Configuring Remote Access Users
On the VPN > Remote Access section > Remote Access Users page, you can configure Remote Access VPN permissions for individual users and user groups. (Remote Access VPN: an encrypted tunnel between remote access clients, such as Endpoint Security VPN, and a Security Gateway.)
You can configure users and user groups on the Users & Objects view > Users Management > Users page.
The Remote Access Users page is dedicated to users with Remote Access VPN permissions.
You can configure:
- Local users
- Local user groups
- Active Directory users (R81.10.15 and higher)
- Active Directory user groups
- Active Directory permissions
- Azure AD (now known as Microsoft Entra ID) (in versions R81.10.15 and higher)
- RADIUS groups
- RADIUS users (in versions R81.10.15 and higher)
You can also configure SSL VPN bookmarks by user, user group, RADIUS users and Active Directory group.
Best Practice - If no authentication servers are defined, click the Active Directory / RADIUS link at the top to define them.
Note - When User Awareness is turned off, there is no user identification based on Browser-Based Authentication and Active Directory Queries.
Adding Remote Access Permissions to a Specific Local User
- Near the Add button, click the downward arrow > click New Local User.
- In the Remote Access tab:
  - In the Name field, enter a username.
  - In the Password field, enter a password.
    Note - The password can be up to 100 characters.
  - In the Confirm Password field, enter the password again.
  - In the Email field, enter the user's email. This is required for Two-Factor Authentication.
  - In the Mobile phone number field, enter the user's phone number. This is required for Two-Factor Authentication.
  - Optional: In the Comments field, enter the applicable description for this user.
  - Select Temporary user if you configure a temporary user.
    Enter the expiration date and time.
  - Select Remote Access permissions.
    Starting from R81.10.15, two additional checkboxes appear:
    - Optional: Select Use Office Mode static IP address and enter the desired IP address for Office Mode. Instead of getting the WAN IP address allocated dynamically from the gateway, the user receives the static IP address associated with that user.
    - Optional: Select Override global settings to configure policy per individual user instead of applying the settings on the gateway.
      Two additional checkboxes appear:
      - Optional: Select Route all traffic for this user through VPN to route the traffic for this user through the VPN tunnel.
      - Optional: Select Enable Two-Factor Authentication (2FA) enforcement to enforce Two-Factor Authentication for this user.
        Select the applicable option:
        - Use SMS/email
        - Use an Authenticator app
- Optional: In the SSL VPN Bookmarks tab:
  - Click Add > New Local User/Users Group/Active Directory Group > SSL VPN Bookmarks tab.
  - In the new window, enter new bookmarks or select existing bookmarks.
    Note - If you select the Global bookmark, this bookmark always appears.
  - Click Save.
- Click Save.
Adding Remote Access Permissions to a Local User Group
- Near the Add button, click the downward arrow > click New Users Group.
- In the Remote Access tab:
  - In the Group name field, enter the group name.
  - Select Remote Access permissions.
  - Select initial users to add to the group by selecting the relevant checkboxes in the user list or by clicking New to create new users.
    You can see a summary of the group members above the user list.
    You can remove members by clicking the X next to the relevant user name.
- Optional: In the SSL VPN Bookmarks tab:
  - Click Add > New Local User/Users Group/Active Directory Group > SSL VPN Bookmarks tab.
  - In the new window, enter new bookmarks or select existing bookmarks.
    Note - If you select the Global bookmark, this bookmark always appears.
  - Click Save.
- Click Save.
Adding Remote Access Permissions to Active Directory Users
Note - This feature is available in R81.10.15 and higher.
- Near the Add button, click the downward arrow > click Active Directory > click Active Directory User.
- If no Active Directory was defined, you are prompted to configure one.
  For more information on configuring Active Directory, see Configuring Authentication Servers for Remote Access.
- In the Name field, enter the username as configured in Active Directory.
- In the Email field, enter the user's email as configured in Active Directory.
- Optional: Select Override global settings to configure policy per individual user instead of applying the settings on the gateway.
  Two additional checkboxes appear:
  - Optional: Select Route all traffic for this user through VPN to route the traffic for this user through the VPN tunnel.
  - Optional: Select Enable Two-Factor Authentication (2FA) enforcement to enforce Two-Factor Authentication for this user.
    Select the applicable option:
    - Use SMS/email
    - Use an Authenticator app
    When this Remote Access VPN user connects to the Quantum Spark Gateway for the first time, the credentials are sent to the Active Directory server. After confirmation from the Active Directory server, the Quantum Spark Gateway sends a one-time code in an SMS or email, or the user must enter a one-time code from an Authenticator app.
- Click Save.
In addition, refer to Procedure to add Remote Access permissions to all users defined in an Active Directory.
- Do one of these:
  - From the toolbar, click Edit Permissions.
  - Near the Add button, click the downward arrow > click Active Directory > click Active Directory Group.
- Near the Add button, click the downward arrow > click Active Directory > click Active Directory Group.
- If no Active Directory was defined, you are prompted to configure one.
- When an Active Directory has been defined, you see a list of available user groups defined in the server.
- Select one of the user groups.
- Click Save.
- Near the Add button, click the downward arrow > click Active Directory > click Active Directory Permissions.
- Select the applicable option:
  - All users in Active Directory
    Note - Most Active Directory domains contain a large list of users. Consider limiting the Remote Access VPN permissions only to specific user groups.
  - Selected Active Directory user groups (this is the default)
    Note - Requires additional configuration.
- Click Save.
- If you selected the option Selected Active Directory user groups, then follow Procedure to add Remote Access permissions to an Active Directory specific user.
Note - This feature is available in R81.10.15 and higher.
- Near the Add button, click the downward arrow > click Active Directory > click Azure AD Group.
- In the Name field, enter the user group name as configured in Microsoft Entra ID.
  Important - On the Quantum Spark Gateway, this name must always start with the prefix "EXT_ID_".
  Example: If the Azure AD group is called "VPN_Users", then you must enter "EXT_ID_VPN_Users".
- Optional: In the Comments field, enter the applicable description for this Microsoft Entra ID user group.
- Optional: Select Override global settings to configure policy per individual user instead of applying the settings on the gateway.
  Optional: Select Route all traffic for this Azure AD group through VPN to route the traffic for this user group through the VPN tunnel.
For more information, see Configuring SAML Authentication for Remote Access VPN.
Adding Remote Access Permissions to RADIUS Users
- Near the Add button, click the downward arrow > click RADIUS > click RADIUS Group.
- Select Enable RADIUS authentication for User Awareness, Remote Access and Hotspot.
- Optional: Select For Remote Access use specific RADIUS groups only.
  In the field RADIUS groups for authentication, enter the applicable RADIUS groups.
- Click Save.
Note - This feature is available in R81.10.15 and higher.
- Near the Add button, click the downward arrow > click RADIUS > click RADIUS User (Two-Factor Authentication).
- In the Name field, enter a username.
- In the Email field, enter the user's email. This is required for Two-Factor Authentication.
- In the Phone number field, enter the user's phone number. This is required for Two-Factor Authentication.
- Optional: Select Override global settings to configure policy per individual user instead of applying the settings on the gateway.
  Two additional checkboxes appear:
  - Optional: Select Route all traffic for this user through VPN to route the traffic for this user through the VPN tunnel.
  - Optional: Select Enable Two-Factor Authentication (2FA) enforcement to enforce Two-Factor Authentication for this user.
    Select the applicable option:
    - Use SMS/email
    - Use an Authenticator app
- Click Save.
Deleting an Existing User or User Group
- Click the user or user group object.
- Click Delete.
- Click OK in the confirmation message.