Related Topics
Configure the VPN Portal Settings
The VPN Portal settings specify authentication servers, interfaces, port settings, and timers for the Access Portal and Mobile VPN with SSL.
To configure the VPN Portal settings, from Fireware Web UI or Policy Manager:
- Select Subscription Services.
- Select Access Portal > User Connection Settings.
- Select Configure.
The VPN Portal settings appear. - Follow the instructions in the next sections to configure the VPN Portal settings.
You can also connect to the VPN Portal settings from the Mobile VPN with SSL settings page. However, the SAML and customization settings do not appear because those settings do not apply to Mobile VPN with SSL.
Authentication Servers
You must specify an authentication server and port for the Access Portal and Mobile VPN with SSL.
To configure one or more authentication servers, from the Fireware Web or Policy Manager VPN Portal page:
- In the Authentication Servers section, from the drop-down list, select an authentication server.
Authentication Server settings in Fireware Web UI
Authentication Server settings in Policy Manager
- Click Add or Remove.
Interfaces
The interface settings control which IP addresses users specify to connect to the Access Portal.
- Select Subscription Services > Access Portal.
- Select the User Connection Settings tab.
- Click Configure.
The VPN Portal page appears. - In the Interface section, from the drop-down list, select to add or remove interfaces.
The interfaces you specify appear in the WG-VPN-Portal alias.
- Select Subscription Services > Access Portal.
- Select the User Connection Settings tab.
- Click Configure.
The VPN Portal Settings dialog box appears. - In the Interfaces section, from the drop-down list, select to add or remove interfaces.
The interfaces you specify appear in the WG-VPN-Portal alias.
Ports
The VPN Portal port specifies the channel where the Access Portal and Mobile VPN with SSL listen for user connections.
- In Fireware 12.1 and higher, the VPN Portal port is the configuration port for Mobile VPN with SSL and the Access Portal. The VPN Portal port uses the TCP protocol. The data channel port for Mobile VPN with SSL is in the Mobile VPN with SSL settings.
- In Fireware 12.0.1. and lower, the data channel port and configuration channel port are in the Mobile VPN with SSL settings.
If you specify a VPN Portal port other than 443, users must specify the port number to connect to the Access Portal or Mobile VPN with SSL. For example, if you specify VPN Portal port 444, and the Firebox IP address is 203.0.113.2:
- To connect to the Access Portal, users must connect to https://203.0.113.2:444.
- To start a Mobile VPN with SSL connection, users must manually type port 444 in the Mobile VPN with SSL connection dialog box. For example, users must type 203.0.113.2:444.
- To download Mobile VPN with SSL client software, users must connect to https://203.0.113.2:444/sslvpn.
Port Precedence
Several Firebox features use SSL/TLS for secure communication and share the same OpenVPN server. The features that share the OpenVPN server, in order of precedence from highest to lowest, are:
- Management Tunnel over SSL on hub devices
- BOVPN over TLS in Server mode
- Mobile VPN with SSL
- Access Portal
Features with lower precedence inherit some SSL/TLS settings from enabled features with higher precedence. The shared settings are not configurable for the features with lower precedence.
You cannot configure the VPN Portal port number in any of these scenarios:
- Management Tunnel with SSL is enabled on your WSM Management Server
- BOVPN over TLS is enabled on your Firebox
- Mobile VPN with SSL is enabled on your Firebox with TCP as the data channel protocol
If Management Tunnel with SSL or BOVPN over TLS are not enabled, you can configure the VPN Portal port number if Mobile VPN with SSL uses UDP for the data channel. For information about the differences between TCP and UDP, see Choose the Port and Protocol for Mobile VPN with SSL.
If the VPN Portal port setting is not configurable, a message appears that indicates another SSL/TLS feature on the Firebox has a port setting that takes precedence.
- Select Subscription Services > Access Portal.
- Select the User Connection Settings tab.
- Click Configure.
The VPN Portal page appears.
- In the VPN Portal Port section, in the VPN Portal Port text box, specify a port number.
- Select Subscription Services > Access Portal.
- Select the User Connection Settings tab.
- Click Configure.
The VPN Portal Settings dialog box appears.
- In the VPN Portal Port section, in the TCP text box, specify a port number.
Timeouts
Timeout settings specify when the Firebox disconnects users from the Access Portal. The Session Timeout setting indicates the maximum amount of time a user can remain connected to the Access Portal. The Idle Timeout setting indicates the maximum amount of time a user can be idle while connected to the Access Portal.
- Select Subscription Services > Access Portal.
- Select the User Connection Settings tab.
- Click Configure.
The VPN Portal page appears. - In the Timeouts section, specify the Session Timeout in hours.
- Specify the Idle Timeout in minutes.
- Select Subscription Services > Access Portal.
- Select the User Connection Settings tab.
- Click Configure.
The VPN Portal Settings dialog box appears. - In the Timeouts section, specify the Session Timeout in hours.
- Specify the Idle Timeout in minutes.
Customization
The design customization options on the Customization tab apply only to the Access Portal. For information about Access Portal customization, see Customize Access Portal Page Elements with CSS.
SAML Single Sign-On (SSO)
To configure single sign-on (SSO) for the Access Portal, you must configure the Security Assertion Markup Language (SAML) settings. SAML settings apply only to the Access Portal.
For information about SAML SSO, see About SAML Single Sign-On (SSO).
See Also
SSL/TLS Settings Precedence and Inheritance
About SAML Single Sign-On (SSO)