Cyberoam SSL VPN Installation and Configuration Guide

Important Notice
Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but
is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document.
Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications.
Information is subject to change without notice.
USERS LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License
Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.
You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam
UTM Appliances at http://kb.cyberoam.com.
RESTRICTED RIGHTS
Copyright 1999 - 2014 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of
Cyberoam Technologies Pvt. Ltd.
Corporate Headquarters
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower, Off. C.G. Road,
Ahmedabad 380006, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com

Page 2 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:
Corporate Office
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower
Off C.G. Road
Ahmedabad 380006
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com
Cyberoam contact:
Technical support (Corporate Office): +91-79-66065777
Email: support@cyberoam.com
Web site: www.cyberoam.com
Visit www.cyberoam.com for the regional and latest contact information.

Page 3 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Contents

Introduction to SSL VPN ................................................................................................... 6

Concepts of SSL VPN ....................................................................................................... 7

SSL VPN Access Modes ................................................................................................................ 7
Network Resources ........................................................................................................................ 9

Installing Cyberoam SSL VPN Client............................................................................... 10

Configuring Cyberoam SSL VPN Client .......................................................................... 14

Page 4 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.

Item
User
Username
Topic titles

Convention

Example
The end user
Username uniquely identifies the user of the system

Shaded
font
typefaces

Cyberoam SSL VPN Client

Subtitles

Bold & Black

typefaces

Navigation link

Bold typeface

Group Management > Groups > Create

it means, to open the required page click on Group
management then on Groups and finally click Create tab

Name
of
a
particular
parameter
/
field / command
button text
Cross
references

Lowercase
italic type

Enter policy name, replace policy name with the specific

name of a policy
Or
Click Name to select where Name denotes command button
text which is to be clicked
refer to Customizing User database Clicking on the link will
open the particular topic

Notes & points

to remember

Bold typeface
between
the
black borders

Prerequisites

Bold typefaces
between
the
black borders

Hyperlink
in
different color

Notation conventions

Note

Prerequisite
Prerequisite details

Page 5 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Introduction to SSL VPN

A Virtual Private Network (VPN) is a tunnel that carries private network traffic from one endpoint
system to another over a public network such as the Internet without the traffic being aware that
there are intermediate hops between the endpoints or the intermediate hops being aware they are
carrying the network packets that are traversing the tunnel. The tunnel may optionally compress
and/or encrypt the data, providing enhanced performance and some measure of security.

VPN is cost-effective because users can connect to the Internet locally and tunnel back to connect
to corporate resources. This not only reduces overhead costs associated with traditional remote
access methods, but also improves flexibility and scalability.
For business telecommuters or employees working from home, connecting securely to the
corporate intranets or extranets to access files or application is essential.
Hence, whenever users access the organization resources from remote locations, it is essential
that not only the common requirements of secure connectivity be met but also the special
demands of remote clients. These requirements include:
Flexible Access: The remote users must be able to access the organization from various
locations, like Internet cafes, hotels, airport etc. The range of applications available must
include web applications, mail, file shares, and other more specialized applications required to
meet corporate needs.
Secure connectivity: Guaranteed by the combination of authentication, confidentiality and
data integrity for every connection.
Usability: Installation must be easy. No configuration should be required as a result of
network modification at the remote user end. The given solution should be seamless for the
connecting user.
To satisfy the above basic requirements, a secure connectivity framework is needed to ensure that
remote access to the corporate network is securely enabled.
SSL (Secure Socket Layer) VPN provides simple-to-use and implement secure access for the
remote users. It allows access to the Corporate network from anywhere, anytime and provides the
ability to create point-to-point encrypted tunnels between remote user and companys internal
network, requiring combination of SSL certificates and a username/password for authentication to
enable access to the internal resources.
Depending on the access requirement, remote users can access through SSL VPN Client or End
user Web Portal (clientless access).

Note

SSL VPN is not supported when Appliance is deployed as Bridge mode.

