
Tip: the inner ip can be pinged – Amer Networks E5Web GUI User Manual

Page 638


network and these define the relationship between the security gateway and the connecting
clients.

A private IP network should be used for this purpose. The Inner IP itself must not be one of
the IP Pool addresses that can be handed out to connecting SSL VPN clients.

Tip: The Inner IP can be pinged

For troubleshooting purposes, an ICMP Ping can be sent to the Inner IP address. In
order for cOS Core to be able to respond, an IP rule must exist that allows traffic to flow
from the SSL VPN interface to core (in other words, to cOS Core itself).

Outer Interface

The interface on which to listen for SSL VPN connection attempts. This could be a physical
Ethernet interface but it could also be another logical interface. For example, a PPPoE or
VLAN interface could be used.

Server IP

The Ethernet interface IP address on which to listen for SSL VPN connection attempts by
clients. This will typically be a public IPv4 address which will be initially accessed using a web
browser across the public Internet. The following should be noted about this IP:

i. The Server IP must be specified and will not default to the IP of the Outer Interface.

ii. The Server IP cannot be an IP address which is ARP published on the interface. In order
for SSL to work on ARP published IPs, a core route with accompanying proxy ARP must
be used.

Server Port

The TCP port number on the Server IP on which cOS Core listens for SSL VPN connection
attempts by clients. The default value is 443, which is the standard port number for SSL.

Client IP Options

Dynamic Server Address

Instead of a fixed IP address for the SSL VPN Server IP being handed out to clients, this option
makes it possible to hand out a Fully Qualified Domain Name (FQDN) instead.

For example, the FQDN might be specified as server.some-domain.com. When a client
connects to the SSL VPN interface, this FQDN is handed out to the client which then resolves
the FQDN using DNS to a specific IP address. This allows the server address to change
dynamically with only the DNS entry being changed.

If this option is specified, the Server IP in General Options above is ignored.

IP Pool

As described above, client IP addresses for new SSL VPN connections are handed out from a
pool of private IPv4 addresses. This pool is specified by an IP address object defined in the
cOS Core address book. It is not the same as an IP Pool object used with IPsec.

The pool addresses do not need to be a continuous range but must belong to the same
network. The Inner IP property must also belong to this network but must not be one of
the pool IPs.
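The constraints above (private network, Inner IP inside the pool network but not a pool address, Server IP explicitly set, sensible Server Port) can be checked before the interface is committed. The following Python validator is an added example written for this page, not part of the manual or of cOS Core; it assumes a pool written as comma-separated addresses and ranges, which is a constructed text format.

```python
import ipaddress

DEFAULT_SERVER_PORT = 443  # default Server Port from the manual


def expand_pool(pool_spec):
    """Expand a pool spec such as "10.8.0.10-10.8.0.20, 10.8.0.50" into
    IPv4Address objects. The text format is an assumption of this example;
    ranges need not be contiguous, as the manual allows."""
    addrs = []
    for item in pool_spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.IPv4Address(p) for p in item.split("-", 1))
            addrs.extend(ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1))
        else:
            addrs.append(ipaddress.IPv4Address(item))
    return addrs


def check_sslvpn_config(inner_ip, network, ip_pool, server_ip=None,
                        server_port=DEFAULT_SERVER_PORT):
    """Return a list of problems; an empty list means every rule holds."""
    problems = []
    net = ipaddress.IPv4Network(network)
    inner = ipaddress.IPv4Address(inner_ip)
    pool = expand_pool(ip_pool)
    if not net.is_private:
        problems.append(f"{net} is not a private network")
    if not pool:
        problems.append("IP Pool is empty")
    if inner not in net:
        problems.append(f"Inner IP {inner} is outside {net}")
    if inner in pool:
        problems.append(f"Inner IP {inner} is also a pool address")
    outside = [str(a) for a in pool if a not in net]
    if outside:
        problems.append(f"pool addresses outside {net}: {', '.join(outside)}")
    # Server IP never defaults to the Outer Interface address, so a missing
    # value is an error rather than something to fill in.
    if server_ip is None:
        problems.append("Server IP must be specified")
    if not 1 <= int(server_port) <= 65535:
        problems.append(f"Server Port {server_port} is not a valid TCP port")
    return problems
```

Whether the Server IP is ARP published on the Outer Interface cannot be seen from these values alone, so that rule still has to be checked against the interface configuration.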

Chapter 9: VPN

