WatchGuard Technologies Firebox SSL VPN Gateway User Manual
Connecting from a Private Computer
120 Firebox SSL VPN Gateway
The Firebox SSL VPN Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the
private network, and forwards the traffic to the private network. The Firebox SSL VPN Gateway sends
traffic back to the remote computer over a secure tunnel.
When a remote user logs on using the Secure Access Client, the Firebox SSL VPN Gateway prompts the
user for credentials with an HTTP 401 challenge using Basic or Digest authentication. The Firebox SSL VPN
Gateway verifies the credentials against the configured authentication type, such as local authentication,
RSA SecurID, SafeWord, LDAP, NTLM, or RADIUS. If the credentials are correct, the Firebox SSL VPN Gateway
finishes the handshake with the client. This logon step is required only when a user initially downloads
the Secure Access Client.
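The 401 challenge described above has two forms with very different exposure: a Basic header carries the password in reversible base64 and is safe only because it travels inside the TLS tunnel, while a Digest response sends a nonce-bound hash and lets the server detect replays. The following is an added illustration written for this page, not WatchGuard code and not the Gateway's actual implementation; the realm, user database, and the `DigestGateway` class are constructed for the example.

```python
import base64
import hashlib
import secrets
from typing import Dict, Tuple

# Constructed demo realm and credentials; not from any real deployment.
REALM = "vpn.example.test"
USERS = {"alice": "correct horse battery staple"}


def basic_header(username: str, password: str) -> str:
    """Client side of HTTP Basic (RFC 7617): 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_decode(header: str) -> Tuple[str, str]:
    """Reverse a Basic header. Anyone who sees it has the password, which is why
    Basic is acceptable only inside the SSL tunnel."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username: str, password: str, method: str, uri: str,
                    realm: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 MD5 Digest with qop=auth:
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_client_auth(username: str, password: str, method: str, uri: str,
                       challenge: Dict[str, str], nc: str = "00000001") -> Dict[str, str]:
    """Client side: answer a Digest challenge with a fresh client nonce."""
    cnonce = secrets.token_hex(8)
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
        "response": digest_response(username, password, method, uri,
                                    challenge["realm"], challenge["nonce"], nc, cnonce),
    }


class DigestGateway:
    """Toy server side (constructed for this example): issues nonces, verifies
    responses against stored passwords, and rejects replayed nonce counts."""

    def __init__(self, users: Dict[str, str], realm: str = REALM) -> None:
        self.users = users
        self.realm = realm
        self._nonces: Dict[str, int] = {}  # nonce -> highest nc accepted so far

    def challenge(self) -> Dict[str, str]:
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, auth: Dict[str, str], method: str) -> bool:
        nonce = auth.get("nonce", "")
        if nonce not in self._nonces or auth.get("realm") != self.realm:
            return False  # unknown nonce or wrong realm
        try:
            nc = int(auth["nc"], 16)
        except (KeyError, ValueError):
            return False
        if nc <= self._nonces[nonce]:
            return False  # nonce count not increasing: replayed request
        password = self.users.get(auth.get("username", ""))
        if password is None:
            return False
        expected = digest_response(auth["username"], password, method, auth["uri"],
                                   self.realm, nonce, auth["nc"], auth["cnonce"])
        ok = secrets.compare_digest(expected, auth.get("response", ""))
        if ok:
            self._nonces[nonce] = nc
        return ok
```

`digest_response` reproduces the RFC 2617 worked example exactly, so it can be checked against the published vector; the replay check in `verify` is the part a gateway operator cares about, since without it a captured Authorization header remains valid for the life of the nonce.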
If the user is behind a proxy server, the user can specify the proxy server and authentication credentials.
For more information, see “Configuring Proxy Servers for the Secure Access Client” on page 125.
The Secure Access Client is installed on the user’s computer. After the first connection, the remote user
can subsequently use a desktop shortcut to start the Secure Access Client.
The Advanced Options dialog box, which is used to configure client computer settings, can also be
opened by right-clicking the Secure Access Client icon on the desktop and then clicking Properties.
If users are connecting using a Web page, they are either prompted to log on or are taken directly to a
portal page where they can connect using Secure Access Client.
If the Firebox SSL VPN Gateway is configured to have users log on before making a connection with
Secure Access Client, they type their user name and password and then log on. A portal page appears
that provides the choice to log on using the full Secure Access Client or in kiosk mode (if enabled). If a
user chooses to log on using Secure Access Client, the connection provides full access to the network
resources that the user’s group(s) have permission to access.
The access granted by the security policies enables users to work with the remote system just as if they
were logged on locally. For example, users might be granted access to applications, including Web,
client-server, and peer-to-peer applications such as Instant Messaging, video conferencing, and real-time
Voice over IP. Users can also map network drives to access allowed network resources, including
shared folders and printers.
While connected to a Firebox SSL VPN Gateway, remote users cannot see network information from
the site to which they are connected. For example, while connected to the Firebox SSL VPN Gateway,
type either of the following at a command prompt:
ipconfig /all
route print
You will not see network information from the corporate network.
Establishing the Secure Tunnel
After the Secure Access Client is started, it establishes a secure tunnel over port 443 (or any configured
port on the Firebox SSL VPN Gateway) and sends authentication information. When the tunnel is
established, the Firebox SSL VPN Gateway sends configuration information to the Secure Access Client
describing the networks to be secured and containing an IP address if you enabled IP pooling. For more
information about IP pooling, see “Enabling IP Pooling” on page 94.
Tunneling Private Network Traffic over Secure Connections
When the Secure Access Client is started and the user is authenticated, all network traffic destined for
specified private networks is captured and redirected over the secure tunnel to the Firebox SSL VPN
Gateway.
All network connections made by the client device to those networks are intercepted and
multiplexed/tunneled over SSL to the Firebox SSL VPN Gateway, where the traffic is demultiplexed and
the connections are forwarded to the correct host and port combination.
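Two decisions are made for every connection in the flow just described: the client decides whether a destination lies in one of the "networks to be secured" it received from the Gateway (tunnel or direct), and the Gateway, after demultiplexing, decides whether a security policy permits that host and port. The following added example models both checks; it is illustration written for this page, not WatchGuard code, and the network list, `Policy` class, and policy entries are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed stand-in for the "networks to be secured" list the Gateway pushes
# to the client. Entries are IP address/subnet pairs; the host bits are ignored.
SECURED_NETWORKS_FROM_GATEWAY = [
    "10.10.0.0/16",
    "192.168.50.7/24",   # address/subnet pair with host bits set
    "172.16.8.0/21",
]


@dataclass(frozen=True)
class Policy:
    """One administrative security policy: a resource range plus allowed ports
    (an empty port set means any port, i.e. a whole-subnet policy)."""
    name: str
    network: ipaddress.IPv4Network
    ports: FrozenSet[int]


# Constructed policies: a web-only intranet range, a single file-server port,
# and an entire subnet opened for real-time traffic.
POLICIES = [
    Policy("intranet-web", ipaddress.ip_network("10.10.0.0/16"), frozenset({80, 443})),
    Policy("file-server", ipaddress.ip_network("192.168.50.0/24"), frozenset({445})),
    Policy("voip-subnet", ipaddress.ip_network("172.16.8.0/21"), frozenset()),
]


def parse_secured_networks(lines: List[str]) -> List[ipaddress.IPv4Network]:
    """Client side: turn the pushed address/subnet pairs into network objects.
    strict=False masks off host bits, so 192.168.50.7/24 becomes 192.168.50.0/24."""
    nets = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def client_route(dst_ip: str, secured: List[ipaddress.IPv4Network]) -> str:
    """Client side: capture traffic for secured networks, let the rest go direct."""
    addr = ipaddress.ip_address(dst_ip)
    return "tunnel" if any(addr in net for net in secured) else "direct"


def gateway_forward(dst_ip: str, dst_port: int, policies: List[Policy]) -> Optional[str]:
    """Gateway side: after demultiplexing, return the first policy that permits
    this host/port combination, or None to drop the connection."""
    addr = ipaddress.ip_address(dst_ip)
    for policy in policies:
        if addr in policy.network and (not policy.ports or dst_port in policy.ports):
            return policy.name
    return None


def simulate(connections: List[Tuple[str, int]],
             secured: List[ipaddress.IPv4Network],
             policies: List[Policy]) -> List[Tuple[str, int, str]]:
    """Run each (ip, port) through the client capture step and then the
    Gateway policy step, recording the outcome."""
    results = []
    for ip, port in connections:
        if client_route(ip, secured) == "direct":
            results.append((ip, port, "direct"))
            continue
        policy = gateway_forward(ip, port, policies)
        results.append((ip, port, f"forwarded:{policy}" if policy else "denied"))
    return results


if __name__ == "__main__":
    secured = parse_secured_networks(SECURED_NETWORKS_FROM_GATEWAY)
    for row in simulate([("10.10.3.4", 443), ("10.10.3.4", 22), ("8.8.8.8", 53)],
                        secured, POLICIES):
        print(row)
```

The point worth noticing is that the two checks are independent: a destination can be captured into the tunnel because it is inside a secured network and still be denied at the Gateway because no policy covers that port, which is the behaviour the text describes for policies scoped to a single application.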
The connections are subject to administrative security policies that apply to a single application, a
subset of applications, or an entire intranet. You specify the resources (ranges of IP address/subnet pairs)