Clientless VPN

notempty

Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!

notempty

Der Artikel für die neueste Version steht hier

notempty

Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Beta-Version bezieht

Clientless VPN setup and settings

Last adaptation to the version: 12.7.0

New:

Layout updates

notempty

This article refers to a Beta version

12.2.5 11.7.6 11.6.11

Introduction

Clientless VPN provides the ability to connect to an RDP or VNC server on the corporate network via the browser. Users log in to the user interface and are then given the option to connect with a designated server. For this to work, the browser must have HTML5, Java or similar is not necessary.

Configuration of the UTM

Add Clientless Host

Under VPN Clientless VPN click the + Add button.
All servers that are to be made available to users via the user interface using Clientless VPN are entered here.

Caption	Value	Description	Clientless VPN UTMuser@firewall.name.fqdnVPN Create server
Servername:	Windows Server 2012 RDP	Assign a name for the host
Type:	RDPVNC	Service through which the host is to be accessed
Type:	notempty VNC is an unencrypted protocol. We also recommend a VPN connection between the server and the UTM. In general, even when using RDP, it is recommended to protect the connection with a VPN to ensure authenticity.
IP address:	203.0.113.203	IP address of the host
Port:	3389	Port that is enabled for access on the host
Video resolution:	1024x600	Resolution (selectable from 320x200 to 1920x1080 pixels)
Color depth:	24	Choose color depth (16 or 24 bit)
Security:	RDPTLSNLA	Choose the security protocol
The resolution and color depth depends on the capabilities of the destination host and the clients from which the destination host is accessed via the browser. The entries Domain, Username and Password are optional, if these fields are left blank, the username and password will be requested when the host is accessed via Clientless VPN.

Assign the group

Add group UTMuser@firewall.name.fqdnAuthenticationUser Group permissions

Click Authentication Users Area Groups button + Add Group
Enable Clientless VPN with the On button in the Permissions Userinterface tab
Assign a unique name in the Group name: field.
The
Clientless VPN {{{2}}}
tab will appear.

Assign server to the group

Switch to the Clientless VPN tab.
Activate the Clientless VPN with On
Apply the changes with

Allow access

Implicit rules UTMuser@firewall.name.fqdnFirewall Group permissions

Now it must be ensured that the clientless VPN user is also allowed to log in to the user web interface via the browser. This can be done either by Implicit Rules or by manually creating a corresponding Packetfilter Rule on the interface.
In this case it is sufficient to activate the VPN rules with On in the menu under Firewall Implicit Rule Area VPN.

     | }}-->

Login to the user interface

The user login to the user interface is called up via the IP address or URL of the UTM, possibly followed by a port specification
Depending on the assigned permissions, various functions are made available
Click on the corresponding tile to access the desired function

Configured	Port	Example call with IP	Example call with URL
Default	443	i.e. https://192.168.175.1	i.e. https://utm.ttt-point.de
Port changed bei administrator Menu: Network / Appliance Settings / Appliance Settings / Webserver / User Webinterface Port	4443	i.e. https://192.168.175.1:4443	i.e. https://utm.ttt-point.de:4443

notempty

The responsible admin must provide the IP address or domain name and, if necessary, the port for the user web interface

After entering the IP address, the user login page of he Securepoint UTM is loaded. The login credentials are entered there.

Value	Description	The login window User Login with the two and the optional third input box.
User	Username
Password	The associated password
OTP Code Optional	If this input box is displayed, a one-time password (OTP) must be entered The one-time password (OTP) is an authentication mechanism that provides additional security when a user logs in. The code to create OTPs must be supplied by the administrator
Login	You can log in to the user interface by clicking on this button after entering all login data correctly.

The Clientless VPN window

Clicking on Clientless VPN opens the following dialog.

Clicking on the corresponding server establishes the connection to it. If no user name and password are stored in the server settings under Clientless VPN, they will now be requested.

Hints

Windows 2012R2 with enabled terminal services

Group policy dditor

If a 2012R2 server is to be used as the RDP server for the clientless VPN, the establishment of the RDP connection fails due to the "Authentication at network level".
When using the terminal services, this function can also no longer be deactivated via the familiar way.

However, it is possible to force the disabling of ""Authentication at network level"" via the GPO (Group Policy).

Adjusting the registry

However, it may also be necessary to adjust a registry entry. This must have a value of 1.
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp SecurityLayer

notempty

For Terra-Cloud machines it may be necessary to adjust the registry entry.