Make services available in the SSL VPN Portal

SSL VPN Portal Services map external URLs to HTTP-based services in the protected network.

SSL VPN Portal Service elements contain settings that define how the internal URLs of the HTTP-based services are translated to external URLs. URL translation makes sure that all traffic to registered web resource hosts is routed through the SSL VPN Portal. End users can access the SSL VPN Portal Services through the SSL VPN Portal, or directly through web browser bookmarks.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to SSL VPN Portal > SSL VPN Portal Services.
  3. Right-click SSL VPN Portal Services, then select New SSL VPN Portal Service.
  4. Configure the settings, then click OK.

Next steps

You are now ready to define which users are allowed to access the services.

SSL VPN Portal Service Properties dialog box

Use this dialog box to define the properties of an SSL VPN Portal Service element.

Option Definition
General tab
Name Specifies a unique name for the element.
Note: The name must only contain letters, numbers, dashes (-), and underscores (_).The name cannot contain spaces.
Link Translation Specifies how incoming connections are routed to services in the protected network.
  • URL Rewrite — A URL prefix that corresponds to a service in the protected network is added to the URL.

    Incoming connections are routed to the service in the protected network based on the URL prefix. HTTP responses from the servers in the protected network are rewritten to change the outgoing URLs. This option does not require any additional DNS entries.

  • DNS Mapping — Incoming connections to the SSL VPN Portal are translated to an internal host running on a specific port.

    This option requires a DNS entry for each service in the protected network.

  • Freeform URL — Users can manually enter a URL in the SSL VPN Portal in addition to selecting a predefined service.

    Instead of having to configure every portal service individually, you can create a list of allowed URLs and certificates or CAs.

Disable Client-Side Rewrite When selected, disables client-side URL rewriting. Select this option only if client-side URL rewriting does not work as expected and you need to revert to a previous working configuration.

Client-side URL rewriting improves compatibility when JavaScript is used to dynamically construct URLs. Disabling the rewriting changes the way the URLs in JavaScript are handled and often breaks the links within JavaScript.

Note: Client-side URL rewriting must be enabled to connect to some services, such as Sharepoint and Office365, through the SSL VPN Portal.
Option Definition
When Link Translation method is URL Rewrite
Profile Shows the selected SSL VPN Portal Service Profile element. Click Select to select a SSL VPN Portal Service Profile. Click Select to select an element.The profile contains settings for SSO and cookie protection.
External URL Prefix Specifies the prefix of the URL where users access the service. Enter a forward slash (/) followed by a unique prefix.
Internal URL Specifies the URL of the service in the protected network. The URL must be followed by a forward slash (/).
Alternative Hosts Specifies additional host names or IP addresses at which the web server can be contacted. Click Add to add a row to the table, or Remove to remove the selected row.
SSO Domain Shows the selected SSO Domain element.

Users can use SSO for all services that share credentials as part of the same SSO Domain.

Client Trust Specifies which certificate authorities (CA) are trusted for client connections to the service. Clients trust the CA that you select from the drop-down list. To allow the client to trust any CA, select Trust All CAs.
Option Definition
When Link Translation method is DNS Mapping
Profile Shows the selected SSL VPN Portal Service Profile element. Click Select to select a SSL VPN Portal Service Profile. Click Select to select an element.The profile contains settings for SSO and cookie protection.
External URL Specifies the URL where users access the service. The URL must be an HTTPS URL and a valid host name with a top-level domain.
Internal URL Specifies the URL of the service in the protected network. The URL must be followed by a forward slash (/).
Server Credentials Specifies the certificate that is used for HTTPS connections.
  • Use Self-Signed Certificate — When selected, the engine creates and uses a self-signed certificate. The self-signed certificate expires in 30 days.
  • Select — Allows you to select a TLS Credentials element.
Rewrite HTML When selected, the SSL VPN Portal searches the HTML content of the service and rewrites URLs so that traffic is routed through the SSL VPN Portal.
Note: By default, the SSL VPN Portal searches the HTML content of the service and rewrites URLs so that traffic is routed through the SSL VPN Portal.
Alternative Hosts Specifies additional host names or IP addresses at which the web server can be contacted. Click Add to add a row to the table, or Remove to remove the selected row.
SSO Domain Shows the selected SSO Domain element.

Users can use SSO for all services that share credentials as part of the same SSO Domain.

Client Trust Specifies which certificate authorities (CA) are trusted for client connections to the service. Clients trust the CA that you select from the drop-down list. To allow the client to trust any CA, select Trust All CAs.
Option Definition
When Link Translation method is Freeform URL
Cookie Protection Specifies whether cookie protection is used.
  • On — When selected, the SSL VPN Portal creates temporary cookies that it passes to the browser to minimize the risk of misuse.
  • Off — When selected, cookie protection is not used.
Allowed URLs Specifies the protocols, IP addresses, or DNS names of the accessible services.
  • Protocol — The protocol used by the service.
  • Host Name or IP Address — The host name or IP address 0 that end users can enter in the Access Services field on the SSL VPN Portal webpage.
  • Port — The port used by the service.
Trusted CAs Specifies which certificate authorities (CA) are trusted for client connections to the service. Clients trust the CA that you add to the list.

Click Add to add an element to the list, or Remove to remove the selected element.

To allow the client to trust any CA, click Add, then click Select Any to add the Trust All CAs element to the list.

Option Definition
Look & Feel tab
Visible in Portal When selected, a link to the service appears on the SSL VPN Portal webpage.
Title The title that is displayed for the service on the SSL VPN Portal webpage.
Start Page Specifies the path to the page to open when the user connects to the service.
Icon

(Optional)

The icon for the service on the SSL VPN Portal. Shows the file name of the selected icon. Click Browse to browse to the location of the file.
Description

(Optional)

The description that is displayed for the service on the SSL VPN Portal webpage.

SSL VPN Portal Service Profile dialog box

Use this dialog box to define the properties of an SSL VPN Portal Service Profile element.

Option Definition
General tab
Name Specifies a unique name for the element.
Summary A summary of the defined settings.
Category Shows the assigned category. Click Select to include the element in predefined categories.
Comment An optional comment for your own reference.
Option Definition
Single Sign-On tab
Authentication Type
  • Single Sign-On Not Used — The SSO feature is not used.
  • HTTP — HTTP authentication is used. In most web browsers, the user must enter their credentials in a pop-up window. Basic, Digest, or NT LAN Manager (NTLM) are used as the authentication method. If more than one method is available in the HTTP headers, the precedence is in this order: NTLM, Digest, then Basic.
  • Form — The web browser redirects to a custom logon webpage that has a customizable logon form.
Option Definition
When Authentication Type is HTTP
Support NTLMv2 Deselect this option if you have legacy devices that do not support NTLMv2.
Option Definition
When Authentication Type is Form
Logon Page URL Enter a forward slash (/) followed by the path to the page that the user uses to log on.
POST Request URL Enter a forward slash (/) followed by the path to the resource that is called for the POST request.
User Name Field Name

Enter the field name used for the user name.

Domain and User Name Format If you select Custom, enter the custom format.
Use these variables:
  • %DOMAIN
  • %USER

For example, you can enter: %DOMAIN\%USER.

Password Field Name

Enter the field name used for the password.

Extra Parameters Enter the other parameters used in the form in the Field Name and Value columns.
Add Adds a row to the Extra Parameters list.
Remove Removes the selected row from the Extra Parameters list.
Option Definition
Cookie Hiding tab
Cookie Hiding
  • Only Encrypt The Cookies Listed Below — Only the cookies listed in the Exceptions list are encrypted.
  • Encrypt All Cookies, Except For The Cookies Listed Below — All cookies are encrypted, except for the cookies listed in the Exceptions list.
Exceptions Enter the names of the cookies that you want to include or exclude from encryption.
Add Adds a row to the Exceptions list.
Remove Removes the selected row from the Exceptions list.

SSL VPN SSO Domain dialog box

Use this dialog box to define the properties of an SSL VPN SSO Domain element.

Option Definition
Name Specifies a unique name for the element.
SSO Mode
  • Session-Based — The user is logged off when the session ends.
  • Persistent — The user remains logged on for a set number of days.
Timeout

(Only if the SSO mode is Persistent)

Enter the number of days that the user remains logged on.
Comment An optional comment for your own reference.