Netgear SSL312 Owner's Manual
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, California 95134 USA
202-10208-05
November 2008
v2.1
© 2008 by NETGEAR, Inc. All rights reserved.
Technical Support
Please register to obtain technical support. Please retain your proof of purchase and warranty information.
To register your product, get product support or obtain product information and product documentation, go to
http://www.NETGEAR.com
out the registration card and mailing it to NETGEAR customer service.
You will find technical support information at: http://www.NETGEAR.com/
want to contact technical support by telephone, see the support information card for the correct telephone number for
your country.
. If you do not have access to the World Wide Web, you may register your product by filling
through the customer service area. If you
Trademarks
NETGEAR, the NETGEAR logo, ProSafe and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc.
Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation.
Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
FCC Statement
This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operation.
FCC Requirements for Operation in the United States
Radio Frequency Interference Warnings & Instructions This equipment has been tested and found to comply
with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference in a residential installation. This equipm ent generates, uses, and can
radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful
interference to radio communications. However, there is no guarantee that interference will not occur in a particular
installation. If this equipment does cause harmful interference to radio or television reception, which can be determined
by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the
following measures:
• Reorient or relocate the receiving antenna
• Increase the separation between the equipment and receiver
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected
• Consult the dealer or an experienced radio/TV technician for help.
ii
v2.1, November 2008
EU Regulatory Compliance Statement
ProSafe SSL VPN Concentrator 25 is compliant with the following EU Council Directives: 89/336/EEC and
LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and
EN60950.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe SSL VPN Concentrator 25 has been suppressed in accordance with the conditions
set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test
transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes
in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regul ations.
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß dasProSafe SSL VPN Concentrator 25 gemäß der im BMPT-AmtsblVfg 243/1991 und
Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. T e stsender)
kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt
gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Export
This software product and related technology is subject to U.S. export control and may be subject to export or import
regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or
reexport may be required by the U.S. Department of Commerce.
Licensing
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes software developed by the Apache Sof tware Foundation (http://www.apache.org/).
This product includes SSLeay cryptographic software written by Tim Hudson (tjh@cryptsoft.com) and Eric Young
(eay@cryptsoft.com).
v2.1, November 2008
iii
Product and Publication Details
Model Number: SSL312
Publication Date: November 2008
Product Family: Concentrator
Product Name: ProSafe SSL VPN Concentrator 25
Home or Business Product: Business
Language: English
Publication Part Number: 202-10208-05
Publication Version Number: 2.1
iv
v2.1, November 2008
Contents
About This Manual
Conventions, Formats and Scope .................................................................................... ix
Using This Manual .............................................................................................................x
Printing this Manual ...........................................................................................................x
Revision History ..................... ... ... .... ... ... ... .......................................... ..............................xii
Chapter 1
Introduction
About the ProSafe SSL VPN Concentrator 25 ...............................................................1-1
Key Features ..................................................................................................................1-1
Web Browser Requirements ...........................................................................................1-2
What’s in the Box ............................................................................................................1-3
Hardware Description .....................................................................................................1-3
Front Panel ...............................................................................................................1-4
Back Panel ...............................................................................................................1-5
Steps for Deploying the SSL312 .....................................................................................1-5
Chapter 2
Installing the SSL312
Choosing a Network Topology ........................................................................................2-1
Single Arm ................................................................................................................2-1
Routing .................................. ................................. ................................... ............... 2-2
Initial Connection to the SSL VPN Concentrator ............................................................2-3
Accessing the Management Interface ............................................................................2-4
Configuring Basic Network Settings ...............................................................................2-6
Installing the SSL VPN Concentrator .............................................................................2-8
Managing Certificates ................................................................ .....................................2-8
Obtaining a Certificate from a Certificate Authority .................................................. 2-9
