1. SSL VPN
1.1. Error <SSL VPN Client Installation Failure in Windows 8/8.1>

Applicable Version: 10.00 onwards

Error

On installing SSL VPN client on a Windows 8/8.1 machine, the following error may occur.
 

Solution

To resolve this error, follow the steps given below. 

1.  Uninstall the existing SSL VPN Client from the machine.

2.  Go to the Device Manager and, under Other Devices, uninstall the “Unknown Device” driver.

 
 

Note:

 

If you do not find Unknown Device driver under Other Devices, look under Network adapters. Right-click the Unknown Device driver under Network adapters, disable it and then re-enable it. On enabling, the driver shifts to “Other Devices”. Then, follow the step given above.

3. Re-download and install the Cyberoam SSL VPN Client from

http://www.cyberoam.com/cyberoamclients.html

The Client is installed successfully. You can verify successful installation by going to the Device Manager and checking under Network Adapters if the TAP-Windows Adapter is installed.

 





Document Version: 1.0 – 15 July, 2014
1.2. Obtain the Passphrase for SSL VPN Authentication

Applicable Version: 10.04.0 Build 433 onwards
 
Overview
 
Cyberoam allows administrators to configure a passphrase in Self-Signed Certificates used in SSL VPN Authentication. This passphrase is used as a second level of authentication for SSL VPN users. Users can obtain this passphrase during authentication via three (3) modes: in the Client Bundle, as an On-Screen Link, or by Email.

Passphrase can be configured in any one of the following ways:
 
-   While generating a Self-Signed Certificate from System > Certificate > Certificate. Check Enable against Key Encryption and specify the Passphrase which is to be used for second level authentication.
-   When you check Enable against Per User Certificate from VPN > SSL > Tunnel Access. This Passphrase is system generated.
 

Scenario

This article demonstrates how the Administrator can configure the Three (3) Modes of Passphrase Reception and how the user can obtain the passphrase while authenticating according to the mode configured. The modes are:

-    Client Bundle
-    On-Screen Link
-    Email


Client Bundle
 
Configuration of Mode

Log in to the Cyberoam Web Admin Console using a profile that has read-write permission for the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select Client Bundle in the Receive Passphrase via parameter.
 
 


Obtaining Passphrase

When the Administrator configures the Passphrase Reception Mode as Client Bundle, the passphrase is received in a text file included in the SSL VPN Client configuration. Follow the steps given below to obtain the passphrase in the Client Bundle.

•    Login to SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•    Download the Client Configuration by clicking Download SSL VPN Client Configuration – Windows OR Download SSL VPN Client Configuration – MAC Tunnelblick, depending upon your system.
 
 


The downloaded file contains a text file named Passphrase which contains the passphrase.
 
 



On-Screen Link
 
Configuration of Mode

Log in to the Cyberoam Web Admin Console using a profile that has read-write permission for the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select On-Screen Link in the Receive Passphrase via parameter.
 
 


Obtaining Passphrase

When the Administrator configures the Passphrase Reception Mode as On-Screen Link, a link appears on the Portal screen; clicking it gives the user the passphrase. Follow the steps given below to obtain the passphrase via On-Screen Link.

•    Login to SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•    Click the Show Link against Receive Passphrase to view the passphrase.
 
 
 
 
 

Email

Configuration of Mode

Log in to the Cyberoam Web Admin Console using a profile that has read-write permission for the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select Email in the Receive Passphrase via parameter.
 
 


Obtaining Passphrase

When the Administrator configures the Passphrase Reception Mode as Email, a link appears on the Portal screen; on clicking it, the user receives an Email that contains the passphrase. Follow the steps given below to obtain the passphrase via Email.

•    Login to SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•    Click on the Send Email Link against Receive Passphrase to receive an Email containing the passphrase.
 
 
 
 

Note:

-    The Email is sent to the User’s Email Address, as configured in Cyberoam (Identity > Users).

-    Make sure that Mail Server is configured in Cyberoam. You can configure Mail Server from System > Configuration > Notification.
 



Document Version: 1.0 – 18/06/2013
1.3. Configure SSL VPN for Android Devices using OpenVPN Connect


Applicable Cyberoam Version: 10.04.02 Build 527 onwards

Overview  

OpenVPN Connect is the official full-featured Android client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish SSL VPN connection between any Android Device and Cyberoam.


Scenario
 
Configure SSL VPN for Android Device using OpenVPN Connect.   

Cyberoam Configuration

Configure SSL VPN from Cyberoam Web Admin Console. Configuration requires read-write permission for the relevant features.

Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.

Android Configuration

Configure OpenVPN Connect in your Android Device by following the steps below.

Step 1: Download and Install OpenVPN Connect

Download OpenVPN Connect and install it on your Android Device.

Step 2: Download Cyberoam SSL VPN Client Configuration in Local System

To download Cyberoam SSL VPN Client Configuration, follow the steps below.

·         Access Cyberoam SSL VPN Portal using the URL - https://<WAN IP address of Cyberoam:port> and login to the Portal. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?

·         Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration and save it in your system.
 
 
 

A compressed file called ClientBundle.tgz is downloaded and saved at the location you specified.

Note:

The SSL VPN Client Configuration for MAC Tunnelblick is compatible with Macintosh, iOS and Android platforms. 

Step 3: Extract ClientBundle.tgz to your local system
Extract ClientBundle.tgz to your local system. The following files are obtained.
 
-       UserPrivateKey.key
-       UserCertificate.pem
-       RootCertificate.pem
-       Client.ovpn
 

Step 4: Configure client.ovpn file

You need to edit the configuration of the client.ovpn file ONLY IF either or both of the following criteria are applicable:

·   If your OpenVPN Connect version is below 1.1.11 Build 44.
·   If your network has Two Factor Authentication configured.
 

 
OpenVPN Connect Version below 1.1.11 Build 44

If your OpenVPN Connect version is 1.1.11 Build 44 or above, skip to step 5.

Double click client.ovpn to open it in a text editor. 

·    If the Protocol for SSL VPN connection is configured as TCP, then set the parameter proto as TCP. If the Protocol is configured as UDP, no change is required.
·    Set the parameter reneg-sec to 3600.
 
 

 

 

Note:

 

For OpenVPN Connect version 1.1.11 Build 44 and below, it is mandatory to set the value of reneg-sec to 3600, and set proto according to the protocol being used for SSL VPN connection. For more information, please refer to the links given below:

-    Sourceforge
-    OpenVPN

 

 

Two Factor Authentication Configured

 

If Two Factor Authentication is not configured in your network, skip to Step 5.

 

Double click client.ovpn to open it in a text editor and add the parameter:

 

ping-restart 65

 

 
 
 
Step 5: Transfer SSL VPN Configuration files to Android Device
 
Transfer the files mentioned above (UserPrivateKey.key, UserCertificate.pem, RootCertificate.pem, Client.ovpn) from your local system to your Android Device.
 

Step 6: Import SSL VPN Configuration to OpenVPN Connect in Android Device

·         Launch OpenVPN Connect and click Settings.
 
 
 
 
·         Click Import to import the client.ovpn file included in the SSL VPN Configuration files.
 
 
 
 
 
 

Step 7: Connect to Cyberoam

Once the files are imported, a new VPN profile is created based on the configuration in client.ovpn. Enter Password and click Connect to establish connection with Cyberoam. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?
 
 
 
 
 
 
 
The above configuration establishes an SSL VPN connection between Cyberoam and Android Device using OpenVPN Connect.
 






Document Version: 1.3 – 13/09/2013
1.4. Configure SSL VPN for iPhone/iPad using OpenVPN Connect

Applicable Version: 10.04.02 Build 527 onwards
 
Overview
 
OpenVPN Connect is the official full-featured iPhone/iPad client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish SSL VPN connection between iPhone/iPad and Cyberoam.
 

Scenario

Configure SSL VPN for iPhone using OpenVPN Connect.
 

Configuration

You can configure SSL VPN for iPhone using OpenVPN Connect by following the steps below.  

Step 1: Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.
 

Step 2: Download and Install OpenVPN Connect
 
Download OpenVPN Connect and install it on your iPhone.
 

Step 3: Download Cyberoam SSL VPN Client Configuration

To download Cyberoam SSL VPN Client Configuration, follow the steps below.

·         Access Cyberoam SSL VPN Portal using the URL - https://<WAN IP address of Cyberoam:port> and login to the Portal. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?

·         Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration and save it in your system.
 
 
 

A compressed file called ClientBundle.tgz is downloaded and saved at the location you specified.

Note:

The SSL VPN Client Configuration for MAC Tunnelblick is compatible with Macintosh as well as iOS.

Step 4: Extract ClientBundle.tgz to your local system

Extract ClientBundle.tgz to your local system. The following files are obtained.

-       UserPrivateKey.key
-       UserCertificate.pem
-       RootCertificate.pem
-       Client.ovpn 

Step 5: Configure client.ovpn file

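You need to edit the configuration of the client.ovpn file ONLY IF either or both of the following criteria are applicable:

·    If your OpenVPN Connect version is below 1.0.1 Build 88.
·    If your network has Two Factor Authentication configured.

OpenVPN Connect Version below 1.0.1 Build 88

If your OpenVPN Connect version is 1.0.1 Build 88 or above, skip to step 6.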

 

Double click client.ovpn to open it in a text editor. 


·    If the Protocol for SSL VPN connection is configured as TCP, then set the parameter proto as TCP. If the Protocol is configured as UDP, no change is required.
·    Set the parameter reneg-sec to 3600.
 
 

 

 

Note:

 

For OpenVPN Connect version 1.0.1 Build 88 and below, it is mandatory to set the value of reneg-sec to 3600, and set proto according to the protocol being used for SSL VPN connection. For more information, please refer to the links given below:

-        Sourceforge
-        OpenVPN

 

 

Two Factor Authentication Configured

 

If Two Factor Authentication is not configured in your network, skip to Step 6.

 

Double click client.ovpn to open it in a text editor and add the parameter:

 

ping-restart 65
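
The client.ovpn edits from this step (and from Step 4 of the Android article above) can be scripted on the local system before the files are transferred. This shell example is added here and is not part of the original Cyberoam article; the function names and the sample profile are constructed for illustration, and the caller states whether the installed OpenVPN Connect build is below the threshold named for its platform.

```shell
#!/bin/sh
# Added example. Function names and the sample profile are constructed for
# illustration; they are not Cyberoam or OpenVPN tooling.

# set_directive FILE NAME VALUE
# Rewrite the first active "NAME ..." line as "NAME VALUE", drop later
# duplicates, and append the directive if no active line exists.
# Commented-out lines ("#NAME", ";NAME") are left as they are.
set_directive() {
    sd_file=$1; sd_name=$2; sd_value=$3
    sd_tmp=$(mktemp) || return 1
    awk -v n="$sd_name" -v v="$sd_value" '
        $1 == n {
            if (!seen) { print n " " v; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print n " " v }
    ' "$sd_file" > "$sd_tmp" || { rm -f "$sd_tmp"; return 1; }
    cat "$sd_tmp" > "$sd_file"      # overwrite in place: owner and mode are kept
    rm -f "$sd_tmp"
}

# patch_client_ovpn FILE PROTOCOL OLD_CLIENT TWO_FACTOR
#   PROTOCOL   tcp or udp, as configured for SSL VPN on the appliance
#   OLD_CLIENT yes if OpenVPN Connect is below the build named in the article
#   TWO_FACTOR yes if Two Factor Authentication is configured
patch_client_ovpn() {
    pc_file=$1; pc_proto=$2; pc_old=$3; pc_2fa=$4
    [ -f "$pc_file" ] || { echo "missing $pc_file" >&2; return 1; }
    # Keep the downloaded original once, so repeated runs never overwrite it.
    [ -e "$pc_file.orig" ] || cp -p "$pc_file" "$pc_file.orig" || return 1
    if [ "$pc_old" = yes ]; then
        # UDP needs no change to proto; TCP has to be stated explicitly.
        if [ "$pc_proto" = tcp ]; then
            set_directive "$pc_file" proto tcp || return 1
        fi
        set_directive "$pc_file" reneg-sec 3600 || return 1
    fi
    if [ "$pc_2fa" = yes ]; then
        set_directive "$pc_file" ping-restart 65 || return 1
    fi
    return 0
}

# Constructed sample profile (not a real Cyberoam client.ovpn).
make_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 8443
reneg-sec 0
ca RootCertificate.pem
cert UserCertificate.pem
key UserPrivateKey.key
auth-user-pass
EOF
}

# Demo in a scratch directory: TCP tunnel, older client, Two Factor enabled.
demo_dir=$(mktemp -d) || exit 1
make_sample_profile "$demo_dir/client.ovpn"
patch_client_ovpn "$demo_dir/client.ovpn" tcp yes yes
cat "$demo_dir/client.ovpn"
rm -rf "$demo_dir"
```

Running it twice on the same file gives the same result, and the untouched download stays beside it as client.ovpn.orig for comparison.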

 

 

Step 6: Import all files to OpenVPN Connect

Import the files mentioned above into OpenVPN Connect using iTunes. Once the files are imported, a new VPN profile is created based on the configuration in client.ovpn.
 

Step 7: Connect to Cyberoam

·         Select the newly created profile to connect to Cyberoam.
 
 
 
 
·         Enter user credentials and connect to Cyberoam. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment? 
  
 
 
 
 
 
 
 
 
Document Version: 1.2 – 12/09/2013
1.5. Allow an SSL VPN User Access to an Application Hosted at Remote Side of an IPSec Connection

Applicable Version: 10.00 onwards
 
Overview
 
This article describes how you can allow an SSL VPN user access to an application hosted at the remote side of an IPSec VPN connection.
 

Scenario

Allow any SSL VPN user, connected to Head Office Network, access to the RDP Server hosted in the Branch Office network as shown below. The Head Office and Branch Office are connected via an IPSec VPN tunnel.
 
 
 
 
 

Prerequisite

The Head Office and Branch Office should be connected via an IPSec VPN connection.
 

Configuration

In IPSec Configuration, you can allow the SSL VPN user access to the RDP server by adding the Head Office WAN IP in the trusted Local Networks at the Head Office side and trusted Remote Networks at the Branch office side.
 

Head Office Configuration

To configure the Head Office Cyberoam, follow the steps given below.

Step 1: Create Bookmark for RDP Service

Go to VPN > SSL > Bookmark and click Add to add a bookmark using the following parameters.

Parameter Description

Parameter | Value | Description
RDP
Type | RDP | Select type of Bookmark. Available options: HTTP, HTTPS, RDP, Telnet, SSH, FTP
URL | 172.16.16.17 |

 
 
 

Step 2: Create SSL VPN Policy

Create an SSL VPN policy to allow access to the RDP server. Go to VPN > SSL > Policy and click Add to add an SSL VPN policy using the following parameters.

Parameter Description

Parameter | Value | Description
Add SSL VPN Policy
Name | Access_RDP |
Access Mode | Application Access Mode |
Application Access Settings
Accessible Resources | RDP | Select Bookmarks/Bookmarks Group that remote user can access.

 
 

Step 3: Create IP Host Object of Head Office WAN IP

Go to Objects > Hosts > IP Host and click Add to create an IP Host using the following parameters.

Parameter Description

Parameter | Value | Description
Name | 192.168.20.182 | Name to identify the Host.
Type | IP | Select type of Host. Available options: IP, Network, IP Range, IP List
IP Address | 192.168.20.182 | Specify the IP address of the Host.

 
 

Step 4: Include Host in Trusted Local Subnet in IPSec Connection

Go to VPN > IPSec > Connection and select the Head_to_Branch IPSec connection.

Add Head Office WAN IP, i.e., 192.168.20.182, in Trusted Local Subnet of the connection.
 
 
 
 

Branch Office Configuration

To configure the Branch Office Cyberoam, follow the steps given below.

Step 1: Create IP Host Object of Head Office WAN IP

Go to Objects > Hosts > IP Host and click Add to create an IP Host using the following parameters.

Parameter Description

Parameter | Value | Description
Name | 192.168.20.182 | Name to identify the Host.
Type | IP | Select type of Host. Available options: IP, Network, IP Range, IP List
IP Address | 192.168.20.182 | Specify the IP address of the Host.

 

 

Step 2: Include Host in Trusted Remote Subnet in IPSec Connection

Go to VPN > IPSec > Connection and select the Branch_to_Head IPSec connection.

Add Head Office WAN IP, i.e., 192.168.20.182, in Trusted Remote Subnet of the connection.
 
 
 
 
Once the above configuration is done at the Head Office and the Branch Office side, the SSL VPN user is able to access RDP server located at the Branch Office.




Document Version: 1.0 – 28/07/2012
1.6. Configure SSL VPN for Macintosh OS X using Tunnelblick VPN client

Applicable Version: 10.00 onwards

Overview

Tunnelblick is an open source graphical user interface for SSL VPN on Macintosh (Mac) OS X. It comes as a ready-to-use application with all necessary binaries and drivers. It does not require any additional installation. You just need to add the VPN tunnel configuration and encryption information.

 

Tunnelblick Client can be used to establish SSL VPN connection between Mac OS and Cyberoam. 

Scenario

Configure SSL VPN for Mac OS X using Tunnelblick VPN client. 

Configuration

You can configure SSL VPN for Mac OS X using Tunnelblick VPN client by following the steps below. Configuration is to be done in Cyberoam and Mac OS using profile having read-write administrative rights for relevant features. 

Step 1: Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam

Step 2: Download and Install Tunnelblick Client

Download Tunnelblick Client from http://code.google.com/p/tunnelblick/ and install it on your Mac workstation.  

Step 3: Download Cyberoam SSL VPN Client Configuration

To download Cyberoam SSL VPN Client Configuration, follow the steps below.


•    Access Cyberoam SSL VPN Portal using the URL - https://<WAN IP address of Cyberoam:port> and login to the Portal.

•    Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration specific for Mac OS and save it in your system.

 

 

A compressed file called clientbundle.tar is downloaded and saved in your system.  

Step 4: Extract clientbundle.tar

Double-click clientbundle.tar to extract it.

 

 

 

A folder named ‘clientbundle’ is extracted, which contains Two (2) files: CRSSLconfig.tblk and Passphrase.txt.

 

CRSSLconfig.tblk: This is a Tunnelblick configuration file containing information about the VPN configuration with Cyberoam and CA Certificate.

Passphrase.txt: This file contains the passphrase to be used by user during SSL VPN Authentication.
 
 

 

Note:

 

Passphrase.txt is present in the clientbundle ONLY IF configured in Cyberoam. For more details refer to article How To - Obtain the Passphrase for SSL VPN Authentication

Step 5: Install Configuration in Tunnelblick

Double-click CRSSLconfig.tblk to install the Cyberoam SSL configuration in Tunnelblick. The following screen appears.

 

 

If you want to install the configuration for all users of the system, click All Users. Else, click Only Me. The VPN configuration for Cyberoam gets installed in Tunnelblick.


Step 6: Establish SSL VPN Connection with Cyberoam

•    Launch Tunnelblick Client from Finder > Applications > Tunnelblick.app. Click the Tunnelblick icon that appears on the top left corner of the screen and click Connect CRSSLconfig

 

•    Login to establish an SSL VPN connection with Cyberoam at remote site.
 

 

 

 

 

The above configuration applies Cyberoam SSL VPN Client Configuration to Tunnelblick client in Mac OS X and establishes an SSL VPN connection with Cyberoam at a remote site.

 






Document Version: 2.0 – 25 February, 2014

1.7. Configure SSL VPN in Cyberoam
 
Applicable Version: 10.00 onwards

Overview
 
SSL (Secure Sockets Layer) VPN provides simple-to-use, secure access for remote users to the corporate network from anywhere, anytime. It enables creation of point-to-point encrypted tunnels between the remote user and the company’s internal network, requiring a combination of SSL certificates and a username/password for authentication.

Cyberoam allows remote users access to the corporate network in 3 Modes:

-       Tunnel Access Mode: User gains access through a remote SSL VPN Client.

-       Web Access Mode: Remote users can access SSL VPN using a web browser only, i.e., clientless access.

-       Application Access Mode: Users can access web applications as well as certain enterprise applications through a web browser, i.e., clientless access.
 

Scenario

Configure SSL VPN in Cyberoam such that the remote user shown in the diagram below is able to access the Web and Intranet Servers in the company’s internal network. The user is to have Full Access, i.e., Tunnel, Web and Application Access. The network particulars given below are used as an example throughout this article.
 
 
 
 

Network Parameters

Configuration Parameter | Value
Cyberoam WAN IP | 203.10.10.100
LAN Network | 172.16.16.0/24
Intranet Server IP | 172.16.16.1
Web Server IP | 172.16.16.2
IP Range Leased to user after successful connection through SSL VPN | 10.10.10.1 to 10.10.10.254



Configuration

Configure SSL VPN in Cyberoam by following the steps given below. You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Generate Default Certificate Authority

To generate the default Certificate Authority, go to System > Certificate > Certificate Authority and click Default CA.

Update the Default CA as shown below. 
 
 

Click OK to generate Default Certificate Authority. 

Note:

If you are using an external certificate authority, you can upload the same by following steps mentioned in the article Add an External Certificate Authority (CA) in Cyberoam.

Step 2: Create self-signed Certificate

To create a self-signed Certificate, go to System > Certificate > Certificate and click Add. Generate a Self Signed Certificate as shown below. 

 

Click OK to create the certificate.

Step 3: Configure SSL Global Parameters

To set global parameters for tunnel access, go to VPN > SSL > Tunnel Access and configure tunnel access settings with following values:
 
 

Parameter | Value | Description
Protocol | TCP | Select default protocol for all the SSL VPN clients.
SSL Server Certificate | SSLVPN_SelfSigned | Select SSL Server certificate from the dropdown list to be used for authentication
Per User Certificate | Disabled | SSL server uses certificate to authenticate the remote client. One can use the common certificate for all the users or create individual certificate for each user
SSL Client Certificate | SSLVPN_SelfSigned | Select the SSL Client certificate from the dropdown list if you want to use common certificate for authentication
IP Lease Range | 10.10.10.1 to 10.10.10.45 | Specify the range of IP addresses reserved for the SSL Clients
Subnet Mask | 255.255.255.0 | Specify Subnet mask
Primary DNS | 4.2.2.2 | Specify IP address of Primary DNS
Secondary DNS | 8.8.8.8 | Specify IP address of Secondary DNS
Enable DPD | Enabled | Click to enable Dead Peer Detection.
Check Peer after every | 60 | Specify time interval in the range of 60 to 3600 seconds after which the peer should be checked for its status.
Disconnect after | 300 | Specify time interval in the range of 300 to 1800 seconds after which the connection should be disconnected if peer is not live.
Idle Time Out | 15 | Specify idle timeout. Connection will be dropped after the configured inactivity time and user will be forced to re-login.
Data Transfer Threshold | 250 | Once the idle timeout is reached, before dropping the connection, appliance will check the data transfer. If data transfer is more than the configured threshold, connection will be dropped.

 
 
 
To set global Idle Time for Web Access Mode, go to VPN > SSL > Web Access and set Idle Time as shown below. 
 
 

Step 4: Create Bookmarks (Applicable for Web and Application Access Mode Only)

Bookmarks are the resources whose access is available through SSL VPN Web portal. You can also create a group of bookmarks that can be configured in SSL VPN Policy. These resources are available in Web and Application Access mode only.

To create Bookmark, go to VPN > SSL > Bookmark and click Add. Create Bookmark using following parameters. 
 

Parameter | Value | Description
Name | Telnet | Name to identify Bookmark.
Type | TELNET | Specify type of bookmark.
URL | 192.168.1.120 | Specify URL at which telnet sessions are allowed to remote users.

 
  

Click OK to create Bookmark.

Similarly, create a bookmark Intranet of type HTTP to allow access to the internal Intranet server.
Note:
 
Intranet is accessible in Web as well as Application Access Mode, while Telnet is accessible in Application Access Mode.

Step 5: Configure SSL VPN Policy

To configure SSL VPN policy, go to VPN > SSL > Policy and click Add. Create policy using parameters given below.

Parameter Description

Parameter | Value | Description
Add SSL VPN Policy
Name | Full_Access | Name to identify the SSL VPN policy
Access Mode | Tunnel Access Mode, Web Access Mode, Application Access Mode | Select the access mode by clicking the appropriate option.
Tunnel Access Settings
Tunnel Type | Split Tunnel | Select tunnel type. Tunnel type determines how the remote user’s traffic will be routed.
Accessible Resources | <As required> | Select Hosts or Networks that remote user can access.
DPD Settings | Use Global Settings | You can customize and override the global Dead Peer Detection setting.
Idle Time out | Use Global Settings | You can use the global settings or customize the idle timeout.
Web Access Settings
Enable Arbitary URL Access | Enabled | Enable to access custom URLs not defined as Bookmarks.
Accessible Resources | Intranet | Select Bookmarks/Bookmarks Group that remote user can access.
Idle Time out | Use Global Settings | You can use the global settings or customize the idle timeout.
Application Access Settings
Accessible Resources | Intranet, Telnet | Select Bookmarks/Bookmarks Group that remote user can access.

 
 
 

Step 6: Apply SSL VPN Policy on User

To apply SSL VPN policy on user, follow the steps given below.

Go to Identity > Users > User and select the user to which policy is to be applied. Here we have applied it on user John Smith. Under Policies section, select Full_Access for SSL VPN as shown below. 
 
 
 
Click OK to update the user’s SSL VPN Policy.

Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly.
 

Step 7: Download and Install SSL VPN Client at Remote End

Remote users can login to Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

Note:

Use default port: 8443 unless customized. Access is available only to those users who have been assigned an SSL VPN policy. 
 
 
 
User is directed to the Main Page which displays Tunnel, Web or Application Access Mode section according to policy applied on user. 
 
 

For Tunnel Access, user needs to access internal resources through an SSL VPN Client.

-       Download the SSL VPN client by clicking “Download Client” and follow the on-screen instructions.

-       Install the client on the remote user’s system.

-       On complete installation, the CrSSL Client icon appears in the system tray. Login to the Client and access the company’s internal network through SSL VPN.

For Web and Application Access, user can access internal resources using web browser, i.e., clientless access. In this, user needs to browse to https://<WAN IP address of Cyberoam:port> and login.

                                                                                                                                                                              









Document Version: 3.0 – 10 July, 2014
1.8. Configure SSL VPN Client in Linux
 

Applicable to Version: 10.00 onwards

The OpenVPN package is used in Linux to configure the SSL VPN Client.

Configuration

Follow the below mentioned steps to configure SSL VPN Client in Linux.

Step 1: Configure SSL VPN on Cyberoam 


Refer to SSL VPN User Guide for details on how to configure SSL VPN on Cyberoam.
 
 
Step 2: Download SSL VPN Client Configuration

Log on to the SSL VPN portal with the username and password of a user who is a member of an SSL VPN policy.
 
 
 
 
Click Download SSL VPN Client Configuration to download and install SSL VPN client.
 
 
 
 
 

Step 3: Linux Configuration


Ubuntu flavor of Linux has been taken as an example in this article for Linux Configuration.
 
1.     Extract the file using the "tar" command.

     #tar zxvf clientbundle.tgz

2.     Go to the "CRSSLconfig/pem" folder and open the file client.crssl.

3.     Comment out the following lines in the configuration file:

      #dhcp-renew
      #dhcp-release

      Add the following lines at the end of the configuration file:

      status crssl_client_status.log
      ca ./RootCertificate.pem
      cert ./UserCertificate.pem
      key ./UserPrivateKey.key

      Save and exit from the configuration file.

4.     Install OpenVPN using the command given below.

     #sudo apt-get install openvpn

     Run the following command as "ROOT" within the "CRSSLconfig/pem" folder.

     #sudo openvpn --config client.crssl

 
 
      Enter the SSL VPN username and password
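
The edits in items 3 and 4 above can be applied with a small script. This is an added example, not Cyberoam's own tooling: prepare_crssl_config and make_sample_bundle are hypothetical names, the sample bundle is constructed, and the chmod on the private key is an addition the article does not mention.

```shell
#!/bin/sh
# Added example. Function names and sample files are constructed for
# illustration; they are not part of the Cyberoam client bundle.

# prepare_crssl_config DIR
# DIR is the extracted CRSSLconfig/pem folder that holds client.crssl.
prepare_crssl_config() {
    pc_dir=$1
    pc_conf="$pc_dir/client.crssl"
    [ -f "$pc_conf" ] || { echo "client.crssl not found in $pc_dir" >&2; return 1; }

    # The appended ca/cert/key lines use ./ paths, so the three files must sit
    # beside client.crssl and openvpn must be started from that folder.
    for pc_f in RootCertificate.pem UserCertificate.pem UserPrivateKey.key; do
        [ -f "$pc_dir/$pc_f" ] || { echo "missing $pc_dir/$pc_f" >&2; return 1; }
    done

    pc_tmp=$(mktemp) || return 1
    # Comment out active dhcp-renew / dhcp-release lines. Lines that are
    # already commented have "#..." as field 1 and pass through unchanged.
    awk '
        $1 == "dhcp-renew" || $1 == "dhcp-release" { print "#" $0; next }
        { print }
    ' "$pc_conf" > "$pc_tmp" || { rm -f "$pc_tmp"; return 1; }

    # Append the four lines from the article, skipping any already present.
    while IFS= read -r pc_line; do
        grep -qxF -e "$pc_line" "$pc_tmp" || printf '%s\n' "$pc_line" >> "$pc_tmp"
    done <<'EOF'
status crssl_client_status.log
ca ./RootCertificate.pem
cert ./UserCertificate.pem
key ./UserPrivateKey.key
EOF

    cat "$pc_tmp" > "$pc_conf"
    rm -f "$pc_tmp"
    # Not in the article: keep the private key readable by its owner only.
    chmod 600 "$pc_dir/UserPrivateKey.key"
}

# Constructed sample bundle (placeholder files, no real key material).
make_sample_bundle() {
    mkdir -p "$1" || return 1
    cat > "$1/client.crssl" <<'EOF'
client
dev tun
proto tcp
remote 203.0.113.10 8443
auth-user-pass
dhcp-renew
dhcp-release
EOF
    for sb_f in RootCertificate.pem UserCertificate.pem UserPrivateKey.key; do
        echo "constructed placeholder" > "$1/$sb_f"
    done
    chmod 644 "$1/UserPrivateKey.key"
}

# Demo in a scratch directory.
demo_dir=$(mktemp -d) || exit 1
make_sample_bundle "$demo_dir/pem"
prepare_crssl_config "$demo_dir/pem"
cat "$demo_dir/pem/client.crssl"
rm -rf "$demo_dir"
```

On a real bundle, call prepare_crssl_config with the path to the extracted CRSSLconfig/pem folder and then start openvpn from inside that folder as shown in item 4.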
 
 
 
 
 
 
 
 

Step 4: View Live User


Logon to Cyberoam Web Admin Console and go to VPN > Live users > SSL VPN.

You can view the user “Cyberoam” logged in.
 
 
Document Version: 1.0 – 05/03/2012
 
 
 
Disclaimer:
 
Steps described in this document are for reference purpose only. Cyberoam is not responsible for any malfunction or misbehaviour on the part of the Open VPN Client. Kindly contact Open VPN support to resolve any such issues.
1.9. Access Arbitrary URLs through Cyberoam’s SSL VPN Portal

Applicable to Version: 10.00 onwards

Cyberoam SSL VPN allows users to access Internal/External URLs through bookmarks. Most of the resources are migrating to the cloud and thus are hosted on arbitrary URLs because of the shift in technology and benefits of cloud computing.

E.g.: https://example.com:9090/forms/frmservlet?config=PROD is difficult to publish through a bookmark.

Note:

This is a “dummy URL” and would not correspond to a resource on the Internet.

To allow access of such URLs, Cyberoam provides options to access “Arbitrary URLs” through Cyberoam’s SSL VPN portal.

Prerequisites
 
  • This document is intended for Cyberoam administrators and it is assumed that he/she has knowledge of deploying, administering and configuring Cyberoam.

  • It is assumed that Cyberoam has a way to resolve the hostname mentioned in the Arbitrary URL.

Solution

Step 1

Go to VPN > SSL > Policy and Edit the existing SSL VPN Policy to configure Arbitrary URL access option on Cyberoam.

Once Arbitrary URL access is enabled, the user can access any URL either from the Internet or from the intranet.

Note:

If the user wants to access an intranet URL, make sure that DNS resolution works properly on Cyberoam.

Step 2

Login to Cyberoam SSL VPN Portal to access the arbitrary URL by pasting it in the address bar.

Note: By default, Cyberoam SSL VPN Portal is accessible on https://<ip address of Cyberoam>:8443

This would let the remote user access the URL https://example.com:9090/forms/frmservlet?config=PROD

                                                                                                                                                             Document Version – 1.0 – 16/08/2011
     
     
     
    1.10. Access ActiveX applications through (WebAccess) SSL VPN Bookmark
     
    Applicable to Version : 10

    Cyberoam’s Application Access Mode under SSL VPN provides for the ability to access applications through Java applets or Active X.
     
    Scenario: Consider the need for giving administrator remote desktop access to the Active Directory Server and SSH to an internal Cyberoam in bridge mode by publishing bookmarks without the SSL VPN client.
     
    This can be done through publishing of application bookmarks.
     

    Bookmarks are the resources that are made available through the End-user Web portal. You can also create a group of bookmarks that can be configured in an SSL VPN Policy.

    These resources are available in Web Access mode only and are to be configured in the SSL VPN Policy.

    The entire configuration is to be done from Web Admin Console. Access Web Admin Console with user having ‘Administrator’ profile.

    Remote Desktop (RDP)

    Steps

    Go to VPN > SSL > Bookmark and click on the “Add” button to create a new Bookmark with the parameters mentioned below.
     
     

    Parameters    Value
    Name          RemoteDesktopAD
    Type          RDP
                  This will invoke the Java applet for connecting the RDP through to the published resource when clicked from the SSL VPN Portal.
    URL           rdp://172.16.16.2/
                  Specify the IP address of the application server for which the bookmark is to be created.

     

    Click OK and the Bookmark ‘RemoteDesktopAD’ will be added successfully.
     
     

    Secure Shell

    Step 1: Add Bookmark

    Go to VPN > SSL > Bookmark and click on the “Add” button to create a new Bookmark with the parameters mentioned below.
     
     

    Parameters    Value
    Name          SSHtoCyberoamBridge
    Type          SSH
                  This will invoke the Java applet for connecting the SSH through to the published resource when clicked from the SSL VPN Portal.
    URL           ssh://172.16.16.16/
                  Specify the IP address of the application server for which the bookmark is to be created.

     

    Click OK and the Bookmark ‘SSHtoCyberoamBridge’ will be added successfully.
     
     

    Step 2: Create Policy for SSL VPN

    Go to VPN > SSL > Policy and click on the “Add” button to add a new SSL VPN Policy with the following parameters.
     
     

    Parameters                     Value
    Name                           SSL
    Access Mode                    Web Access – Enabled
                                   Application Access Mode - Enabled
    Application Access Settings
    Accessible Resources           RemoteDesktopAD
                                   SSHtoCyberoamBridge

     

    Click OK and the SSL VPN Policy ‘SSL’ will be inserted successfully.
     
     

    Step 3: Apply Policy to User 

    • Go to Identity > Users > User
    • Select user to apply SSL VPN policy created in Step 2.
    • Under Policies Section, select ‘SSL’ for SSL VPN
    • Click OK button to update
     
     
    Click OK and the policy will be applied to user and the user will be updated successfully.

    Step 4: Launch SSL VPN Portal

    Log in to the Cyberoam SSL VPN Portal. As “Application Bookmarks” have been published, the following screen is displayed on the SSL VPN Portal.

    Note: By default, Cyberoam SSL VPN Portal is accessible on https://<ip address of Cyberoam>:8443
     
     

    Step 5: Click Bookmarks

    Click any of the bookmarks above and it will initiate the respective applet as below:
     
     

    Step 6: Execute Applet 

    Click on Yes, accept the certificate warning and execute the applet. The following screen would be displayed:
     
     
     
     
     

    Remote Desktop (RDP)
     
    For RDP, the below screen will be visible after following all the above steps (Step 2 to Step 6) from SSH Section:
     

    Click on Connect, and it will launch the RDP screen without the need of executing the mstsc.exe (Remote Desktop) executable.
     
     
                                                                                                                                                   Document Version: 2.0-01/09/2011
     
     
    1.11. How can I access SSL VPN portal page using different port?
     
       1.  Login to Web Admin Console with user having “Administrator” profile.
     
       2.  Go to System > Administration > Settings and go to SSL VPN Settings to make modifications in the general 
            port settings. Configure the port number in SSL VPN port to access the SSL VPN Portal page using a different port.
        
                                                                                                                        Document Version: 1.0 – 17/11/2011
    1.12. How to check SSL VPN Logs from CLI?

    Follow the below mentioned steps to check SSL VPN Logs from CLI:

       1.  Login to CLI Console (Telnet or SSH)

       2.  Choose option 4 – Cyberoam Console and press Enter

       3.  Execute the command - show sslvpn log (tunnel-access/web-access/application-access). Choose the access mode 
            for which you want to see the logs.
     
            For example: show sslvpn log tunnel-access
     
     
                                                                                                               Document Version: 1.0 – 17/11/2011
    1.13. Why am I unable to access network resources after successful connection of SSL VPN from a Windows 7/Vista machine?

    Windows 7/Vista operating systems have the UAC security feature enabled, which aims to improve the security of Microsoft Windows by limiting application software to standard user privileges.
     
    Even if you are an administrator, any exe that is going to modify the system will have lower privileges if UAC is turned ON (Vista and Windows 7). This restricts the CR SSL VPN Client and results in failure of the SSL VPN remote network route addition on the local machine’s routing table.
     
    To allow CR SSL VPN Client to be able to add routes on local machine, right click on the CR SSL VPN Client and specify “Run as Admin”. 
     
    This document consists of two (2) sections:

    How to confirm that UAC is blocking the route addition on machine?

    After you get connected with the CR SSL VPN Client and an IP Address is leased to you, check the status logs to verify if UAC has blocked route addition on local machine.
     
    1. Right click on the SSL VPN Logo on System tray.
    2. Click on Show Status after the IP Address is leased to client.
    3. If the logs show “route addition failed: Access Denied”, it means UAC is enabled and is preventing the route addition on the local machine. Refer to the screen below:
     
     
    How to avoid error “route addition failed: Access Denied” when you dial SSL VPN?

    Follow below steps to avoid error “route addition failed: Access Denied” when you dial SSL VPN.

    1.  Right click on the CR SSL VPN Client logo on desktop and click on properties.
     
     
    2.  Click on “Compatibility” tab and select check box “Run this program as an administrator” and apply the settings.
     

    3.  Go to Start > Run, type “msconfig” and press Enter. It will open a System Configuration window.
     
    4.  Uncheck crssl-client in the startup selection list.
     
     
     
    5.  Next time when you start the CR SSL VPN Client, it will by default launch with the administrative rights and you will get following prompt.
     
     
    Click on Yes and it will allow CR SSL VPN Client to add routes on local machines and you will have no issues accessing remote network resources on successful connection of SSL VPN.
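
The conditions described in this section can also be checked from a PowerShell prompt on the client machine. The script below is an added example, not part of the original Cyberoam document; the client executable path, the remote network address and the saved status-log file are placeholders to set for your deployment. It assumes the Compatibility-tab setting is stored as a RUNASADMIN value under the AppCompatFlags\Layers registry key.

```powershell
# Added example (not Cyberoam code). PowerShell 2.0 compatible, so it runs on Windows 7/Vista.
# All parameter defaults are placeholders or constructed samples; set them for your site.
param(
    [string]$ClientExe     = 'C:\PATH\TO\crssl-client.exe',  # placeholder: full path of the client exe
    [string]$RemoteNetwork = '172.16.16.0',                   # constructed sample: network behind the VPN
    [string]$StatusLog     = ''                               # optional: "Show Status" text saved to a file
)

# 1. UAC is on when EnableLUA is 1.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacOn  = (Get-ItemProperty -Path $uacKey).EnableLUA -eq 1

# 2. "Run this program as an administrator" is recorded as a RUNASADMIN layer,
#    in a registry value named after the executable path (per-user or all-users).
$layerKeys = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
             'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$runAsAdmin = $false
foreach ($key in $layerKeys) {
    $layers = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($layers -and ("$($layers.$ClientExe)" -match 'RUNASADMIN')) { $runAsAdmin = $true }
}

# 3. After the VPN connects, the remote network must appear in the IPv4 routing table.
$pattern      = '^\s*' + [regex]::Escape($RemoteNetwork) + '\s'
$routePresent = [bool](route print -4 | Where-Object { $_ -match $pattern })

# 4. Look for the exact error string in the saved status log, if one was supplied.
$accessDenied = $false
if ($StatusLog -and (Test-Path $StatusLog)) {
    $accessDenied = [bool](Select-String -Path $StatusLog -SimpleMatch `
        -Pattern 'route addition failed: Access Denied' -Quiet)
}

if ($routePresent) {
    $verdict = 'Route present: the client was able to modify the routing table.'
} elseif ($uacOn -and -not $runAsAdmin) {
    $verdict = 'Route missing, UAC on, no RUNASADMIN flag: apply the steps above.'
} else {
    $verdict = 'Route missing for another reason: check the connection and the network value.'
}

New-Object PSObject -Property @{
    UacEnabled = $uacOn; RunAsAdminFlag = $runAsAdmin; RoutePresent = $routePresent
    LogShowsAccessDenied = $accessDenied; Verdict = $verdict
}
```

Run it once right after the client reports a leased IP address, and again after applying the steps above, to compare the RoutePresent and RunAsAdminFlag values.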
     
                                                                                                                                      Document Version: - 1.0-14/06/2011
    1.14. Can I use Cyberoam as an SSL VPN Gateway when it is deployed in Bridge Mode?

    Applicable Version: 10.02.00 Build 224 onwards
     
    Yes. From Cyberoam firmware version 10.02.00 Build 224 onwards, you can configure Cyberoam as an SSL VPN Gateway by using Bridge Pair Configuration.