Configure SSL VPN on the X-Series Firewall to give end users remote access to corporate resources. It is recommended to use a signed certificate to avoid browser certificate warnings when accessing the SSL VPN portals.
Before you begin
- If you are running a VPN server on the same public IP address, go to VPN > Settings and verify that Use TCP Port 443 is set to No.
- Verify that you are not using DNAT access rules to redirect HTTPS traffic on the same public IP that the SSL VPN is using.
Step 1. Enable SSL VPN
When you enable the SSL VPN portal, determine if you are using a static, dynamic, or secondary IP address for the portal. Typically, the SSL VPN portal is deployed on a static public IP address with a respective DNS A resource record. The portal can also use a secondary IP address for internal access.
Static IP address
- Go to the NETWORK > IP Configuration page.
- In the Static Interface Configuration section, click Edit to configure your static WAN interface.
- In the Edit Static Network Interface window, select the SSL VPN check box.
- Click Save.
Secondary IP address
Typically, a secondary IP address is used to provide the SSL VPN portal on internal network segments.
- Go to the NETWORK > IP Configuration page.
- In the Management IP Configuration section, select the SSL VPN check box next to the required IP address in the Secondary IP Addresses table, OR
- When the IP address resides in a configured static network interface, edit the interface in the Static Interface Configuration section, and select the SSL VPN check box.
- Click Save.
Dynamic network interface
To use a dynamic interface to access the SSL VPN portals, redirect incoming HTTPS traffic to the SSL VPN service.
- Go to the FIREWALL > Firewall Rules page.
- Add a redirect access rule with the following settings:
- Name – Enter a name for the access rule. E.g., Redirect-to-SSL-VPN.
- Action – Select Redirect to Service.
- Source – Select Internet from the list, and click +.
- Destination – Select the network object representing your incoming Internet connection, and click +. E.g., DHCP1-Local-IP
- Redirected To – Select SSL VPN.
- To enable access to the SSL VPN portal via a hostname instead of only via the IP address (because the latter may change), you can use the third-party DynDNS service.
- Go to the NETWORK > IP Configuration page.
- In Dynamic Interface Configuration, enable Use Dynamic DNS for the required interface.
- Click Save.
Step 2. Configure user authentication
End users must authenticate themselves before they can access internal resources and applications via SSL VPN. You can manage user authentication either locally on the firewall or externally with Active Directory, LDAP, or RADIUS. For instructions on how to configure local or external user authentication, see Managing Users and Groups.
To specify how users are authenticated for the SSL VPN:
- Go to the VPN > SSL VPN page and click the Server Settings tab.
- In the Authentication section, select the method from the User Authentication list.
- (optional) To restrict SSL VPN access by user group:
- Set Group Access Restrictions to Yes.
- Enter the user groups that can access the SSL VPN in the Allowed Groups list, and click + after each entry. Use question marks (?) and asterisks (*) as wildcard characters.
- Enter the user groups that are denied access to the SSL VPN in the Blocked Groups list, and click + after each entry.
- Click Save.
Step 3. Configure SSL VPN settings
Configure the SSL VPN web portal, enable CudaLaunch, and configure general and appearance settings.
- Go to the VPN > SSL VPN page and click the Server Settings tab.
- To provide users access via CudaLaunch, set Enable CudaLaunch to Yes.
- Set Enforce Strong Ciphers to Yes unless you require backward compatibility with SSLv3-only clients.
- Set Allow SSLv3 to No. SSLv3 is considered unsafe.
- In the Appearance section, customize the SSL VPN portal by uploading your company's logo, and welcome and help texts.
- Click Save.
Step 4. Upload a certificate
It is recommended to install a CA-trusted SSL certificate for the SSL VPN on the X-Series Firewall, so that web browsers do not issue an SSL warning to end users when they access the portal. By default, the Web UI certificate is used.
- Go to the Advanced > Certificate Manager page.
- Upload or create a certificate. For instructions, see How to Use and Manage Certificates with the Certificate Manager.
- Go to the VPN > SSL VPN page and click on the Server Settings tab.
- Select the SSL VPN certificate you just created or uploaded from the Certificate drop-down list.
- Click Save.
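A client-side check of the Step 3 and Step 4 settings, added here as an example (it is not part of the original article or of the vendor's tooling). It connects to the portal with the system trust store, so it fails if the certificate is not CA-trusted, and reports findings if a pre-TLS 1.2 protocol was negotiated, the certificate does not name the portal, or it has expired. The portal name sslvpn.example.com and the sample certificate dictionary are assumptions constructed for the example.

```python
import socket
import ssl
import time

# Assumed portal name (not from the article); replace with the DNS A record you created.
PORTAL_HOST = "sslvpn.example.com"
PORTAL_PORT = 443  # the portal listens on HTTPS, hence the "Before you begin" checks

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(), for offline use.
SAMPLE_CERT = {
    "subject": ((("commonName", "sslvpn.example.com"),),),
    "subjectAltName": (("DNS", "sslvpn.example.com"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def name_covers(names, hostname):
    """True if any DNS name (exact or single-label wildcard) matches hostname."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def evaluate(negotiated_version, cert, hostname, now_ts=None):
    """Return findings (empty list = portal looks correctly configured)."""
    findings = []
    now_ts = time.time() if now_ts is None else now_ts
    # Step 3: SSLv3 / TLS 1.0 / TLS 1.1 must not be negotiated by the portal.
    if negotiated_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"weak protocol negotiated: {negotiated_version}")
    # Step 4: the certificate must name the portal, or browsers warn the user.
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not name_covers(sans or cns, hostname):
        findings.append(f"certificate does not cover {hostname}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now_ts:
        findings.append("certificate expired")
    return findings


def probe(host=PORTAL_HOST, port=PORTAL_PORT):
    """Live check: handshake against the system trust store (raises if the chain is untrusted)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, refuses pre-TLS 1.2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return evaluate(tls.version(), tls.getpeercert(), host)
```

Run `probe()` after Step 4 is saved; an empty list means the portal negotiated TLS 1.2 or 1.3 with a trusted certificate that matches the portal name.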
Next steps
After you enable and configure the SSL VPN, end users can access the portal in their web browsers. Configure your DNS server or service to resolve sslvpn.
To add resources for your end users to the SSL VPN portal, see: