24.1  Configuration of WinRoute's SSL-VPN

SSL-VPN can only be used if the WinRoute host is a member of the corresponding domain (Windows NT or Active Directory). User accounts used for SSL-VPN connections must be authenticated against that domain; local authentication cannot be used. Consequently, SSL-VPN cannot be used to access shared items in multiple domains or items on hosts that are not members of any domain.

SSL-VPN configuration

The SSL-VPN interface can be enabled or disabled under Configuration → Advanced Options, on the Web Interface → SSL-VPN tab.


Figure 24.1. Configuration of the SSL-VPN interface


Click Advanced to open a dialog where the TCP port and the SSL certificate for SSL-VPN can be set.


Figure 24.2. Setting of TCP port and SSL certificate for SSL-VPN


The default port of SSL-VPN is TCP port 443, the standard port of the HTTPS service.

Click Change SSL Certificate to create a new (self-signed) certificate for the SSL-VPN service or to import a certificate issued by a trusted certification authority. The created certificate is saved as sslvpn.crt and the corresponding private key as sslvpn.key. The process of creating or importing a certificate is identical to the one for WinRoute's Web interface or the VPN server, described in detail in chapter 11.1  Web interface preferences.

Hint

A certificate issued by a trusted certification authority for the server name can also be used for the Web interface and the VPN server; it is not necessary to use three different certificates.

Allowing access from the Internet

Access to the SSL-VPN interface from the Internet must be allowed by a traffic rule permitting connections to the firewall's HTTPS service. For details, see chapter 7.4  Basic Traffic Rule Types.


Figure 24.3. Traffic rule allowing connection to the SSL-VPN interface


Note: If the port of the SSL-VPN interface is changed, the Service item in this rule must be modified accordingly, otherwise the rule still allows only the original port and remote users cannot connect.
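After the port, certificate and traffic rule have been set, the two things worth verifying from the outside are that the SSL-VPN port actually answers (a refused connection on a changed port usually means the rule's Service item was not updated) and that the certificate presented is the one remote users' browsers will trust. The following script is an added example and is not part of WinRoute or its documentation. evaluate_cert() works on the dictionary returned by Python's ssl getpeercert(), so it can be run offline against the two constructed certificates embedded below (one modelled on a CA-issued certificate, one on the self-signed certificate WinRoute generates); probe() performs the live TLS handshake against a host and port. All hostnames, ports and certificate fields are assumptions.

```python
"""Post-configuration checks for an SSL-VPN endpoint (added example, not WinRoute code).

evaluate_cert() takes the dict that ssl.SSLSocket.getpeercert() returns; probe() does
the live handshake. Hostnames, ports and certificate fields here are assumptions.
"""
import socket
import ssl
import sys
import time

# Constructed getpeercert()-style dicts (not real certificates); a fixed "now"
# keeps the offline evaluation deterministic.
FIXED_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")

CA_ISSUED_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "vpn.example.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Trusted CA"),)),
    "notBefore": "Jan  1 00:00:00 2029 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
}

# Shape of a certificate the firewall creates itself: issuer == subject, no SAN.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "firewall"),),),
    "issuer": ((("commonName", "firewall"),),),
    "notBefore": "Jun 30 12:00:00 2028 GMT",
    "notAfter": "Jun 30 12:00:00 2029 GMT",
}


def _dns_names(cert):
    """DNS names the certificate is valid for: SAN dNSName entries, or, only when
    no SAN is present, the subject commonName (RFC 6125 precedence)."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _dns_match(pattern, hostname):
    """Case-insensitive name match allowing a single leading '*.' label wildcard,
    which matches exactly one label (so *.example.com does not match a.b.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def evaluate_cert(cert, hostname, now=None):
    """Findings for the certificate presented on the SSL-VPN port: does it name the
    host users will type, is it self-signed (browser warning), and is it still valid."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    names = _dns_names(cert)
    findings = {
        "names": names,
        "hostname_matches": any(_dns_match(n, hostname) for n in names),
        "self_signed": cert.get("issuer") == cert.get("subject"),
        "expired": now > not_after,
        "days_left": int((not_after - now) // 86400),
    }
    findings["ok"] = (findings["hostname_matches"]
                      and not findings["self_signed"] and not findings["expired"])
    return findings


def probe(hostname, port=443, timeout=5.0):
    """Live check: TLS handshake with SNI, chain validated against the system trust
    store, exactly as a remote user's browser would do it."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                result = evaluate_cert(tls.getpeercert(), hostname)
                result.update(reachable=True, trusted=True, tls_version=tls.version())
                return result
    except ssl.SSLCertVerificationError as exc:
        # The server answered, but its chain or name failed validation, e.g. the
        # firewall-generated self-signed certificate is still in place.
        return {"reachable": True, "trusted": False, "error": exc.verify_message}
    except OSError as exc:
        # Nothing answered on the port: with a non-default SSL-VPN port, first suspect
        # a traffic rule whose Service item still says HTTPS (443).
        return {"reachable": False, "trusted": False, "error": str(exc),
                "hint": f"no TLS service on {hostname}:{port}; if the SSL-VPN port was "
                        "changed, check the Service item of the traffic rule allowing it"}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python sslvpn_check.py vpn.example.com [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:  # offline demonstration on the constructed certificates
        for cert, host in ((CA_ISSUED_CERT, "vpn.example.com"), (SELF_SIGNED_CERT, "firewall")):
            print(host, evaluate_cert(cert, host, FIXED_NOW))
```

Run it with the public name and port of the SSL-VPN interface from a host on the Internet side of the firewall, not from the local network: only then does a "reachable: False" result actually exercise the traffic rule. A "trusted: False" result with a certificate the browser also rejects means the self-signed certificate is still in use and the CA-issued one should be imported via Change SSL Certificate.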

Antivirus control

If at least one antivirus is enabled in WinRoute (see chapter 13  Antivirus control), files transferred through the SSL-VPN interface can be scanned for viruses.

In the default configuration, only files uploaded to hosts in remote private networks are scanned. For connection speed reasons, files downloaded to local hosts from remote networks are not scanned (files downloaded from private networks are treated as trustworthy); this is a performance trade-off, not a guarantee that such files are clean. The direction of antivirus checking can be changed in the antivirus configuration, see chapter 13.5  Scanning of files transferred via Clientless SSL-VPN.