Generating a Self-Signed Certificate ......................................................................2-11
Uploading and Enabling the New Certificate ..........................................................2-12
Viewing and Deleting Certificates ..........................................................................2-14
v2.1, November 2008
v
Steps for Further Configuration ....................................................................................2-15
Chapter 3
Authenticating Users
Authentication Domains ............................ .... ..................................................................3-1
Local User Database Authentication ..............................................................................3-2
RADIUS and NT Domain Authentication ........................................................................ 3-3
Configuring for RADIUS Domain Authentication ....................... ............................... 3-4
Configuring for NT Domain Authentication ................... ....... ...... ....... ...... ...... ....... .....3-5
LDAP Authentication ......................................................................................................3-7
Sample LDAP Attributes ..........................................................................................3-7
LDAP Attribute Rules ...............................................................................................3-8
Sample LDAP Users and Attributes Settings ............................................... .... ... ... ..3-8
Querying an LDAP Server ........................................................................................3-9
Configuring for LDAP Authentication .......................................................................3-9
Kerberos Authentication (Active Directory) ...................................................................3-11
Troubleshooting Active Directory Authentication ...................................................3-12
Deleting a Domain ........................................................................................................3-12
Chapter 4
Setting Up User and Group Access Policies
Determine Your Requirements .......................................................................................4-1
Users, Groups and Global Policies ..................... ... ... .... ... ... ... .... .....................................4-2
Global Policies .......................... ... .... ... ... ... .... ... ... ... ... .......................................... ............4-3
Editing Global Policy Settings ..................................................................................4-4
Adding and Editing Global Policies ..........................................................................4-6
Defining and Editing Global Bookmarks ...................................................................4-7
Groups Configuration .....................................................................................................4-8
Adding a New Group ....... ... ... .... ... ... ... .... .......................................... ... ... ... ... .... ........4-8
Editing Group Settings .............................................................................................4-9
Defining and Editing Group Policies .......................................................................4-11
Defining and Editing Group Bookmarks .................................................................4-12
Deleting a Group ....................................................................................................4-13
Users Configuration ......................................................................................................4-14
Adding a New User ...................................... ... ... .... ... ... ... .... ...................................4-15
Editing a User .........................................................................................................4-17
Defining and Editing User Policies .........................................................................4-20
vi
v2.1, November 2008
Defining and Editing a User Bookmarks ................................................................4-21
Deleting a User ......................................................................................................4-22
Using Network Resource Objects to Simplify Policies ..................................................4-22
Chapter 5
Configuring the Remote Access Web Portal
Creating the Portal ....................... .... ... .......................................... ..................................5-1
Portal Options ..........................................................................................................5-2
Adding Portal Layouts ............... ... ... .......................................... ... .... ... ... ... ... .... ... ... ..5-3
Adding Terminal Services Applications to the Portal .... ... .... ... ... ... ............................5-6
Customizing the Banner ...........................................................................................5-7
Duplicating and Editing Portal Layouts ...........................................................................5-8
Preparing the Client for Using Portal Services ...................... .... ... ... ... .... ... ... ... ... .... ... ... ..5-9
Terminal Services Client Compatibility .....................................................................5-9
Creating a User Guide for Portal Services ............................................. ................5-10
Chapter 6
Configuring the SSL VPN Tunnel Client and Port Forwarding
Two Approaches for VPN ...................................................... .... ... ... ...............................6-1
SSL VPN Client Configuration ........................................................................................6-2
Adding IP Address Ranges ............. ... .... ... ... ... ... .... ... ... ... .... ... ... ... .... ... .....................6-3
Adding Routes for VPN Tunnel Clients ........ ... ... .... ... ... .......................................... ..6-4
Configuring Applications for Port Forwarding .................................................. ... .... ... ... ..6-6
Configuring Host Name Resolution ..........................................................................6-8
