1. SSL VPN
1.1. Establish SSL VPN Connection with Cyberoam having Private IP on WAN Interface

Applicable Version: 10.00 onwards

Scenario

Configure and establish an SSL VPN connection between an SSL VPN user and a Cyberoam that is placed behind an upstream router, as shown below.

Cyberoam is placed behind an upstream, Internet-facing ISP Router. Cyberoam WAN Interface is configured with a Private IP. The ISP Router acts as the gateway for all incoming and outgoing Internet traffic for the network.

Prerequisite

•   The upstream router must have the SSL VPN port (default port 8443 or any custom port as configured in Cyberoam) open.
•   The upstream router must be configured to perform port forwarding of the required SSL VPN port.

Configuration

To configure SSL VPN, follow the steps given below. 

Step 1: Configure SSL VPN in Cyberoam

Refer to the article How To - Configure SSL VPN in Cyberoam. 

Step 2: Re-configure SSL VPN Client Settings

•   After the SSL VPN Client is installed and running on the user machine, right-click the CrSSL Client icon in the Notification Area at the bottom right corner of your screen and click Server Settings.

•   Set Connect to Server as the Public IP Address of the upstream router (202.88.135.164) and Port as the port configured on Cyberoam (8443).

•   Click OK to save the settings.

Once the above configuration is done, log on to the client by clicking the CrSSL Client icon and providing your user credentials.

Document Version: 1.0 – 20 November, 2014

 
1.2. Error <SSL VPN Client Installation Failure in Windows 8/8.1>

Applicable Version: 10.00 onwards

Error

On installing the SSL VPN client on a Windows 8/8.1 machine, the following error may occur.

Solution

To resolve this error, follow the steps given below. 

1.  Uninstall the existing SSL VPN Client from the machine.

2.  Go to the Device Manager and, under Other Devices, uninstall the “Unknown Device” driver.

Note:

If you do not find the Unknown Device driver under Other Devices, look under Network adapters. Right-click the Unknown Device driver under Network adapters, disable it and then re-enable it. On enabling, the driver shifts to “Other Devices”. Then, follow the step given above.

3.  Reboot the machine to ensure that all files related to the Unknown Device driver are removed.

4.  Re-download and install the latest version of Cyberoam SSL VPN Client from http://www.cyberoam.com/cyberoamclients.html

The Client is installed successfully. You can verify successful installation by going to the Device Manager and checking under Network Adapters that the TAP-Windows Adapter is installed.

Document Version: 1.1 – 3 September, 2014

1.3. Obtain the Passphrase for SSL VPN Authentication

Applicable Version: 10.04.0 Build 433 onwards
 
Overview
 
Cyberoam allows administrators to configure a passphrase in the Self-Signed Certificates used for SSL VPN Authentication. This passphrase is used as a second level of authentication for SSL VPN users. Users can obtain this passphrase during authentication via Three (3) modes: in the Client Bundle, as an On-Screen Link, or by Email.

The Passphrase can be configured in any one of the following ways:

-   While generating a Self-Signed Certificate from System > Certificate > Certificate, check Enable against Key Encryption and specify the Passphrase which is to be used for second level authentication.
-   When you check Enable against Per User Certificate from VPN > SSL > Tunnel Access. This Passphrase is system generated.


Scenario

This article demonstrates how the Administrator can configure the Three (3) Modes of Passphrase Reception and how the user can obtain the passphrase while authenticating, according to the mode configured. The modes are:

-    Client Bundle
-    On-Screen Link
-    Email


Client Bundle
 
Configuration of Mode

Log in to the Cyberoam Web Admin Console using a profile with read-write permission for the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select Client Bundle in the Receive Passphrase via parameter.


Obtaining Passphrase

When the Administrator configures the Passphrase Reception Mode as Client Bundle, the passphrase is received in a text file included in the SSL VPN Client configuration. Follow the steps given below to obtain the passphrase from the Client Bundle.

•   Log in to the SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•   Download the Client Configuration by clicking Download SSL VPN Client Configuration – Windows OR Download SSL VPN Client Configuration – MAC Tunnelblick, depending upon your system.


The downloaded file contains a text file named Passphrase which contains the passphrase.
 
 



On-Screen Link
 
Configuration of Mode

Log in to the Cyberoam Web Admin Console using a profile with read-write permission for the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select On-Screen Link in the Receive Passphrase via parameter.
 


Obtaining Passphrase

When the Administrator configures the Passphrase Reception Mode as On-Screen Link, a link appears on the Portal screen; clicking it shows the user the passphrase. Follow the steps given below to obtain the passphrase via On-Screen Link.

•   Log in to the SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•   Click Show Link against Receive Passphrase to view the passphrase.

Email

Configuration of Mode

Log in to the Cyberoam Web Admin Console using a profile with read-write permission for the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select Email in the Receive Passphrase via parameter.
 


Obtaining Passphrase

When the Administrator configures the Passphrase Reception Mode as Email, a link appears on the Portal screen; clicking it sends the user an Email that contains the passphrase. Follow the steps given below to obtain the passphrase via Email.

•   Log in to the SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•   Click the Send Email Link against Receive Passphrase to receive an Email containing the passphrase.

Note:

-    The Email is sent to the User’s Email Address, as configured in Cyberoam (Identity > Users).
-    Make sure that a Mail Server is configured in Cyberoam. You can configure the Mail Server from System > Configuration > Notification.

Document Version: 1.0 – 18/06/2013

1.4. Configure SSL VPN for Android Devices using OpenVPN Connect


Applicable Cyberoam Version: 10.04.02 Build 527 onwards

Overview  

OpenVPN Connect is the official full-featured Android client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish an SSL VPN connection between any Android Device and Cyberoam.


Scenario
 
Configure SSL VPN for an Android Device using OpenVPN Connect.

Cyberoam Configuration

Configure SSL VPN from Cyberoam Web Admin Console. Configuration requires read-write permission for the relevant features.

Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.

Android Configuration

Configure OpenVPN Connect in your Android Device by following the steps below.

Step 1: Download and Install OpenVPN Connect

Download OpenVPN Connect and install it on your Android Device.

Step 2: Download Cyberoam SSL VPN Client Configuration in Local System

To download the Cyberoam SSL VPN Client Configuration, follow the steps below.

·         Access the Cyberoam SSL VPN Portal using the URL https://<WAN IP address of Cyberoam:port> and log in to the Portal. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?

·         Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration and save it in your system.

A compressed file called ClientBundle.tgz is downloaded and saved at the location you specified.

Note:

The SSL VPN Client Configuration for MAC Tunnelblick is compatible with Macintosh, iOS and Android platforms. 

Step 3: Extract ClientBundle.tgz to your local system

Extract ClientBundle.tgz to your local system. The following files are obtained.

-       UserPrivateKey.key
-       UserCertificate.pem
-       RootCertificate.pem
-       Client.ovpn

Step 4: Configure client.ovpn file

You need to edit the configuration of the client.ovpn file ONLY IF any or both of the following criteria are applicable:

·   Your OpenVPN Connect version is below 1.1.11 Build 44.
·   Your network has Two Factor Authentication configured.

OpenVPN Connect Version below 1.1.11 Build 44

If your OpenVPN Connect version is 1.1.11 Build 44 or above, skip to step 5.

Double-click client.ovpn to open it in a text editor.

·    If the Protocol for the SSL VPN connection is configured as TCP, set the parameter proto to tcp. If the Protocol is configured as UDP, no change is required.
·    Set the parameter reneg-sec to 3600.

Note:

For OpenVPN Connect version 1.1.11 Build 44 and below, it is mandatory to set the value of reneg-sec to 3600, and to set proto according to the protocol being used for the SSL VPN connection. For more information, please refer to the links given below:

-    Sourceforge
-    OpenVPN

Two Factor Authentication Configured

If Two Factor Authentication is not configured in your network, skip to Step 5.

Double-click client.ovpn to open it in a text editor and add the parameter:

ping-restart 65

 

 
 
 
Step 5: Transfer SSL VPN Configuration files to Android Device

Transfer the files mentioned above (UserPrivateKey.key, UserCertificate.pem, RootCertificate.pem, Client.ovpn) from your local system to your Android Device.

Step 6: Import SSL VPN Configuration to OpenVPN Connect in Android Device

·         Launch OpenVPN Connect and click Settings.

·         Click Import to import the client.ovpn file included in the SSL VPN Configuration files.

Step 7: Connect to Cyberoam

Once the files are imported, a new VPN profile is created pertaining to the configuration mentioned in client.ovpn. Enter the Password and click Connect to establish a connection with Cyberoam. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?

The above configuration establishes an SSL VPN connection between Cyberoam and the Android Device using OpenVPN Connect.

Document Version: 1.3 – 13/09/2013

1.5. Configure SSL VPN for iPhone/iPad using OpenVPN Connect

Applicable Version: 10.04.02 Build 527 onwards
 
Overview
 
OpenVPN Connect is the official full-featured iPhone/iPad client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish an SSL VPN connection between an iPhone/iPad and Cyberoam.
 

Scenario

Configure SSL VPN for iPhone using OpenVPN Connect.
 

Configuration

You can configure SSL VPN for iPhone using OpenVPN Connect by following the steps below.  

Step 1: Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.
 

Step 2: Download and Install OpenVPN Connect
 
Download OpenVPN Connect and install it on your iPhone.
 

Step 3: Download Cyberoam SSL VPN Client Configuration

To download the Cyberoam SSL VPN Client Configuration, follow the steps below.

·         Access the Cyberoam SSL VPN Portal using the URL https://<WAN IP address of Cyberoam:port> and log in to the Portal. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?

·         Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration and save it in your system.

A compressed file called ClientBundle.tgz is downloaded and saved at the location you specified.

Note:

The SSL VPN Client Configuration for MAC Tunnelblick is compatible with Macintosh as well as iOS.

Step 4: Extract ClientBundle.tgz to your local system

Extract ClientBundle.tgz to your local system. The following files are obtained.

-       UserPrivateKey.key
-       UserCertificate.pem
-       RootCertificate.pem
-       Client.ovpn 

Step 5: Configure client.ovpn file

You need to edit the configuration of the client.ovpn file ONLY IF any or both of the following criteria are applicable:

·   Your OpenVPN Connect version is below 1.0.1 Build 88.
·   Your network has Two Factor Authentication configured.

OpenVPN Connect Version below 1.0.1 Build 88

If your OpenVPN Connect version is 1.0.1 Build 88 or above, skip to step 6.

Double-click client.ovpn to open it in a text editor.

·    If the Protocol for the SSL VPN connection is configured as TCP, set the parameter proto to tcp. If the Protocol is configured as UDP, no change is required.
·    Set the parameter reneg-sec to 3600.

Note:

For OpenVPN Connect version 1.0.1 Build 88 and below, it is mandatory to set the value of reneg-sec to 3600, and to set proto according to the protocol being used for the SSL VPN connection. For more information, please refer to the links given below:

-        Sourceforge
-        OpenVPN

Two Factor Authentication Configured

If Two Factor Authentication is not configured in your network, skip to Step 6.

Double-click client.ovpn to open it in a text editor and add the parameter:

ping-restart 65
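The client.ovpn edits from Step 4 of the Android article and Step 5 of this one, as an added Python example (not code from Cyberoam or OpenVPN Technologies): it sets proto, reneg-sec and ping-restart on a constructed sample client.ovpn, replacing an existing directive in place rather than duplicating it, and leaves inline <tls-auth>-style blocks untouched. The sample config and the boolean that stands in for the OpenVPN Connect build comparison are assumptions.

```python
"""Apply the client.ovpn edits described for OpenVPN Connect (added example)."""
import re

# Constructed sample standing in for the client.ovpn shipped in ClientBundle.tgz
# (layout assumed; the real file is generated by the appliance).
SAMPLE_OVPN = """client
dev tun
proto udp
remote 203.10.10.100 8443
ca RootCertificate.pem
cert UserCertificate.pem
key UserPrivateKey.key
reneg-sec 0
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
verb 3
"""


def _toplevel_lines(lines):
    """Yield (index, stripped_line) for lines outside inline <tag>...</tag> blocks."""
    in_block = False
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("</"):
            in_block = False
            continue
        if s.startswith("<"):
            in_block = True
            continue
        if not in_block:
            yield i, s


def get_option(text, name):
    """Return the value of the first top-level occurrence of an option, or None."""
    for _, s in _toplevel_lines(text.splitlines()):
        parts = s.split(None, 1)
        if parts and parts[0] == name:
            return parts[1] if len(parts) > 1 else ""
    return None


def set_option(lines, name, value):
    """Replace the first top-level `name ...` directive in place, or append it."""
    out = list(lines)
    for i, s in _toplevel_lines(out):
        if s.split(None, 1)[:1] == [name]:
            out[i] = f"{name} {value}"
            return out
    out.append(f"{name} {value}")
    return out


def configure_client_ovpn(text, server_protocol, old_openvpn_connect, two_factor):
    """server_protocol is the Protocol under VPN > SSL > Tunnel Access ('TCP' or 'UDP').
    old_openvpn_connect stands in for 'build older than the one named in the article'
    (an assumption: the build comparison itself is not modelled here).
    two_factor is True when Two Factor Authentication is configured."""
    lines = text.splitlines()
    if old_openvpn_connect:
        if server_protocol.upper() == "TCP":
            lines = set_option(lines, "proto", "tcp")
        lines = set_option(lines, "reneg-sec", "3600")
    if two_factor:
        lines = set_option(lines, "ping-restart", "65")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(configure_client_ovpn(SAMPLE_OVPN, "TCP", True, True))
```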

 

 

Step 6: Import all files to OpenVPN Connect

Import the files mentioned above into OpenVPN Connect using iTunes. Once the files are imported, a new VPN profile gets created pertaining to configuration mentioned in client.ovpn.
 

Step 7: Connect to Cyberoam

·         Select the newly created profile to connect to Cyberoam.

·         Enter your user credentials and connect to Cyberoam. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?

Document Version: 1.2 – 12/09/2013

1.6. Allow an SSL VPN User Access to an Application Hosted at Remote Side of an IPSec Connection

Applicable Version: 10.00 onwards

Scenario

Allow any SSL VPN user connected to the Head Office Network access to the RDP Server hosted in the Branch Office network, as shown below. The Head Office and Branch Office are connected via an IPSec VPN tunnel.

Prerequisite

The Head Office and Branch Office should be connected via an IPSec VPN connection. For details on how to configure an IPSec VPN tunnel, refer to the following articles:

Configuration

In the IPSec Configuration, you can allow the SSL VPN user access to the RDP server by adding the Head Office WAN IP to the trusted Local Networks on the Head Office side and to the trusted Remote Networks on the Branch Office side.

Head Office Configuration

To configure the Head Office Cyberoam, follow the steps given below.

Step 1: Create Bookmark for RDP Service

Go to VPN > SSL > Bookmark and click Add to add a bookmark using the following parameters.

Parameter         | Value        | Description
Name              | RDP          | Name to identify the Bookmark.
Type              | RDP          | Select type of Bookmark. Available options: HTTP, HTTPS, RDP, Telnet, SSH, FTP
URL               | 172.16.16.17 |
Screen Resolution | 1024 × 768   | Select from the available options.
Port              | 3389         | Specify the port number on which the RDP service is running. Default - 3389

Step 2: Create SSL VPN Policy

Create an SSL VPN policy to allow access to the RDP server. Go to VPN > SSL > Policy and click Add to add an SSL VPN policy using the following parameters.

Parameter                   | Value                   | Description
Add SSL VPN Policy          |                         |
Name                        | Access_RDP              | Name to identify the SSL VPN policy
Access Mode                 | Application Access Mode | Select the access mode by clicking the appropriate option.
Application Access Settings |                         |
Accessible Resources        | RDP                     | Select Bookmarks/Bookmarks Group that remote user can access.

Step 3: Include Head Office WAN IP in Trusted Local Subnet in IPSec Connection

Go to VPN > IPSec > Connection and select the Head_to_Branch IPSec connection. Add the Head Office WAN IP, i.e., 192.168.20.182, in Trusted Local Subnet, as shown below.

Click OK to save changes.

Branch Office Configuration

To configure the Branch Office Cyberoam, follow the steps given below.

Step 1: Include Head Office WAN IP in Trusted Remote Subnet in IPSec Connection

Go to VPN > IPSec > Connection and select the Branch_to_Head IPSec connection. Add the Head Office WAN IP, i.e., 192.168.20.182, in Trusted Remote Subnet, as shown below.

Once the above configuration is done on the Head Office and the Branch Office side, the SSL VPN user is able to access the RDP server located at the Branch Office.

Document Version: 2.0 – 24 February, 2015

1.7. Configure SSL VPN for Macintosh OS X using Tunnelblick VPN client

Applicable Version: 10.00 onwards

Overview

Tunnelblick is an open source graphical user interface for SSL VPN on Macintosh (Mac) OS X. It comes as a ready-to-use application with all necessary binaries and drivers. It does not require any additional installation. You just need to add the VPN tunnel configuration and encryption information.

The Tunnelblick Client can be used to establish an SSL VPN connection between Mac OS and Cyberoam.

Scenario

Configure SSL VPN for Mac OS X using Tunnelblick VPN client. 

Configuration

You can configure SSL VPN for Mac OS X using the Tunnelblick VPN client by following the steps below. Configuration is to be done in Cyberoam and Mac OS using a profile with read-write administrative rights for the relevant features.

Step 1: Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.

Step 2: Download and Install Tunnelblick Client

Download Tunnelblick Client from http://code.google.com/p/tunnelblick/ and install it on your Mac workstation.  

Step 3: Download Cyberoam SSL VPN Client Configuration

To download the Cyberoam SSL VPN Client Configuration, follow the steps below.

•    Access the Cyberoam SSL VPN Portal using the URL https://<WAN IP address of Cyberoam:port> and log in to the Portal.

•    Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration specific to Mac OS and save it in your system.

A compressed file called clientbundle.tar is downloaded and saved in your system.

Step 4: Extract clientbundle.tar

Double-click clientbundle.tar to extract it.

A folder named ‘clientbundle’ is extracted, which contains Two (2) files: CRSSLconfig.tblk and Passphrase.txt.

CRSSLconfig.tblk: This is a Tunnelblick configuration file containing information about the VPN configuration with Cyberoam and the CA Certificate.

Passphrase.txt: This file contains the passphrase to be used by the user during SSL VPN Authentication.

Note:

Passphrase.txt is present in the clientbundle ONLY IF configured in Cyberoam. For more details, refer to the article How To - Obtain the Passphrase for SSL VPN Authentication.

Step 5: Install Configuration in Tunnelblick

Double-click CRSSLconfig.tblk to install the Cyberoam SSL configuration in Tunnelblick. The following screen appears.

If you want to install the configuration for all users of the system, click All Users. Else, click Only Me. The VPN configuration for Cyberoam gets installed in Tunnelblick.


Step 6: Establish SSL VPN Connection with Cyberoam

•    Launch the Tunnelblick Client from Finder > Applications > Tunnelblick.app. Click the Tunnelblick icon that appears on the top left corner of the screen and click Connect CRSSLconfig.

•    Log in to establish an SSL VPN connection with Cyberoam at the remote site.

The above configuration applies the Cyberoam SSL VPN Client Configuration to the Tunnelblick client in Mac OS X and establishes an SSL VPN connection with Cyberoam at a remote site.

Document Version: 2.0 – 25 February, 2014

1.8. Configure SSL VPN in Cyberoam
 
Applicable Version: 10.00 onwards

Overview
 
SSL (Secure Socket Layer) VPN provides simple-to-use, secure access for remote users to the corporate network from anywhere, anytime. It enables the creation of point-to-point encrypted tunnels between the remote user and the company’s internal network, requiring a combination of SSL certificates and a username/password for authentication.

Cyberoam allows remote users access to the corporate network in 3 Modes:

-       Tunnel Access Mode: User gains access through a remote SSL VPN Client.

-       Web Access Mode: Remote users can access SSL VPN using a web browser only, i.e., clientless access.

-       Application Access Mode: Users can access web applications as well as certain enterprise applications through a web browser, i.e., clientless access.
 

Scenario

Configure SSL VPN in Cyberoam such that the remote user shown in the diagram below is able to access the Web and Intranet Servers in the company’s internal network. The user is to have Full Access, i.e., Tunnel, Web and Application Access. The network particulars given below are used as an example throughout this article.
 
 
 
 

Network Parameters

Configuration Parameter                                             | Value
Cyberoam WAN IP                                                     | 203.10.10.100
LAN Network                                                         | 172.16.16.0/24
Intranet Server IP                                                  | 172.16.16.1
Web Server IP                                                       | 172.16.16.2
IP Range Leased to user after successful connection through SSL VPN | 10.10.10.1 to 10.10.10.254



Configuration

Configure SSL VPN in Cyberoam by following the steps given below. You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Generate Default Certificate Authority

To generate the default Certificate Authority, go to System > Certificate > Certificate Authority and click Default CA.

Update the Default CA as shown below. 
 
 

Click OK to generate Default Certificate Authority. 

Note:

If you are using an external certificate authority, you can upload the same by following steps mentioned in the article Add an External Certificate Authority (CA) in Cyberoam.

Step 2: Create self-signed Certificate

To create a self-signed Certificate, go to System > Certificate > Certificate and click Add. Generate a Self Signed Certificate as shown below. 

 

Click OK to create the certificate.

Step 3: Configure SSL Global Parameters

To set global parameters for tunnel access, go to VPN > SSL > Tunnel Access and configure the tunnel access settings with the following values:

Parameter               | Value                     | Description
Protocol                | TCP                       | Select default protocol for all the SSL VPN clients.
SSL Server Certificate  | SSLVPN_SelfSigned         | Select SSL Server certificate from the dropdown list to be used for authentication.
Per User Certificate    | Disabled                  | SSL server uses certificate to authenticate the remote client. One can use the common certificate for all the users or create individual certificate for each user.
SSL Client Certificate  | SSLVPN_SelfSigned         | Select the SSL Client certificate from the dropdown list if you want to use common certificate for authentication.
IP Lease Range          | 10.10.10.1 to 10.10.10.45 | Specify the range of IP addresses reserved for the SSL Clients.
Subnet Mask             | 255.255.255.0             | Specify Subnet mask.
Primary DNS             | 4.2.2.2                   | Specify IP address of Primary DNS.
Secondary DNS           | 8.8.8.8                   | Specify IP address of Secondary DNS.
Enable DPD              | Enabled                   | Click to enable Dead Peer Detection.
Check Peer after every  | 60                        | Specify time interval in the range of 60 to 3600 seconds after which the peer should be checked for its status.
Disconnect after        | 300                       | Specify time interval in the range of 300 to 1800 seconds after which the connection should be disconnected if peer is not live.
Idle Time Out           | 15                        | Specify idle timeout. Connection will be dropped after the configured inactivity time and user will be forced to re-login.
Data Transfer Threshold | 250                       | Once the idle timeout is reached, before dropping the connection, appliance will check the data transfer. If data transfer is more than the configured threshold, connection will be dropped.
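To check the tunnel access values above before applying them, here is an added Python validator (not Cyberoam code). The DPD limits (60 to 3600 and 300 to 1800 seconds) are the ones the table states; the checks that the lease range fits in one subnet of the configured mask and does not overlap the LAN network from the Network Parameters table are added sanity checks, assumed rather than stated by the article.

```python
"""Sanity checks for the VPN > SSL > Tunnel Access values (added example)."""
import ipaddress

# Values from the Tunnel Access table; LAN_NETWORK comes from the Network Parameters table.
TUNNEL_SETTINGS = {
    "protocol": "TCP",
    "lease_start": "10.10.10.1",
    "lease_end": "10.10.10.45",
    "subnet_mask": "255.255.255.0",
    "primary_dns": "4.2.2.2",
    "secondary_dns": "8.8.8.8",
    "dpd_enabled": True,
    "check_peer_every": 60,      # seconds, table range 60-3600
    "disconnect_after": 300,     # seconds, table range 300-1800
    "idle_timeout": 15,
    "data_transfer_threshold": 250,
}
LAN_NETWORK = "172.16.16.0/24"


def lease_pool(s):
    """Subnet of the configured mask that contains the lease range start."""
    return ipaddress.IPv4Network(f"{s['lease_start']}/{s['subnet_mask']}", strict=False)


def lease_pool_size(s):
    """Number of client addresses the lease range provides."""
    start = ipaddress.IPv4Address(s["lease_start"])
    end = ipaddress.IPv4Address(s["lease_end"])
    return int(end) - int(start) + 1


def validate_tunnel_settings(s, lan_network=LAN_NETWORK):
    """Return a list of problems; an empty list means the values are consistent.
    DPD limits are the ones the table states. The subnet-fit and LAN-overlap
    checks are added sanity checks (assumptions), not limits the article gives."""
    problems = []
    if s["protocol"].upper() not in ("TCP", "UDP"):
        problems.append(f"Protocol must be TCP or UDP, got {s['protocol']!r}")
    try:
        start = ipaddress.IPv4Address(s["lease_start"])
        end = ipaddress.IPv4Address(s["lease_end"])
        pool = lease_pool(s)
        for name in ("primary_dns", "secondary_dns"):
            ipaddress.IPv4Address(s[name])  # raises ValueError on a malformed address
    except ValueError as exc:
        return [f"malformed address: {exc}"]
    if end < start:
        problems.append("IP Lease Range end precedes its start")
    elif end not in pool:
        problems.append(f"IP Lease Range {start}-{end} does not fit in {pool}")
    lan = ipaddress.IPv4Network(lan_network)
    if pool.overlaps(lan):
        # Leased addresses colliding with LAN hosts would break routing for tunnel users.
        problems.append(f"lease subnet {pool} overlaps LAN {lan}")
    if s["dpd_enabled"]:
        if not 60 <= s["check_peer_every"] <= 3600:
            problems.append("Check Peer after every must be 60-3600 seconds")
        if not 300 <= s["disconnect_after"] <= 1800:
            problems.append("Disconnect after must be 300-1800 seconds")
    if s["idle_timeout"] <= 0:
        problems.append("Idle Time Out must be positive")
    return problems


if __name__ == "__main__":
    print(lease_pool_size(TUNNEL_SETTINGS), "addresses;",
          validate_tunnel_settings(TUNNEL_SETTINGS) or "OK")
```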

 
 
 
To set global Idle Time for Web Access Mode, go to VPN > SSL > Web Access and set Idle Time as shown below. 
 
 

Step 4: Create Bookmarks (Applicable for Web and Application Access Mode Only)

Bookmarks are the resources whose access is available through SSL VPN Web portal. You can also create a group of bookmarks that can be configured in SSL VPN Policy. These resources are available in Web and Application Access mode only.

To create a Bookmark, go to VPN > SSL > Bookmark and click Add. Create the Bookmark using the following parameters.

Parameter | Value         | Description
Name      | Telnet        | Name to identify Bookmark.
Type      | TELNET        | Specify type of bookmark.
URL       | 192.168.1.120 | Specify URL at which telnet sessions are allowed to remote users.

Click OK to create Bookmark.

Similarly, create a bookmark Intranet of type HTTP to allow access to the internal Intranet server.

Note:

Intranet is accessible in Web as well as Application Access Mode, while Telnet is accessible in Application Access Mode.

Step 5: Configure SSL VPN Policy

To configure the SSL VPN policy, go to VPN > SSL > Policy and click Add. Create the policy using the parameters given below.

Parameter                   | Value                                                        | Description
Add SSL VPN Policy          |                                                              |
Name                        | Full_Access                                                  | Name to identify the SSL VPN policy
Access Mode                 | Tunnel Access Mode, Web Access Mode, Application Access Mode | Select the access mode by clicking the appropriate option.
Tunnel Access Settings      |                                                              |
Tunnel Type                 | Split Tunnel                                                 | Select tunnel type. Tunnel type determines how the remote user’s traffic will be routed.
Accessible Resources        | <As required>                                                | Select Hosts or Networks that remote user can access.
DPD Settings                | Use Global Settings                                          | You can customize and override the global Dead Peer Detection setting.
Idle Time out               | Use Global Settings                                          | You can use the global settings or customize the idle timeout.
Web Access Settings         |                                                              |
Enable Arbitrary URL Access | Enabled                                                      | Enable to access custom URLs not defined as Bookmarks.
Accessible Resources        | Intranet                                                     | Select Bookmarks/Bookmarks Group that remote user can access.
Idle Time out               | Use Global Settings                                          | You can use the global settings or customize the idle timeout.
Application Access Settings |                                                              |
Accessible Resources        | Intranet, Telnet                                             | Select Bookmarks/Bookmarks Group that remote user can access.

Step 6: Apply SSL VPN Policy on User

To apply SSL VPN policy on user, follow the steps given below.

Go to Identity > Users > User and select the user to which policy is to be applied. Here we have applied it on user John Smith. Under Policies section, select Full_Access for SSL VPN as shown below. 
 
 
 
Click OK to update the user’s SSL VPN Policy.

Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly.
 

Step 7: Download and Install SSL VPN Client at Remote End

Remote users can log in to the Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

Note:

Use the default port 8443 unless customized. Access is available only to those users who have been assigned an SSL VPN policy.

The user is directed to the Main Page, which displays the Tunnel, Web or Application Access Mode section according to the policy applied to the user.

For Tunnel Access, the user needs to access internal resources through an SSL VPN Client.

-   Download the SSL VPN client from the Cyberoam website by clicking “Installer”.
-   Download the client configuration from the Portal.
-   Install the client on the remote user’s system. On complete installation, the CrSSL Client icon appears in the system tray.
-   Right-click the Client icon and click Import. Import the SSL VPN configuration downloaded from the Portal.
-   Log in to the Client and access the company’s internal network through SSL VPN.

For Web and Application Access, the user can access internal resources using a web browser, i.e., clientless access. In this case, the user needs to browse to https://<WAN IP address of Cyberoam:port> and log in.

Document Version: 3.1 – 24 June, 2015

1.9. Configure SSL VPN Client in Ubuntu

Applicable Version: 10.04.0 Build 214 onwards
 
Applicable Ubuntu Version: 14.04 onwards

Scenario

Configure the SSL VPN Client (OpenVPN) on Ubuntu 14.04.
 

Prerequisite

OpenVPN should be installed. 

You can install OpenVPN by executing the following command:

# sudo apt-get install openvpn
 

Configuration

Follow the below mentioned steps to configure SSL VPN Client in Ubuntu.

Step 1: Configure SSL VPN on Cyberoam

Refer to the article How To - Configure SSL VPN in Cyberoam for details.

Step 2: Download and Install SSL VPN Client at User's End

•   Log in to the Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port>.

    Note:

    Use the default port 8443 unless customized. Access is available only to those users who have been assigned an SSL VPN policy.

•   The user is directed to the Main Page. Click Download SSL VPN Client Configuration - MAC Tunnelblick to download the Client configuration for OpenVPN.

    A compressed file named clientbundle.tgz is downloaded.

•   Go to the download directory and extract clientbundle.tgz using the following command.

    # tar -xvf clientbundle.tgz

•   A file named Passphrase.txt and a folder named CRSSLconfig.tblk are extracted. The folder contains the following files:

    -      client.ovpn
    -      UserPrivateKey.key
    -      UserCertificate.pem
    -      RootCertificate.pem

Step 3: Connect to Cyberoam

Go to the CRSSLconfig.tblk directory and execute the following command as the ROOT user.

# openvpn --config client.ovpn

The Username and Password prompt appears. Enter the password to connect.
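Steps 2 and 3 above as an added Python script (not Cyberoam's client or tooling): it unpacks a constructed stand-in for clientbundle.tgz, refuses tar members that would escape the extraction directory, verifies that the four files named above are present, tightens the private key's permissions to owner-only, and reports whether Passphrase.txt is present (it is shipped only when the passphrase is configured, per the article on obtaining the passphrase). Invoking openvpn with --cd instead of changing directory first is an equivalent form assumed here; the bundle contents are placeholders.

```python
"""Unpack clientbundle.tgz safely and prepare the openvpn command line (added example)."""
import io
import os
import stat
import tarfile
import tempfile

# Files the article says CRSSLconfig.tblk contains.
EXPECTED = {"client.ovpn", "UserPrivateKey.key", "UserCertificate.pem", "RootCertificate.pem"}


def build_sample_bundle(traversal=False):
    """Constructed stand-in for the portal download; contents are placeholders."""
    members = {
        "Passphrase.txt": b"PLACEHOLDER-PASSPHRASE\n",
        "CRSSLconfig.tblk/client.ovpn": (b"client\ndev tun\nproto tcp\nremote 203.10.10.100 8443\n"
                                         b"ca RootCertificate.pem\ncert UserCertificate.pem\n"
                                         b"key UserPrivateKey.key\n"),
        "CRSSLconfig.tblk/UserPrivateKey.key": b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "CRSSLconfig.tblk/UserCertificate.pem": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        "CRSSLconfig.tblk/RootCertificate.pem": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    }
    if traversal:  # a hostile archive that tries to write outside the target directory
        members["../evil.ovpn"] = b"remote attacker.invalid 443\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def safe_members(tar):
    """Yield only regular files whose paths stay inside the extraction directory."""
    for m in tar.getmembers():
        if not m.isfile():
            continue
        if m.name.startswith("/") or ".." in m.name.split("/"):
            raise ValueError(f"refusing unsafe member path: {m.name}")
        yield m


def extract_bundle(bundle_bytes, dest):
    """Extract into dest, verify the expected files, restrict the key's mode, return the config dir."""
    with tarfile.open(fileobj=io.BytesIO(bundle_bytes), mode="r:gz") as tar:
        members = list(safe_members(tar))  # validate every path before writing anything
        for m in members:
            target = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
    config_dir = os.path.join(dest, "CRSSLconfig.tblk")
    present = set(os.listdir(config_dir)) if os.path.isdir(config_dir) else set()
    missing = EXPECTED - present
    if missing:
        raise FileNotFoundError(f"bundle is missing {sorted(missing)}")
    # The user key authenticates the tunnel; keep it readable by the owner only.
    os.chmod(os.path.join(config_dir, "UserPrivateKey.key"), stat.S_IRUSR | stat.S_IWUSR)
    return config_dir


def has_passphrase(dest):
    """Passphrase.txt is present only when a passphrase is configured on the appliance."""
    return os.path.isfile(os.path.join(dest, "Passphrase.txt"))


def openvpn_command(config_dir):
    """argv for Step 3; --cd makes the relative ca/cert/key paths in client.ovpn resolve."""
    return ["openvpn", "--cd", config_dir, "--config", "client.ovpn"]


def demo():
    """Run the whole flow on the constructed bundle inside a temporary directory."""
    with tempfile.TemporaryDirectory() as dest:
        config_dir = extract_bundle(build_sample_bundle(), dest)
        key_mode = stat.S_IMODE(os.stat(os.path.join(config_dir, "UserPrivateKey.key")).st_mode)
        return {
            "files": sorted(os.listdir(config_dir)),
            "passphrase_present": has_passphrase(dest),
            "key_mode": key_mode,
            "command": openvpn_command(config_dir)[-2:],
        }


def demo_rejects_traversal():
    """A bundle carrying a ../ member must be refused before anything is written."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            extract_bundle(build_sample_bundle(traversal=True), dest)
        except ValueError:
            return os.listdir(dest) == []
    return False


if __name__ == "__main__":
    print(demo(), demo_rejects_traversal())
```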

 

 

 

 

 

 

 

 

                                                                                                                                        Document Version: 2.0 – 25 February, 2015

1.10. Allow Access to Custom URLs through SSL VPN Portal

Applicable Version: 10.00 onwards

Overview

Cyberoam SSL VPN allows users to access Internal/External URLs using bookmarks. However, you cannot provide access to certain custom URLs using bookmarks, for example, URLs of internal resources hosted on the cloud.

This article describes how you can provide access to such custom or arbitrary URLs from the SSL VPN Portal. 

Scenario

Enable access to Arbitrary URLs from the SSL VPN Portal so that SSL users can access the URL https://example.com:9090/forms/frmservlet?config=PROD.
 

Prerequisite

The network has appropriate DNS configuration to resolve the URL given above.
 

Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s). 

Step 1: Enable Access to Arbitrary URL

Go to VPN > SSL > Policy and select the applied SSL VPN Policy. Select Enable Arbitrary URL Access and click Apply to save the settings. The setting is per policy, so enable it only on the policy assigned to the users who need it.
 


Step 2: Access the custom URL
    

Log in to the Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam>:<port>.

Note:

Use the default port 8443 unless it has been customized. Access is available only to those users who have been assigned an SSL VPN policy.

Under Web Access Mode, the Enter URL field is displayed, from which the user can open custom URLs.

The above configuration allows user access to https://example.com:9090/forms/frmservlet?config=PROD.

Document Version: 2.0 – 26 February, 2015
1.11. Provide Access to ActiveX Applications through SSL VPN Portal

Applicable Version: 10.00 onwards

Overview

This article describes how an administrator can provide SSL VPN users access to ActiveX applications such as RDP and SSH.

Scenario

An SSL VPN user needs Remote Desktop (RDP) access to the Active Directory (AD) Server 172.16.16.5 in the LAN. The same user also needs SSH access to a Cyberoam deployed in Bridge Mode at 172.16.16.10 at an internal network point.

This is done by publishing bookmarks for the applications to the user.

Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Create Bookmark for RDP

Go to VPN > SSL > Bookmark and click Add to create a new Bookmark as per parameters given below. 

Parameter           Value          Description
---------           -----          -----------
Name                RDPtoADS       Name to identify the Bookmark.
Type                RDP            Select the type of Bookmark. Available options: HTTP, HTTPS, RDP, Telnet, SSH, FTP.
URL                 172.16.16.5    Specify the URL of the website/host for which the bookmark is to be created.
Screen Resolution   1024 × 768     Select from the available options.
Port                3389           Specify the port number on which the RDP service is running. Default - 3389.


Click OK to save the bookmark. 

Step 2: Create Bookmark for SSH

Go to VPN > SSL > Bookmark and click Add to create a new Bookmark as per parameters given below. 

Parameter           Value          Description
---------           -----          -----------
Name                SSHtoCR        Name to identify the Bookmark.
Type                SSH            Select the type of Bookmark. Available options: HTTP, HTTPS, RDP, Telnet, SSH, FTP.
URL                 172.16.16.10   Specify the URL of the website/host for which the bookmark is to be created (the Bridge Mode Cyberoam from the scenario).


Click OK to save the bookmark. 

Step 3: Create SSL VPN Policy

Go to VPN > SSL > Policy and click Add to create a policy. 

In the policy, select Access Mode as Application Mode. Under Application Access Settings, select the bookmarks created in Steps 1 and 2.
 


Step 4: Assign VPN Policy to User

Go to Identity > Users > Users and select the user to whom the policy is to be applied. Apply the policy as shown below.
 
 

Click OK to save user settings. 

The above configuration allows user John Smith to access the Active Directory Server over RDP and the internal Cyberoam over SSH through the SSL VPN connection.

Document Version: 2.0 – 26 February, 2015

1.12. Configure access to SSL VPN User Portal using a Custom Port

Applicable Version: 10.00 onwards

Overview

The default port through which the SSL VPN User Portal can be accessed is port 8443. Hence, to access the SSL VPN User Portal using the default port, users browse to https://<Cyberoam WAN IP Address>:8443.

However, Cyberoam provides the flexibility of changing the default SSL VPN Portal port to a custom port when the portal is reached from a non-trusted public interface such as the WAN. A non-default port reduces the portal's exposure to untargeted scans of the default port, but it does not by itself protect the portal; access is still governed by the SSL VPN policy assigned to each user.

Note

   SSL VPN Port configuration is not available for Cyberoam Model CR15i because the SSL VPN feature is not available on the CR15i.

   Make sure that the custom port you configure is not already used by another service on the appliance. Avoid using ports below 1024, because those are often reserved by the operating system for other uses.


Scenario

Change the default SSL VPN port to 8446.


Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for the relevant feature(s).

Step 1: Take a Backup of the Appliance Configuration

It is recommended to take a backup of the Appliance configuration first. Refer to the article How To – Backup and Restore Cyberoam Configuration for details.

Step 2: Change the Default Port

Go to System > Administration > Settings. Under Web Admin Settings, set the SSL VPN Port to 8446, as shown below.


Click Apply to save the settings.

On clicking Apply, the Web Service is reinitialized, due to which access to the Appliance is temporarily lost. You need to log in to Cyberoam again.

In the above example:

SSL VPN users can access the SSL VPN Portal at https://172.16.16.2:8446.

Note:

If access to the Web Admin Console and Telnet Console is lost, refer to the Article to resolve the issue.
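The following shell script is an added example and is not part of the Cyberoam article. It applies the checks from the Note above to a candidate port before it is entered under Web Admin Settings (numeric, not below 1024, not above 65535, and not already used by another service), builds the portal URL users will browse to, and offers a helper that confirms a TLS server answers on the new port once Apply has been clicked. The list of ports assumed to be in use by other services is an assumption made for this example; take the real values from your own appliance's settings page.

```shell
#!/bin/sh
# Added example, not part of the Cyberoam article: apply the Note's checks to a
# candidate SSL VPN portal port before entering it in Web Admin Settings, and
# confirm the portal answers on the new port after Apply.
set -eu

# Ports assumed, for this example only, to be used by other services on the
# appliance (HTTP/HTTPS Web Admin, SSH, Telnet). Take the real values from your
# own System > Administration > Settings page.
IN_USE_PORTS="80 443 22 23"

# validate_sslvpn_port <port>
# Succeeds when the port is numeric, between 1024 and 65535, and not in IN_USE_PORTS.
validate_sslvpn_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "port must be a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ]; then
        echo "port $port is below 1024; that range is reserved by the OS" >&2; return 1
    fi
    if [ "$port" -gt 65535 ]; then
        echo "port $port is not a valid TCP port" >&2; return 1
    fi
    for used in $IN_USE_PORTS; do
        if [ "$port" -eq "$used" ]; then
            echo "port $port is already used by another service" >&2; return 1
        fi
    done
    return 0
}

# portal_url <wan-ip> <port>: the address users browse to after the change.
portal_url() {
    printf 'https://%s:%s\n' "$1" "$2"
}

# portal_answers <wan-ip> <port>
# After Apply, confirms a TLS server answers on the new port (needs network access,
# so it is not exercised offline).
portal_answers() {
    openssl s_client -connect "$1:$2" </dev/null >/dev/null 2>&1
}

# Usage:
#   validate_sslvpn_port 8446 && portal_url 172.16.16.2 8446
#   portal_answers 172.16.16.2 8446 && echo "portal is up on 8446"
```

Run `validate_sslvpn_port` before the change and `portal_answers` after it; if the second check fails but the Web Admin Console is reachable, the port was saved but something upstream (a router port-forward, as in section 1.1, or a firewall rule) still points at the old port.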

Document Version: 2.0 – 4 February, 2015

 

1.13. How to check SSL VPN Logs from CLI?

Applicable Version: 10.00 onwards

Follow the steps mentioned below to check SSL VPN logs from the CLI:

1.    Log on to the CLI Console via Telnet or SSH. You can also access the CLI Console by clicking the Console button on the upper right corner of the Web Admin Console screen.

       Note:

       From firmware version 10.6.1 onwards, the Console button is visible to the Super Administrator ONLY.

2.    Choose option 4. Cyberoam Console.

3.    Execute the command:

      console> show sslvpn log <tunnel-access/web-access/application-access>

      The argument selects which log is shown: tunnel-access for client tunnel connections, web-access for the portal's Web Access Mode, and application-access for Application Mode bookmarks.

Document Version: 1.1 – 3 February, 2015

 

1.14. Why am I NOT able to access internal network resources even after successful SSL VPN connection between Cyberoam and Windows 7/Vista?

Applicable Cyberoam Version: 10.00 onwards

Applicable SSL VPN Client Version: 1.0 onwards

By default, User Account Control (UAC) in Windows 7 or Vista is enabled, which helps prevent unauthorized changes to the user's machine. This hampers the working of the SSL VPN Client on machines where the user does not have administrative rights: UAC prevents the SSL VPN Client from adding routes to the remote network in the user machine's routing table.

View Error

In this case, after the SSL VPN connection is established, the error "route addition failed: Access Denied" is displayed. To view the logs, right-click the SSL VPN icon in the System Tray and click Show Status.


Solution

To resolve this, follow the steps given below:

1.  Right-click the SSL VPN Client shortcut on the desktop and click Properties.

2.  Switch to the Compatibility tab, select Run this program as an administrator and apply the settings.


3.  Go to Start > Run and run msconfig. The System Configuration window opens. Uncheck crssl-client in the Startup Item list, so that the client is no longer launched automatically (and without elevation) at logon.


This ensures that from the next time onwards, when you start the CR SSL VPN Client, it launches with administrative rights and you get the following prompt.


On clicking Yes, the SSL VPN Client is allowed to add routes on the local machine and you will have no issues accessing remote network resources once the SSL VPN connection is established. To confirm, run route print in a Command Prompt after connecting and check that the remote network's routes are listed.

Document Version: 1.1 – 6 February, 2015
1.15. Can I use Cyberoam as an SSL VPN Gateway when it is deployed in Bridge Mode?

Applicable Version: 10.02.00 Build 224 onwards
 
Yes. From Cyberoam firmware version 10.02.00 Build 224 onwards, you can configure Cyberoam as an SSL VPN Gateway by using Bridge Pair Configuration.