SSL VPN feature is not available for CR15i

Page 6 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Concepts of SSL VPN

SSL VPN Access Modes
When a remote user connects to the Cyberoam appliance, the Cyberoam appliance authenticates
the user based on user name and password. A successful login determines the access rights of
remote users according to user group SSL VPN policy. The user group SSL VPN policy specifies
whether the connection will operate in Web Access mode or Tunnel Access mode.
Tunnel Access mode
Tunnel Access mode provides access to the Corporate network to remote users through laptops
as well as from Internet cafes, hotels, airport etc. It requires an SSL VPN Client at the remote end.
Remote users are required to download and install SSL VPN Client from the End-user Web Portal.
SSL VPN client establishes a SSL VPN tunnel over the HTTPS link between the web browser and
the Cyberoam appliance to encrypt and send the traffic to the Cyberoam appliance.
Cyberoam allows two types of tunneling:
Split Tunnel: To avoid the bandwidth choking, split tunnel can be configured which ensures
that only the traffic for the private network is encrypted and tunneled while the Internet traffic
is send through the usual unencrypted route .This is configured by default and is used to
avoid bandwidth choking.
In this mode, Cyberoam acts as a secure HTTP/HTTPS gateway and authenticates the
remote users. On successful authentication, Cyberoam redirects the web browser to the Web
portal. Remote users can download SSL VPN client and configuration file for installation.
Configuring Tunnel Access mode is a two-step process:
1. Select Tunnel Access mode in VPN SSL policy
2. Assign policy to the user group
Full Tunnel: This ensures that not only private network traffic but other Internet traffic is also
tunneled and encrypted.
For administrators, Cyberoam Web Admin console provides SSL VPN management. Administrator
can configure SSL VPN users, access method and policies, network resources, and system and
portal settings.
For remote users:
Access End user Web Portal
If you are installing SSL VPN Client for the first time, download bundled SSL VPN Client and
install client on desktop machine. Bundle includes installer as well as configuration file.
If you have already installed the SSL VPN Client, download only the configuration file from
End user Web Portal and import the downloaded SSL VPN Client Configuration file.
Web Access Mode
Web Access mode provides access to the remote users who are equipped with the web browser
only and when access is to be provided to the certain Enterprise Web applications/servers through
web browser only. In other words, it offers a clientless network access using any web browser. The
feature comprises of an SSL daemon running on the Cyberoam unit and End user Web portal
which provides users with access to network services and resources.
In this mode, Cyberoam acts as a secure HTTP/HTTPS gateway and authenticates the remote

Page 7 of 18

Cyberoam SSL VPN Installation and Configuration Guide

users. On successful authentication, Cyberoam redirects the web browser to the Web portal from
where remote users can access the applications behind the Cyberoam appliance. Configuring
Web Access mode is a two-step process:
1. Select Web Access mode in VPN SSL policy
2. Assign policy to the User or Group
For administrators, Cyberoam Web Admin console provides SSL VPN management. Administrator
can configure SSL VPN users, access method and policies, user bookmarks for network
resources, and system and portal settings.
For remote users, customizable End user Web Portal enables access to resources as per the
configured SSL VPN policy.
With no hassles of client installation, it is truly a clientless access.
Application access mode
Application Access mode provides access to the remote users who are equipped with the web
browser and when access is to be provided to the certain Enterprise applications through web
browser only. Application access mode also offers a clientless network access using any web
browser. The feature comprises of an SSL daemon running on the Cyberoam unit and End user
Web portal which provides users with access to network services and resources.
Application access allows remote access to different TCP based applications like HTTP, HTTPS,
RDP, TELNET, SSH and FTP without installing client.
In this mode, Cyberoam acts as a secure gateway and authenticates the remote users. On
successful authentication, Cyberoam redirects the web browser to the Web portal from where
remote users can access the applications behind the Cyberoam appliance. Configuring Application
Access mode is a two-step process:
1. Select Application Access mode in VPN SSL policy
2. Assign policy to the User or Group
For administrators, Cyberoam Web Admin console provides SSL VPN management. Administrator
can configure SSL VPN users, access method and policies, user bookmarks for network
resources, and system and portal settings.
For remote users, customizable End user Web Portal enables access to resources as per the
configured SSL VPN policy.
With no hassles of client installation, it is also a clientless access.

Prerequisite (Remote User)

Microsoft Windows Supported Windows 2000, Windows XP, Windows 7, Windows Vista
and Windows Server 2003
Admin Rights Required Remote user must be logged on as Admin User or must have
Admin privilege
JRE Installation Java Runtime Environment Version 1.6 or above must be installed

Page 8 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Threat - Free Tunneling

Cyberoam scans VPN Tunnel Traffic (incoming and outgoing) for malware, spam, inappropriate
content and intrusion attempts, ensuring Threat-free Tunneling. Furthermore, VPN traffic is
subjected to DoS inspection, although Cyberoam does provide the option of bypassing DoS
inspection for specific traffic.
Cyberoam does not have an exclusive port assigned for the VPN Zone like the LAN, WAN and
DMZ ports. As soon as a VPN connection is established, the port/interface used by the connection
is automatically added to the VPN zone, and on disconnection, the port is removed by itself. VPN
zone is used by both IPSec and SSL VPN traffic.