Chapter 7
Additional System Configuration
Configuring Network Settings .........................................................................................7-1
Sample SSL VPN Concentrator Configuration .........................................................7-1
Network Interface and Default Gateway Configuration ... .... .....................................7-2
Static Route Configuration .......................................................................................7-4
Network Host Table Settings ....................................................................................7-6
Configuring DNS Settings ........................................................................................7-7
Setting Date and Time .................................. ... ... ... ... .... ... ... .......................................... ..7-9
System Configuration Utilities .......................................................................................7-10
Encrypting the Configuration File ...........................................................................7-11
Exporting and Saving a Backup Configuration File ................................................7-11
Importing a Configuration File ................................ ................................................ 7-12
v2.1, November 2008
vii
Erasing the Configuration and Restoring the Default Settings ......................... ...... 7-13
Upgrading the SSL VPN Concentrator Firmware ..................................................7-13
Additional Notes on the Management Interface ...........................................................7-14
Chapter 8
Monitoring and Logging
SSL VPN Concentrator Status ........................................................................................8-1
Active Users ............................. ... .... ... ... ... ....................................... ... .... ... ... ... ... .... ........8-3
Event Log .......................................................................................................................8-4
Log Settings ....................................................................................................................8-5
Diagnostics .....................................................................................................................8-9
Appendix A
Default Settings and Technical Specifications
Factory Default Settings ................................................................................................ A-1
Technical Specifications ................................................................................................. A-2
Appendix B
Related Documents
Index
viii
v2.1, November 2008
About This Manual
The NETGEAR® Prosafe™ SSL VPN Concentrator 25 SSL312 Reference Manual describes how
to install and configure the SSL312. The information in this manual is intended for administrators
who will configure the SSL312. You should have intermediate computer and Internet skills.
Conventions, Formats and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs:
• Typographical Conventions. This manual uses the following typographical conventions:
Italics Emphasis, books, CDs, file and server names, extensions
Bold User input, IP addresses, GUI screen text
Fixed Command prompt, CLI text, code
italic URL links
• Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note could result in a malfunction or damage to the
equipment.
v2.1, November 2008
-ix
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
Danger: This is a safety warning. Failure to take heed of this notice could result in
personal injury or death.
• Scope. This manual is written for the SSL VPN Concentrator according to these
specifications:
Product Version ProSafe SSL VPN Concentrator 25 SSL312
Manual Publication Date November 2008
For more information about network, Internet, firewall, and VPN technologies, see the links to the
NETGEAR website in Appendix B, “Related Documents”.
Note: Product updates are available on the NETGEAR, Inc. website at
http://kbserver.netgear.com/products/SSL312.asp.
Using This Manual
The HTML version of this manual includes the following:
• Buttons, and , for browsing forwards or backwards through the manual one page
at a time
• A button that displays the table of contents and an button. Double-click on a
link in the table of contents or index to navigate directly to where the topic is described in the
manual.
• A button to access the full NETGEAR, Inc. online knowledge base for the product
model.
• Links to PDF versions of the full manual and individual chapters.
Printing this Manual
To print this manual you can choose one of the following several options, according to your needs.
• Printing a Page in the HTML View.
-x
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
Each page in the HTML version of the manual is dedicated to a major topic. Use the Print
button on the browser toolbar to print the page contents.
• Printing a Chapter.
Use the PDF of This Chapter link at the top left of any page.
– Click the PDF of This Chapter link at the top right of any page in the chapter you want to
print. The PDF version of the chapter you were viewing opens in a browser window.
– Your computer must have the free Adobe Acrobat reader installed in order to view and
print PDF files. The Acrobat reader is available on the Adobe Web site at
http://www.adobe.com.
– Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can
save paper and printer ink by selecting this feature.
• Printing the Full Manual.
Use the Complete PDF Manua l link at the top left of any page.
– Click the Complete PDF Manual link at the top left of any page in the manual. The PDF
version of the complete manual opens in a browser window.
– Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can
save paper and printer ink by selecting this feature.
-xi
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
Revision History
Version Date Description of Changes
-01, v1.1 November 2006 • Restructured the contents so that common setup and configuration tasks
are easier to find
• Added new topics
• Added a link to a Microsoft Word template for creating an end-user guide
-02, v1.0 December 2006 • Refined Portal layout behavior
• Added Full Tunnel Support for VPN Tunnels
-02,v1.1 April 2007 • Removed references to SNMP – not supported
• Bug fixes
• v1.5 firmware
-04,v2.0 May 2007 • Expanded feature set.
