D-Link DFL-860E User Manual for DFL-260E - Page 466
Chapter 9. VPN

9.6. SSL VPN

9.6.1. Overview

NetDefendOS provides an additional type of VPN connection called SSL VPN. This makes use of the Secure Sockets Layer (SSL) protocol to provide a secure tunnel between a remote client computer and a NetDefend Firewall. Any application on the client can then communicate securely with servers located on the protected side of the firewall.

The Advantage of SSL VPN

The key advantage of SSL VPN is that it enables secure communications between a client and a firewall using the HTTPS protocol. In some environments where roaming clients have to operate, such as hotels or airports, network equipment will often not allow other tunnelling protocols, such as IPsec, to be used. In such cases, SSL VPN provides a viable, simple, secure client connection solution.

The SSL VPN Disadvantage

A disadvantage of SSL VPN is that it relies on tunneling techniques that make extensive use of TCP protocol encapsulation for reliable transmission. This leads to extra processing overhead, which can cause noticeable latencies in some high-load situations. SSL VPN therefore demands more processing resources than, for example, IPsec. In addition, hardware acceleration for IPsec is available on some hardware platforms to further boost processing efficiency.

A Summary of SSL VPN Setup Steps

SSL VPN setup requires the following steps:

• On the NetDefend Firewall side:

i. An SSL VPN Interface object needs to be created which configures a particular Ethernet interface to accept SSL VPN connections.

ii. An Authentication Rule needs to be defined for incoming SSL VPN clients, and the rule must have the Interface property set to the name of the SSL VPN object created above. The Authentication Agent of the rule must be set to L2TP/PPTP/SSL VPN, and the rule's Terminator IP must be set to the external IP address of the firewall's listening interface. This topic is discussed further in Section 8.2.5, "Authentication Rules".

iii. Client users need to be defined in the Authentication Source of the authentication rule. This source can be a local user database, a RADIUS server or an LDAP server.

iv. Define appropriate NetDefendOS IP rules to allow data flow within the SSL VPN tunnel. As discussed below, IP rules do not normally need to be defined for the setup of the SSL VPN tunnel itself.

v. Specify the interfaces on which client IPs will be ARP published. This is necessary so that a server behind the firewall knows how to send replies back to an SSL VPN client. The only case where this would not be needed is if the client's connections are being NATed by NetDefendOS between the interface and the server.