Configuring Advanced SSL Settings

  1. Open the Remote Access > SSL > Settings tab.

  2. In the Server Settings section, make the following settings:

    Interface address: Select the interface address that all SSL VPN clients must use. By default, Any is selected. When using the web application firewall, you need to specify a dedicated interface address on which the service listens for SSL connections.

    Protocol: Select the network protocol that all SSL VPN clients must use. By default, this is set to TCP.

    Port: Select the port that all SSL VPN clients must use. By default, this is set to 443.

    Override hostname: Leave this field empty if you want the gateway's hostname to be the target hostname for client VPN connections. Only enter a different hostname if the gateway's hostname is not reachable from the Internet.

  3. Click Apply to save your settings.

  4. In the Virtual IP Pool section, select a pool network:

    Pool network: The default settings assign addresses from the private IP space 10.242.2.x/24. This network is called the VPN Pool (SSL). If you wish to use a different network, change the definition of the VPN Pool (SSL) on the Definitions & Users > Network Definitions page.

  5. Click Apply to save your settings.

  6. Open the Remote Access > SSL > Advanced tab.

  7. In the Cryptographic Settings section, make the following settings:

    This section controls the encryption parameters for all SSL VPN remote access clients.

    Encryption algorithm: Supported algorithms (all in Cipher Block Chaining (CBC) mode) are DES-EDE3 168-bit (3DES), AES (Rijndael) 128-bit/192-bit/256-bit, and Blowfish (BF).

    Authentication algorithm: Supported algorithms are MD5 (128-bit) and SHA1 (160-bit).

    Key size: The key size (key length) is the length of the key used in the Diffie-Hellman key exchange. The longer this key is, the better protected the negotiated symmetric keys are. The length is specified in bits. You can choose between a key size of 1024 or 2048 bits.

    Server certificate: Select a local SSL certificate to be used by the SSL VPN server to identify itself to the clients (in this example: Local X.509 Cert; this certificate is preset automatically).

    Key lifetime: Enter a time period after which the key will expire. The default is 28,800 seconds.

  8. Click Apply to save your settings.

  9. Optionally, turn traffic compression on.

    In the Compression Settings section, make the following settings.

  10. Click Apply to save your settings.

  11. Optionally, enable debug mode.

    In the Debug Settings section, if you select Enable debug mode, the PPTP daemon log file contains extended information about PPTP connection negotiation.

  12. Click Apply to save your settings.

  13. Open the Remote Access > Advanced page.

    This page lets you define the name servers (DNS and WINS) and the name service domain that are assigned to clients when the connection is established.

  14. Click Apply to save your settings.
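The Cryptographic Settings above offer several choices that a reviewer would want to catch in the configuration handed to clients (3DES and Blowfish are 64-bit block ciphers, MD5 is deprecated, and 1024-bit DH is the smaller of the two key sizes). The following audit script is an added example, not Sophos code or the UTM's own export; it assumes the SSL VPN client config uses OpenVPN-style directives (cipher, auth, reneg-sec) that mirror this page's fields, and the sample config it checks is constructed.

```python
# Assumption (added example, not Sophos code): the UTM SSL VPN exports an
# OpenVPN-style client config whose directives mirror this page's fields
# (cipher = Encryption algorithm, auth = Authentication algorithm,
# reneg-sec = Key lifetime); DH key size is server-only, so it is passed in.
WEAK_CIPHERS = {"DES-EDE3-CBC": "3DES is a 64-bit block cipher",
                "BF-CBC": "Blowfish is a 64-bit block cipher"}
WEAK_AUTH = {"MD5": "MD5-based HMAC is deprecated"}
MIN_DH_BITS = 2048            # page offers 1024 or 2048 bits
DEFAULT_KEY_LIFETIME = 28800  # page default, in seconds

def parse_ovpn(text):
    """Map each directive to its argument lists; skip comments and <ca>-style blocks."""
    cfg, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and not in_block:
            name, *args = line.split()
            cfg.setdefault(name, []).append(args)
    return cfg

def audit(ovpn_text, dh_bits):
    """Return findings for a client config plus the server's DH key size."""
    cfg = parse_ovpn(ovpn_text)
    findings = []
    cipher = cfg.get("cipher", [["?"]])[0][0].upper()
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: {WEAK_CIPHERS[cipher]}")
    auth = cfg.get("auth", [["?"]])[0][0].upper()
    if auth in WEAK_AUTH:
        findings.append(f"auth {auth}: {WEAK_AUTH[auth]}")
    if dh_bits < MIN_DH_BITS:
        findings.append(f"key size {dh_bits}: below {MIN_DH_BITS}-bit DH")
    lifetime = int(cfg.get("reneg-sec", [[DEFAULT_KEY_LIFETIME]])[0][0])
    if lifetime > DEFAULT_KEY_LIFETIME:
        findings.append(f"key lifetime {lifetime}s: above the {DEFAULT_KEY_LIFETIME}s default")
    return findings

# Constructed sample client config, not a real export.
SAMPLE_OVPN = """\
remote vpn.example.invalid 443
cipher DES-EDE3-CBC   # chosen in Cryptographic Settings
auth MD5
reneg-sec 86400
"""
for finding in audit(SAMPLE_OVPN, dh_bits=1024):
    print("WARN", finding)
```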

© 2019 Sophos Limited Sophos UTM 9.600