• v2.0 firmware
-05, v2.1 November 2008 • Added two-factor authentication (WiKID)
• Minor menu changes
• v2.1 firmware
-xii
v2.1, November 2008
Chapter 1
Introduction
This chapter describes some of the key features of the NETGEAR® ProSafe™ SSL VPN
Concentrator 25 SSL312. It also includes the minimum prerequisites for installation (“Web
Browser Requirements” on page 1-2.), package contents (“What’s in the Box” on page 1-3), and a
description of the front and back panels of the SSL312 (“Hardware Description” on page 1-3).
About the ProSafe SSL VPN Concentrator 25
The ProSafe SSL VPN Concentrator 25 is a hardware-based SSL VPN solution designed
specifically to provide remote access for mobile users to their corporate resources without
requiring a pre-installed VPN client on their laptops. Using the familiar Secure Sockets Layer
(SSL) protocol, commonly used for e-commerce transactions, the SSL VPN Concentrator can
authenticate itself to an SSL-enabled client, such as a standard web browser. Once the
authentication and negotiation of encryption information is completed, the server and client can
establish an encrypted connection. With support fo r 25 concurrent sessions, users can easily access
the remote network for a customizable, secure, user portal experience from virtually any available
platform.
Key Features
The ProSafe SSL VPN Concentrator 25 is easy to use and to administer, through a customizable
and intuitive interface. Other key features:
• Uses Secure Sockets Layer (SSL) protocol to transfer data. SSL is a protocol that is
extensively used in the world of electronic commerce and has gone through years of public
scrutiny.
• Browser based, platform-independent, remote access through a number of popular browsers,
such as Microsoft Internet Explorer, Mozilla Firefox, or Apple Safari.
• Supports 25 concurrent sessions.
• Provides granular access to corporate resources based upon user type or group membership.
• Supports multiple user authentications, including local database, Kerberos, Microsoft Active
Directory (using Kerberos), LDAP, NT Domain, and RADIUS.
1-1
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
• Provides client-less access with customizable user portals and support for a wide variety of
user repositories. Access includes support for:
– Full network access
– HTTP and HTTPS proxy and reverse proxy
– Remote desktop and application access including file sharing
Web Browser Requirements
The following web browsers are supported for the SSL VPN Concentrator web management
interface and the SSL VPN portal. Note that Java is only required for the SSL VPN portal, not the
web management interface.
• Microsoft Windows:
– Browsers: Microsoft Internet Explorer 5.1.or higher
Mozilla Firefox 1.x – supports VPN tunnel, VNC, Network Places and Utilities (Microsoft
Internet Explorer is required for Port Forwarding, Applications, and Terminal Services)
– Java: Sun JRE 1.1 or higher
Microsoft JVM 5 or higher
• Apple MacOS X:
– Browser: Safari 1.2 or higher
– Java: Sun JRE 1.1 or higher
• Unix, Linux, or BSD:
– Browsers: Mozilla Firefox 1.x – supports VPN tunnel, VNC, Network Places and Utilities
(Microsoft Internet Explorer is required for Port Forwarding, Applications, and Terminal
Services)
Safari 1.2 or higher
– Java: Sun JRE 1.1 or higher
To configure the NETGEAR ProSafe SSL VPN Concentrator 25, an administrator must use an
Internet Explorer 5.1 or higher, Apple Safari 1.2 or higher , or Mozilla Firefox l.x web browser with
JavaScript, cookies, and SSL enabled.
End Users can use Microsoft Internet Explorer 5.1 or higher , Apple Safari 1.2 or higher or Mozilla
Firefox 1.x (for VPN tunnel, VNC, Network Places and Utilities). The browsers should also
1-2 Introduction
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
support JavaScript, Java, cookies, SSL and ActiveX to take advantage of the full suite of
applications.
