
ssl vpn setup



Hi all,

I have 2 SAs and I would like to set them up in Active/Passive clustering mode; both internal and external interface traffic will be pointed toward the firewall (we have only 1 FW). I also have 2 user groups, Finance and Accounting.

Looking at the active/passive topology map on this page, it seems like I need to create 4 VLANs/subnets?

VLAN 1, subnet 1: external interfaces and external cluster VIP - using public IPs

VLAN 2, subnet 2: internal interfaces and internal cluster VIP - using private IPs

VLAN 3, subnet 3: Accounting user group (where do I create the IP address pool for this group? On an external DHCP server, or can it be done on the SA?)

VLAN 4, subnet 4: Finance user group (same question as above: where do I create the IP address pool for this group? On an external DHCP server, or can it be done on the SA?) ance for your time.

I'm stuck at this point and can't proceed before I have a clear picture of the topology map.

Any input is greatly appreciated, Cheers


Re: ssl vpn setup

Hi after1,

Didn't get it if you're referring to a Layer3 VPN Deployment or some other functionality.

If it's Layer3 VPN

  • Yes you can have a Local DHCP pool on SA (Pulse / NetworkConnect)


Don't forget to secure your administrative access

  • Strong-Authentication (Two-Factor Auth)
  • If no Strong-Authentication is available use Long Passwords (with different Characters and Signs)
  • Limit the IP Space which can access the Administrative Path




Re: ssl vpn setup


I'm not using Layer 3 VPN. Is it best practice to use local DHCP on the SA? And say I have 2 groups of users, does that mean I need to create 2 dynamic DHCP pools?

How does the SA allocate IP addresses when a user logs in?

Not many docs available on VPN physical setup

Re: ssl vpn setup

Dear after1 -

If you are not using layer 3 VPN (Network Connect), your 3rd and 4th address ranges are not required, as all traffic for the user (WSAM, TS, web rewriting, etc.) will be sourced from the internal address of the SA.

If you are using Network Connect, you can assign the 3rd and 4th ranges from a DHCP server, or from a range configured on the SA. You want to look under Network Policies >> Network Connect >> NC Connection Profiles. An NC connection profile is also used to set DNS and proxy information for the role. These can be in the same subnet as the internal interface of the SA. If they are not, you will need to create static route entries in the default gateway router for the SA to route these subnets to the internal interface of the SA.

Hope this is helpful.