Use the SSL VPN Configuration page to enable the SSL VPN feature and configure the SSL VPN gateway settings.
1. Click VPN > SSL Remote User Access > SSL VPN Configuration.
The SSL VPN Configuration window opens.
2. Click On to enable the SSL VPN feature, which makes the security appliance an SSL VPN server, or click Off to disable it.
3. In the Mandatory Gateway area, enter the following information:
• Gateway Interface: Choose the WAN port that traffic passes through over the SSL VPN tunnels.
• Gateway Port: Enter the port number on which the SSL VPN gateway listens. By default, SSL operates on port 443, but the gateway can be set to listen on a user-defined port instead. Make sure a firewall rule permits inbound traffic to that port so that packets destined for the SSL VPN gateway are delivered. SSL VPN clients must enter the complete address pair “Gateway IP address:Gateway port number” when connecting; a client that supplies only the IP address will assume port 443.
• Certificate File: Choose the default certificate or an imported certificate that the SSL VPN gateway presents to clients to identify itself when they connect to your network resources through the SSL VPN tunnels. The default certificate is typically self-signed, so clients cannot verify the gateway's identity with it and will see a certificate warning; for production use, import a certificate issued by a CA that your clients trust. For information on importing the certificates, see Managing Certificates for Authentication, page 350.
• Client Address Pool: The SSL VPN gateway allocates IP addresses to remote VPN clients from a configurable address pool. Enter the network address of the pool that serves all remote clients; each client is assigned an address from this pool by the SSL VPN gateway.
NOTE: Configure an address range that does not overlap with any subnet in use on your local network; otherwise traffic to client and LAN addresses cannot be routed unambiguously.
• Client Netmask: Enter the netmask used for SSL VPN clients. The client netmask must be one of 255.255.255.0, 255.255.255.128, or 255.255.255.192.
The Client Address Pool is used together with the Client Netmask. The following example shows a valid combination of client address pool and client netmask. With these settings, SSL VPN clients are assigned addresses in the range 10.10.10.1 to 10.10.10.254:
– Client Address Pool = 10.10.10.0
– Client Netmask = 255.255.255.0
• Client Internet Access: Check this box to automatically create advanced NAT rules to allow SSL VPN clients to access the Internet. If you uncheck this box, you can manually create advanced NAT rules. See Allowing SSL VPN Clients to Access the Internet.
• Client Domain: Enter the domain name that should be pushed to SSL VPN clients.
• Login Banner: After a user logs in, a configurable login banner is displayed. Enter the message text to display in the banner.
4. In the Optional Gateway area, enter the following information:
• Idle Timeout: Enter the number of seconds an SSL VPN session can remain idle before it is terminated. The default value is 2100 seconds.
• Session Timeout: Enter the maximum number of seconds an SSL VPN session can remain active. The default value is 0 seconds, which means the session is never terminated because of its age.
• Client DPD Timeout: Dead Peer Detection (DPD) lets each side of the tunnel detect that the other has stopped responding. Enter the number of seconds the gateway maintains a session with a remote client that has stopped responding. The default value is 300 seconds.
• Gateway DPD Timeout: Enter the number of seconds the client maintains a session with an SSL VPN gateway that has stopped responding. The default value is 300 seconds.
NOTE: If the SSL VPN gateway does not respond for two or three DPD timeout periods, the SSL VPN session is terminated.
• Keep Alive: Enter the interval, in seconds, at which the SSL VPN client sends keepalive messages. These messages keep the SSL VPN connection open even when an intermediate device, such as a proxy, firewall, or NAT device, limits how long it retains an idle connection; set the interval shorter than that device's idle timeout.
• Lease Duration: Enter the amount of time after which the SSL VPN client must send an IP address lease renewal request to the server. The default value is 43200 seconds.
• Max MTU: Enter the maximum transmission unit for the session. The default value is 1406 bytes.
• Rekey Method: Specify the session rekey method (SSL or New Tunnel). Rekeying renegotiates the session keys after the session has been established, which limits how much traffic is protected by any one key.
• Rekey Interval: Enter the number of seconds between rekeys. The default value is 3600 seconds.
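The following Python script is an added example, not part of the original guide and not a feature of the appliance. It checks the values from steps 3 and 4 before you commit them on the SSL VPN Configuration page: that the client netmask is one of the three accepted values, that the client address pool is a network address rather than a host address, that the pool does not overlap the local subnets you pass in, and that the timers are consistent with one another. The field names, the `local_networks` input, the keep-alive default of 60 seconds, and the timer sanity rules are the editor's assumptions; the page itself only states the defaults and the accepted netmasks.

```python
"""Sanity-check SSL VPN gateway settings before entering them on the appliance.

Added example (not the appliance's own code). Field names follow the SSL VPN
Configuration page; the checks are the editor's, and the keep-alive default and
the timer rules below are assumptions, not values from the guide.
"""
import ipaddress
from dataclasses import dataclass

# The only client netmasks the page says the gateway accepts (/24, /25, /26).
ALLOWED_CLIENT_NETMASKS = ("255.255.255.0", "255.255.255.128", "255.255.255.192")


@dataclass
class SslVpnGatewayConfig:
    gateway_port: int = 443
    client_address_pool: str = "10.10.10.0"
    client_netmask: str = "255.255.255.0"
    local_networks: tuple = ()          # LAN subnets in CIDR form (assumed input, not a form field)
    idle_timeout: int = 2100            # seconds, page default
    session_timeout: int = 0            # seconds, 0 = never expires (page default)
    client_dpd_timeout: int = 300       # seconds, page default
    gateway_dpd_timeout: int = 300      # seconds, page default
    keep_alive: int = 60                # seconds; the page gives no default, 60 is assumed
    lease_duration: int = 43200         # seconds, page default
    max_mtu: int = 1406                 # bytes, page default
    rekey_interval: int = 3600          # seconds, page default


def client_address_range(pool: str, netmask: str):
    """Return (first, last) client addresses the gateway can hand out for a pool/netmask pair.

    Raises ValueError when the netmask is not accepted or the pool is not the
    network address (i.e. it has host bits set), mirroring the page's rules.
    """
    if netmask not in ALLOWED_CLIENT_NETMASKS:
        raise ValueError(f"client netmask {netmask} is not one of {ALLOWED_CLIENT_NETMASKS}")
    # strict=True rejects e.g. 10.10.10.5/24 with "... has host bits set".
    net = ipaddress.IPv4Network(f"{pool}/{netmask}", strict=True)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def validate(cfg: SslVpnGatewayConfig):
    """Return a list of problems; an empty list means the settings pass every check."""
    problems = []

    if not 1 <= cfg.gateway_port <= 65535:
        problems.append(f"gateway port {cfg.gateway_port} is outside 1-65535")

    try:
        client_address_range(cfg.client_address_pool, cfg.client_netmask)
    except ValueError as err:
        problems.append(f"client address pool: {err}")
    else:
        # NOTE on the page: the pool must not overlap any local subnet.
        pool_net = ipaddress.IPv4Network(f"{cfg.client_address_pool}/{cfg.client_netmask}")
        for lan in cfg.local_networks:
            if pool_net.overlaps(ipaddress.IPv4Network(lan)):
                problems.append(f"client address pool {pool_net} overlaps local network {lan}")

    # Timers that must be positive (assumed rule: a zero here would disable the mechanism).
    for name in ("idle_timeout", "client_dpd_timeout", "gateway_dpd_timeout",
                 "keep_alive", "lease_duration", "rekey_interval"):
        if getattr(cfg, name) <= 0:
            problems.append(f"{name} must be greater than 0 seconds")
    if cfg.session_timeout < 0:
        problems.append("session timeout must be 0 (unlimited) or a positive number of seconds")

    # Assumed consistency rules: a session limit shorter than the idle limit makes the
    # idle timeout irrelevant, and keepalives spaced wider than the client DPD timeout
    # let DPD tear down a healthy but quiet client.
    if cfg.session_timeout and cfg.session_timeout < cfg.idle_timeout:
        problems.append("session timeout is shorter than idle timeout; the idle timeout can never fire")
    if cfg.keep_alive >= cfg.client_dpd_timeout:
        problems.append("keep-alive interval must be shorter than the client DPD timeout")

    # Ethernet MTU is 1500 bytes; the tunnel MTU cannot usefully exceed it (assumed bound).
    if not 0 < cfg.max_mtu <= 1500:
        problems.append(f"max MTU {cfg.max_mtu} is outside 1-1500 bytes")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the page's own pool example against an unrelated LAN.
    cfg = SslVpnGatewayConfig(local_networks=("192.168.75.0/24",))
    print(client_address_range(cfg.client_address_pool, cfg.client_netmask))
    print(validate(cfg) or "configuration passes all checks")
```

Run it with the pool and netmask you intend to enter and the CIDR blocks of your LAN; any string it returns names the field on the page to correct. With the page's example (pool 10.10.10.0, netmask 255.255.255.0) it reports the assignable range 10.10.10.1 to 10.10.10.254.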