Note: For 64-bit support with signed CABs, you must use a 64-bit version of Microsoft
Internet Explorer. The default browser in Microsoft Windows Vista 64-bit Edition
is 32-bit Internet Explorer.
What’s in the Box
The product package should contain the following items:
• ProSafe SSL VPN Concentrator 25 SSL312
• A power cord specific to your region.
• Straight through Category 5 Ethernet cable.
• A serial cable (included for Engineering and debugging purposes only)
• Resource CD
• ProSafe™ SSL VPN Concentrator 25 SSL312 Installation Guide
• Warranty and Support Registration Card
Hardware Description
This section describes the front and rear hardware functions of the SSL312.
Introduction 1-3
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
1
2
3
4
5
Front Panel
The SSL VPN Concentrator front panel hardware is shown below:
Figure 1-1
The SSL VPN Concentrator front panel hardware functions are described below:
1. LED power indicator:
• Off – No power
• On – Power is on.
2. LED self test indicator.
• Self test – on while initializing. (~2 minutes)
• Loading software – blinking while uploading software
• System fault – on (prolonged)
This LED will blink for 1-2 minutes before going off.
3. Two 10/100M Ethernet ports:
• A solid green LED indicates a connectivity link has been established on either the 10M or
100M interface.
• A blinking green LED indicates activity on either the 10M or 100M interface.
4. Serial console port (for engineering and debugging only)
Male
DB-9 serial port for serial DTE connections.
5. Restore to Factory Defaults button
1-4 Introduction
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
Back Panel
The SSL VPN Concentrator back panel hardware is shown below and consists of the power On/
Off switch and the 110-240V power cord connection.
Figure 1-2
Note: Never substitute a power cord. Only use the power cord provided with the SSL
VPN Concentrator.
Steps for Deploying the SSL312
Three basic steps are involved in deploying the ProSafe SSL VPN Concentrator 25 in your
network:
• Installing the SSL312: choosing a network topology, configuring its IP addressing scheme,
connecting the SSL312, and provisioning the SSL certificate. Refer to Chapter 2, “Installing
the SSL312”.
• Setting up SSL312 user accounts: creating individual user accounts, grouping users by
common access privileges, and defining those privileges. Refer to Chapter 3, “Authenticating
Users” and Chapter 4, “Setting Up User and Group Access Policies”.
• Configuring remote access to corporate network resources through the SSL312: designing the
presentation Web portal that will display the available corporate resources to remotely
connected users. Refer to Chapter 5, “Configuring the Remote Access Web Portal”.
Introduction 1-5
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
1-6 Introduction
v2.1, November 2008
Chapter 2
Installing the SSL312
This chapter describes how to install the ProSafe SSL VPN Concentrator 25 SSL312. The
installation includes choosing a network topology, configuring the IP addressing scheme,
connecting the SSL312, and provisioning the SSL certificate.
This chapter includes these topics:
• Choosing a Network Topology
• Initial Connection to the SSL VPN Concentrator
• Accessing the Management Interface
• Configuring Basic Network Settings
• Installing the SSL VPN Concentrator
• Managing Certificates
• Steps for Further Configuration
Choosing a Network Topology
The physical connection of the SSL VPN Concentrator to your network is determined by the
network topology you choose. There are two common network topologies for installing the SSL
VPN Concentrator: single arm or routing. Variations of these topologies are possible, particularly
if your firewall supports a DMZ connection.
Single Arm
In the single arm, or one port, topology , the SSL VPN Concentrator’s Ethernet Port 1 is connected
to your corporate Ethernet network behind your existing firewall, while Ethernet Port 2 is not used.
The single active Ethernet port hosts both the encrypted connection to the Internet and the
decrypted connection to the corporate network’s resources.
