D-Link NetDefendOS

912 pages
A descriptive name for the object used for display in the NetDefendOS configuration.
Inner IP
This is the IP address within the tunnel that SSL VPN clients will connect to.
All clients that connect to the SSL VPN object interface are allocated an IP from the SSL VPN
interface's IP Pool. All the pool addresses as well as the Inner IP must belong to the same
network and these define the relationship between the firewall and the connecting clients.
A private IP network should be used for this purpose. The Inner IP itself must not be one of
the IP Pool addresses that can be handed out to connecting SSL VPN clients.
Tip: The Inner IP can be pinged
For troubleshooting purposes, an ICMP Ping can be sent to the Inner IP address. In
order for NetDefendOS to be able to respond, an IP rule must exist that allows traffic to
flow from the SSL VPN interface to core (in other words, to NetDefendOS itself).
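The Inner IP and IP Pool rules above can be checked before the addresses are entered into the configuration. The following is an added example, not part of the D-Link manual or NetDefendOS: the function name, the "first-last" pool notation, passing the shared network as a CIDR string, and reading "private IP network" as the RFC 1918 ranges are all assumptions, and it handles IPv4 only.

```python
import ipaddress

# RFC 1918 ranges, used here as the meaning of "private IP network" (assumption).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_sslvpn_addressing(network, inner_ip, pool_range):
    """Check a planned SSL VPN addressing scheme (IPv4).

    network    -- CIDR of the network shared by the Inner IP and the IP Pool
    inner_ip   -- planned Inner IP
    pool_range -- IP Pool as "first-last" (or a single address)
    Returns a list of (code, message); an empty list means no findings.
    """
    net = ipaddress.ip_network(network)
    inner = ipaddress.ip_address(inner_ip)
    first_s, _, last_s = pool_range.partition("-")
    first = ipaddress.ip_address(first_s.strip())
    last = ipaddress.ip_address(last_s.strip() or first_s.strip())

    if first > last:
        return [("pool-reversed", "IP Pool start is higher than its end")]
    findings = []
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append(("not-private", f"{net} is not a private network"))
    if inner not in net:
        findings.append(("inner-outside", f"Inner IP {inner} is not in {net}"))
    # A CIDR network is contiguous, so checking both ends covers the whole pool.
    if first not in net or last not in net:
        findings.append(("pool-outside", f"IP Pool {first}-{last} is not fully in {net}"))
    if first <= inner <= last:
        findings.append(("inner-in-pool", f"Inner IP {inner} could be handed out to a client"))
    return findings


# Constructed sample plans (not taken from the manual).
if __name__ == "__main__":
    plans = {
        "good": ("192.168.100.0/24", "192.168.100.1", "192.168.100.10-192.168.100.50"),
        "inner in pool": ("192.168.100.0/24", "192.168.100.20", "192.168.100.10-192.168.100.50"),
        "split networks": ("192.168.100.0/24", "192.168.100.1", "192.168.101.10-192.168.101.50"),
    }
    for name, plan in plans.items():
        print(name, [code for code, _ in check_sslvpn_addressing(*plan)])
```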
Outer Interface
The interface on which to listen for SSL VPN connection attempts. This could be a physical
Ethernet interface but it could also be another logical interface. For example, a PPPoE or
VLAN interface could be used.
Server IP
The Ethernet interface IP address on which to listen for SSL VPN connection attempts by
clients. This will typically be a public IPv4 address which will be initially accessed using a web
browser across the public Internet. The following should be noted about this IP:
i. The Server IP must be specified and will not default to the IP of the Outer Interface.
ii. The Server IP cannot be an IP address which is ARP published on the interface. In order
for SSL to work on ARP published IPs, a core route with an accompanying proxy ARP
property must be used. This is done with the following steps:
    a. Define a route with the Interface property set to core and the Network property set to
       the Server IP value.
    b. Set the route's Proxy ARP property to the interfaces which clients are connecting to.
    Proxy ARP is explained further in Section 4.2.6, “Proxy ARP”.
Server Port
The TCP/IP port number at the Server IP used in listening for SSL VPN connection attempts by
clients. The default value is 443, which is the standard port number for SSL.
Client IP Options
Dynamic Server Address
Rather than a fixed IP address for the SSL VPN Server IP being handed out to clients, this option
makes it possible to hand out a Fully Qualified Domain Name (FQDN).
For example, the FQDN might be specified as server.example.com. When a client connects to
Chapter 9: VPN