Configuring ssl vpn in cos core – Amer Networks E5Web GUI User Manual

iv. Client users need to be defined in the Authentication Source of the authentication rule.
This source can be a local user database, a RADIUS server or an LDAP server.

v. Define appropriate cOS Core IP rules to allow data flow within the SSL VPN tunnel. As
discussed below, IP rules do not normally need to be defined for the setup of the SSL
VPN tunnel itself; they are only needed for the traffic that flows inside the tunnel.

vi. Specify the interfaces on which client IPs will be ARP published. This is necessary so a
server behind the security gateway knows how to send replies back to an SSL VPN client.

Usually, the only time proxy ARP needs to be enabled is if the IPs assigned to clients are
part of an already existing subnet that clients need access to. In that case, proxy ARP
must be enabled on the interface that has the corresponding subnet. If the traffic is
routed by the security gateway, for example with an Allow or NAT rule, proxy ARP is not
needed.

The option exists with cOS Core SSL VPN to automatically ARP publish all client IPs on all
security gateway interfaces, but this is not recommended because of the security issues
it raises.

vii. Routes for clients do not need to be defined in the routing tables as these are added
automatically by cOS Core when SSL VPN tunnels are established.
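As an added example (not code from the manual or from Clavister), the following Python pre-flight check encodes two of the rules above: step vi's guidance that proxy ARP is only needed on an interface whose existing subnet contains the client IPs, and Section 9.6.2's requirement that the IP Pool addresses and the Inner IP belong together. The gateway interface names and subnets are constructed, and the /24 prefix length and the reading of the pool rule as "same IP network" are assumptions.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed sample data (not from the manual): the security gateway's
# interfaces and the subnets directly attached to them.
GATEWAY_INTERFACES = {
    "lan": ip_network("192.168.1.0/24"),
    "dmz": ip_network("10.10.0.0/24"),
    "wan": ip_network("203.0.113.0/28"),
}


def pool_addresses(first, last):
    """Expand an IP Pool given as a first/last address pair into every address
    in that range, using CIDR summarisation so large pools stay cheap."""
    a, b = ip_address(first), ip_address(last)
    if a > b:
        raise ValueError("pool start is after pool end")
    return [h for net in summarize_address_range(a, b) for h in net]


def pool_addresses_outside_inner_network(inner_ip, pool_first, pool_last, prefixlen=24):
    """Assumption: the Inner IP and all IP Pool addresses must share one network.
    Returns the pool addresses that violate this (empty list means the pool is OK)."""
    net = ip_network(f"{inner_ip}/{prefixlen}", strict=False)
    return [str(h) for h in pool_addresses(pool_first, pool_last) if h not in net]


def proxy_arp_interfaces(pool_first, pool_last, interfaces=GATEWAY_INTERFACES):
    """Interfaces on which the client IPs must be ARP published: only those whose
    attached subnet already contains one or more of the pool addresses. An empty
    result means the pool is a separate network and routing (Allow/NAT rules)
    is enough; publishing on every interface is deliberately not offered."""
    hosts = pool_addresses(pool_first, pool_last)
    return sorted(name for name, subnet in interfaces.items()
                  if any(h in subnet for h in hosts))


if __name__ == "__main__":
    # Pool carved out of the existing "lan" subnet: proxy ARP needed on "lan" only.
    print(proxy_arp_interfaces("192.168.1.100", "192.168.1.110"))
    # Pool on its own network: no proxy ARP on any interface.
    print(proxy_arp_interfaces("172.16.5.1", "172.16.5.20"))
    # Pool that crosses the Inner IP's /24 boundary: these addresses are flagged.
    print(pool_addresses_outside_inner_network("10.10.0.1", "10.10.0.50", "10.10.1.5"))
```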

On the Windows based client side:

A proprietary Clavister VPN SSL client application needs to be installed and configured to
route traffic to the correct interface on the security gateway.

Installing and running the SSL VPN client software is done as part of the login process
for users as they access the security gateway through a web browser. The Windows based
client software is automatically downloaded through the browser directly from the gateway.

SSL VPN with PPPoE

Where PPPoE is used as the method of connection to the Clavister Security Gateway over the
public Internet, it is possible to have SSL VPN function over the PPPoE connection.

This is done by setting up the SSL VPN tunnel so that the Outer Interface property of the SSL VPN
tunnel object is specified to be a PPPoE configuration object instead of a physical Ethernet
interface. Setting up a PPPoE interface object is described in Section 3.4.5, “PPPoE”.

9.6.2. Configuring SSL VPN in cOS Core

To configure the SSL VPN in cOS Core, an SSL VPN Interface object must be defined for each
interface on which connections will be made. The object properties are as follows:

General Options

Name

A descriptive name for the object used for display in the cOS Core configuration.

Inner IP

This is the IP number within the tunnel that SSL VPN clients will connect to.

All clients that connect to the SSL VPN object interface are allocated an IP from the SSL VPN
interface's IP Pool. All the pool addresses as well as the Inner IP must belong to the same

Chapter 9: VPN

637

This manual is related to the following products: