Operation: Configure SSLVPN Tunnel Access
Description: Configures SSL VPN Tunnel Access mode, which provides remote access for users.

Sample Configuration
<SSLTunnelAccessSettings>
  <Protocol>UDP/TCP</Protocol>
  <SSLServerCertificate>ApplianceCertificate</SSLServerCertificate>
  <OverrideHostName>Text</OverrideHostName>
  <Port>Number</Port>
  <IPLeaseRange>
    <StartIP>ip</StartIP>
    <EndIP>ip</EndIP>
  </IPLeaseRange>
  <SubnetMask>255.255.255.0</SubnetMask>
  <IPv6Lease />
  <IPv6Prefix />
  <LeaseMode>IPv4/IPv4 and IPv6</LeaseMode>
  <PrimaryDNSIPv4>ip</PrimaryDNSIPv4>
  <SecondaryDNSIPv4>ip</SecondaryDNSIPv4>
  <PrimaryWINSIPv4>ip</PrimaryWINSIPv4>
  <SecondaryWINSIPv4>ip</SecondaryWINSIPv4>
  <DomainName>Text</DomainName>
  <DisconnectDeadPeerAfter>180</DisconnectDeadPeerAfter>
  <DisconnectIdlePeerAfter>15</DisconnectIdlePeerAfter>
  <EncryptionAlgorithm>AES-256-GCM/AES-192-GCM/AES-128-GCM/AES-256-CBC/AES-192-CBC/AES-128-CBC/DES-EDE3-CBC/BF-CBC</EncryptionAlgorithm>
  <AuthenticationAlgorithm>SHA1/SHA256/SHA384/SHA512/MD5</AuthenticationAlgorithm>
  <Keysize>1024bit/2048bit</Keysize>
  <KeyLifetime>Number</KeyLifetime>
  <CompressSSLVPNTraffic>Enable/Disable</CompressSSLVPNTraffic>
  <DebugMode>Enable/Disable</DebugMode>
  <SecurityHeartbeat>Enable/Disable</SecurityHeartbeat>
  <SaveCredential>Enable/Disable</SaveCredential>
  <TwoFAToken>Enable/Disable</TwoFAToken>
  <AdLogon>Enable/Disable</AdLogon>
  <AutoConnect>Enable/Disable</AutoConnect>
  <HostorDNSName>FQDN name</HostorDNSName>
  <StaticIPAddresses>Enable/Disable</StaticIPAddresses>
</SSLTunnelAccessSettings>



Parameters (each entry gives the parameter name, whether it is mandatory, its default, and then its description and constraints)

Protocol (mandatory: yes; default: none)
Select the protocol used for the SSL VPN connection: TCP or UDP.
Protocol confines to:
  • Type is 'SCALAR'.
  • Only 'TCP', 'UDP' are allowed.

SSLServerCertificate (mandatory: yes; default: none)
Select the SSL server certificate the appliance presents to clients for authentication.
SSLServerCertificate confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.

StartIP (mandatory: yes; default: none)
Specify the starting IP address of the range from which addresses are leased to SSL VPN clients. The range is closed by EndIP inside IPLeaseRange, as shown in the sample configuration.
StartIP confines to:
  • Type is 'SCALAR'.
  • Datatype is 'IPADDRESS'.
  • Maximum characters allowed are 15.
  • Any IP class except 'MULTICAST', 'RESERVED', 'LOCALHOST', 'UNSPECIFIED', 'BROADCAST', 'LINKLOCAL' is allowed.

SubnetMask (mandatory: yes; default: none)
Specify the subnet mask for the lease range.
SubnetMask confines to:
  • Type is 'SCALAR'.
  • Datatype is 'IPADDRESS'.
  • Maximum characters allowed are 15.

IPv6Lease (mandatory: yes; default: none)
Sets the IPv6 address for the interface in the IPv6 configuration. The sample configuration shows this element empty.
IPv6Lease confines to:
  • Type is 'SCALAR'.
  • Datatype is 'IPADDRESS6'.
  • Maximum characters allowed are 45.

IPv6Prefix (mandatory: yes; default: none)
Sets the prefix length for the IPv6 configuration. The sample configuration shows this element empty.
IPv6Prefix confines to:
  • Type is 'SCALAR'.
  • Datatype is 'INTEGER'.
  • Range 64 to 112 is allowed.
  • Maximum digits allowed are 3.

LeaseMode (mandatory: yes; default: none)
Select the lease mode: IPv4 only, or IPv4 and IPv6.
LeaseMode confines to:
  • Type is 'SCALAR'.
  • Only 'IPv4 and IPv6', 'IPv4' are allowed.

PrimaryDNSIPv4 (mandatory: no; default: none)
Specify the primary DNS server IP address.
PrimaryDNSIPv4 confines to:
  • Type is 'SCALAR'.
  • Datatype is 'IPADDRESS'.
  • Maximum characters allowed are 15.
  • Any IP class except 'MULTICAST', 'RESERVED', 'LOCALHOST', 'UNSPECIFIED', 'BROADCAST', 'LINKLOCAL' is allowed.

SecondaryDNSIPv4 (mandatory: no; default: none)
Specify the secondary DNS server IP address.
SecondaryDNSIPv4 confines to:
  • Type is 'SCALAR'.
  • Datatype is 'IPADDRESS'.
  • Maximum characters allowed are 15.
  • Any IP class except 'MULTICAST', 'RESERVED', 'LOCALHOST', 'UNSPECIFIED', 'BROADCAST', 'LINKLOCAL' is allowed.

PrimaryWINSIPv4 (mandatory: no; default: none)
Specify the primary WINS server IP address.
PrimaryWINSIPv4 confines to:
  • Type is 'SCALAR'.
  • Datatype is 'IPADDRESS'.
  • Maximum characters allowed are 15.

SecondaryWINSIPv4 (mandatory: no; default: none)
Specify the secondary WINS server IP address.
SecondaryWINSIPv4 confines to:
  • Type is 'SCALAR'.
  • Datatype is 'IPADDRESS'.
  • Maximum characters allowed are 15.

DisconnectDeadPeerAfter (mandatory: no; default: 300)
Specify the time in seconds after which the connection is dropped if the peer is no longer responding.
DisconnectDeadPeerAfter confines to:
  • Type is 'SCALAR'.
  • Datatype is 'INTEGER'.
  • Range 60 to 1800 is allowed.

DisconnectIdlePeerAfter (mandatory: no; default: 15)
Specify the user inactivity time in minutes after which the connection is dropped.
DisconnectIdlePeerAfter confines to:
  • Type is 'SCALAR'.
  • Datatype is 'INTEGER'.
  • Range 15 to 360 is allowed.

EncryptionAlgorithm (mandatory: no; default: none)
Select the encryption algorithm used to protect tunnel traffic. 'DES-EDE3-CBC' and 'BF-CBC' have a 64-bit block size and are exposed to birthday-bound (SWEET32) attacks on long-lived tunnels; prefer an AES-GCM option and keep the legacy ciphers only while an old client still needs them.
EncryptionAlgorithm confines to:
  • Type is 'SCALAR'.
  • Only 'AES-256-GCM', 'AES-192-GCM', 'AES-128-GCM', 'AES-256-CBC', 'AES-192-CBC', 'AES-128-CBC', 'DES-EDE3-CBC', 'BF-CBC' are allowed.

AuthenticationAlgorithm (mandatory: no; default: none)
Select the hash algorithm used for tunnel packet authentication. 'MD5' and 'SHA1' remain for compatibility with older clients; use 'SHA256' or stronger for new deployments.
AuthenticationAlgorithm confines to:
  • Type is 'SCALAR'.
  • Only 'SHA1', 'SHA256', 'SHA384', 'SHA512', 'MD5' are allowed.

Keysize (mandatory: no; default: none)
Specify the key size. '1024bit' is below current minimum recommendations for public-key material; select '2048bit'.
Keysize confines to:
  • Type is 'SCALAR'.
  • Only '1024bit', '2048bit' are allowed.

KeyLifetime (mandatory: no; default: none)
Specify the key lifetime in seconds.
KeyLifetime confines to:
  • Type is 'SCALAR'.
  • Datatype is 'INTEGER'.
  • Range 60 to 86400 is allowed.

CompressSSLVPNTraffic (mandatory: no; default: none)
Enable/Disable compression of tunnel traffic. Compressing data before encrypting it lets ciphertext length reveal information about the plaintext (the CRIME/VORACLE class of attack); leave it disabled unless bandwidth constraints force the trade-off.
CompressSSLVPNTraffic confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.

DebugMode (mandatory: no; default: none)
Enable/Disable debugging mode. Keep it disabled in production; it produces verbose logs.
DebugMode confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.

OverrideHostName (mandatory: no; default: none)
Specify a hostname that overrides the appliance's default in the client configuration.
OverrideHostName confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.

DomainName (mandatory: no; default: none)
Specify the domain name.
DomainName confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.

Port (mandatory: no; default: none)
Specify the SSL VPN port.
Port confines to:
  • Type is 'SCALAR'.
  • Datatype is 'INTEGER'.
  • Range 1 to 65535 is allowed.

SecurityHeartbeat (mandatory: no; default: Disable)
Sends the endpoint's Security Heartbeat through the tunnel.
SecurityHeartbeat confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.

SaveCredential (mandatory: no; default: Disable)
Allows users to save their username and password in the client. Enabling this lets anyone with access to the endpoint connect without re-entering credentials; keep it disabled, or pair it with TwoFAToken.
SaveCredential confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.

TwoFAToken (mandatory: no; default: Disable)
Requires users to enter a one-time password to establish the tunnel, which limits what a stolen password alone can do.
TwoFAToken confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.

AdLogon (mandatory: no; default: Disable)
Runs the Active Directory sign-in script after connecting the tunnel.
AdLogon confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.

AutoConnect (mandatory: no; default: Disable)
Connects the tunnel automatically.
AutoConnect confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.

HostorDNSName (mandatory: no; default: none)
Checks whether the hostname or domain name can be reached when the tunnel connects automatically (used together with AutoConnect).
HostorDNSName confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 255.

StaticIPAddresses (mandatory: no; default: none)
Turns the static IP address option on or off.
StaticIPAddresses confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'Enable' are allowed.
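As an added example that is not part of the Sophos documentation or the appliance's own tooling: a Python script that builds an SSLTunnelAccessSettings element from a hardened baseline and lints any such document against the constraints tabulated above (mandatory elements, allowed values, integer ranges, excluded IP address classes, a well-formed subnet mask), then applies a stricter baseline that rejects the legacy ciphers, hashes and key size the API still accepts. The addresses, port, certificate name and the "weak" judgements are the editor's assumptions, as are the lease-range ordering check and the rule that IPv6Lease/IPv6Prefix are only needed in dual-stack mode; the script does not talk to an appliance.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constraints transcribed from the parameter table on this page.
ENUMS = {
    "Protocol": {"TCP", "UDP"}, "LeaseMode": {"IPv4", "IPv4 and IPv6"},
    "EncryptionAlgorithm": {"AES-256-GCM", "AES-192-GCM", "AES-128-GCM", "AES-256-CBC",
                            "AES-192-CBC", "AES-128-CBC", "DES-EDE3-CBC", "BF-CBC"},
    "AuthenticationAlgorithm": {"SHA1", "SHA256", "SHA384", "SHA512", "MD5"},
    "Keysize": {"1024bit", "2048bit"},
    **{t: {"Enable", "Disable"} for t in ("CompressSSLVPNTraffic", "DebugMode", "SecurityHeartbeat",
       "SaveCredential", "TwoFAToken", "AdLogon", "AutoConnect", "StaticIPAddresses")},
}
RANGES = {"IPv6Prefix": (64, 112), "DisconnectDeadPeerAfter": (60, 1800),
          "DisconnectIdlePeerAfter": (15, 360), "KeyLifetime": (60, 86400), "Port": (1, 65535)}
MANDATORY = ("Protocol", "SSLServerCertificate", "StartIP", "SubnetMask", "LeaseMode")
CLASS_CHECKED = ("StartIP", "EndIP", "PrimaryDNSIPv4", "SecondaryDNSIPv4")
# Accepted by the API but rejected by this lint (editor's baseline, not stated on the page).
WEAK = {
    "EncryptionAlgorithm": {"DES-EDE3-CBC": "64-bit block cipher (SWEET32)", "BF-CBC": "64-bit block cipher (SWEET32)"},
    "AuthenticationAlgorithm": {"MD5": "broken hash", "SHA1": "deprecated hash"},
    "Keysize": {"1024bit": "below the 2048-bit minimum"},
    "DebugMode": {"Enable": "verbose logging left on"},
    "SaveCredential": {"Enable": "credentials cached on the endpoint"},
}
# Element order as in the page's sample configuration; IPLeaseRange wraps StartIP and EndIP.
ORDER = ("Protocol", "SSLServerCertificate", "OverrideHostName", "Port", "IPLeaseRange", "SubnetMask",
         "IPv6Lease", "IPv6Prefix", "LeaseMode", "PrimaryDNSIPv4", "SecondaryDNSIPv4", "PrimaryWINSIPv4",
         "SecondaryWINSIPv4", "DomainName", "DisconnectDeadPeerAfter", "DisconnectIdlePeerAfter",
         "EncryptionAlgorithm", "AuthenticationAlgorithm", "Keysize", "KeyLifetime", "CompressSSLVPNTraffic",
         "DebugMode", "SecurityHeartbeat", "SaveCredential", "TwoFAToken", "AdLogon", "AutoConnect",
         "HostorDNSName", "StaticIPAddresses")
# Constructed hardened baseline; addresses, port and certificate name are placeholders.
HARDENED = {
    "Protocol": "UDP", "SSLServerCertificate": "ApplianceCertificate", "Port": "8443",
    "StartIP": "10.81.234.1", "EndIP": "10.81.234.254", "SubnetMask": "255.255.255.0", "LeaseMode": "IPv4",
    "PrimaryDNSIPv4": "10.0.0.53", "DisconnectDeadPeerAfter": "180", "DisconnectIdlePeerAfter": "15",
    "EncryptionAlgorithm": "AES-256-GCM", "AuthenticationAlgorithm": "SHA256", "Keysize": "2048bit",
    "KeyLifetime": "3600", "CompressSSLVPNTraffic": "Disable", "DebugMode": "Disable",
    "SecurityHeartbeat": "Enable", "SaveCredential": "Disable", "TwoFAToken": "Enable",
}

def build_settings(**overrides):
    """Serialise <SSLTunnelAccessSettings> from HARDENED plus any overrides; unset tags stay empty."""
    values = {**HARDENED, **overrides}
    root = ET.Element("SSLTunnelAccessSettings")
    for tag in ORDER:
        if tag == "IPLeaseRange":
            rng = ET.SubElement(root, tag)
            for child in ("StartIP", "EndIP"):
                ET.SubElement(rng, child).text = values.get(child, "")
        else:
            ET.SubElement(root, tag).text = values.get(tag, "")
    return ET.tostring(root, encoding="unicode")

def _valid_mask(mask):
    """Contiguous-ones netmask; IPv4Network alone would also accept a hostmask such as 0.0.0.255."""
    try:
        inv = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    except ValueError:
        return False
    return inv != 0xFFFFFFFF and inv & (inv + 1) == 0

def lint(xml_text):
    """Return findings for an <SSLTunnelAccessSettings> document; an empty list means clean."""
    root = ET.fromstring(xml_text)
    def get(tag):  # './/' also reaches StartIP/EndIP inside IPLeaseRange
        el = root.find(f".//{tag}")
        return (el.text or "").strip() if el is not None else ""
    findings = [f"{t}: mandatory but empty" for t in MANDATORY if not get(t)]
    findings += [f"{t}: '{get(t)}' not one of {sorted(a)}" for t, a in ENUMS.items()
                 if get(t) and get(t) not in a]
    findings += [f"{t}: '{get(t)}' outside {lo}..{hi}" for t, (lo, hi) in RANGES.items()
                 if get(t) and not (get(t).isdigit() and lo <= int(get(t)) <= hi)]
    for tag in CLASS_CHECKED:
        try:
            ip = ipaddress.IPv4Address(get(tag)) if get(tag) else None
        except ValueError:
            findings.append(f"{tag}: '{get(tag)}' is not an IPv4 address")
            continue
        if ip and (ip.is_multicast or ip.is_reserved or ip.is_loopback or ip.is_unspecified
                   or ip.is_link_local or ip == ipaddress.IPv4Address("255.255.255.255")):
            findings.append(f"{tag}: {ip} is in an address class the page excludes")
    if get("SubnetMask") and not _valid_mask(get("SubnetMask")):
        findings.append(f"SubnetMask: '{get('SubnetMask')}' is not a valid netmask")
    try:  # assumption: the lease range must be ordered; the page does not say so
        if ipaddress.IPv4Address(get("StartIP")) > ipaddress.IPv4Address(get("EndIP")):
            findings.append("IPLeaseRange: StartIP is above EndIP")
    except ValueError:
        pass
    # Assumption: IPv6 fields matter only in dual-stack mode (table says mandatory, sample leaves them empty).
    if get("LeaseMode") == "IPv4 and IPv6":
        findings += [f"{t}: required when LeaseMode is 'IPv4 and IPv6'"
                     for t in ("IPv6Lease", "IPv6Prefix") if not get(t)]
    findings += [f"{t}: '{get(t)}' is weak ({r[get(t)]})" for t, r in WEAK.items() if get(t) in r]
    return findings

# Constructed input mirroring the weakest choices the API still accepts.
WEAK_SAMPLE = build_settings(EncryptionAlgorithm="BF-CBC", AuthenticationAlgorithm="MD5",
                             Keysize="1024bit", DebugMode="Enable", SaveCredential="Enable",
                             DisconnectIdlePeerAfter="5", PrimaryDNSIPv4="224.0.0.251")
```

Running lint(WEAK_SAMPLE) yields seven findings (the out-of-range idle timeout, the multicast DNS address, and the five weak settings), while lint(build_settings()) on the hardened baseline returns an empty list. The two checks that go beyond the page, lease-range ordering and the dual-stack rule for IPv6Lease/IPv6Prefix, are flagged as assumptions in the code and are easy to drop if the appliance behaves differently.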



Operation                        Status   Message
Configure SSLVPN Tunnel Access   200
Configure SSLVPN Tunnel Access   500
Configure SSLVPN Tunnel Access   541
Configure SSLVPN Tunnel Access   542
Configure SSLVPN Tunnel Access   543
Configure SSLVPN Tunnel Access   544


© Copyright 2019 Sophos Firewall Limited. All rights reserved.
Sophos Firewall is registered trademarks of Sophos Firewall Limited and Sophos Firewall Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.