Note
Threat Free Tunneling is applicable only when SSL VPN tunnel is established through Tunnel Access
Mode.

Network Resources
Network Resources are the components that can be accessed using SSL VPN. SSL VPN provides
access to an HTTP or HTTPS server on the internal network, Internet, or any other network
segment that can be reached by the Cyberoam. The Administrator can configure Web (HTTP) or
Secure Web (HTTPS) bookmarks and internal network resources to allow access to Web-based
resources and applications.
If required, custom URL access can also be provided.

Network resources:
Resource

Accessible in Mode

Bookmarks

Web Access Mode, Application Access Mode

Bookmark Groups

Web Access Mode, Application Access Mode

Custom URLs - Not defined as Bookmark

Web Access Mode

Enterprise Private Network resources

Tunnel Access Mode

Page 9 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Installing Cyberoam SSL VPN Client

Step 1
Download Cyberoam SSL VPN client installation program CyberoamSSLVPNClient_Setup.exe
from the Client page of Cyberoam website.
Step 2
Double click on the downloaded file to install and select the language for displaying the installation
steps. Follow the onscreen instructions given by the installation wizard.

Note
Need Administrator privileges to install the client.

On clicking Download Client, the following message appears.

Screen - Prompt Message

Step 3
Click Save to save a copy of the executable (.exe) file on your local machine. The following
warning message appears.

Screen Warning Message

On clicking Allow, the Installer Language dialog box appears.

Page 10 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Screen Language Selection

Step 4
Select the preferred language. The default language is English.

Screen Choose Install Location

Page 11 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Step 5
Click Browse to change the location of the Destination Folder where the client is to be installed.
Click Install. The following screen appears while installation is in progress.

Screen Installation in Progress

Screen TAP Adapter Confirmation

Page 12 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Step 6
A screen will be displayed that prompts you to install the Tap-Windows adapter titled TAPWindows Provider V9 Network adapters. It is mandatory to install the Tap-Windows adapter to
proceed further.

Screen Warning Message

Screen Installation Complete

Once the installation is complete, you will find CrSSL Client icon

in the system tray.

Page 13 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Configuring Cyberoam SSL VPN Client

Step 1
Right click the Client icon

in the System Tray to configure the SSL VPN server IP Address.

Screen Server Settings

Screen SSL VPN Server Settings

Step 2
Configure the SSL VPN Server, the Protocol and the Port. Use the Restore to default (last
imported) configuration to import the configurations made in the previous version.

Page 14 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Step 3
Previous Configuration can also be imported by selecting the Import Configuration option as
shown below:

Screen Import Configuration

Import Configuration using the on screen instructions that follow.
Step 3 Login to access network resources or Internet
Double click SSL VPN Client icon

and specify username and password and click Login button.

Screen User Authentication

Enable Save username and password checkbox, if you dont want to type username and
password every time you login. Enable Auto Start SSLVPN checkbox to automatically initiate the
SSL VPN Client when the system starts. For enabling Auto Start SSLVPN checkbox, Save
username and password checkbox needs to be enabled.

Page 15 of 18

Cyberoam SSL VPN Installation and Configuration Guide

If the Per User Certificate option is enabled from VPN > SSL > Tunnel Access > Tunnel
Access Settings in Cyberoam, the user will be prompted to specify the configured Passphrase in
the Enter Password option as shown in the screen below:

Screen Enter Password (Passphrase)

The icon turns yellow
indicating that connection is in progress.
Right click the CrSSL Client icon and click Show Status to view the connection status.

Screen View Connection Status

Screen Connection Status

Page 16 of 18

Cyberoam SSL VPN Installation and Configuration Guide

The icon turns green

the moment connection is established and IP is leased.

Screen Connection Established

Right click the green SSL VPN Client icon

and click Logout to disconnect the connection.

Screen Disconnect the connection

Once disconnected, the SSLVPN Client icon turns red. Right click the red icon
the SSL VPN Client.

and click Exit to

Screen Exit the SSL VPN Client

This finishes the configuration of Cyberoam SSL VPN client on the remote users machine.

Page 17 of 18

Cyberoam SSL VPN Installation and Configuration Guide

Configure Proxy (if required)

Configure proxy if Client is not able to connect to the Internet directly i.e. outbound access is
restricted via HTTP or SOCKS proxy.

Note
If you are configuring proxy, make sure, you have not selected UDP protocol in the Server Settings
(Step 2).

Screen Configuring Proxy

Screen Proxy Settings

This completes the Installation and Configuration for Cyberoam SSL VPN Client.

Page 18 of 18