...

Info

The field Subject Alternative Name can be used for easier identification of each employee, for example by entering their e-mail address.

The rest of the parameters (e.g. the encryption settings) can be left at the default values.

1.7) Switch to the menu VPN → VPN SSL → VPN SSL Settings.

1.8) Enable the VPN SSL service via the slider, modify the following parameters and click Save:

  • Host certificate: From the drop-down menu, select the VPN certificate created in step 1.4 (in this example VPN-SSL-Headquarter).
  • Private key password: Enter the private key password of the VPN certificate entered in step 1.4.
  • Routes: Enter the networks that the VPN client is to reach through the tunnel, in CIDR notation (Classless Inter-Domain Routing). These routes are pushed to all VPN SSL clients.
Info

Optionally you can enter a DNS and/or WINS server, which are assigned to all VPN SSL clients.

If necessary, you can change the protocol and the port. If you do, use the same values when exporting the client profile in step 1.12 and, in scenario 2, when setting up the port forwarding in step 3.

The Address Pool is the range of IP addresses assigned to the dial-in VPN SSL clients. This range must not overlap with any network already in use on the Unified Firewall (for example a local network or the transfer network to the router).

1.9) Change to the menu VPN → VPN SSL → Connections and click on the “+” icon to create a new VPN SSL connection.

1.10) Modify the following parameters and click Create:

  • Name: Enter a descriptive name (in this example VPN_SSL_Employee1).
  • Certificate: From the drop-down menu, select the VPN certificate for the employee created in step 1.6.
  • Connection type: Choose Client-to-Site.
Info

With the function Set Default Gateway activated, the VPN client can communicate with the Internet via the Internet connection of the Unified Firewall.

The item Client IP allows a fixed IP address to be assigned to the VPN client. If this entry is left empty, the VPN client is given an IP address from the Address Pool (see step 1.8).

Additional Local Networks optionally allows the VPN client to access other local networks. In this way, individual employees can be given access to different local networks.
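The addressing entered in steps 1.8 and 1.10 is not cross-checked by the steps above, so here is an added example (not part of the LANCOM documentation or the Unified Firewall software) that validates the values before they are typed in: every route and additional local network must be valid CIDR, the address pool must not overlap any network already configured on the firewall, and a fixed Client IP, if used, must be a usable host address inside the pool. All network values below are constructed placeholders; the requirement that the Client IP lie inside the pool is an assumption made by this check.

```python
"""Sanity checks for VPN SSL addressing (steps 1.8 and 1.10).

Added example, not LANCOM code. Replace the constructed values with the
networks of your own Unified Firewall.
"""
import ipaddress

# Constructed example values (assumptions, not taken from the page).
INTERNAL_NETWORKS = ["192.168.10.0/24", "192.168.20.0/24", "10.0.0.0/30"]  # LAN, DMZ, transfer net
ADDRESS_POOL = "10.8.0.0/24"                       # pool for dial-in clients (step 1.8)
ROUTES = ["192.168.10.0/24", "192.168.20.0/24"]     # pushed to all VPN SSL clients (step 1.8)
CLIENT_IP = "10.8.0.10"                             # optional fixed IP for one client (step 1.10)
ADDITIONAL_LOCAL_NETWORKS = ["192.168.20.0/24"]     # per-client extra networks (step 1.10)


def parse_cidr(value):
    """Return an IPv4Network for a CIDR string or raise ValueError with a clear message.

    strict=True rejects entries with host bits set (e.g. 192.168.10.5/24), which
    is the most common typo when filling in the Routes field.
    """
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        raise ValueError(f"{value!r} is not valid CIDR notation: {exc}") from exc
    if net.version != 4:
        raise ValueError(f"{value!r}: only IPv4 networks are handled here")
    return net


def check_address_pool(pool, internal_networks):
    """Return the internal networks that overlap the pool (empty list means OK)."""
    pool_net = parse_cidr(pool)
    return [n for n in internal_networks if parse_cidr(n).overlaps(pool_net)]


def check_routes(routes, pool):
    """Routes must be valid CIDR and must not point back into the client pool."""
    pool_net = parse_cidr(pool)
    problems = []
    for r in routes:
        if parse_cidr(r).overlaps(pool_net):
            problems.append(f"route {r} overlaps the address pool {pool}")
    return problems


def check_client_ip(client_ip, pool):
    """A fixed Client IP must be a host address inside the pool.

    Network and broadcast addresses of the pool are rejected.
    """
    pool_net = parse_cidr(pool)
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4 or addr not in pool_net:
        return False
    return addr not in (pool_net.network_address, pool_net.broadcast_address)


def run_all():
    """Run every check against the constructed values and return the findings."""
    findings = []
    clashes = check_address_pool(ADDRESS_POOL, INTERNAL_NETWORKS)
    if clashes:
        findings.append(f"address pool {ADDRESS_POOL} overlaps {clashes}")
    findings += check_routes(ROUTES + ADDITIONAL_LOCAL_NETWORKS, ADDRESS_POOL)
    if CLIENT_IP and not check_client_ip(CLIENT_IP, ADDRESS_POOL):
        findings.append(f"client IP {CLIENT_IP} is not a host address in {ADDRESS_POOL}")
    return findings


if __name__ == "__main__":
    for finding in run_all() or ["all addressing checks passed"]:
        print(finding)
```

Run it once per firewall before step 1.8; an empty findings list means the pool, routes and client IP are consistent with each other and with the networks already configured.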

1.11) For the VPN SSL connection click on the Export this connection button to export the connection parameters including the certificate.

Info

It is possible that you have to click on the double arrow symbol first (right next to the field Filter) to expand the menu, so that the symbol for the profile export is visible.

As an alternative you can also click on the "pencil" button to edit the configuration and click on Export Client Configuration afterwards.

1.12) Modify the following parameters and then click on Export.

  • Type: Select OVPN to generate a profile for the OpenVPN client.
  • Remote Hosts: Enter the public IPv4 address or the DynDNS name of the Unified Firewall along with the VPN SSL port (see step 1.8).
  • Key Password: Enter the private key password set in step 1.6.
  • Transport Password: Set a password. The exported profile is protected with it, and the user has to enter it when starting the VPN connection with the OpenVPN client. Hand the profile and the transport password to the user via separate channels.
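Before the exported profile is handed out, it is worth checking that it actually points at the host and port entered in step 1.12, that it carries the CA, client certificate and private key inline, and that the private key is not stored in the clear. The following is an added example (not LANCOM code and not the exact format the Unified Firewall exports): a small parser for the OpenVPN profile syntax, run against a constructed sample profile with placeholder PEM bodies. The check for `remote-cert-tls server` is a hardening expectation of this example, not a statement about what the export contains.

```python
"""Check an exported OpenVPN (.ovpn) profile against the values from step 1.12.

Added example, not LANCOM code. SAMPLE_PROFILE is constructed; the PEM bodies
are placeholders and will not load in OpenVPN.
"""
import re

SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.com 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF...placeholder...
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""


def parse_profile(text):
    """Split a profile into plain directives [(name, args)] and inline <tag> blocks {tag: body}."""
    directives, inline = [], {}
    current_tag, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current_tag:                      # inside <ca>, <cert>, <key>, <tls-auth>, ...
            if line == f"</{current_tag}>":
                inline[current_tag] = "\n".join(body)
                current_tag, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current_tag = m.group(1)
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    if current_tag:
        raise ValueError(f"unterminated <{current_tag}> block")
    return directives, inline


def normalise_proto(proto):
    """Map tcp-client/tcp4/udp6 etc. to the bare transport name, tcp or udp."""
    base = proto.lower().split("-")[0]
    return re.sub(r"\d+$", "", base)


def key_is_encrypted(pem):
    """True for a PKCS#8 encrypted key or a traditional PEM key with a Proc-Type header."""
    return "ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem


def check_profile(text, expected_host, expected_port, expected_proto="tcp"):
    """Return a list of findings; an empty list means the profile matches expectations."""
    findings = []
    directives, inline = parse_profile(text)
    by_name = {}
    for name, args in directives:
        by_name.setdefault(name, []).append(args)

    # OpenVPN defaults to UDP when no proto is given; a remote line may override it.
    default_proto = normalise_proto(by_name["proto"][0][0]) if "proto" in by_name else "udp"
    remotes = []
    for args in by_name.get("remote", []):
        host = args[0]
        port = int(args[1]) if len(args) > 1 else 1194
        proto = normalise_proto(args[2]) if len(args) > 2 else default_proto
        remotes.append((host, port, proto))
    expected = (expected_host, expected_port, normalise_proto(expected_proto))
    if expected not in remotes:
        findings.append(f"no remote entry for {expected}; profile has {remotes}")

    for tag in ("ca", "cert", "key"):
        if tag not in inline:
            findings.append(f"missing inline <{tag}> block")
    if "key" in inline and not key_is_encrypted(inline["key"]):
        findings.append("private key in <key> block is not password-protected")

    rct = by_name.get("remote-cert-tls", [[]])[0]
    if rct[:1] != ["server"]:
        findings.append("profile lacks 'remote-cert-tls server' (client would accept any "
                        "certificate from the CA as the server)")
    return findings


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE, "vpn.example.com", 1194, "tcp") or ["profile OK"]:
        print(finding)
```

Point `check_profile` at the contents of the exported file with the public address, port and protocol from step 1.12; a finding about an unprotected key means the profile was exported without a transport password and should be re-exported rather than sent out.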

1.13) Click the button to create a new VPN host.

1.14) Modify the following parameters and click Create:

  • Name: Enter a descriptive name (in this example VPN-SSL-Employee1).
  • VPN connection type: Select VPN-SSL.
  • VPN-SSL Connection: From the drop-down menu, select the VPN SSL connection created in step 1.10.

1.15) Click the "connection" icon of the VPN host and then click the network object that the OpenVPN client should access; this opens the firewall rule dialog between the two objects.

Repeat this step for every network that the OpenVPN client should be able to access.

1.16) Use the “+” signs to assign the required protocols to the VPN host.

Info
A Unified Firewall uses a deny-all strategy: any traffic that is not explicitly allowed is blocked. You therefore have to allow the required communication explicitly.

1.17) Finally, implement the configuration changes by clicking Activate in the Unified Firewall.

1.18) This concludes the configuration steps on the Unified Firewall.

...

2) Configuration steps in the OpenVPN client:

2.1) Right click on the OpenVPN icon in the task bar.

2.2) Click Import file to import the VPN profile.

2.3) A message is displayed to indicate that the profile was successfully imported.

2.4) This concludes the configuration steps in the OpenVPN client.



3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

By default VPN SSL uses TCP port 1194. This port must be forwarded to the Unified Firewall. If you changed the protocol or port in step 1.8, forward that protocol and port instead.

Info
If you are using a router from another manufacturer, consult that manufacturer's documentation for the corresponding procedure.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.

3.2) Save the following parameters:

  • First port: Specify the Port 1194.
  • Last port: Specify the Port 1194.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select TCP.

3.3) Write the configuration back to the router.