in the left
navigation pane.
Figure 3-3
The Active Users window displays the current users or administrators logged into the SSL VPN
Portal or the SSL VPN Concentrator administrative interface. Each entry displays the name of the
user, the group in which the user belongs, the IP address of the user and a time stamp indicating
when the user logged in.
A user will continue to appear in the Active Users table until the user manually logs out of the
SSL VPN Portal or until an inactivity timeout occurs. Consequently , some users may appear in the
Active Users table for several minutes after they have closed their browser windows.
An administrator may terminate a user session and log the user out by clicking the Delete link in
the Logout column adjacent to the user.
The SSL VPN Concentrator supports web-based logging, syslog logging and e-mail alert
messages. In addition, the SSL VPN Concentrator may be configured to e-mail the event log file to
the SSL VPN Concentrator administrator before the log file is cleared.
Syslog is an industry-standard logging protocol that records system and networking activity. The
SSL VPN Concentrator syslog messages are sent in WELF (WebTrends Enhanced Log Format),
so most standard firewall and networking reporting products can accept and interpret the SSL VPN
Concentrator log files. The SSL VPN Concentrator syslog service transmits syslog messages to
external syslog server(s) listening on UDP port 514.
T o configure Syslog Settings, E-mail Settings and Log and Alert Categories for syslog and alert
settings:
1. Click Log Settings under the System Configuration menu in the left navigation pane.
2. In the SysLog Settings section, enter the IP address or fully qualified domain name of your
syslog server in the Primary Syslog Server field. Leave this field blank if you do not require
syslog logging.
3. If you have a backup or second syslog server, enter the IP address or domain name of the
Secondary Syslog Server in the Secondary Syslog Server field.
4. In the E-mail Settings section:
a. Enter your full e-mail address (username@domain.com) in the E-mail Event Logs to
field to receive e-mail notification. The event log file will be e-mailed to the specified
e-mail address before the event log is cleared. If this field is left blank, log files will not be
e-mailed.
b. Enter your full e-mail address (username@domain.com) or an e-mail pager address in the
E-mail Alerts to field to receive alert messages via e-mail. An e-mail will be sent to the
e-mail address specified if an alert event occurs.
c. Enter the name or IP address of your mail server in the Mail Server field to e-mail log
files or alert messages. If this field is left blank, log files and alert messages will not be
e-mailed.
d. Enter the e-mail address that log and alert messages will be e-mailed from in the Mail
From Address field.
e. Configure how frequently log files will be e-mailed and cleared in the Send Event Logs
field. If the option “When Full” is selected, the event log will be e-mailed and then cleared
when the log file is full. If “Daily” or “Weekly” options are selected, then
•The log file will be e-mailed and deleted on a daily or weekly basis.
•The log file will still be cleared if the log file is full before the end of the period
f.From the Send Event Logs pull-down menu, select a schedule for sending Event Logs.
You can also manually clear the Event Logs by clicking Clea r Log.
5. In the Log and Alert Categories section, define the type of events that will generate Syslog
Messages, Event Logs and Alert messages from the Syslog Message s,Event Log and Alerts
pull-down menus.
Log categories are organized from most to least critical. Once a category is selected, then all
events equal to or more critical than the selected log category and will be logged. The default
Log and Alert categories are: