
Narbulut ECS SSL VPN Configuration Guide

Table of Contents
1. Overview, Prerequisites and Configuration Flow
2. Deployment Settings
3. User and Group Management (Local Users)
4. Resource Definition and Role Assignment
5. Login Options, Virtual IP Pool and Authentication
6. Portal Customization and Certificate Management
7. NAT, Client Connection and User Monitoring
8. Best Practices and Troubleshooting

1. Overview, Prerequisites and Configuration Flow

SSL VPN enables remote users to securely access the corporate network over SSL/TLS encryption. Before configuring SSL VPN on Sangfor NGAF, familiarize yourself with the following key concepts:

Concept            Description
SSL VPN            VPN tunnel operating over SSL/TLS protocol
EasyConnect        Sangfor SSL VPN client software
L3VPN App          Full network tunnel — all protocols and ports
TCP App            Proxies specific TCP connections
Web App            Browser-based access through the portal
Resource Group     Logical unit for grouping resources
Role               Mapping between user group and resource group
Virtual IP Pool    IP address pool assigned to VPN clients
Gateway Mode       SSL VPN deployment mode (Gateway or Single-Arm)

Figure 1 — SSL VPN architecture overview

Prerequisites

Before starting SSL VPN configuration, ensure the following requirements are met:

  • A valid SSL VPN license
  • NGAF device is active and accessible
  • A valid public IP address on the WAN interface
  • Port 4430 and/or 443 open to external access
  • Sufficient user quota
  • No IP conflict between VPN IP pool and existing network ranges

SSL VPN Configuration Flow

A complete SSL VPN configuration consists of 8 key steps:

  1. Deployment — Gateway/Single-Arm mode and interface selection
  2. Login Options — Portal port and TLS settings
  3. Resources — Define access resources
  4. Local Users — Create users and groups
  5. Roles — Map users to resources
  6. Virtual IP Pool — Configure IP pool
  7. NAT — SNAT rule for VPN traffic
  8. Test — Client connection test

This guide walks through each step sequentially to help you complete a full SSL VPN configuration.

2. Deployment Settings

The SSL VPN deployment mode is determined by the device’s position in the network. There are two main modes:

  • Gateway Mode: NGAF is positioned as the network gateway. All traffic flows through NGAF. This is the most commonly used mode.
  • Single-Arm Mode: NGAF is positioned alongside the existing gateway. Only VPN traffic is routed through NGAF.

Figure 2 — Deployment settings: Gateway/Single-Arm mode

Configuration steps:

  1. Navigate to SSL VPN > Deployment
  2. Select the deployment mode (Gateway or Single-Arm)
  3. Specify LAN and WAN interfaces
  4. Save the settings

Note: In Gateway mode, NGAF manages all traffic. In Single-Arm mode, you can add VPN service without modifying the existing network topology.

3. User and Group Management (Local Users)

SSL VPN users are managed in groups within the local user database. Each user must belong to a group.

Figure 3 — Local Users page: user and group management

3.1 Creating a Group

  1. Navigate to SSL VPN > Local Users
  2. Click the “+” button in the tree structure on the left panel
  3. Enter the group name (e.g., “Engineering”, “Sales”)
  4. Add a group description (optional)
  5. Click OK to save

3.2 Creating a User

  1. Select the group you created
  2. Click the “New” button
  3. Fill in user details: username, password, description
  4. Set account expiration date (optional)
  5. Click OK to save

Tip: Organize users by department or access level to simplify management.

4. Resource Definition and Role Assignment

Define the resources to be accessed via VPN and map them to user groups.

4.1 Resource Types

Type         Description                                               Usage
L3VPN App    Creates a virtual network adapter, provides full tunnel   Full network access (all protocols)
TCP App      Proxies specific TCP connections                          RDP, SSH, database access
Web App      Provides web application access through the portal       Browser-based application access

Figure 4 — Resources page: resource definition

4.2 Creating a Resource Group

  1. Navigate to SSL VPN > Resources
  2. Click “New” in the Resource Group tab
  3. Enter a group name (e.g., “Server Access”, “Web Applications”)
  4. Click OK to save

4.3 Creating a Resource

  1. Click “New” in the Resource tab
  2. Select the resource type (L3VPN App, TCP App, or Web App)
  3. Fill in resource details (IP, port, URL, etc.)
  4. Assign the resource to a Resource Group
  5. Click OK to save

4.4 Role Assignment (Roles)

Roles define the mapping between user groups and resource groups. Each role determines which users can access which resources.

Figure 5 — Roles configuration: user-resource mapping

  1. Navigate to SSL VPN > Roles
  2. Click the “New” button
  3. Enter a role name
  4. Select the relevant user group in the User Group field
  5. Select the relevant resource group in the Resource Group field
  6. Click OK to save

Important: Multiple resource groups can be assigned to a single user group. Apply the principle of least privilege to enhance security.

5. Login Options, Virtual IP Pool and Authentication

5.1 Login Options

The portal port and TLS settings must be configured for SSL VPN portal access.

Figure 6 — Login Options: portal port and TLS settings

  1. Navigate to SSL VPN > Login Options
  2. Set the Portal Port (default: 4430)
  3. Select the TLS version (TLS 1.2 or higher recommended)
  4. Configure the encryption algorithm
  5. Click OK to save

5.2 Virtual IP Pool

Define the IP address pool to be assigned to VPN clients. This IP range must not conflict with your existing LAN network.

Figure 7 — Virtual IP Pool configuration

  1. Navigate to SSL VPN > Virtual IP Pool
  2. Click the “New” button
  3. Enter an IP pool name
  4. Specify the start and end IP addresses
  5. Set the subnet mask
  6. Click OK to save

Note: The Virtual IP Pool range must not overlap with DHCP or static IP ranges in your existing network. Using a separate /24 subnet is recommended (e.g., 10.251.251.0/24).
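The overlap check that the note above and the prerequisites list call for, added here as example code that is not part of the original guide or of the NGAF product: it takes the pool as the start/end pair the dialog asks for, summarises it into CIDR blocks, and tests each block against the ranges already in use. The existing ranges, including the branch network under 10.251.0.0/16, are constructed sample values.

```python
import ipaddress

# Constructed sample values: ranges an administrator might already have in
# use (LAN, DHCP scope, and a branch site that happens to sit under 10.251/16).
EXISTING_RANGES = [
    "192.168.10.0/24",  # LAN
    "192.168.20.0/24",  # DHCP scope for workstations
    "10.251.0.0/16",    # constructed branch network; clashes with 10.251.251.0/24
]

def find_pool_conflicts(pool_start, pool_end, existing_cidrs):
    """Return the existing CIDRs that overlap a Virtual IP Pool given as a
    start/end pair. The range is summarised into CIDR blocks and each block
    is tested against each existing network with overlaps()."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end must not be lower than pool start")
    pool_blocks = list(ipaddress.summarize_address_range(start, end))
    conflicts = []
    for cidr in existing_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(block.overlaps(net) for block in pool_blocks):
            conflicts.append(cidr)
    return conflicts

if __name__ == "__main__":
    for start, end in [("10.251.251.1", "10.251.251.254"),   # the guide's suggested /24
                       ("172.16.100.1", "172.16.100.254")]:  # an alternative pool
        hits = find_pool_conflicts(start, end, EXISTING_RANGES)
        print(f"{start}-{end}: " + (f"conflicts with {', '.join(hits)}" if hits else "no conflict"))
```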

5.3 Authentication

Configure the user authentication method and settings.

Figure 8 — Authentication settings

  • Local Authentication: Uses the NGAF local user database
  • LDAP/AD Authentication: Integration with Active Directory or LDAP server
  • RADIUS Authentication: Authentication via RADIUS server
  • Certificate Authentication: Digital certificate-based authentication

Tip: Enabling multi-factor authentication (MFA) is recommended to enhance security.

6. Portal Customization and Certificate Management

6.1 Portal Customization

Customize the SSL VPN login portal appearance to match your corporate identity:

  • Logo: Upload your company logo
  • Title: Change the portal title
  • Background: Set the login page background image
  • Announcement: Add informational text to be displayed to users

6.2 Certificate Management

Complete the certificate configuration for SSL VPN connection security:

  1. Default Certificate: NGAF automatically generates a self-signed certificate. Suitable for test environments.
  2. Custom Certificate: Upload a certificate obtained from a trusted CA for production environments.
  3. Let’s Encrypt: Supported for free certificate automation.

Important: Using a self-signed certificate in production environments causes browser security warnings. Using a trusted CA certificate is strongly recommended.
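An external check of the portal against sections 5.1 and 6.2 (TLS 1.2 or higher, a certificate the client actually trusts, and the expiry monitoring recommended under Best Practices), added here as example code rather than anything shipped with NGAF. It uses only the Python standard library; port 4430 is the guide's default portal port, and any host name you pass is your own WAN address or DNS name.

```python
import socket
import ssl
import time

def days_until_expiry(not_after, now=None):
    """Whole days left, given the notAfter string from ssl.getpeercert()
    (e.g. 'Jun  5 12:00:00 2030 GMT'); 'now' is epoch seconds (default: current time)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def probe_portal(host, port=4430, timeout=5.0):
    """Handshake with the portal: negotiated TLS version, whether the chain is
    trusted by the system store, and days until the certificate expires."""
    result = {"host": host, "port": port, "trusted": False,
              "tls_version": None, "days_to_expiry": None}
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 outright
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["trusted"] = True
                result["tls_version"] = tls.version()
                result["days_to_expiry"] = days_until_expiry(tls.getpeercert()["notAfter"])
                return result
    except ssl.SSLCertVerificationError:
        pass  # chain rejected: typically the NGAF default self-signed certificate
    except ssl.SSLError:
        return result  # no TLS 1.2+ handshake possible; tls_version stays None
    # Second pass without verification, only to learn the negotiated version.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
    except ssl.SSLError:
        pass
    return result

def assess(result, min_days=30):
    """Findings against the guide's recommendations; an empty list means compliant."""
    findings = []
    if not result["trusted"]:
        findings.append("certificate chain not trusted (self-signed default certificate?)")
    if result["tls_version"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"TLS 1.2 or higher not negotiated (got {result['tls_version']})")
    if result["days_to_expiry"] is not None and result["days_to_expiry"] < min_days:
        findings.append(f"certificate expires in {result['days_to_expiry']} days")
    return findings
```

Run probe_portal() against your WAN address and pass the result to assess(); a non-empty list is the remaining to-do list for sections 5.1 and 6.2, and a connection error at the socket level points at the "Portal page not loading" row of the troubleshooting table.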

7. NAT, Client Connection and User Monitoring

7.1 NAT Configuration

An SNAT rule must be created to allow VPN clients to access internal network resources:

Figure 9 — NAT configuration: SNAT rule for VPN traffic

  1. Navigate to Network > NAT
  2. Click the “New” button
  3. Source Zone: Select the SSL VPN zone
  4. Destination Zone: Select the LAN zone
  5. Source IP: Enter the Virtual IP Pool range
  6. Translation: Select Outgoing Interface Address
  7. Click OK to save

Note: Without the NAT rule, VPN clients cannot access internal network resources. This is a frequently missed critical configuration step.

7.2 Client Connection (EasyConnect)

After configuration is complete, test the client connection:

Figure 10 — EasyConnect client connection and online users

  1. Download and install the EasyConnect application on the client computer
  2. Enter the server address: https://<WAN-IP>:4430
  3. Enter the username and password
  4. Click Connect
  5. Verify the connection status shows “Connected”
  6. Test access to internal network resources (ping, RDP, web, etc.)

7.3 Online User Monitoring

To monitor and manage active VPN sessions:

  • Navigate to SSL VPN > Online Users
  • View connected users, assigned IPs, session duration, and bandwidth usage
  • Terminate user sessions when needed (Kick)

8. Best Practices and Troubleshooting

Best Practices

  • Principle of least privilege: Grant users access only to the resources they need
  • Strong password policy: Minimum 8 characters with uppercase, lowercase, numbers, and special characters required
  • Enable MFA: Enhance security with multi-factor authentication
  • Regular auditing: Periodically review online users and access logs
  • Certificate management: Use a trusted CA certificate and monitor expiration dates
  • IP pool planning: Allocate a separate subnet that does not conflict with the existing network
  • Firmware updates: Keep NGAF firmware up to date to apply security patches

Troubleshooting

Issue                            Possible Cause                     Solution
Portal page not loading          Port blocked or service disabled   Check firewall rules and SSL VPN service status
Connection timeout               Wrong WAN IP or port               Verify server address and port number
Authentication failed            Incorrect username/password        Check user credentials and account status
Cannot access internal network   Missing NAT rule                   Create the SNAT rule and verify zone settings
DNS resolution failed            Missing DNS settings               Assign internal DNS server address to VPN client
Slow connection                  Bandwidth limitation               Check QoS settings and concurrent user count

Related Guides

For network configuration, refer to the ECS Network Management Guide. For user management, refer to the ECS User Management Guide.

Technical support: destek@narbulut.com  |  www.narbulut.com