As shown in the following figure, encrypted SSL traffic from a remote user passes through the
firewall and terminates at the SSL VPN Concentrator, which authenticates the user and displays
the portal and resources authorized for that user. The user’s subsequent requests for network
2-1
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
Corporate Server
IP Address 192.168.1.3
SSL312 IP Address
192.168.1.1
Firewall/Router
IP Address
192.168.1.254
LAN Subnet
192.168.1.0/24
services are decrypted by the SSL VPN Concentrator and relayed to the appropriate corporate
network servers.
.
Figure 2-1
Single arm mode has the advantage of being protected by your firewall.
In later steps, you will use the following settings when configuring for single arm operation.
• Assign Ethernet Port 1 an IP address on your local network.
• Disable Ethernet Port 2.
• Disable Routing Mode.
• Define a default route to the firewall.
• If your firewall performs NAT, you must configure the firewall to forward incoming HTTPS
traffic to the IP address of Ethernet Port 1.
Note: NETGEAR recommends single arm operation for most networks.
Routing
In the routing, or two port, topology , the SSL VPN Concentrator is connected in parallel with your
existing firewall. Ethernet Port 1 is connected to the untrusted side of your firewall, while Ethernet
Port 2 connects to your corporate network.
2-2 Installing the SSL312
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
SSL312
10.0.0.254
10.0.0.10
10.0.0.20
10.0.0.1
66.123.4.80
Red = Public (untrusted)
Green = Local (trusted)
As shown in the following figure, encrypted SSL traffic from a remote user is sent directly to the
SSL VPN Concentrator, which authenticates the user and displays the portal and resources
authorized for that user. The user’s subsequent requests for network services are decrypted by the
SSL VPN Concentrator and relayed to the appropriate network servers on the corporate network.
Figure 2-1
Routing mode has the advantage of unloading SSL traffic from your firewall. However, your
network may not be as well protected since the firewall can not inspect this traffic.
In later steps, you will use the following settings when configuring for routing operation.
• Assign Ethernet Port 1 a public IP address.
• Assign Ethernet Port 2 an IP address on your local network.
• Enable Routing Mode.
Initial Connection to the SSL VPN Concentrator
In its factory default state, the SSL VPN Concentrator Ethernet Port 1 IP address is 192.168.1.1
and the Ethernet Port 2 IP address is 10.0.0.1. Unless these default IP addresses are compatible
with your network, you must configure and connect a computer directly to Ethernet Port 1 for
initial configuration including reassignment of the Ethernet Port IP addresses. This procedure is
described in the following steps:
Installing the SSL312 2-3
Note: The SSL VPN Concentrator does not perform Network Address Translation
(NAT). Also, the SSL VPN Concentrator only enforces access policies on SSL
VPN traffic, not on other TCP/IP protocols. Therefore, the SSL VPN
Concentrator should always be used in conjunction with a network firewall.
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
https://
192.168.1.1
1. Prepare a PC with an Ethernet adapter. If this PC is already part of your network, record its
TCP/IP configuration settings so that you can restore them later.
2. Configure your PC with a static IP address of 192.168.1.10 and 255.255.255.0 as the subnet
mask.
3. Connect an Ethernet cable from your computer to Ethernet Port 1 on the front of the SSL VPN
Concentrator.
4. Connect the power cord to the SSL312, turn on the concentrator and verify the following:
• The PWR (power) light goes on immediately.
• The TEST light goes off after about one minute, indicating that the system has initialized.
• One of the Ethernet lights is lit: either the 10 Mbps or the 100 Mbps LED should light
showing that a connectivity link as been established
Accessing the Management Interface
Using the PC with the static IP address configured, you can log into the SSL VPN Concentrator
web management interface. The initial administrative setup of the concentrator must be performed
using a supported browser listed in “Web Browser Requirements” on page 1-2. The machine used
for management is referred to as the “Management Station”.
Note: You must have administrative access to the SSL VPN Concentrator to configure the
Management Interface settings.
To log into the management interface:
1. Connect to the SSL312 by opening your browser and entering https://192.168.1.1 (for the
Ethernet Port 1 IP) in the address field. Be sure to type https, not http..
