1. SSL VPN
1.1. Configure SSL VPN for iPhone/iPad using OpenVPN Connect

Applicable Version: 10.04.02 Build 527 onwards

Overview

OpenVPN Connect is the official full-featured iPhone/iPad client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish an SSL VPN connection between an iPhone/iPad and Cyberoam.


Scenario

Configure SSL VPN for iPhone using OpenVPN Connect.
 

Configuration

You can configure SSL VPN for iPhone using OpenVPN Connect by following the steps below. The configuration is done in Cyberoam using the Administrator profile.
 

Step 1: Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.
 

Step 2: Download and Install OpenVPN Connect
 
Download OpenVPN Connect and install it on your iPhone.
 

Step 3: Download Cyberoam SSL VPN Client Configuration

To download Cyberoam SSL VPN Client Configuration, follow the steps below.

- Access the Cyberoam SSL VPN Portal using the URL https://<WAN IP address of Cyberoam:port> and log in to the Portal.
- Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration and save it on your system.

A compressed file called ClientBundle.tgz is downloaded and saved at the location you specified.

Note:

The SSL VPN Client Configuration for MAC Tunnelblick is compatible with Macintosh as well as iOS.

Step 4: Extract ClientBundle.tgz to your local system

Extract ClientBundle.tgz to your local system. The following files are obtained.

- UserPrivateKey.key
- UserCertificate.pem
- RootCertificate.pem
- Client.ovpn


Step 5: Configure client.ovpn file

Double-click client.ovpn to open it in a text editor.

- If the Protocol for the SSL VPN connection is configured as TCP, set the parameter proto to tcp. If the Protocol is configured as UDP, no change to the proto parameter is required.
- Set the parameter reneg-sec to 3600.

Note:

For OpenVPN Connect version 1.0.0 and below, it is mandatory to set the value of reneg-sec to 3600 and to set proto according to the protocol being used for the SSL VPN connection. For more information, refer to the links given below:
- Sourceforge
- OpenVPN


Step 6: Import all files to OpenVPN Connect

Import the files listed above into OpenVPN Connect using iTunes. Once the files are imported, a new VPN profile is created corresponding to the configuration in client.ovpn.


Step 7: Connect to Cyberoam

- Select the newly created profile to connect to Cyberoam.
- Enter user credentials and connect to Cyberoam.

Document Version: 1.0 – 26/03/2013
1.2. Allow an SSL VPN User Access to an Application Hosted at Remote Side of an IPSec Connection

Applicable Version: 10.00 onwards
 
Overview
 
This article describes how you can allow an SSL VPN user access to an application hosted at the remote side of an IPSec VPN connection.
 

Scenario

Allow any SSL VPN user, connected to the Head Office network, access to the RDP Server hosted in the Branch Office network as shown below. The Head Office and Branch Office are connected via an IPSec VPN tunnel.

Prerequisite

The Head Office and Branch Office should be connected via an IPSec VPN connection.
 

Configuration

In the IPSec configuration, you can allow the SSL VPN user access to the RDP server by adding the Head Office WAN IP to the trusted Local Networks on the Head Office side and to the trusted Remote Networks on the Branch Office side.
 

Head Office Configuration

To configure the Head Office Cyberoam, follow the steps given below.

Step 1: Create Bookmark for RDP Service

Go to VPN > SSL > Bookmark and click Add to add a bookmark using the following parameters.

Parameter Description

Parameter   Value          Description
Name        RDP
Type        RDP            Select type of Bookmark. Available options: HTTP, HTTPS, RDP, Telnet, SSH, FTP
URL         172.16.16.17


Step 2: Create SSL VPN Policy

Create an SSL VPN policy to allow access to the RDP server. Go to VPN > SSL > Policy and click Add to add an SSL VPN policy using the following parameters.

Parameter Description

Parameter                     Value                     Description
Add SSL VPN Policy
Name                          Access_RDP
Access Mode                   Application Access Mode
Application Access Settings
Accessible Resources          RDP                       Select Bookmarks/Bookmarks Group that the remote user can access.


Step 3: Create IP Host Object of Head Office WAN IP

Go to Objects > Hosts > IP Host and click Add to create an IP Host using the following parameters.

Parameter Description

Parameter     Value             Description
Name          192.168.20.182    Name to identify the Host.
Type          IP                Select type of Host. Available options: IP, Network, IP Range, IP List
IP Address    192.168.20.182    Specify the IP address of the Host.


Step 4: Include Host in Trusted Local Subnet in IPSec Connection

Go to VPN > IPSec > Connection and select the Head_to_Branch IPSec connection.

Add the Head Office WAN IP, i.e., 192.168.20.182, to the Trusted Local Subnet of the connection.


Branch Office Configuration

To configure the Branch Office Cyberoam, follow the steps given below.

Step 1: Create IP Host Object of Head Office WAN IP

Go to Objects > Hosts > IP Host and click Add to create an IP Host using the following parameters.

Parameter Description

Parameter     Value             Description
Name          192.168.20.182    Name to identify the Host.
Type          IP                Select type of Host. Available options: IP, Network, IP Range, IP List
IP Address    192.168.20.182    Specify the IP address of the Host.


Step 2: Include Host in Trusted Remote Subnet in IPSec Connection

Go to VPN > IPSec > Connection and select the Branch_to_Head IPSec connection.

Add the Head Office WAN IP, i.e., 192.168.20.182, to the Trusted Remote Subnet of the connection.

Once the above configuration is done on the Head Office and Branch Office sides, the SSL VPN user is able to access the RDP server located at the Branch Office.

Document Version: 1.0 – 28/07/2012
1.3. Configure SSL VPN for Mac OS X using Tunnelblick VPN client

Applicable Version: 10.00 onwards
 
Overview
 
Tunnelblick is an open source graphical user interface for SSL VPN on Mac OS X. It comes as a ready-to-use application with all necessary binaries and drivers and does not require any additional installation. You just need to add the VPN tunnel configuration and encryption information.

Tunnelblick can be used to establish an SSL VPN connection between Mac OS and Cyberoam.

Scenario

Configure SSL VPN for Mac OS X using Tunnelblick VPN client.
 
 
Configuration

You can configure SSL VPN for Mac OS X using the Tunnelblick VPN client by following the steps below. The configuration is done in Cyberoam and Mac OS using the Administrator profile.

Step 1: Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.

Step 2: Download and Install Tunnelblick Client

Download Tunnelblick Client from http://tunnelblick.googlecode.com/files/Tunnelblick_3.2.3.dmg and install it on your Mac workstation.
 

Step 3: Download Cyberoam SSL VPN Client Configuration

To download Cyberoam SSL VPN Client Configuration, follow the steps below.

- Access the Cyberoam SSL VPN Portal using the URL https://<WAN IP address of Cyberoam:port> and log in to the Portal.
- Click Download SSL VPN Client Configuration to download the client configuration and save it on your system.

A compressed file called ClientBundle.tgz is downloaded and saved at the location you specified.


Step 4: Extract ClientBundle.tgz to Tunnelblick’s Configurations folder

Extract ClientBundle.tgz to Tunnelblick’s Configurations folder on your Mac system. The following files are added to the folder as shown below.

- UserPrivateKey.key
- UserCertificate.pem
- RootCertificate.pem
- Client.crssl


Step 5: Configure client.crssl file according to parameters given below

Double-click client.crssl to open it in a text editor. Append the following parameters to it and save it with the extension .ovpn.

Parameter   Value
ca          RootCertificate.pem
cert        UserCertificate.pem
key         UserPrivateKey.key

Note:

For firmware version 10.02.0 Build 224 onwards, append the parameters given above and remove the parameters:

- dhcp-renew
- dhcp-release


Step 6: Establish SSL VPN Connection with Cyberoam

Launch the Tunnelblick client and log in to establish an SSL VPN connection with Cyberoam at the remote site.

The above configuration applies the Cyberoam SSL VPN Client Configuration to the Tunnelblick client on Mac OS X and establishes an SSL VPN connection with Cyberoam at a remote site.

Document Version: 1.0 – 09/05/2012

Disclaimer:

Steps described in this document are for reference purposes only. Cyberoam is not responsible for any malfunction or misbehaviour on the part of the Tunnelblick Client. Kindly contact Tunnelblick support to resolve any such issues.
1.4. Configure SSL VPN in Cyberoam
 
Applicable Version: 10.00 onwards

Overview
 
SSL (Secure Sockets Layer) VPN provides simple-to-use, secure access for remote users to the corporate network from anywhere, at any time. It enables the creation of point-to-point encrypted tunnels between the remote user and the company’s internal network, requiring a combination of SSL certificates and a username/password for authentication.

Cyberoam allows remote users access to the corporate network in 3 modes:

- Tunnel Access Mode: the user gains access through a remote SSL VPN client.
- Web Access Mode: remote users can access SSL VPN using a web browser only, i.e., clientless access.
- Application Access Mode: users can access web applications as well as certain enterprise applications through a web browser, i.e., clientless access.


Scenario

Configure SSL VPN in Cyberoam such that the remote user shown in the diagram below is able to access the Web and Intranet Servers in the company’s internal network. The user is to have Full Access, i.e., Tunnel, Web and Application Access. The network particulars given below are used as an example throughout this article.

Network Parameters

Configuration Parameter                                               Value
Cyberoam WAN IP                                                       203.10.10.100
LAN Network                                                           172.16.16.0/24
Intranet Server IP                                                    172.16.16.1
Web Server IP                                                         172.16.16.2
IP Range leased to user after successful connection through SSL VPN   10.10.10.1 to 10.10.10.254


Configuration

Configure SSL VPN in Cyberoam by following the steps given below. All configurations are to be done from Web Admin Console using ‘Administrator’ profile.

Step 1: Generate Default Certificate Authority

To generate the default Certificate Authority, go to System > Certificate > Certificate Authority and click Default CA.

Update the Default CA as shown below.

Click OK to generate the Default Certificate Authority.

Note:

If the customer is using an external certificate authority, upload it from System > Certificate > Certificate Authority.


Step 2: Create self-signed Certificate

To create a self-signed Certificate, go to System > Certificate > Certificate and click Add. Generate a Self Signed Certificate using the parameters given below.

Parameter Description

Parameter          Value                              Description
Action             Generate Self Signed Certificate   Specify action for certificate generation.
Certificate Name   SSLVPN_SelfSigned                  Name to identify the Certificate.
Valid upto         April 04, 2013                     Specify certificate validity period using the Calendar.
Key length         1024                               Select key length, i.e., number of bits used to construct the key.
Password           cyberoamabc                        Password for the Certificate used for authentication.
Certificate ID     E-mail: cyber@cyberoam.com         Specify Certificate ID.

Click OK to create the certificate.


Step 3: Configure SSL Global Parameters

To set global parameters for tunnel access, go to VPN > SSL > Tunnel Access and configure the tunnel access settings with the following values:

Parameter                  Value                        Description
Protocol                   TCP                          Select default protocol for all the SSL VPN clients.
SSL Server Certificate     SSLVPN_SelfSigned            Select the SSL Server certificate from the dropdown list to be used for authentication.
Per User Certificate       Disabled                     The SSL server uses a certificate to authenticate the remote client. One can use a common certificate for all users or create an individual certificate for each user.
SSL Client Certificate     SSLVPN_SelfSigned            Select the SSL Client certificate from the dropdown list if you want to use a common certificate for authentication.
IP Lease Range             10.10.10.1 to 10.10.10.254   Specify the range of IP addresses reserved for the SSL Clients.
Subnet Mask                255.255.255.0                Specify Subnet mask.
Primary DNS                4.2.2.2                      Specify IP address of Primary DNS.
Secondary DNS              8.8.8.8                      Specify IP address of Secondary DNS.
Enable DPD                 Enabled                      Click to enable Dead Peer Detection.
Check Peer after every     60                           Specify time interval in the range of 60 to 3600 seconds after which the peer should be checked for its status.
Disconnect after           300                          Specify time interval in the range of 300 to 1800 seconds after which the connection should be disconnected if the peer is not live.
Idle Time Out              15                           Specify idle timeout. The connection will be dropped after the configured inactivity time and the user will be forced to re-login.
Data Transfer Threshold    250                          Once the idle timeout is reached, before dropping the connection, the appliance checks the data transfer. If the data transfer is more than the configured threshold, the connection will be dropped.

To set the global Idle Time for Web Access Mode, go to VPN > SSL > Web Access and set Idle Time as shown below.


Step 4: Create Bookmarks

Bookmarks are the resources whose access is available through the SSL VPN Web portal. You can also create a group of bookmarks that can be configured in an SSL VPN Policy. These resources are available in Web and Application Access mode only.

To create a Bookmark, go to VPN > SSL > Bookmark and click Add. Create the Bookmark using the following parameters.

Parameter   Value                    Description
Name        Telnet                   Name to identify the Bookmark.
Type        TELNET                   Specify type of bookmark.
URL         telnet://192.168.1.120   Specify the URL at which telnet sessions are allowed to remote users.

Click OK to create the Bookmark.

Similarly, create a bookmark Intranet of type HTTP to allow access to the internal Intranet server. Intranet is accessible in Web as well as Application Access Mode, while Telnet is accessible in Application Access Mode.


Step 5: Configure SSL VPN Policy

To configure the SSL VPN policy, go to VPN > SSL > Policy and click Add. Create the policy using the parameters given below.

Parameter Description

Parameter                      Value                     Description
Add SSL VPN Policy
Name                           Full_Access               Name to identify the SSL VPN policy.
Access Mode                    Tunnel Access Mode,       Select the access mode by clicking the appropriate option.
                               Web Access Mode,
                               Application Access Mode
Tunnel Access Settings
Tunnel Type                    Split Tunnel              Select tunnel type. The tunnel type determines how the remote user’s traffic will be routed.
Accessible Resources           Sales                     Select Hosts or Networks that the remote user can access.
DPD Settings                   Use Global Settings       You can customize and override the global Dead Peer Detection setting.
Idle Time out                  Use Global Settings       You can use the global settings or customize the idle timeout.
Web Access Settings
Enable Arbitrary URL Access    Enabled                   Enable to access custom URLs not defined as Bookmarks.
Accessible Resources           Intranet                  Select Bookmarks/Bookmarks Group that the remote user can access.
Idle Time out                  Use Global Settings       You can use the global settings or customize the idle timeout.
Application Access Settings
Accessible Resources           Intranet, Telnet          Select Bookmarks/Bookmarks Group that the remote user can access.


Step 6: Apply SSL VPN Policy on User

To apply the SSL VPN policy to a user, follow the steps given below.

Go to Identity > Users > User and select the user to which the policy is to be applied. Here we have applied it to the user John Smith.

Under the Policies section, select Full_Access for SSL VPN as shown below.

Click OK to update the user’s SSL VPN Policy.

Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly.


Step 7: Download and Install SSL VPN Client at Remote End

Remote users can log in to the Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

Note:

Use the default port 8443 unless customized. Access is available only to those users who have been assigned an SSL VPN policy.

The user is directed to the Main Page, which displays the Tunnel, Web or Application Access Mode section according to the policy applied to the user.

For Tunnel Access, the user needs to access internal resources through an SSL VPN Client.

- Download the SSL VPN client by clicking “Download Client” and follow the on-screen instructions.
- Install the client on the remote user’s system.
- On complete installation, the CrSSL Client icon appears in the system tray. Log in to the Client and access the company’s internal network through SSL VPN.

For Web and Application Access, the user can access internal resources using a web browser, i.e., clientless access. In this case, the user needs to browse to https://<WAN IP address of Cyberoam:port> and log in.

Document Version: 2.0 – 13/04/2012
1.5. Configure SSL VPN Client in Linux
 

Applicable to Version: 10.00 onwards

The OpenVPN package is used in Linux to configure the SSL VPN Client.

Configuration

Follow the steps below to configure the SSL VPN Client in Linux.

Step 1: Configure SSL VPN on Cyberoam

Refer to the SSL VPN User Guide for details on how to configure SSL VPN on Cyberoam.

 
Step 2: Download SSL VPN Client Configuration

Log on to the SSL VPN portal with the username and password of an SSL VPN policy member.

Click Download SSL VPN Client Configuration to download and install the SSL VPN client.

Step 3: Linux Configuration


The Ubuntu flavor of Linux has been taken as an example in this article for the Linux configuration.

1. Extract the file using the command "tar"

     # tar zxvf clientbundle.tgz

2. Go to the "CRSSLconfig/pem" folder and open the file client.crssl

3. Comment out the following lines in the configuration file

     #dhcp-renew
     #dhcp-release

   Add the following lines at the end of the configuration file

     status crssl_client_status.log
     ca ./RootCertificate.pem
     cert ./UserCertificate.pem
     key ./UserPrivateKey.key

   Save and exit the configuration file

4. Install OpenVPN using the following command

     # sudo apt-get install openvpn

   Run the following command as "ROOT" within the "CRSSLconfig/pem" folder

     # sudo openvpn --config client.crssl

   Enter the SSL VPN username and password
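The hand edits to the Cyberoam client configuration in section 1.1 step 5 (OpenVPN Connect), section 1.3 step 5 (Tunnelblick) and step 3 above (Linux) are the same kind of line-level change, so here is one added Python helper that applies each variant and checks the result; it is example code written for this page, not a Cyberoam or OpenVPN tool, and SAMPLE_CRSSL is a constructed stand-in for the real client.crssl, whose full contents the article does not show.

```python
# Added example for this page (not Cyberoam/OpenVPN code): the client.crssl edits from
# sections 1.1, 1.3 and 1.5 of this document, with a check of the resulting file.

# Constructed stand-in for the client.crssl in ClientBundle.tgz (the real file has more lines).
SAMPLE_CRSSL = """\
client
proto udp
remote 203.10.10.100 8443
dhcp-renew
dhcp-release
auth-user-pass
"""

# Certificate files extracted from ClientBundle.tgz, keyed by their OpenVPN directive.
CERT_FILES = {"ca": "RootCertificate.pem", "cert": "UserCertificate.pem",
              "key": "UserPrivateKey.key"}

def _set_directive(lines, name, value):
    """Replace the first active 'name ...' line in place, or append one if absent."""
    for i, line in enumerate(lines):
        words = line.split()
        if words and words[0] == name:
            lines[i] = f"{name} {value}"
            return
    lines.append(f"{name} {value}")

def prepare_client_config(text, proto=None, reneg_sec=None, comment_dhcp=False,
                          cert_prefix="", status_log=None):
    """Return the edited configuration text.
    proto         'tcp' or 'udp' to force; None leaves the shipped proto line alone
    reneg_sec     value for reneg-sec (3600 for OpenVPN Connect); None leaves it untouched
    comment_dhcp  comment out dhcp-renew / dhcp-release (Tunnelblick note, Linux step 3)
    cert_prefix   prefix for the ca/cert/key paths ('./' as in the Linux steps)
    status_log    file name for a 'status' directive (Linux step 3); None omits it
    """
    lines = text.splitlines()
    if comment_dhcp:
        lines = ["#" + ln if ln.strip() in ("dhcp-renew", "dhcp-release") else ln
                 for ln in lines]
    if proto is not None:
        if proto not in ("tcp", "udp"):
            raise ValueError("proto must be 'tcp' or 'udp'")
        _set_directive(lines, "proto", proto)
    if reneg_sec is not None:
        _set_directive(lines, "reneg-sec", str(int(reneg_sec)))
    for directive, filename in CERT_FILES.items():
        _set_directive(lines, directive, cert_prefix + filename)
    if status_log:
        _set_directive(lines, "status", status_log)
    return "\n".join(lines) + "\n"

def for_openvpn_connect(text, cyberoam_protocol):
    """Section 1.1 step 5: proto tcp only when Cyberoam uses TCP; reneg-sec 3600 always."""
    proto = "tcp" if cyberoam_protocol.upper() == "TCP" else None
    return prepare_client_config(text, proto=proto, reneg_sec=3600)

def for_tunnelblick(text):
    """Section 1.3 step 5 and its note: add ca/cert/key, drop dhcp-renew and dhcp-release."""
    return prepare_client_config(text, comment_dhcp=True)

def for_linux_openvpn(text):
    """Section 1.5 step 3: comment the dhcp lines, add status and ./-relative cert paths."""
    return prepare_client_config(text, comment_dhcp=True, cert_prefix="./",
                                 status_log="crssl_client_status.log")

def directives(text):
    """Map directive -> value for the active (uncommented) lines; used to verify a result."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, _, value = line.partition(" ")
            found[name] = value.strip()
    return found

def check_config(text):
    """List what the client would still trip over; an empty list means the file is ready."""
    active = directives(text)
    return ([f"missing {n}" for n in CERT_FILES if n not in active]
            + [f"{n} still active" for n in ("dhcp-renew", "dhcp-release") if n in active])
```

Write the returned text to client.ovpn (Tunnelblick, OpenVPN Connect) or back into client.crssl (Linux) in the same folder as the three certificate files, since the ca/cert/key paths are relative.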
Step 4: View Live User


Log on to the Cyberoam Web Admin Console and go to VPN > Live users > SSL VPN.

You can view the user “Cyberoam” logged in.

Document Version: 1.0 – 05/03/2012

Disclaimer:

Steps described in this document are for reference purposes only. Cyberoam is not responsible for any malfunction or misbehaviour on the part of the OpenVPN Client. Kindly contact OpenVPN support to resolve any such issues.
1.6. Access Arbitrary URLs through Cyberoam’s SSL VPN Portal

Applicable to Version: 10.00 onwards

Cyberoam SSL VPN allows users to access internal/external URLs through bookmarks. Most resources are migrating to the cloud and are therefore hosted on arbitrary URLs, because of the shift in technology and the benefits of cloud computing.

For example, a URL such as https://example.com:9090/forms/frmservlet?config=PROD is difficult to publish through a bookmark.

Note:

This is a “dummy URL” and does not correspond to a resource on the Internet.

To allow access to such URLs, Cyberoam provides an option to access “Arbitrary URLs” through Cyberoam’s SSL VPN portal.

Prerequisites
 
• This document is intended for Cyberoam administrators and it is assumed that he/she has knowledge of deploying, administering and configuring Cyberoam.
• It is assumed that Cyberoam has a way to resolve the hostname mentioned in the Arbitrary URL.

Solution

Step 1

Go to VPN > SSL > Policy and edit the existing SSL VPN Policy to configure the Arbitrary URL access option on Cyberoam.

Once Arbitrary URL access is enabled, the user can access any URL, either from the Internet or from the intranet.

Note:

If the user wants to access an intranet URL, make sure that DNS resolution is configured properly on Cyberoam.

Step 2

Log in to the Cyberoam SSL VPN Portal to access the arbitrary URL by pasting it in the address bar.

Note: By default, the Cyberoam SSL VPN Portal is accessible at https://<ip address of Cyberoam>:8443

This would let the remote user access the URL https://example.com:9090/forms/frmservlet?config=PROD

Document Version – 1.0 – 16/08/2011

1.7. Access ActiveX applications through (WebAccess) SSL VPN Bookmark

Applicable to Version: 10

Cyberoam’s Application Access Mode under SSL VPN provides the ability to access applications through Java applets or ActiveX.

Scenario: Consider the need to give an administrator remote desktop access to the Active Directory Server and SSH access to an internal Cyberoam in bridge mode by publishing bookmarks, without the SSL VPN client.

This can be done through publishing of application bookmarks.

Bookmarks are the resources whose access will be available through the End-user Web portal. You can also create a group of bookmarks that can be configured in an SSL VPN Policy.

These resources will be available in Web Access mode only and are to be configured in an SSL VPN Policy.

The entire configuration is to be done from the Web Admin Console. Access the Web Admin Console with a user having the ‘Administrator’ profile.

Remote Desktop (RDP)

Steps

Go to VPN > SSL > Bookmark and click the “Add” button to create a new Bookmark with the parameters mentioned below.

Parameters   Value                Description
Name         RemoteDesktopAD
Type         RDP                  This will invoke the Java applet for connecting RDP through to the published resource when clicked from the SSL VPN Portal.
URL          rdp://172.16.16.2/   Specify the IP address of the application server for which the bookmark is to be created.

Click OK and the Bookmark ‘RemoteDesktopAD’ will be added successfully.


Secure Shell

Step 1: Add Bookmark

Go to VPN > SSL > Bookmark and click the “Add” button to create a new Bookmark with the parameters mentioned below.

Parameters   Value                 Description
Name         SSHtoCyberoamBridge
Type         SSH                   This will invoke the Java applet for connecting SSH through to the published resource when clicked from the SSL VPN Portal.
URL          ssh://172.16.16.16/   Specify the IP address of the application server for which the bookmark is to be created.

Click OK and the Bookmark ‘SSHtoCyberoamBridge’ will be added successfully.


Step 2: Create Policy for SSL VPN

Go to VPN > SSL > Policy and click the “Add” button to add a new SSL VPN Policy with the following parameters.

Parameters                     Value
Name                           SSL
Access Mode                    Web Access – Enabled; Application Access Mode – Enabled
Application Access Settings
Accessible Resources           RemoteDesktopAD, SSHtoCyberoamBridge

Click OK and the SSL VPN Policy ‘SSL’ will be inserted successfully.


Step 3: Apply Policy to User

• Go to Identity > Users > User
• Select the user to apply the SSL VPN policy created in Step 2.
• Under the Policies section, select ‘SSL’ for SSL VPN
• Click the OK button to update

Click OK and the policy will be applied to the user and the user will be updated successfully.

Step 4: Launch SSL VPN Portal

Log in to the Cyberoam SSL VPN Portal; as “Application Bookmarks” have been published, the following screen would be displayed on the SSL VPN Portal.

Note: By default, the Cyberoam SSL VPN Portal is accessible at https://<ip address of Cyberoam>:8443

Step 5: Click Bookmarks

Click any of the bookmarks above and it will initiate the respective applet as below:

Step 6: Execute Applet

Click Yes, accept the certificate warning and execute the applet. The following screen would be displayed:

Remote Desktop (RDP)

For RDP, the screen below will be visible after following all the above steps (Step 2 to Step 6) from the SSH section:

Click Connect, and it will launch the RDP screen without the need to execute the mstsc.exe (Remote Desktop) executable.

Document Version: 2.0-01/09/2011