Creating a remote access SSL VPN

We specify an IP address range for SSL clients. This is a private address range. When SSL clients log on, they are assigned an address from the range.

1. Go to VPN and click Show VPN settings.

   

2. Specify a lease range.

   

3. Click Apply.

We create a user group for the remote SSL VPN and add a user. The group specifies a surfing quota and access time. Users in the group are allowed unlimited access.

1. Go to Authentication > Groups and click Add.
2. Specify the settings.

   Option	Description
   Name	Remote SSL VPN group
   Surfing quota	Unlimited internet access
   Access time	Allowed all the time

3. Click Save.
4. Go to Authentication > Users and click Add.
5. Specify the settings.

   Option	Description
   Username	john.smith
   Name	John Smith
   Group	Remote SSL VPN group

6. Click Save.

We create hosts for the local subnet and the remote SSL VPN range. The local subnet defines the network resources that remote clients will be able to access.

1. Go to Hosts and services > IP host and click Add.
2. Type a name and IP address for the local subnet.

   

3. Click Save.
4. Click Add.
5. Type a name and IP address for the remote subnet.

   

6. Click Save.

We create a policy that allows clients in the “Remote SSL VPN group” to connect. These users are allowed to access resources on the local subnet.

1. Go to VPN > SSL VPN (remote access) and click Add.
2. Type a name and specify policy members and permitted network resources.

   

3. Click Apply.

We use local authentication for firewall authentication methods and SSL VPN authentication methods.

1. Go to Authentication > Services.
2. Check that the authentication server is set to Local.

   

3. Scroll to SSL VPN authentication methods.
4. Check that the authentication server is set to Local.

   

To be able to deploy the connection and to ensure that users have access to the connection, device access for SSL VPN and the user portal must be enabled.

1. Go to Administration > Device access.
2. Check access to SSL VPN and the user portal.

   

3. Click Apply.

1. Go to Firewall and click + Add firewall rule > User/Network rule.

   

2. Specify the settings.

   

3. Click Save.

Install an authentication client and connect to the internal network using the VPN connection.

1. Log on to the user portal.
   Warning We don't recommend enabling the web admin console on external facing (WAN) interfaces. This could allow hackers to easily identify the firewall vendor and type, and launch a targeted attack. If the user portal is not being used, we also recommend deactivating this service on WAN interfaces.

   To restrict XG Firewall user portal and web admin console to local interfaces, go to Administration > Device Access, then deselect User Portal and HTTPS from the WAN zone.

   If you enable the user portal on WAN interfaces, we recommend you set up two-factor authentication. See Configuring two-factor authentication.

2. Download the SSL VPN client.

   

3. Double-click the client installer file and follow the prompts to finish the installation.
4. Start the client and log on using the username and password.

We check the connectivity from the client and on the firewall.

• From the client, check that you have been assigned an IP address from the SSL VPN range configured earlier in the firewall.
  On Windows, start a command prompt and type ipconfig. You should see an address in the range 10.81.234.5 – 10.81.234.55.
• On the firewall, click Firewall and view traffic.