TECHNICAL DOCUMENT
Table of Contents
  TABLE OF CONTENTS ........ 1
  OVERVIEW ................. 2
  OVERVIEW ................. 16
  NOW WHAT? ................ 17
Technical Document 1
Overview
The Forcepoint SSL VPN gives a user a way to connect to protected resources over Secure
Sockets Layer (SSL) from a web browser. Because this VPN method does not require a client to be
installed, it is typically more portable than an IPsec VPN.
The purpose of this document is to provide a sample network, a configuration overview, and
troubleshooting steps to aid in simple problem resolution.
Relevant IP Information:
  INTERFACE   IP ADDRESS
  WAN         10.100.0.33
  DMZ         172.16.20.1
  INSIDE      172.16.50.1
Network Diagram:
BASIC SSL VPN CONFIGURATION FLOW
Configure the NGFW Engine
The Next Generation Firewall Engine has two sections that should be reviewed when configuring SSL
VPN. To review the Engine configuration, log into the Security Management Center (SMC) and follow
the steps below:
2. Expand VPN > End-Points. Right click the Interface in question and click Properties.
3. Under the VPN Type section, select the radio button for All Types or Selected Types Only. If
the latter is selected, select the SSL VPN Portal and Tunnel method. The tunnel mode is not
covered in this case study. Click the OK button to close the Properties window.
ADD SSL VPN Users
ADDING LOCAL USERS TO THE SMC DATABASE
1. On the SMC Home Page, click the Configuration button.
2. Expand the User Authentication policy section. On the InternalDomain pane, right click the
stonegate domain and select New > Internal User.
3. On the General tab, enter the user name in the Name field.
Sample User configuration (Authentication):
2. Right click on the Stonegate internal domain and select New > Internal User Group.
3. Specify the Group name and a comment (optional).
4. Click OK.
5. Drag and drop the users previously created to the Portal_Users group.
Configuration of SSL VPN Policies
CONFIGURE SSL VPN PORTAL SERVICES
1. On the SMC Home Page, click the Configuration button.
2. On the Navigation pane, expand the VPN section and the SSL VPN Portal section.
3. Click on the SSL VPN Portal Services. Right click on the Policy pane (right side) and select
New SSL VPN Portal Service.
4. Select the General tab. Enter the data for the Name, External URL Prefix, and Internal URL.
Select the Look and Feel tab. Enter the value for the Title field. Click OK.
5. Create a second entry for New SSL VPN Portal Service. Select the General tab. Enter the
data for the Name, External URL Prefix, and Internal URL. Select the Look and Feel tab.
Enter the value for the Title field. Click OK.
CONFIGURE THE SSL VPN PORTAL POLICIES
1. On the Policy pane, select SSL VPN Portal Policies. Right click on the SSL VPN Portal Policy
pane and select New SSL VPN Portal Policy. Populate the General tab and click OK.
2. Right click on the SSL VPN Portal Policies entry that was just created and select Edit SSL
VPN Portal Policy <name>.
4. Using the Resources pane values, populate the newly created rule with the SSL VPN Portal
Service and Authentication values previously configured.
5. Save the policy by clicking the Save icon in the navigation bar.
2. On the General tab, enter the name, select the SAHPORTAL SSL VPN Portal Policy, enter the
hostname that your SSL VPN NGFW will resolve to. This should be the IP Address selected
under the NGFW Engine properties previously defined. Upload certificates or select Use Self-
Signed Certificate.
3. Select the Look & Feel tab. Enter the Title for the SSLVPN Portal.
4. Select the Target Engine tab. Click the ADD button. Right click the Target Engine column and
select Edit Target Engine. Select the SAH engine and click Select. Click OK.
TESTING THE SSL VPN
LOGGING IN AND TESTING LINKS
1. Open a browser and enter https://10.100.0.33 in the address bar.
2. Log in with John Gero’s login info: johngero and the password entered previously.
4. Verify the link opens and note the address bar.
5. The address bar appends the name to the URL (“Server1”). This is the External URL Prefix that
was configured in the SSL VPN Portal Services policy.
Test the SSL VPN with SSO Domains and different policies to limit access and customize SSL VPN
users’ experience!
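The behaviour seen in the test above (the External URL Prefix "Server1" appended to the portal address, and the portal policy rule deciding which group may reach which SSL VPN Portal Service) as an added Python model. This is illustrative code written for this page, not Forcepoint's implementation; the service names, internal URLs and the Admins group are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PortalService:
    name: str
    external_prefix: str   # "External URL Prefix": first path segment after the portal address
    internal_url: str      # "Internal URL": the protected resource the portal proxies to


# Constructed sample configuration for the lab in this document (not vendor defaults).
SERVICES = [
    PortalService("Server1", "Server1", "http://172.16.50.10/"),
    PortalService("Server2", "Server2", "http://172.16.20.5/app/"),
]
# Portal policy rules: user group -> services it may reach; anything unlisted is denied.
POLICY = {
    "Portal_Users": {"Server1"},
    "Admins": {"Server1", "Server2"},     # constructed second group for contrast
}


def resolve(portal_url, user_groups, services=SERVICES, policy=POLICY):
    """Map a portal URL such as https://10.100.0.33/Server1/index.html to
    ("ok", internal_url), ("denied", None) when no rule grants the service to
    any of the user's groups, or ("unknown", None) when no service owns the prefix."""
    path = urlsplit(portal_url).path.lstrip("/")
    prefix, _, rest = path.partition("/")
    if ".." in rest.split("/"):
        return ("denied", None)          # never let a path segment climb out of the Internal URL
    for svc in services:
        if svc.external_prefix != prefix:
            continue
        allowed = any(svc.name in policy.get(group, set()) for group in user_groups)
        if not allowed:
            return ("denied", None)      # authenticated, but the policy rule does not grant it
        return ("ok", svc.internal_url.rstrip("/") + "/" + rest)
    return ("unknown", None)


if __name__ == "__main__":
    # johngero is in Portal_Users, so Server1 resolves and Server2 is refused
    print(resolve("https://10.100.0.33/Server1/index.html", ["Portal_Users"]))
    print(resolve("https://10.100.0.33/Server2/", ["Portal_Users"]))
```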
SSL VPN Troubleshooting
OVERVIEW
Most troubleshooting follows the same process. The overview is:
1. Did the traffic make it to the correct Firewall?
2. Did the firewall accept the traffic?
3. Now what?
2. Ensure that the SSL VPN port is correct in the Configuration > VPN > SSL VPN Portal
configuration.
NOW WHAT?
1. Can you log in? Verify the password for the end user.
2. Ensure that the IP and Host name specified under Configuration > VPN > SSL VPN Portal >
SSL VPN Portals has the correct hostname or IP. If you are using a public IP address, ensure it
does resolve to the hostname in the HTTP Host header. This issue will manifest while
logging into the portal:
3. Ensure you have the latest firmware installed. This will rule out possible bugs and compatibility
issues. (Optional)
4. Verify the TLS version your browser supports. The default TLS entries for the SSL VPN are
below:
Contact FORCEPOINT Support for issues related to the FORCEPOINT NGFW. We are here to help!
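An added Python helper for steps 2 and 4 of the list above: it probes which TLS versions the portal accepts and compares the browser's Host header against the hostname configured under SSL VPN Portals. This is not Forcepoint code; the portal port, the configured hostname and the finding texts are constructed assumptions for this document's lab.

```python
import socket
import ssl

HOST = "10.100.0.33"                         # portal address from the document's sample network
PORT = 443                                   # assumed; must match the SSL VPN Portal configuration
CONFIGURED_HOSTNAME = "sslvpn.example.test"  # constructed; the hostname set under SSL VPN Portals

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, version, server_name=None, timeout=5.0):
    """True if a handshake pinned to exactly `version` completes. Certificate trust is
    deliberately not checked here; this only answers "does the portal speak this version?"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version   # ValueError if OpenSSL lacks it
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe_all(host, port, server_name=None):
    return {name: probe_version(host, port, v, server_name) for name, v in VERSIONS.items()}


def diagnose(supported, configured_hostname, host_header):
    """Pure function: turn probe results and the Host header into checklist findings."""
    findings = []
    if not any(supported.values()):
        findings.append("no TLS version negotiated: confirm the portal port and that traffic reaches the engine")
    else:
        if supported.get("TLS 1.0") or supported.get("TLS 1.1"):
            findings.append("TLS 1.0/1.1 accepted: prefer limiting the portal to TLS 1.2+")
        if not (supported.get("TLS 1.2") or supported.get("TLS 1.3")):
            findings.append("only legacy TLS accepted: current browsers will refuse the handshake")
    if host_header.lower() != configured_hostname.lower():
        findings.append(f"Host header '{host_header}' does not match configured hostname '{configured_hostname}'")
    return findings


if __name__ == "__main__":
    results = probe_all(HOST, PORT, CONFIGURED_HOSTNAME)
    print(results)
    print(diagnose(results, CONFIGURED_HOSTNAME, CONFIGURED_HOSTNAME) or ["no findings"])
```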