SSL312 ProSafe™ SSL VPN Concentrator - Howtos & Troubleshooting

  1. How do I configure VPN Tunnel?
  2. What network information do I need to configure?
  3. Active Directory Configuration and NTP Setup
  4. Active Directory configuration isn't working, what is wrong?
  5. Can I only allow certain Active Directory groups to log in?
  6. How do I create policies or bookmarks for Active Directory, LDAP or RADIUS users?
  7. I have a valid certificate from a CA. How do I import it?
  8. How can I customize the portal layout?
  9. Can I change the logo?
  10. When I create a new domain, I can't see the new domain on the login page!
  11. I want my domain to be selected by default on the login page
  12. How do I create a virtual hostname on the portal layout page?
  13. What is host resolution?
  14. I created client routes, but my VPN Tunnel clients cannot connect to network machines.
  15. Remote users are not able to connect to servers by host or domain name.
  16. The VPN Tunnel page takes a long time to load
  17. I can't add bookmarks on the bookmark page
  18. I don't want users to see the bookmark IP address in the bookmark table
  19. When I connect to Telnet or SSH, I am not able to type anything.
  20. I cannot connect to Intranet web sites; I see the message "Host cannot be resolved".
  21. Terminal Services 5.0 ActiveX does not work in Windows XP SP2.
  22. How do I set up applications for the Applications page?
  23. How do I set up VNC? What is VNC?
  24. Passive FTP over Port Forwarding
  25. Port Forwarding and CIFS (Common Internet File Sharing)
  26. CIFS and IE 5.0 for FTP
  27. I cannot use the SSL VPN Tunnel feature on the SSL312
  28. I am using the latest version of Internet Explorer and I am using the correct IP address to connect to the SSL312, but I cannot establish my SSL VPN
  29. Why can't I run the SSH Client on the SSL312?
  30. I received error messages when I try to log onto one of the domains from the drop down list
  31. I received the IP conflict error message when I try to configure the virtual IP address for remote clients on the SSL312
  32. Why can't I authenticate users on the SSL312?
  33. If I forget the password, how can it be recovered?
  34. How to reset the system back to the factory default settings?

1. How do I configure VPN Tunnel?

As an administrator, you can configure the VPN Tunnel settings on the Access Administration > VPN Tunnel page. You can either configure an address range in the same subnet as your local area network, or configure a range in a different subnet and then use client routes. If you use addresses in the same subnet, be sure that the range does not conflict with addresses already in use on your local network. Be sure to allocate enough IP addresses in the client address range for all of your remote users: each remote user requires two addresses, the VPN Tunnel PPP address and the corresponding SSL312 server PPP address.

If you configure client routes, you must also configure a static route in your corporate network router or firewall that directs traffic for the VPN Tunnel clients to the SSL312 server. This is described in more detail in question 14 below.

Also note that the class of the subnet is based on the PPP address. For the three private address ranges, 10.0.0.0 - 10.255.255.255 is a Class A subnet, 172.16.0.0 - 172.16.255.255 is a Class B subnet and 192.168.0.0 - 192.168.255.255 is a Class C subnet. This means that if you configure the virtual client address range 10.1.0.1 - 10.1.0.254, the VPN Tunnel client will assume that all IP addresses from 10.0.0.0 - 10.255.255.255 are located across the SSL VPN tunnel.
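The following is an added example (not NETGEAR's code) that turns the advice above into a pre-deployment check: it derives the classful route a client will infer from its PPP address, tells you whether the range sits inside the LAN subnet or needs client routes, flags conflicts with addresses already in use, and verifies that the range holds two addresses per remote user. The LAN 10.0.0.0/24 and the in-use addresses are constructed sample values.

```python
import ipaddress


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Classful network a VPN Tunnel client infers from its PPP address:
    first octet 0-127 -> /8 (Class A), 128-191 -> /16 (Class B), 192-223 -> /24 (Class C)."""
    first = int(addr.split(".")[0])
    if first < 128:
        prefix = 8
    elif first < 192:
        prefix = 16
    elif first < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a class A/B/C unicast address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def range_addresses(start: str, end: str) -> list:
    """Every address from start to end inclusive."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]


def check_client_range(start: str, end: str, lan: str, remote_users: int, in_use=()) -> dict:
    """Evaluate a proposed VPN Tunnel client address range against the LAN.

    lan     -- the local network in CIDR form, e.g. "10.0.0.0/24" (constructed sample)
    in_use  -- LAN addresses already assigned; conflicts matter when the client
               range is carved out of the LAN subnet
    """
    lan_net = ipaddress.ip_network(lan)
    addrs = range_addresses(start, end)
    taken = {ipaddress.IPv4Address(x) for x in in_use}
    implied = classful_network(start)
    same_subnet = all(a in lan_net for a in addrs)
    return {
        # what the client will treat as "across the tunnel" (classful assumption)
        "implied_client_route": str(implied),
        "lan_within_implied_route": lan_net.subnet_of(implied),
        "same_subnet_as_lan": same_subnet,
        # a range outside the LAN subnet needs client routes (plus the static route of question 14)
        "client_routes_needed": not same_subnet,
        "conflicts_with_lan_hosts": sorted(str(a) for a in addrs if a in taken),
        "address_count": len(addrs),
        # each remote user consumes a client PPP address plus a server PPP address
        "enough_for_users": len(addrs) >= 2 * remote_users,
    }


if __name__ == "__main__":
    # Constructed example matching the text: range 10.1.0.1-10.1.0.254, LAN 10.0.0.0/24
    for key, value in check_client_range("10.1.0.1", "10.1.0.254", "10.0.0.0/24", 100).items():
        print(f"{key}: {value}")
```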

2. What network information do I need to configure?

The required network information includes the SSL312 IP address, Gateway address and DNS settings. The IP address and the default gateway (route) are configured when you first install the SSL312, but may be modified on the Network > Interfaces page. The DNS server addresses are configured on the Network > DNS Settings page. Until these parameters are configured, the portal will not function properly. 

3. Active Directory Configuration and NTP Setup

To set up Active Directory properly, NTP (Network Time Protocol) must be configured on both the SSL312 and the Windows 2000 or Windows 2003 server. Active Directory uses the Kerberos 5 protocol for authentication, and for Kerberos to work properly the clock skew between the server (Windows) and the client (SSL312) must be less than 10 minutes.

4. Active Directory configuration isn't working, what is wrong?

Confirm that the time is synchronized between your Active Directory server and SSL312 by configuring NTP on the System Configuration > Date and Time page. If you have added users into custom groups that you have defined on the Active Directory server, then you may need to use NT Domain or LDAP authentication in order to authenticate to your Windows authentication server.

5. Can I only allow certain Active Directory groups to log in?

You can create specific rules for Active Directory users and groups by defining the users and groups in the SSL312 and then configuring access policies for them. However, this does not prevent users outside those groups from logging in altogether. The only way to do that is to authenticate users against Active Directory's LDAP directory service: instead of defining an authentication domain on the Active Directory page, define the domain as an LDAP authentication domain. You can then enter the specific LDAP organizational unit information.

6. How do I create policies or bookmarks for Active Directory, LDAP or RADIUS users?

If you are using authentication by an external AAA server (LDAP, Active Directory, etc.), you do not need to define users in the SSL312. However, you are then also unable to create bookmarks or policies per user.

To create individual bookmarks by user or group, you must define the users in the SSL312. Because the users authenticate to an AAA server, they do not require passwords. Once defined, you can add bookmarks or policies per user or per group to which the user belongs.

Because the SSL312 can query Active Directory to find out which group a user belongs to, you can create bookmarks and policies for Active Directory groups without defining every Active Directory user name. This works as follows: the SSL312 first verifies with the Active Directory server that the user is authorized to log in. Then the SSL312 checks whether the user is defined (in any Active Directory group) in the SSL312. If the user is defined, the user and group policies and bookmarks apply to that user. If no matching user is defined, the SSL312 checks whether the Active Directory group to which the user belongs is defined in the SSL312. If so, the group's bookmarks and policies apply to the user.

7. I have a valid certificate from a CA. How do I import it?

You do not need your own SSL certificate to set up and test the SSL312 software. However, NETGEAR strongly recommends that you install a valid certificate from a recognized Certificate Authority (CA) before deploying SSL VPN in production.

To upload the SSL Certificate and Key, create a zipped file containing the two files. Name the certificate file "server.crt" and the certificate key "server.key". Then upload the files on the System Configuration > Certificates page. Once uploaded, you should see the new certificate in the list of available certificates. Click View, and then enter the SSL Certificate password and click Submit. Then return to the SSL Certificate page, click Enable on the new certificate that you have imported to activate the new SSL Certificate. The SSL312 software will restart, using the new, valid SSL certificate.

8. How can I customize the portal layout?

The portal layout may be customized on the SSL VPN Portal > Portal Layout page in the web management interface. From the portal layout page, you can define what pages, icons and options to display to users. You can create multiple layouts and apply them to different authentication domains.

9. Can I change the logo?

Yes, you may upload a new logo on the Portal Layouts > Custom Banner page in the web management interface. The new logo is displayed at the top of the navigation menu in the User Portal. The recommended logo size is 612x85 pixels, and the file must be less than 10K. The logo must be in GIF format, and the file extension must be lower case (".gif").

Once the logo is uploaded, be sure to refresh your browser window in case the old logo is cached. Please note that you cannot replace the logo on the login page.

10. When I create a new domain, I can't see the new domain on the login page!

If you created a new domain and you cannot select it from the Domain drop-down list on the login page, you are probably not logging in from the correct portal layout URL.

For example, suppose you created a layout named "mylayout" with the virtual host name "mylayout.mycompany.com". Then you configured an authentication domain called "myRadius" and selected the new layout "mylayout" for that authentication domain. If you now go to the default portal layout, you will not see "myRadius" in the Domain Name drop-down menu. To log in using "myRadius", go to https://[IP_Address_or_domain_name]/portal/mylayout (or to the layout's virtual host name, https://mylayout.mycompany.com); there you will see the "myRadius" authentication domain.

11. I want my domain to be selected by default on the login page.

To make a domain and portal the default at the login page, go to Portal Layout and select the “Default” layout that you want to use. This portal layout should already be configured for the domain that you want this layout to use.

12. How do I create a virtual hostname on the portal layout page?

To create a virtual hostname, enter the fully qualified host name of the virtual host, for example "host1.mycompany.com". Because the web server needs to learn the new configuration, restart the SSL312 software on the Monitoring > Diagnostics > Reboot page.

Then make sure that the new domain name resolves to the IP address of the SSL312. Login to your organization's external DNS manager and add a new DNS name or a new alias and configure it to resolve to the SSL312 IP address.

13. What is host resolution?

Host resolution is similar to the LMHOSTS file on Windows machines or the /etc/hosts file on Linux and UNIX machines: it maps names to IP addresses. This can be helpful for many reasons. For example, you can partially obscure your network's IP addressing scheme from SSL VPN users by creating hostnames for local servers; when you then create bookmarks, you can use those hostnames rather than IP addresses.

14. I created client routes, but my VPN Tunnel clients cannot connect to network machines.

If a VPN Tunnel client can connect and receive a VPN Tunnel PPP address but cannot access network resources, check your network and client settings. The most likely problem is that you need to add a static route on your local network.

If your client address range is in a different subnet than your local area network, you need to configure client routes to inform your VPN Tunnel clients that they must go through the VPN Tunnel to reach your local network. If you have done this correctly and you can see the client routes on the client machines (verify them by typing route print at an MS-DOS prompt), your clients can probably reach machines on your local network. However, machines on your local network will see the VPN Tunnel client addresses as being on a different subnet and will send their replies out to the Internet rather than back to the SSL312 server. For example, if a VPN Tunnel client with PPP address 192.168.1.1 pings a local mail server at 10.0.0.10, the server may receive the ping and send the echo reply out to the Internet rather than back to the SSL312 server, which would forward the response to the VPN Tunnel client.

The easiest way to solve this is to add a static route on the local network firewall or router that forwards all traffic destined for the VPN Tunnel address range to the SSL312 server. In our example, the network administrator would create a static route on the corporate firewall for the network 192.168.1.0 with mask 255.255.255.0 pointing to the SSL312 server address, 10.0.0.25.

Please refer to the “SSL – VPN Static Route Configuration” Application Note for complete information on how to configure a VPN Tunnel static route.
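The following is an added example (not from the Application Note or NETGEAR) that models the reply path described above with a longest-prefix-match route lookup, so you can see why the mail server's echo reply leaves for the Internet until the 192.168.1.0/24 static route points at the SSL312. The firewall's LAN address 10.0.0.1 and its upstream gateway 203.0.113.1 are assumptions, not values from this page.

```python
import ipaddress


def next_hop(routes, dest: str):
    """Longest-prefix match over (network, next_hop) pairs; None if nothing matches."""
    d = ipaddress.IPv4Address(dest)
    best = None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None


# Constructed topology from the text: LAN 10.0.0.0/24, mail server 10.0.0.10,
# SSL312 at 10.0.0.25, VPN Tunnel client range 192.168.1.0/24.
# The firewall LAN address (10.0.0.1) and upstream gateway (203.0.113.1, a
# documentation-range address) are assumptions for this example.
FIREWALL_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),          # default route towards the Internet
    ("10.0.0.0/24", "directly connected"),
]
STATIC_ROUTE = ("192.168.1.0/24", "10.0.0.25")   # the fix: VPN Tunnel range -> SSL312

SSL312 = "10.0.0.25"
LAN = ipaddress.ip_network("10.0.0.0/24")


def reply_path(client_ppp: str, firewall_routes) -> list:
    """Trace where the mail server's ping reply to a VPN Tunnel client goes."""
    hops = ["mail server 10.0.0.10"]
    if ipaddress.IPv4Address(client_ppp) in LAN:
        # same-subnet client range: the server answers directly on the LAN
        hops.append(f"delivered on LAN to {client_ppp}")
        return hops
    # different subnet: the server hands the reply to its default gateway
    hops.append("firewall 10.0.0.1 (server default gateway)")
    gw = next_hop(firewall_routes, client_ppp)
    if gw == SSL312:
        hops.append(f"SSL312 {SSL312} -> tunnel -> {client_ppp}")
    else:
        hops.append(f"Internet via {gw} (reply never reaches the client)")
    return hops


if __name__ == "__main__":
    print("without static route:", " -> ".join(reply_path("192.168.1.1", FIREWALL_ROUTES)))
    print("with static route:   ", " -> ".join(reply_path("192.168.1.1", FIREWALL_ROUTES + [STATIC_ROUTE])))
```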

15. Remote users are not able to connect to servers by host or domain name.

If remote users are not able to access local resources by domain name or host name, check the DNS and WINS settings in the SSL312 web management interface. The WINS and DNS settings are sent down to the VPN Tunnel clients, so make sure that you add the IP addresses of your local WINS and DNS servers on the SSL312 Network > DNS Settings page. The VPN Tunnel clients will then query your local WINS and DNS servers to resolve host names and domain names.

16. The VPN Tunnel page takes a long time to load.

Many pages, including the VPN Tunnel page, require that the SSL312 server can resolve the URL used to access the SSL VPN portal. Because of NAT, the public address seen by remote users may differ from the actual IP address of the SSL312 server. To resolve the issue, add a host resolution entry that maps the SSL VPN server domain name to the private IP address of the SSL312 server. The host entry can be added on the Network > Host Table page.

17. I can't add bookmarks on the bookmark page.

If you see the Add Bookmark button on the Desktop or Services page in the SSL VPN portal but you are unable to create bookmarks, then you may be logged in as an Active Directory, LDAP, NT or RADIUS user and a corresponding user may not be defined in the SSL312.

It is recommended that the SSL312 administrator either define the Active Directory, LDAP, NT or RADIUS user names on the Access Administration > Users and Groups page, or hide the Add Bookmark buttons in the SSL VPN portal. The Add Bookmark buttons are configured on the SSL VPN Portal > Portal Layouts page.

18. I don't want users to see the bookmark IP address in the bookmark table.

To hide bookmark names or IP addresses from users, you can hide the Services and Desktop pages and only allow users to access the Home page, which does not show the bookmark IP address.

Or you can add host entries on the Network > Host Table page that resolve names to local IP addresses. Then, when you create bookmarks, add the new host name rather than the IP address. SSL VPN users will only see the host name, not the IP address, in the Bookmarks table.

19. When I connect to Telnet or SSH, I am not able to type anything.

If you are using the Microsoft Java plug-in, then you will need to click on the Telnet or SSH window near the cursor prompt before you can begin typing data.

20. I cannot connect to Intranet web sites; I see the message "Host cannot be resolved".

If you cannot connect to Intranet web sites, then either DNS is not properly configured on the SSL312 server or the user is not entering the web site host name properly.
Note: do not add the http:// or https:// prefix when accessing an Intranet web site.

21. Terminal Services 5.0 ActiveX does not work in Windows XP SP2.

With Windows XP SP2, Microsoft disabled the 127.0.0.2 loopback address used by the SSL312 Terminal Services client. So users will need to install the Windows XP SP2 loopback update (KB884020). Instructions to download and install the update are provided below. This only affects the ActiveX Terminal Services client. The Java Terminal Services client does not require the SP2 update (KB884020).

If you try to connect to a Terminal Server from Windows XP SP2 and you see an error stating that the server cannot connect, but the Java-based Terminal Services client works fine, then you need to install the Windows update patch. Download the patch at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=17d997d2-5034-4bbb-b74d-ad8430a1f7c8&DisplayLang=en

After you download and install the patch, you may need to restart Internet Explorer or reboot your machine before you can access the application.

22. How do I set up applications for the Applications page?

Applications displayed on the portal Applications page are Terminal Services applications and are hosted on a Windows Terminal Server. You can define the applications on the SSL VPN Portal > Portal Layouts page in the web management GUI. You must define a path where the Terminal Services application is hosted. You can optionally define the Terminal Server IP address or name. If no IP address is defined, then the users can enter the Terminal Server address after clicking the application icon on the Applications page.

23. How do I set up VNC? What is VNC?

VNC, or Virtual Network Computing, provides remote access to desktop computers by exporting the monitor, keyboard, and mouse data over a network or the Internet. VNC is the underlying technology used in many commercial remote desktop computing applications.

To use VNC, you must install VNC server software on a local server or desktop on your corporate network. Several free VNC server applications are available, including RealVNC and TightVNC, and the server software can be installed on Windows, Linux, and UNIX servers or desktops. Be sure to run the software in server mode (on Windows you should see the VNC icon in your taskbar). Run the VNC server on the default port, 5900. Also configure a VNC server password for enhanced security.

24. Passive FTP over Port Forwarding

For FTP to work in Port Forwarding mode, the Passive FTP option must be turned on in Internet Explorer. In Internet Explorer, click Internet Options > Advanced and check the “Use Passive FTP (for firewall and DSL modem compatibility)” box.

25. Port Forwarding and CIFS (Common Internet File Sharing)

Port Forwarding only supports WinSock2 clients. Port Forwarding is implemented as a "Layered Service Provider" function; Layered Service Providers sit on top of the WinSock2 layer of the Windows TCP/IP stack. If an application uses direct sockets to communicate with the TCP/IP stack, or uses Transport Redirect, Port Forwarding cannot be used.

Examples of WinSock applications: IE, Firefox, Outlook, etc.

Examples of non-WinSock applications: Windows Network Neighborhood, command line FTP, Cygwin, command line Telnet.

26. CIFS and IE 5.0 for FTP

Port Forwarding supports only outgoing TCP connections. By default, FTP clients use active mode, in which the data connection is initiated by the server. For FTP clients to work through Port Forwarding, they must support passive mode FTP. IE 5.0 does not support passive mode FTP, so IE 5.0 cannot be used as an FTP client.

27. I cannot use the SSL VPN Tunnel feature on the SSL312.

Make sure that you are running the latest firmware on the SSL312. Also check whether any other IPSec VPN client software is installed on your PC; if so, disable the IPSec VPN client so that the SSL VPN Tunnel loads correctly.

28. I am using the latest version of Internet Explorer and I am using the correct IP address to connect to the SSL312, but I cannot establish my SSL VPN.

Make sure that you select “Enable/Accept Active-X” on your PC in order for the VPN to load. If you do not enable ActiveX, the VPN will not load.

29. Why can't I run the SSH Client on the SSL312?

Make sure that you have installed the latest version of the Java Runtime in order to use the SSH client on the SSL box.

30. I received error messages when I try to log onto one of the domains from the drop down list.

Make sure the time and date on the SSL312 are synchronized with your authentication servers (NT Domain, Active Directory, RADIUS, etc.).

31. I received the IP conflict error message when I try to configure the virtual IP address for remote clients on the SSL312.

When specifying the virtual IP range under VPN Tunnel on the SSL box for incoming clients, make sure that it does not conflict with your local IP scope.

32. Why can't I authenticate users on the SSL312?

Make sure you create a Domain and users in this domain, so they can authenticate through the SSL312 Box.

33. If I forget the password, how can it be recovered?

There is no backdoor entry to reset the password and still retain the configuration. You can reset the entire configuration to factory defaults by holding down the Factory Default button for 5 seconds when the system is fully booted.

34. How to reset the system back to the factory default settings?

You can reset the entire configuration to factory defaults by holding down the Factory Default button for 5 seconds when the system is fully booted.

n101642..asp August 29, 2006