Configuring Advanced Remote Access Options

In the VPN > Remote Access Advanced page you can configure more advanced settings to determine VPN remote access users' behavior.

You can also add bookmarks (HTML links or RDP links) for specified URLs or computers when you connect through SSL VPN (see below). The next time you log in, your bookmarks are shown.

Office Mode

Remote access VPN clients connect through a VPN tunnel from their homes to the appliance and from there they can gain access into the organization's resources.

The appliance assigns each remote access user an IP address from a specified network so that the traffic inside the organization is not aware that it originated from outside the organization.

This technology is called Office Mode and the network used for supplying the IP addresses is configurable.

To configure the Office Mode network:

  1. Enter the Office Network address and Office Subnet Mask.

  2. Click Apply

    The default setting for office mode is

To assign a VPN certificate:

  1. In the Advanced page > Certificate authentication section, select one of these options:

    • Automatically use the last installed certificate.

    • Manually choose a VPN certificate - Select a certificate from the list of uploaded certificates in the drop-down menu.

  2. Click Apply.

To route all traffic from VPN remote access clients through the gateway:

  1. Select the Route Internet traffic from connected clients through this gateway checkbox.

  2. Starting from R81.10.10, select the Restrict VPN Remote Access implied rule checkbox to disable implied rules and restrict VPN Remote Access according to the Access Policy.

  3. Click Apply

Normally, only traffic from the VPN clients into the organization's encryption domain is encrypted and sent through the VPN tunnel to the gateway. Selecting the above checkbox causes all traffic from the VPN clients to be encrypted and sent to the gateway. In this case, traffic to locations outside the organization is enforced by the outgoing Access Policy. For more information, see the Access Policy > Firewall Blade Control and Policy pages.

Note - This setting does not apply to traffic from SSL Network Extender (SNX) clients. SNX is a secure connectivity framework for remote access VPN to a corporate network. It uses a thin VPN client installed on the user's remote computer that connects to an SSL-enabled web server on a VPN Gateway.
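The routing behavior described above can be modeled to see which client destinations bypass the gateway under each setting. This is an added example, not Check Point code: the function names, the sample networks and addresses, and the reading that SNX clients keep the default behavior are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample encryption domain (internal networks); not from a real deployment.
ENCRYPTION_DOMAIN = ["10.1.0.0/16", "192.168.50.0/24"]

# Constructed sample destinations a remote client might contact.
DESTINATIONS = ["10.1.4.20", "192.168.50.7", "203.0.113.10", "198.51.100.5"]


def in_encryption_domain(dest, domain):
    """True if dest falls inside any network of the local encryption domain."""
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_network(net) for net in domain)


def client_path(dest, domain, route_all, client="ipsec"):
    """Model of where a remote access client sends traffic for one destination.

    Returns:
      "tunnel"                 - encrypted to the gateway (encryption domain)
      "tunnel-outgoing-policy" - encrypted to the gateway, then subject to the
                                 outgoing Access Policy (route-all selected)
      "direct"                 - leaves the client outside the tunnel, so the
                                 gateway never sees or enforces it
    """
    if in_encryption_domain(dest, domain):
        return "tunnel"
    # Assumption: the route-all checkbox has no effect on SNX clients,
    # so they keep the default behavior for non-domain destinations.
    if route_all and client != "snx":
        return "tunnel-outgoing-policy"
    return "direct"


def uninspected(dests, domain, route_all, client="ipsec"):
    """Destinations whose traffic the gateway cannot enforce policy on."""
    return [d for d in dests if client_path(d, domain, route_all, client) == "direct"]


if __name__ == "__main__":
    for route_all in (False, True):
        for client in ("ipsec", "snx"):
            print(f"route_all={route_all} client={client}: "
                  f"direct={uninspected(DESTINATIONS, ENCRYPTION_DOMAIN, route_all, client)}")
```

When reviewing a deployment, the "direct" list is the traffic that depends entirely on endpoint controls, because it never reaches the gateway's Access Policy.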

To configure a local encryption domain manually for remote access users only:

The local encryption domains are the internal networks accessible by encrypted traffic from remote access VPN users. By default, the local encryption domain is determined automatically by the appliance. Networks behind LAN interfaces and trusted wireless networks are part of the local encryption domain.

Optionally, you can manually create a local encryption domain to be used by remote access users only instead. It is possible to configure a different manual local encryption domain for VPN remote access and VPN site to site. See VPN > Site to Site Blade Control page.

  1. Click on the local encryption domain link: automatically according to topology or manually. The link shown is a reflection of what is currently configured.

  2. Select Define local network topology manually.

  3. Click Select to show the full list of available networks and choose the relevant checkboxes.

  4. Click New if the existing list does not contain the networks you need. For information on creating a new network object, see the Users & Objects > Network Objects page.

  5. Click Apply

    The Remote Access Local Encryption Domain window opens and shows the services you selected.

DNS Servers for Remote Access users

You can define up to three DNS servers for Remote Access clients. By default, the Office mode first DNS for clients is set to this gateway.

To use a different DNS Primary server:

  1. Click Configure manually.

  2. In Office mode first DNS for clients, enter the IP address of a server to use as the DNS server.

  3. Click Apply

DNS Domain Name

You can set a DNS domain name that the Remote Access clients' devices automatically use to attempt to resolve non-FQDN domains. By default, the suffix is automatically configured to take the DNS domain name configured in the DNS page.

To configure a manual DNS domain name:

  1. Click Configure manually.

  2. In DNS domain name, enter the DNS domain name suffix to use.

  3. Click Apply

To configure the DNS domain name to be the same as the defined DNS domain name:

  1. Click Configure automatically.

  2. Click Apply

    The DNS domain name shows the text "Same as DNS domain name".

SSL VPN bookmarks

To configure SSL VPN bookmarks:

  1. Click Add > New Local User/Users Group/Active Directory Group > SSL VPN Bookmarks tab.

    A new window opens.

  2. Enter new bookmarks or select existing bookmarks.

    Note - If you select Global bookmark, this bookmark is always shown.

  3. Click Apply

To set SSL VPN bookmarks:

  1. In SSL VPN bookmarks, click New to create new bookmarks.

    A new window opens.

  2. Enter these details:

    • URL

      Note - If you select Global bookmark, then all users see this bookmark.

    • Type - Link or RDP (remote desktop protocol)

    • Label - The bookmark name

    • Tooltip - Description

  3. Click Apply

If you select RDP as the bookmark type, you must enter the user name and password in the RDP Advanced Settings. These credentials are sent to the end user.

Note - If Show characters is selected, Web UI shows the password characters.

You can also specify the screen size of the remote desktop. The default mode is full screen.

To manage SSL VPN bookmarks:

  1. Click on a bookmark.

  2. Click Edit or Delete.

  3. Click Apply