24.1  Configuration of WinRoute's SSL-VPN

SSL-VPN interface requirements

For proper functionality of the SSL-VPN interface, the following conditions must be met:

  1. The WinRoute host must be a member of the corresponding domain (Windows NT or Active Directory domain).

  2. User accounts that will be used for connections to SSL-VPN must be authenticated at the domain (it is not possible to use local authentication). This implies that the SSL-VPN interface cannot be used for accessing shared items in multiple domains or to items at hosts which are not members of any domain.

  3. Users who are to be allowed to access the SSL-VPN interface need the right to use Clientless SSL-VPN in WinRoute (see chapter 15.2  Local user accounts).

  4. If WinRoute is installed on the domain server, the corresponding users need to be allowed to log on to the server locally. Local logon can be allowed under Domain Controller Security Policy. For details, refer to our Knowledge Base.

SSL-VPN interface configuration

The SSL-VPN interface can be enabled or disabled on the Web Interface → SSL-VPN tab in the Configuration → Advanced Options section.

Figure 24.1. Configuration of the SSL-VPN interface

The Advanced button opens the configuration of the TCP port and the SSL certificate used by the SSL-VPN interface.

Figure 24.2. Setting of TCP port and SSL certificate for SSL-VPN

The default port of the SSL-VPN interface is port 443 (the standard port of the HTTPS service).

Click Change SSL Certificate to create a new certificate for the SSL-VPN service or to import a certificate issued by a trustworthy certification authority. When created, the certificate is saved as sslvpn.crt and the corresponding private key as sslvpn.key. The process of creating or importing a certificate is identical to the one for WinRoute's Web interface or the VPN server, which is described in detail in chapter 11.1  Web interface preferences.

Hint

A certificate for a particular server name issued by a trustworthy certification authority can also be used for the Web interface and the VPN server; it is not necessary to use three different certificates.
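As an added example (not from the WinRoute manual or from Kerio), the following POSIX shell script uses openssl to sanity-check a certificate and private key before they are imported for the SSL-VPN service: it verifies that the private key belongs to the certificate, that the certificate names the server name clients will connect to (subject CN or a SAN DNS entry, which matters when one CA-issued certificate is shared by the SSL-VPN interface, the Web interface and the VPN server), and that it has not expired. The file names sslvpn.crt and sslvpn.key come from the text above; the server name vpn.example.com and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-import checks for an SSL-VPN certificate/key pair.
# Requires the openssl command-line tool. File names follow the manual;
# the server name used below is an assumed placeholder.

# Returns 0 if the public key inside the certificate ($1) matches the
# private key ($2); compares SHA-256 hashes of the PEM public keys.
sslvpn_key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the certificate ($1) names the server name ($2) either as
# the subject CN or as a subjectAltName DNS entry.
sslvpn_cert_names_host() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -qF "DNS:$2" && return 0
  printf '%s\n' "$text" | grep -qE "CN ?= ?$2([, ]|\$)"
}

# Returns 0 if the certificate ($1) is still valid right now.
sslvpn_cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Runs all three checks, prints one line per result and returns non-zero
# if any check fails. Usage: sslvpn_check sslvpn.crt sslvpn.key <server name>
sslvpn_check() {
  cert=$1; key=$2; host=$3; rc=0
  if sslvpn_key_matches "$cert" "$key"; then echo "ok: $key matches $cert"
  else echo "FAIL: $key does not match $cert"; rc=1; fi
  if sslvpn_cert_names_host "$cert" "$host"; then echo "ok: $cert names $host"
  else echo "FAIL: $cert does not name $host"; rc=1; fi
  if sslvpn_cert_not_expired "$cert"; then echo "ok: $cert is not expired"
  else echo "FAIL: $cert has expired"; rc=1; fi
  return $rc
}

# Stand-alone use: ./sslvpn_check.sh sslvpn.crt sslvpn.key vpn.example.com
if [ "$#" -eq 3 ]; then
  sslvpn_check "$1" "$2" "$3"
fi
```

The port itself is not checked here because a certificate carries no port; after changing it, verify the firewall's traffic rule separately.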

Allowing access from the Internet

Access to the SSL-VPN interface from the Internet must be allowed by defining a traffic rule allowing connection to the firewall's HTTPS service. For details, see chapter 7.4  Basic Traffic Rule Types.

Figure 24.3. Traffic rule allowing connection to the SSL-VPN interface

Note: If the port of the SSL-VPN interface is changed, the Service item in this rule must be modified accordingly!

Antivirus control

If at least one antivirus is enabled in WinRoute (see chapter 13  Antivirus control), all files transferred through the SSL-VPN interface can be scanned for viruses.

In the default configuration, only files uploaded to hosts in remote private networks are scanned. For connection speed reasons, files downloaded to local hosts from remote networks are not scanned (files downloaded from private networks are considered trustworthy). The antivirus check settings can be changed in the antivirus configuration (see chapter 13.5  Scanning of files transferred via Clientless SSL-VPN (Windows)).