SSL Network Extender

In This Section:

Configuring the Security Gateway to Support the SSL Network Extender

Configuring SSL Network Extender

Load Sharing Cluster Support

Configuring the Security Gateway to Support the SSL Network Extender

Note - If the Mobile Access blade is active on a Security Gateway, SSL Network Extender works through Mobile Access and not IPsec VPN. In this case, SSL Network Extender must be configured through the Mobile Access blade. If you already had SSL Network Extender configured on an IPsec VPN Security Gateway and then you enable the Mobile Access blade, you must reconfigure SSL Network Extender for the Mobile Access blade.

Configure each Security Gateway that uses SSL Network Extender. When the Mobile Access Software Blade is enabled, SSL Network Extender is enabled as a Web client.

To configure the SSL Network Extender settings for a Security Gateway:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. If Mobile Access is enabled:
    1. From the navigation tree, click Mobile Access.
    2. When Web is selected, SSL Network Extender is enabled.
  3. From the navigation tree, click VPN Clients.
  4. Click SSL Network Extender.
  5. From The gateway authenticates with this certificate, select the certificate that is used to authenticate to all SSL clients.
  6. Click OK and publish the changes.

Configuring SSL Network Extender

To configure the settings for SSL Network Extender connections:

  1. From Menu, click Global Properties.
  2. Select Remote Access > SSL Network Extender.
  3. From the drop-down list, select the user authentication method that SSL Network Extender uses. The options are:
    • Certificate - The system authenticates the user only with a certificate.
    • Certificate with enrollment - The system authenticates the user only with a certificate. Enrollment is allowed.

      If the users do not have a certificate, they can enroll using a registration key that they previously received from the administrator.

    • Legacy - (Default setting) The system authenticates the user with the Username and Password.
    • Mixed - The system tries to authenticate the user with the certificate. If the user does not have a valid certificate, the system tries to authenticate the user with the Username and Password.

Load Sharing Cluster Support

The SSL Network Extender provides Load Sharing Cluster Support. When the client connects to the cluster, all its traffic will pass through a single Security Gateway. If that member Security Gateway fails, the client reconnects transparently to another cluster member and resumes the session.

To provide Load Sharing Cluster Support:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the cluster object.

    The cluster window opens and shows the General Properties page.

    Note - You must create a Load Sharing Cluster before you can configure the Sticky Decision Function.

  2. From the navigation tree, click ClusterXL and VRRP.
  3. Make sure that Load Sharing is selected.
  4. In the Advanced Settings section, click Use Sticky Decision Function.
  5. If you are using Office Mode, configure these settings:
    1. From the navigation tree, click VPN Clients > Office Mode.
    2. In the Office Mode Method section, make sure that Automatic (using DHCP) is NOT selected.

      Only the Manual (using IP pool) method is supported.

  6. Click OK and publish the changes.