Web Portal (SSL VPN)

The web portal allows you to provide access to the company's internal web resources, terminal servers, and SSH servers for remote or mobile users by using only the HTTPS protocol. This technology does not require a special VPN client to be installed; a regular browser will suffice.

Note If Kerberos or NTLM authentication is configured on the target HTTP resources, NGFW can perform authentication using the SSO technology (a configured LDAP connector loaded with a keytab file is required).

To configure the web portal, follow these steps:

Name

Description

Step 1. Enable and configure the web portal.

In the General settings ➜ Web portal section, enable the portal and configure its settings. The values of the settings are described in more detail later in this chapter.

Step 2. Enable access to the web portal service in the desired zones.

In the Network ➜ Zones section, allow the web portal service for the selected zones (usually the Untrusted zone). This will grant access to the service port specified in the web portal settings in the previous step.

Step 3. Add internal resources to the web portal.

In the Global portal ➜ Web portal section, add the URLs of the internal resources which the users need to access. The values of the settings are described in more detail later in this chapter.

When configuring the web portal (using the General settings ➜ Web portal section), fill in these fields:

Name

Description

Enabled

Enables or disables the web portal.

Hostname

The host name that the users will use to connect to the web portal service. This name should be resolved by the DNS services to the IP address of a NGFW interface belonging to the zone where the web portal service is allowed.

Port

The TCP port that the web portal service will use. The port and the host name together form the URL for user connections that looks like this:

https://host_name:port.

Auth profile

The user authentication profile that will be used to authenticate the users who connect to the web portal. The authentication profile determines the authentication method, such as AD connector or local user. In addition, in the authentication profile you can require that multi-factor authentication be used for web portal access.

For more details on authentication profiles, see the Authentication Profiles section.

Auth page template

Select the auth page template that will be used to display the login and password entry form. You can create your own auth page in the Response Pages section.

Portal template

Select the web portal template that will be used to display the resources available via the web portal. You can create your own auth page in the Response Pages section.

Show AD/LDAP domain selector on auth page

Show a domain selector on the web portal's auth page.

Protect with CAPTCHA

If enabled, the user will be asked to enter a code shown to them on the web portal's auth page. This is recommended to protect against bots that guess user passwords.

SSL profile

Select an SSL profile to build a secure web portal access link. For more details on SSL profiles, see the SSL Profiles chapter.

Certificate

The certificate that will be used to establish an HTTPS connection. If Automatic mode is selected, the certificate issued using the SSL decryption certificate for the captive portal SSL role will be used. For more details on certificate roles, see the Certificate Management section.

Authentication by certificate

If enabled, the browser will be required to present a user certificate. To that end, the user certificate must be added to the NGFW's certificate list, assigned the User certificate role, and assigned to the corresponding NGFW user. For more details on user certificates, see the Certificate Management section.

Configuring the web portal (using the Global portal ➜ Web portal section) amounts to creating publishing records for internal resource URLs. For each URL, create a bookmark and fill in the following fields:

Name

Description

Enabled

Enables or disables the bookmark.

Name

The name of the bookmark.

Description

A description of the bookmark.

URL

The URL of the resource to be published via the web portal. Specify the full URL, starting with http://, https://, ftp://, ssh://, or rdp://.

Important! To publish terminal servers, make sure to disable the Network Level Authentication requirement in the RDP access properties on the terminal access servers. In this case, user authentication for server access will be done by the web portal according to its settings.

Direct domain

Direct domain is an optional field, which allows access to the published resource from the Internet directly via specified domain name. The protocol (HTTP or HTTPS) and domain must be specified.

Check authorization for RDP sessions

Terminate the RDP session upon completion of authentication on the web portal on the server side.

Enable transparent authentication

Transparent authentication allows you to authenticate a user to an application published for them. The same data that the user entered when entering the web portal will be used for authentication. For this option to work successfully, the published application must support transparent authentication.

SSL profile

Select an SSL profile to build a secure web portal access link. For more details on SSL profiles, see the SSL Profiles chapter.

Certificate

The certificate that will be used to establish an HTTPS connection between UserGate and the server. If the Select certificate mode is selected, then the certificate issued by the SSL decryption certificate for the SSL Captive portal role is used. For more information about certificate roles, see the Certificate Management section.

Icon

Icon to display on the web portal for this bookmark. You can select one of the predefined icons, specify an external URL at which the icon is available, or upload a custom icon.

Supporting URLs

Supporting URLs necessary for the main URL to work (but not needed to be published to users). For example, the main URL http://www.example.com may get a part of its media content from the supporting URL http://cdn.example.com.

Users

The list of users and/or user groups which are allowed to have a bookmark displayed on the web portal and to access the main and supporting URLs.

The order of the bookmarks on the web portal determines the order in which they are displayed for the user. The administrator can reorder the bookmarks by using the Up/Down and Top/Bottom buttons or dragging and dropping them with the mouse.