11.1 Configuring the SSL VPN Gateway Behind NAT or L4

To configure SSL VPN behind NAT (Network Address Translation) or by using an L4 server:

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

    The Server configuration page is displayed.

  2. Select Basic Configuration from the Gateway Configuration section.

    The SSL VPN Basic Configuration page is displayed.

    Figure: Configuring Gateway

  3. Specify the NAT/L4 configuration as follows:

    Behind NAT/L4: Select the check box to specify that the SSL VPN Gateway is behind NAT.

    Public IP Address: This field is enabled when the Behind NAT/L4 check box is selected. Specify the public IP address (that is, the address exposed to the Internet user) that the NAT device or L4 server translates into the SSL VPN Gateway IP address. This is the IP address at which an external user on the Internet must be able to reach the SSL VPN server.

    Port: Specify a port number for Kiosk mode as well as for Enterprise mode when the SSL VPN server is behind an L4 or a NAT.

    Protocol: Specify a protocol for Kiosk mode as well as for Enterprise mode, when the SSL VPN server is behind an L4 or a NAT. The protocol is TCP for Kiosk mode and UDP for Enterprise mode.

  4. Specify the device-specific configuration as follows:

    Cluster Member: Select the cluster member from a list of IP addresses.

    Listening IP Address: Specify the IP address that the SSL VPN listens on.

    Port: Specify a port number for Kiosk mode as well as for Enterprise mode when the SSL VPN server is behind an L4 or a NAT. Make sure that the port you specify here is free.

    Protocol: Specify a protocol for Kiosk mode as well as for Enterprise mode, when the SSL VPN server is behind an L4 or a NAT. The protocol is TCP for Kiosk mode, but it can be either TCP or UDP for Enterprise mode.

  5. Specify the following information to configure the assigned IP address pool for Enterprise mode:

    Subnet Address: Specify the IP address of the subnet pool where SSL VPN assigns the IP address to each client in Enterprise mode. For this assigned IP address pool to work properly, you must configure the routing table and source NAT. For more information, see Section 12.0, Configuring Route and Source NAT for Enterprise Mode.

    Subnet Mask: Specify the subnet mask for Enterprise mode.

    The values specified in the Subnet Address and Subnet Mask fields determine the range of IP addresses that are assigned to the clients. Make sure that the addresses assigned from this pool do not conflict with the client's own IP address.

  6. Specify the other configuration as follows:

    Cluster Communications Port: Specify the port that is used for communication between the cluster members.

    Inactivity Timeout (Minutes): Specify the timeout in minutes. If no data is exchanged during that period, the connection is closed so that its resources are freed for additional incoming connections. The inactivity timeout can be from 1 minute to 1800 minutes. The default inactivity timeout is 30 minutes.

    Encryption: Select the type of encryption. It can be either AES128 or AES256.

    Enterprise Mode Compression: Specify whether to enable compression in Enterprise mode in order to reduce the time taken to establish a connection.

    Server Debug Level: Set this option to On if you want to get more debug information from the server. This option is set to Off by default.

    Client Debug Level: Set this option to On if you want to get more debug information from the client side. This option is set to Off by default.

  7. To save your modifications, click OK, then click Update on the Configuration page.
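The steps above state several constraints that are easy to get wrong when typed into the console: the public-side protocol is TCP for Kiosk mode and UDP for Enterprise mode, the device-side Kiosk listener is TCP only, the inactivity timeout must be between 1 and 1800 minutes, encryption is AES128 or AES256, and the Enterprise-mode address pool must not collide with the client's own addresses. The following script is an added example for checking a planned configuration against those rules before applying it; it is not part of the original documentation and is not a tool shipped with the SSL VPN product. The dictionary key names, the sample values (documentation IP ranges) and the (port, protocol) collision check between the two device-side listeners are assumptions made for this example.

```python
import ipaddress

# Encryption options named in step 6.
VALID_ENCRYPTION = {"AES128", "AES256"}


def _port_ok(port):
    """True if port is an integer in the usable TCP/UDP range."""
    return isinstance(port, int) and 1 <= port <= 65535


def validate_sslvpn_config(cfg, client_networks=()):
    """Check a planned gateway configuration against the rules in steps 3-6.

    cfg is a plain dict (key names are an assumption of this example).
    client_networks lists networks that clients connect from, so the
    Enterprise-mode pool can be checked for overlap. Returns a list of
    problem strings; an empty list means every rule checked here passes.
    """
    problems = []

    # Step 3: NAT/L4 settings. The public address must be valid, and the
    # public-side protocol is TCP for Kiosk mode and UDP for Enterprise mode.
    if cfg.get("behind_nat_l4"):
        try:
            ipaddress.ip_address(cfg.get("public_ip", ""))
        except ValueError:
            problems.append("public_ip: not a valid IP address")
        for name in ("public_kiosk_port", "public_enterprise_port"):
            if not _port_ok(cfg.get(name)):
                problems.append(f"{name}: must be 1-65535")
        if cfg.get("public_kiosk_protocol") != "TCP":
            problems.append("public_kiosk_protocol: Kiosk mode uses TCP")
        if cfg.get("public_enterprise_protocol") != "UDP":
            problems.append("public_enterprise_protocol: Enterprise mode behind NAT/L4 uses UDP")

    # Step 4: device-specific listener. Kiosk is TCP; Enterprise is TCP or UDP.
    try:
        ipaddress.ip_address(cfg.get("listening_ip", ""))
    except ValueError:
        problems.append("listening_ip: not a valid IP address")
    kiosk = (cfg.get("kiosk_port"), cfg.get("kiosk_protocol"))
    enterprise = (cfg.get("enterprise_port"), cfg.get("enterprise_protocol"))
    for name, (port, _proto) in (("kiosk_port", kiosk), ("enterprise_port", enterprise)):
        if not _port_ok(port):
            problems.append(f"{name}: must be 1-65535")
    if kiosk[1] != "TCP":
        problems.append("kiosk_protocol: Kiosk mode uses TCP")
    if enterprise[1] not in {"TCP", "UDP"}:
        problems.append("enterprise_protocol: must be TCP or UDP")
    # Assumption: two listeners on one address cannot share port and transport
    # (the page itself only says the chosen port must be free).
    if kiosk == enterprise:
        problems.append("kiosk/enterprise listeners collide on the same port and protocol")

    # Step 5: the Enterprise-mode pool must not overlap the clients' networks.
    try:
        pool = ipaddress.ip_network(
            f"{cfg.get('pool_subnet', '')}/{cfg.get('pool_mask', '')}", strict=False)
        for net in client_networks:
            if pool.overlaps(ipaddress.ip_network(net, strict=False)):
                problems.append(f"pool {pool} overlaps client network {net}")
    except ValueError:
        problems.append("pool_subnet/pool_mask: not a valid subnet")

    # Step 6: timeout range and encryption choice.
    timeout = cfg.get("inactivity_timeout_minutes", 30)
    if not (isinstance(timeout, int) and 1 <= timeout <= 1800):
        problems.append("inactivity_timeout_minutes: must be 1-1800")
    if cfg.get("encryption") not in VALID_ENCRYPTION:
        problems.append("encryption: must be AES128 or AES256")
    return problems


# Constructed sample configuration; addresses come from documentation ranges.
SAMPLE_CONFIG = {
    "behind_nat_l4": True,
    "public_ip": "203.0.113.10",
    "public_kiosk_port": 443, "public_kiosk_protocol": "TCP",
    "public_enterprise_port": 8443, "public_enterprise_protocol": "UDP",
    "listening_ip": "10.0.0.5",
    "kiosk_port": 443, "kiosk_protocol": "TCP",
    "enterprise_port": 8443, "enterprise_protocol": "UDP",
    "pool_subnet": "10.20.30.0", "pool_mask": "255.255.255.0",
    "inactivity_timeout_minutes": 30,
    "encryption": "AES256",
}

if __name__ == "__main__":
    # A client network that overlaps the pool should be reported.
    for problem in validate_sslvpn_config(SAMPLE_CONFIG, ["10.20.0.0/16"]):
        print("problem:", problem)
```

Running the script reports the pool overlap for the sample input; with no overlapping client network and the values above, the list comes back empty. The check is purely local and does not contact the gateway, so it can be run on a workstation before the settings are entered in the Administration Console.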