Figure 2-2
If you are connected to Ethernet Port 2 IP, the default address is https://10.0.0.1.
2-4 Installing the SSL312
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
2. A certificate security warning may appear. Click Yes or OK to continue. A login screen with
User Name and Password dialog boxes displays.
Figure 2-3
3. When prompted, enter admin for the User Name and password for the Password, both in
lower case letters.
Note: Both the user name and password are case-sensitive.
4. From the Domain drop-down menu, select geardomain.
5. Click Login to log in to the SSL VPN Concentrator Management Interface.
Once you have logged in, the following Status screen will display. The navigation links under
System Configuration, Access Administration, Monitoring, SSL VPN Portal and Web Support
headings on the left side of the browser window allow you to access and configure
administrative settings. When one of the navigation options is clicked, the corresponding
management configuration screen will display.
Installing the SSL312 2-5
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
Figure 2-4
Configuring Basic Network Settings
Before deploying the SSL VPN Concentrator into your existing network, you should configure the
following basic settings:
• Change the administrator password
• Configure DNS server IP address
• Configure a default route
2-6 Installing the SSL312
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
• Configure Ethernet interface IP addresses
To prepare for installation:
1. Change the administrator account password.
a. On the left side of the browser window, select the Users and Groups link.
b. In the Users table, click on admin.
c. Type your new Password and re-type to Confirm Password.
d. Click Apply.
2. Configure the DNS server IP address.
a. On the left side of the browser window, select the Network link.
b. In the Network menu, click the DNS Settings radio button.
c. Enter at least one DNS server IP address.
d. Click Apply.
3. Configure a default route for Internet access.
a. On the left side of the browser window, select the Network link.
b. In the Network menu, click the Static Routes radio button.
c. Specify the Default Gateway Address.
• If you plan a single arm topology, the Default Gateway is your corporate firewall.
Specify that IP address for the ethernet-1 interface.
• If you plan a routing topology , the Default Gateway for the ethernet-1 interface is your
Internet Service Provider’s gateway . The Default Gateway for the ethernet-2 interface
is your corporate firewall.
d. Click Apply.
4. Change the Ethernet port IP Addresses.
a. Select the Network link.
b. In the Network menu, click the Interfaces radio button.
c. Enter your chosen Ethernet Port 1 IP Address and Subnet Mask.
d. If you plan a single arm topology, clear the Enable Routing Mode checkbox. If you plan a
routing topology, check the Enable Routing Mode checkbox and enter your chosen
Ethernet Port 2 IP Address and Subnet Mask.
Installing the SSL312 2-7
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
e. Click Apply. If you changed the IP address for the Ethernet Port to which you are
connected, you will now lose your connection to the SSL VPN Concentrator.
Installing the SSL VPN Concentrator
You are now ready to physically install your SSL VPN Concentrator using the following steps:
1. Turn off the power to the SSL VPN Concentrator and connect it to your network in your
chosen topology.
• For a single arm topology, connect Ethernet Port 1 to your corporate network and leave
Ethernet Port 2 disconnected.
• For a routing topology , connect Ethernet Port 1 to your pu blic network and Ethernet Port 2
to your corporate network.
2. Turn on the power to the SSL VPN Concentrator.
3. From a PC on your corporate network, open a suitable browser and access the SSL VPN
Concentrator web management interface by typing https://<IP_address>, where IP_address
is the address that you assigned to the SSL312 Ethernet Port that is connected to the corporate
network.
Note: If the default portal (SSL-VPN) is changed to another user-defined portal, the
administration portal, SSL-VPN, can be reached by typing
https://<IP_address>/portal/SSL-VPN.
4. Log in as admin using the new password that you assigned. You can now continue the
configuration of your SSL VPN Concentrator.
Managing Certificates
Establishing an SSL connection requires that the SSL server , such as your SSL VPN Concentrator,
provide a digital SSL certificate to the user’s browser. A certificate is a file that contains:
• A public encryption key to be used for encrypting your messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server.
