We spoke with our Tech Support team, which has an awesome reputation both internally and among our customers. Most members of the team have been with Array for over ten years, and we asked them to provide, in their experience, the top five ‘gotchas’ that they see on a regular basis in our customers’ AG Series SSL VPN deployments. In no particular order, they are:
- Keep in mind that you will need a valid SSL certificate and key provided by a Certificate Authority. While this is normally needed later in the configuration process, by ordering early you can avoid delays. Array’s AG Series SSL VPNs do allow you to use a self-generated key for testing, but it is not a substitute for the CA-provided certificate and key that are needed for production operation.
- The best practice is to configure an interface (port1) on the DMZ behind the firewall, and a second interface (port2) on the local area network (LAN). TCP port 443 is only required to be open to the DMZ. You can also enable TCP port 80 on the DMZ in order to redirect HTTP to HTTPS.
- Proper routing will need to be applied for the Layer 3 VPN set-up. For best-practice configuration (see item #2) the default route should point to the DMZ default gateway. Static routes must be created for all traffic destined for the LAN.
- If you’re going to allow users to access Web applications, the AG Series offers two different methods: Web Resource Mapping (WRM) and QuickLink. WRM and QuickLink are clientless methods, and both are relatively easy to configure. QuickLink has advantages in that it unifies the URLs generated by Web applications. The ‘gotcha’ here is that for QuickLink the URLs provided to the AG Series must be absolute and require additional DNS entries. (i.e. https://web-application.yourcompanyname/ rather than https://yourcompanyname/prx/000/web-application/). WRM will meet most requirements and is the simplest to configure; however, QuickLink can provide support for internal Web applications that do not work well using a ‘proxy’ URL.
- Also related to Web application access: If the Web applications are deployed with remote databases, the application needs to have some type of session base to allow remote databases within the domain to recognize client requests coming through the AG Series.
There you have it. In your next SSL VPN installation, keep these tips in mind to help smooth your way to an easier deployment. To learn more about Array’s AG Series SSL VPN appliances, visit our product pages.