Clientless VPN setup and settings
Last adaptation to the version: 12.2.5.1
New:
  • Layout updates

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
→ VPN → Clientless VPN


Introduction

Clientless VPN provides the ability to connect to an RDP or VNC server on the corporate network via the browser. Users log in to the user interface and are then given the option to connect to a designated server. For this to work, the browser only needs HTML5 support; Java or similar plug-ins are not necessary.



Configuration of the UTM

Add Clientless Host

Under → VPN → Clientless VPN click the + Add button.
All servers that are to be made available to users via the user interface using Clientless VPN are entered here.


Create server dialog (values as shown in the UTM v12.2.5.1 screenshot):

  Caption        Value                      Description
  Servername:    Windows Server 2012 RDP    Assign a name for the host
  Type:          RDP / VNC                  Service through which the host is to be accessed
  IP address:    203.0.113.203              IP address of the host
  Port:          3389                       Port that is enabled for access on the host
  Resolution:    1024x600                   Resolution (selectable from 320x200 to 1920x1080 pixels)
  Color depth:   24                         Choose color depth (16 or 24 bit)
  Security:      RDP / TLS / NLA            Choose the security protocol

The resolution and color depth depend on the capabilities of the destination host and of the clients from which the destination host is accessed via the browser.
The entries Domain, Username and Password are optional; if these fields are left blank, the username and password will be requested when the host is accessed via Clientless VPN.


Assign the group

Group permissions
  • Click → Authentication → Users, tab Groups, button + Add Group
  • Enable Clientless VPN with the On button in the Permissions Userinterface tab
  • Assign a unique name in the Group name: field.
  • The Clientless VPN tab will appear.


Assign server to the group
  • Switch to the Clientless VPN tab.
  • Activate the Clientless VPN with On
  • Apply the changes with Save



Allow access

Group permissions

Now it must be ensured that the Clientless VPN user is also allowed to log in to the user web interface via the browser. This can be done either by Implicit Rules or by manually creating a corresponding Port Filter Rule on the interface.
In this case it is sufficient to activate the VPN rules with On in the menu under → Firewall → Implicit Rule, tab VPN.

Login to the user interface

  • The user login to the user interface is called up via the IP address or URL of the UTM, possibly followed by a port specification
  • Depending on the assigned permissions, various functions are made available
  • Click on the corresponding tile to access the desired function

  Configured port                                    Example call with IP            Example call with URL
  Default: 443                                       e.g. https://192.168.175.1      e.g. https://utm.ttt-point.de
  Port changed by the administrator, e.g. 4443       e.g. https://192.168.175.1:4443 e.g. https://utm.ttt-point.de:4443
  (Menu: Network / Appliance Settings / Appliance Settings / Webserver / User Webinterface Port)


The responsible admin must provide the IP address or domain name and, if necessary, the port for the user web interface.

After entering the IP address, the user login page of the Securepoint UTM is loaded. The login credentials are entered there.

The login window User Login has two input boxes and an optional third one:

  Value       Description
  User        Username
  Password    The associated password
  OTP Code    Optional. If this input box is displayed, a one-time password (OTP) must be entered.
              The one-time password (OTP) is an authentication mechanism that provides additional security when a user logs in.

  • The code to create OTPs must be supplied by the administrator
  • Login: You can log in to the user interface by clicking on this button after entering all login data correctly.


The following tile appears: Clientless VPN (e.g. Windows Server 2012 RDP).

The Clientless VPN window

Clicking on Clientless VPN opens the server selection dialog.

Clicking on the corresponding server establishes the connection to it. If no user name and password are stored in the server settings under Clientless VPN, they will now be requested.



Hints

Windows 2012R2 with enabled terminal services

Group Policy Editor

If a 2012R2 server is to be used as the RDP server for the Clientless VPN, the establishment of the RDP connection fails due to "Authentication at network level" (Network Level Authentication, NLA).
When the terminal services are in use, this function can also no longer be deactivated in the familiar way.

However, it is possible to force the disabling of "Authentication at network level" via the GPO (Group Policy).



Adjusting the registry

However, it may also be necessary to adjust a registry entry. This value must be set to 1:
Key:   Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Value: SecurityLayer = 1

For Terra-Cloud machines it may be necessary to adjust the registry entry.
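The two hints above (NLA enforced via Group Policy, and the SecurityLayer registry value under RDP-Tcp) can be checked on the RDP host before the first Clientless VPN connection attempt. The following PowerShell script is an added example and is not part of the Securepoint wiki article or of the UTM itself. It assumes an elevated PowerShell session on the Windows Server 2012 R2 RDP host; the RDP-Tcp key is the one named in the article, and the UserAuthentication value under that key, as well as the Terminal Services policy key under HKLM\SOFTWARE\Policies, are the standard Windows locations for the NLA requirement (the policy location is what makes the "familiar way" of disabling NLA stop working). The function names are the author's own.

```powershell
# Added example (not from the Securepoint wiki): audit the RDP listener settings that the
# hints above refer to, on the Windows Server 2012 R2 host used as a Clientless VPN target.
# Assumptions: elevated session on the RDP host itself; registry locations are the standard
# Windows ones (the RDP-Tcp key is the one named in the article).

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# NLA/SecurityLayer set by Group Policy override the RDP-Tcp key and land here:
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpListenerSecurity {
    # Returns the effective local values plus whether a policy is overriding them.
    $local  = Get-ItemProperty -Path $RdpTcpKey -ErrorAction Stop
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecurityLayer            = $local.SecurityLayer         # article: must be 1
        UserAuthentication       = $local.UserAuthentication    # 1 = NLA required, 0 = not required
        PolicyUserAuthentication = if ($policy -and $policy.PSObject.Properties['UserAuthentication']) {
                                       $policy.UserAuthentication } else { $null }
        PolicySecurityLayer      = if ($policy -and $policy.PSObject.Properties['SecurityLayer']) {
                                       $policy.SecurityLayer } else { $null }
    }
}

function Test-ClientlessVpnRdpHost {
    # Reports every setting that would make the Clientless VPN RDP connection fail.
    $s = Get-RdpListenerSecurity
    $findings = @()

    if ($null -ne $s.PolicyUserAuthentication -and $s.PolicyUserAuthentication -eq 1) {
        $findings += 'NLA is enforced by Group Policy; the local RDP-Tcp setting is overridden, ' +
                     'so the change must be made in the GPO as described in the article.'
    }
    elseif ($s.UserAuthentication -eq 1) {
        $findings += 'NLA is required locally (UserAuthentication = 1); the connection from the UTM fails.'
    }

    if ($null -ne $s.PolicySecurityLayer -and $s.PolicySecurityLayer -ne 1) {
        $findings += "SecurityLayer is forced to $($s.PolicySecurityLayer) by Group Policy; the article requires 1."
    }
    elseif ($s.SecurityLayer -ne 1) {
        $findings += "SecurityLayer is $($s.SecurityLayer); the article requires 1."
    }

    if ($findings.Count -eq 0) {
        Write-Output 'RDP listener matches the Clientless VPN requirements.'
    } else {
        $findings | ForEach-Object { Write-Warning $_ }
    }
    return $findings
}

function Set-ClientlessVpnSecurityLayer {
    # Applies only the registry value the article names; NLA itself is governed by the GPO.
    Set-ItemProperty -Path $RdpTcpKey -Name 'SecurityLayer' -Value 1 -Type DWord
    Write-Output "SecurityLayer set to 1 under $RdpTcpKey"
}

# Usage: run the audit first, apply the registry change only if it is reported.
$result = Test-ClientlessVpnRdpHost
if ($result -match 'SecurityLayer is ') { Set-ClientlessVpnSecurityLayer }
```

Turning NLA off lowers the RDP host's own protection against unauthenticated connections, so the host-side firewall should only accept RDP from the UTM's address; all other users then reach the host exclusively through the authenticated Clientless VPN login described above.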