2-8 Installing the SSL312
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
You can obtain a certificate from a well-known commercial Certificate Authority (CA) such as
Verisign or Thawte, or you can generate and sign your own certificate. Because a commercial CA
takes steps to verify the identity of an applicant, a certificate from a commercial CA provides a
strong assurance of the server’s identity. A self-signed certificate will trigger a warning from most
browsers as it provides no protection against identity theft of the server.
Note: If you obtain a certificate from a CA, you must use a Root CA, not an Intermediate
CA. Root certificates are signed by the Root CA itself, while Intermediate
certificates depend on a verification hierarchy leading back to a Root CA.
Your SSL VPN Concentrator contains a self-signed certificate from NETGEAR. NETGEAR
recommends that you replace this certificate prior to deploying the SSL VPN Concentrator in your
network.
From the Certificates menu, you can view the currently loaded certificates, upload a new
certificate and generate a Certificate Signing Request (CSR).
Obtaining a Certificate from a Certificate Authority
T o obtain a certificate from a CA, you must generate a Certificate Signing Request (CSR) for your
SSL VPN Concentrator. The CSR is a file containing information about your company and about
the device that will hold the certificate. Refer to the CA for guidelines on the information you
include in your CSR.
To generate a new Certificate Signing Request (CSR) file:
1. Under the System Configuration menu in the left navigation pane, select Certificates. The
Certificates screen displays.
Installing the SSL312 2-9
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
Figure 2-5
2. In the Digital Certificate Management section, click New CSR/CRT. The Create CSR screen
displays.
3. Fill out all of the fields with the appropriate information. This information will appear in your
certificate and will be visible to users.
2-10 Installing the SSL312
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
Figure 2-6
4. Click Apply. A file download screen will display. Click Save to save the CSR.ZIP file to a disk
location. You will need to provide this file to the Certificate Authority.
5. Contact the CA to purchase your certificate using the CSR file you generated.
6. When you receive your certificate from the CA, store the certificate file on your PC.
7. Upload and enable the certificate according to the instructions later in this chapter.
Generating a Self-Signed Certificate
As an alternative to obtaining a certificate from a CA, you can generate a self-signed certificate for
your SSL VPN Concentrator.
To generate a self-signed certificate file:
1. Under the System Configuration menu in the left navigation pane, select Certificates. The
Certificates menu will display as shown in the previous section.
2. In the Digital Certificate Management section, click New CSR/CRT. The Create CSR screen
will display.
Installing the SSL312 2-11
v2.1, November 2008
NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
3. Fill out all of the fields with the appropriate information. This information will appear in your
certificate and will be visible to users.
4. Check the Generate a Self-signed Certificate checkbox to generate a new CRT.
5. Click Apply. If all information is entered correctly , a file download screen displays. Click Save
to save the crt.zip file to a disk location. This file includes a server.crt and a server.key key file.
6. Upload and enable the certificate according to the instructions later in this chapter.
Uploading and Enabling the New Certificate
For uploading to the SSL VPN Concentrator, the certificate information must be in a zipped file
containing a certificate file named server.crt and a certificate key file named server.key. If the
zipped file does not contain these two files, the zipped file will not be uploaded. Any file name
will be accepted, but it must have the .zip extension.
Note: Do not upload the CSR file to the SSL VPN Concentrator.
To upload and enable the new certificate:
1. Under the System Configuration menu in the left navigation pane, select Certificates. The
Certificates menu will display as shown in the previous section.
2. In the Import Digital Certificate table, select Browse to locate the zipped digital certificate file
on your disk or network drive.
3. Click Upload to save the file to the Cert Description table. Once the certificate has been
uploaded, the certificate is displayed in the Current Certificates table.
Note: Valid certificates generated by an authorized Certificate Authority (CA), or a
non-authorized CA, require a password. Before you enable the certificate and
restart the software, be sure to enter the correct certificate password in the
Enable Certificate window. The password for the NETGEAR default
certificate is password.
2-12 Installing the SSL312
v2.1, November 2008
Loading...