Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking with SSL Connections (page 429)
ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

• Add SSL VPN users that are allowed to access the SSL portal (see Manage User Accounts on page 498).
• Add more applications and services for SSL port forwarding (see Configure Applications for SSL VPN Port Forwarding on page 453).
• Add network resource objects such as groups of IP addresses, IP address ranges, and application of services for easier configuration of SSL access policies (see Manage Network Resource Objects to Simplify Policies on page 467).
• Add SSL access policies to reinforce that users access only the applications and services that you assigned to the SSL portal (see Configure User, Group, and Global Policies on page 473).

Build an SSL Portal with the SSL VPN Wizard

The SSL VPN Wizard lets you build an SSL portal by guiding you through six screens.

To build an SSL portal with the SSL VPN Wizard:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > IPSec VPN > SSL VPN Wizard.
   The SSL VPN Wizard Step 1 of 6 screen displays.
7. Enter the settings as described in the following table.

WARNING: Do not enter an existing portal layout name in the Portal Layout Name field; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings.

Setting: Description

Portal Layout and Theme Name

Portal Layout Name: A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Use only alphanumeric characters, hyphens (-), and underscores (_) in the Portal Layout Name field. If you enter other types of characters or spaces, the layout name is truncated before the first nonalphanumeric character, hyphen, or underscore. Unlike most other names in URLs, this name is case-sensitive.
   Note: If you leave the Portal Layout Name field blank, the SSL VPN Wizard uses the default portal layout. (The name of the default portal is SSL-VPN.) To enable the SSL VPN Wizard to create a portal layout, you must enter a name other than SSL-VPN in the Portal Layout Name field.

Portal Site Title: The title that displays at the top of the user's web browser window, for example, Company Customer Support.

Banner Title: The banner title of a banner message that users see before they log in to the portal, for example, Welcome to Customer Support.
   Note: For an example, see Access a Custom SSL VPN Portal on page 440. The banner title is displayed in the orange header bar of the login screen that is shown in the procedure.

Banner Message: The text of a banner message that users see before they log in to the portal, for example, In case of login difficulty, call 123-456-7890. Enter a plain text message, or include HTML and JavaScript tags. The maximum length of the login screen message is 4096 characters.
   Note: You can enlarge the field (that is, the text box) by manipulating the lower right corner of the field.
   Note: For an example, see Access a Custom SSL VPN Portal on page 440. The banner message text is displayed in the gray header bar of the login screen that is shown in the procedure.

Display banner message on login page: Select this check box to show the banner title and banner message text on the login screen.

HTTP meta tags for cache control (recommended): Select this check box to apply HTTP meta tag cache control directives to this portal layout. Cache control directives include the following:
   Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data being stored in a user's web browser cache.

ActiveX web cache cleaner: Select this check box to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal. The web cache cleaner prompts the user to remove all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window. Web browsers that do not support ActiveX ignore ActiveX web cache control.

SSL VPN Portal Pages to Display

   Note: Although you can select both, you typically select either the VPN Tunnel page check box or the Port Forwarding check box.

VPN Tunnel page: To provide full network connectivity, select this check box.
   Note: Step 13 describes how to assign IP addresses and routes to clients for full network connectivity.

Port Forwarding: To provide access to specific network services, select this check box.
   Note: Step 15 describes how to select the specific network services.

Note: For more information about portal settings, see Manage the Portal Layout on page 448.

8. Click the Next button.
   The SSL VPN Wizard Step 2 of 6 screen displays.
9. Enter the settings as described in the following table.

WARNING: Do not enter an existing domain name in the Domain Name field; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings.

Setting: Description

Domain Name: A descriptive (alphanumeric) name of the domain for identification and management purposes.
   Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default domain name geardomain. To enable the SSL VPN Wizard to create a domain, you must enter a name other than geardomain in the Domain Name field.

Authentication Type: From the menu, select the authentication method that the VPN firewall applies:
   • Local User Database (default). Users are authenticated locally on the VPN firewall. This is the default setting. You do not need to complete any other fields on this screen.
   • Radius-PAP. RADIUS Password Authentication Protocol (PAP). Complete the Authentication Server and Authentication Secret fields.
   • Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the Authentication Server and Authentication Secret fields.
   • Radius-MSCHAP. RADIUS Microsoft CHAP. Complete the Authentication Server and Authentication Secret fields.
   • Radius-MSCHAPv2. RADIUS Microsoft CHAP version 2. Complete the Authentication Server and Authentication Secret fields.
   • WIKID-PAP. WiKID Systems PAP. Complete the Authentication Server and Authentication Secret fields.
   • WIKID-CHAP. WiKID Systems CHAP. Complete the Authentication Server and Authentication Secret fields.
   • MIAS-PAP. Microsoft Internet Authentication Service (MIAS) PAP. Complete the Authentication Server and Authentication Secret fields.
   • MIAS-CHAP. Microsoft Internet Authentication Service (MIAS) CHAP. Complete the Authentication Server and Authentication Secret fields.
   • NT Domain. Microsoft Windows NT Domain. Complete the Authentication Server and Workgroup fields.
   • Active Directory. Microsoft Active Directory. Complete the Authentication Server and Active Directory Domain fields.
   • LDAP. Lightweight Directory Access Protocol (LDAP). Complete the Authentication Server and LDAP Base DN fields.
   Note: If you select any type of RADIUS authentication, make sure that you configure one or more RADIUS servers (see Configure the RADIUS Servers for the VPN Firewall's RADIUS Client on page 392).

Portal: The portal that you selected on the SSL VPN Wizard 1 of 6 screen in Step 7. You cannot change the portal on this screen; the portal displays for information only.

Authentication Server: The server IP address or server name of the authentication server for any type of authentication other than authentication through the local user database.

Authentication Secret: The authentication secret or password that is required to access the authentication server for RADIUS, WiKID, or MIAS authentication.

Workgroup: The workgroup that is required for Microsoft NT Domain authentication.

LDAP Base DN: The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This must be a user in the LDAP directory who has read access to all the users that you want to import into the VPN firewall. The LDAP Base DN field accepts two formats:
   • A display name in the DN format. For example: cn=Jamie Hanson,cn=users,dc=test,dc=com.
   • A Windows login account name in email format. For example: [email protected]. This last type of bind DN can be used only for a Windows LDAP server.

Active Directory Domain: The Active Directory domain name that is required for Microsoft Active Directory authentication.

Note: For more information about domains, see Manage Authentication Domains on page 488.

10. Click the Next button.
    The SSL VPN Wizard Step 3 of 6 screen displays.
11. Enter the settings as described in the following table.

WARNING: Do not enter an existing user name in the User Name field; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings.

Setting: Description

User Name: A descriptive (alphanumeric) name of the user for identification and management purposes.

User Type: When you use the SSL VPN Wizard, the user type is always SSL VPN User. You cannot change the user type on this screen; the user type is displayed for information only.

Group: When you create a domain on the SSL VPN Wizard 2 of 6 screen in Step 9, a group with the same name is automatically created. (A user belongs to a group, and a group belongs to a domain.) You cannot change the group on this screen; the group is displayed for information only.

Password: The password that a user must enter to gain access to the VPN firewall. The password must contain alphanumeric, hyphen (-), or underscore (_) characters.

Confirm Password: This field must be identical to the password that you entered in the Password field.

Idle Timeout: The period after which an idle user is automatically logged out of the web management interface. The default idle time-out period is 5 minutes.

Note: For more information about user accounts and about adding user accounts, see Manage User Accounts on page 498.

12. Click the Next button.
    The SSL VPN Wizard Step 4 of 6 screen displays.
    If you did not select the VPN Tunnel check box on the SSL VPN Wizard Step 1 of 6 screen in Step 7, the fields on the SSL VPN Wizard Step 4 of 6 screen are masked out because they do not apply to a port forwarding portal.
13. Enter the settings as described in the following table.

WARNING: Do not enter an existing route for a VPN tunnel client in the Destination Network and Subnet Mask fields; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings.

Setting: Description

Client IP Address Range

Enable Full Tunnel Support: Select this check box to enable full-tunnel support. Full-tunnel support provides clients access to the entire LAN network. If you leave this check box cleared (which is the default setting), full-tunnel support is disabled but split-tunnel support is enabled and you must add a client route by completing the Destination Network and Subnet Mask fields. Split-tunnel support provides clients access to specific networks.
   Note: When full-tunnel support is enabled, client routes are not operable.

DNS Suffix: A DNS suffix to be appended to incomplete DNS search strings. This setting is optional.

Primary DNS Server: The IP address of the primary DNS server that is assigned to the VPN tunnel clients. This setting is optional.
   Note: If you do not assign a DNS server, the DNS settings remain unchanged in the VPN client after a VPN tunnel is established.

Secondary DNS Server: The IP address of the secondary DNS server that is assigned to the VPN tunnel clients. This setting is optional.

Client Address Range Begin: The first IP address of the IP address range that you want to assign to the VPN tunnel clients.

Client Address Range End: The last IP address of the IP address range that you want to assign to the VPN tunnel clients.

Add Routes for VPN Tunnel Clients

Destination Network: Leave this field blank or specify a destination network IP address of a local network or subnet that is not used. This setting applies only when full-tunnel support is disabled.

Subnet Mask: Leave this field blank or specify the address of the appropriate subnet mask. This setting applies only when full-tunnel support is disabled.

Note: For more information about client IP address ranges and route settings, see Configure the SSL VPN Client on page 459.

14. Click the Next button.
    The SSL VPN Wizard Step 5 of 6 screen displays.
    If you did not select the Port Forwarding check box on the SSL VPN Wizard Step 1 of 6 screen in Step 7, the fields on the SSL VPN Wizard Step 5 of 6 screen are masked out because they do not apply to a VPN tunnel portal.
15. Enter the settings as described in the following table.

WARNING: In the upper Local Server IP Address field, do not enter an IP address that is already in use, and in the TCP Port Number field, do not enter a port number that is already in use; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings.

Setting: Description

Add New Application for Port Forwarding

Local Server IP Address: The IP address of an internal server or host computer that remote users have access to.

TCP Port Number: The TCP port number of the application that users are allowed to access through the SSL VPN tunnel.

Add New Host Name for Port Forwarding

Local Server IP Address: The IP address of an internal server or host computer that you want to name.
   Note: Both the upper and lower Local Server IP Address fields on this screen (that is, the field in the Add New Application for Port Forwarding section and the field in the Add New Host Name for Port Forwarding section) must contain the same IP address.

Fully Qualified Domain Name: The full server name, that is, the host name-to-IP address resolution for the network server as a convenience for remote users.

Note: After you create the SSL portal, you can add more network services. For more information about port-forwarding settings, see Configure Applications for SSL VPN Port Forwarding on page 453.

16. Click the Next button.
    The SSL VPN Wizard Step 6 of 6 screen displays.
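
A pre-flight check of planned wizard values against the rules stated in the tables above, as an added example that is not part of the NETGEAR manual. The dictionary keys, function names and sample values are hypothetical, and the truncation rule is read here as cutting the layout name at the first character that is not alphanumeric, a hyphen or an underscore.

```python
import ipaddress
import re

NAME_OK = re.compile(r"[A-Za-z0-9_-]+")  # characters the manual allows in names and passwords

def stored_portal_name(entered):
    """Layout name after the truncation the manual describes (cut at the first other character)."""
    m = NAME_OK.match(entered)
    return m.group(0) if m else ""

def check_plan(p):
    """Return findings for planned wizard values; raises ValueError on a malformed address."""
    out = []
    stored = stored_portal_name(p["portal_layout_name"])
    if stored != p["portal_layout_name"]:
        out.append(f"portal: name is truncated to {stored!r}, which changes the portal URL path")
    if stored in ("", "SSL-VPN"):
        out.append("portal: blank or SSL-VPN selects the default portal; no layout is created")
    if p["domain_name"] in ("", "geardomain"):
        out.append("domain: blank or geardomain selects the default domain; no domain is created")
    if not NAME_OK.fullmatch(p["password"]):
        out.append("user: password has characters other than alphanumeric, hyphen, underscore")
    if len(p["banner_message"]) > 4096:
        out.append("banner: message exceeds 4096 characters")
    if re.search(r"<\s*script", p["banner_message"], re.I):
        out.append("banner: script markup is shown to users before login; review it first")
    if p["vpn_tunnel"]:
        begin, end = (ipaddress.IPv4Address(p[k]) for k in ("range_begin", "range_end"))
        if begin > end:
            out.append("tunnel: client address range begins after it ends")
        has_route = bool(p["dest_network"] and p["subnet_mask"])
        if p["full_tunnel"] and has_route:
            out.append("tunnel: client routes are not operable with full-tunnel support")
        elif not p["full_tunnel"] and not has_route:
            out.append("tunnel: split tunnel needs a destination network and subnet mask")
    if p["port_forwarding"] and p["app_server_ip"] != p["host_server_ip"]:
        out.append("forwarding: the two Local Server IP Address fields differ")
    return out

# Constructed sample plan, not taken from the manual.
SAMPLE = {
    "portal_layout_name": "Cust Support", "domain_name": "geardomain",
    "password": "Spring-2024_ok", "banner_message": "Call the help desk.",
    "vpn_tunnel": True, "full_tunnel": False, "range_begin": "192.168.251.1",
    "range_end": "192.168.251.254", "dest_network": "", "subnet_mask": "",
    "port_forwarding": True, "app_server_ip": "192.168.1.20", "host_server_ip": "192.168.1.21",
}
print("\n".join(check_plan(SAMPLE)))
```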