How To Configure SSL VPN in Cyberoam

How To Configure SSL VPN in Cyberoam

Applicable Version: 10.00 onwards

Overview
SSL (Secure Socket Layer) VPN provides simple-to-use, secure access for remote users to the
corporate network from anywhere, anytime. It enables creation of point-to-point encrypted tunnels
between remote user and companys internal network, requiring combination of SSL certificates and a
username/password for authentication.

Cyberoam allows remote users access to the corporate network in 3 Modes:

- Tunnel Access Mode: User gains access through a remote SSL VPN Client.
- Web Access Mode: Remote users can access SSL VPN using a web browser only, i.e.,
clientless access.
- Application Access Mode: users can access web applications as well as certain enterprise
applications through a web browser, i.e., clientless access.

Scenario
Configure SSL VPN in Cyberoam such that the remote user shown in the diagram below is able to
access the Web and Intranet Servers in the companys internal network. The user is to have Full
Access, i.e., Tunnel, Web and Application Access. The network particulars given below are used as
an example throughout this article.
 How To Configure SSL VPN in Cyberoam

Network Parameters

Configuration Parameter Value

Cyberoam WAN IP 203.10.10.100
LAN Network 172.16.16.0/24
Intranet Server IP 172.16.16.1
Web Server IP 172.16.16.2
IP Range Leased to user after successful
10.10.10.1 to 10.10.10.254
connection through SSL VPN

Configuration
Configure SSL VPN in Cyberoam by following the steps given below. You must be logged on to the
Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Generate Default Certificate Authority

To generate the default Certificate Authority, go to System > Certificate > Certificate Authority and
click Default CA.

Update the Default CA as shown below.

Click OK to generate Default Certificate Authority.

Note:

If you are using an external certificate authority, you can upload the same by following steps
mentioned in the article Add an External Certificate Authority (CA) in Cyberoam.
 How To Configure SSL VPN in Cyberoam

Step 2: Create self-signed Certificate

To create a self-signed Certificate, go to System > Certificate > Certificate and click Add. Generate
a Self Signed Certificate as shown below.

Click OK to create the certificate.

Step 3: Configure SSL Global Parameters

To set global parameters for tunnel access, go to VPN > SSL > Tunnel Access and configure tunnel
access settings with following values:

Parameter Value Description

Select default protocol for all the SSL VPN
Protocol TCP
clients.
Select SSL Server certificate from the
SSL Server Certificate SSLVPN_SelfSigned
dropdown list to be used for authentication
SSL server uses certificate to authenticate
the remote client. One can use the common
Per User Certificate Disabled
certificate for all the users or create
individual certificate for each user
Select the SSL Client certificate from the
SSL Client Certificate SSLVPN_SelfSigned dropdown list if you want to use common
certificate for authentication
10.10.10.1 to Specify the range of IP addresses reserved
IP Lease Range
10.10.10.45 for the SSL Clients
Subnet Mask 255.255.255.0 Specify Subnet mask
Primary DNS 4.2.2.2 Specify IP address of Primary DNS
Secondary DNS 8.8.8.8 Specify IP address of Secondary DNS
Enable DPD Enabled Click to enable Dead Peer Detection.
 How To Configure SSL VPN in Cyberoam

Specify time interval in the range of 60 to

Check Peer after every 60 3600 seconds after which the peer should
be checked for its status.
Specify time interval in the range of 300 to
Disconnect after 300 1800 seconds after which the connection
should be disconnected if peer is not live.
Specify idle timeout. Connection will be
Idle Time Out 15 dropped after the configured inactivity time
and user will be forced to re-login.
Once the idle timeout is reached, before
dropping the connection, appliance will
Data Transfer Threshold 250 check the data transfer. If data transfer is
more than the configured threshold,
connection will be dropped.

To set global Idle Time for Web Access Mode, go to VPN > SSL > Web Access and set Idle Time as
shown below.
 How To Configure SSL VPN in Cyberoam

Step 4: Create Bookmarks (Applicable for Web and Application Access Mode Only)
Bookmarks are the resources whose access is available through SSL VPN Web portal. You can also
create a group of bookmarks that can be configured in SSL VPN Policy. These resources are
available in Web and Application Access mode only.

To create Bookmark, go to VPN > SSL > Bookmark and click Add. Create Bookmark using following
parameters.

Parameter Value Description

Name Telnet Name to identify Bookmark.
Type TELNET Specify type of bookmark.
Specify URL at which telnet
URL 192.168.1.120 sessions are allowed to
remote users.

Click OK to create Bookmark.

Similarly, create a bookmark Intranet of type HTTP to allow access to the internal Intranet server.

Note:

Intranet is accessible in Web as well as Application Access Mode, while Telnet is accessible in
Application Access Mode.
 How To Configure SSL VPN in Cyberoam

Step 5: Configure SSL VPN Policy

To configure SSL VPN policy, go to VPN > SSL > Policy and click Add. Create policy using
parameters given below.

Parameter Value Description

Add SSL VPN Policy
Name Full_Access Name to identify the SSL VPN policy
Tunnel Access Mode
Web Access Mode Select the access mode by clicking the appropriate
Access Mode
Application Access option.
Mode
Tunnel Access Settings
Select tunnel type. Tunnel type determines how the
Tunnel Type Split Tunnel
remote users traffic will be routed.
Accessible Select Hosts or Networks that remote user can
<As required>
Resources access.
Web Access Settings
Enable Arbitary Enable to access custom URLs not defined as
Enabled
URL Access Bookmarks.
Accessible Select Bookmarks/Bookmarks Group that remote
Intranet
Resources user can access.
Application Access Settings
Accessible Intranet Select Bookmarks/Bookmarks Group that remote
Resources Telnet user can access.
 How To Configure SSL VPN in Cyberoam

Step 6: Apply SSL VPN Policy on User

To apply SSL VPN policy on user, follow the steps given below.

Go to Identity > Users > User and select the user to which policy is to be applied. Here we have
applied it on user John Smith. Under Policies section, select Full_Access for SSL VPN as shown
below.
 How To Configure SSL VPN in Cyberoam

Click OK to update the users SSL VPN Policy.

Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are
not present, create them manually. They are necessary for the VPN connections to function properly.

Step 7: Download and Install SSL VPN Client at Remote End

Remote users can login to Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of
Cyberoam:port> and logging in.

Note:

Use default port: 8443 unless customized. Access is available only to those users who have been
assigned an SSL VPN policy.
 How To Configure SSL VPN in Cyberoam

User is directed to the Main Page which displays Tunnel, Web or Application Access Mode section
according to policy applied on user.
 How To Configure SSL VPN in Cyberoam

For Tunnel Access, user needs to access internal resources through an SSL VPN Client.

- Download the SSL VPN client from the Cyberoam website by clicking Installer.
- Download the client configuration from the Portal.
- Install the client on the remote users system. On complete installation, the CrSSL Client icon
appears in the system tray.
- Right-click the Client icon and click Import. Import the SSL VPN configuration downloaded
from the Portal.
- Login to the Client and access the companys internal network through SSL VPN.

For Web and Application Access, user can access internal resources using web browser, i.e.,
clientless access. In this, user needs to browse to https://<WAN IP address of Cyberoam:port> and
login.

Document Version: 3.1 24 June, 2015