These server settings configure the SSL VPN server, such as the IP address and port the service listens on, the cipher list of the service, and its service certificate. When connecting to the NSX Data Center for vSphere edge gateway, remote users specify the same IP address and port you set in these server settings.
If your edge gateway is configured with multiple, overlay IP address networks on its external interface, the IP address you select for the SSL VPN server can be different than the default external interface of the edge gateway.
While configuring the SSL VPN server settings, you must choose which encryption algorithms to use for the SSL VPN tunnel. You can choose one or more ciphers. Carefully choose the ciphers according to the strengths and weaknesses of your selections.
By default, the system uses the default, self-signed certificate that the system generates for each edge gateway as the default server identity certificate for the SSL VPN tunnel. Instead of this default, you can choose to use a digital certificate that you have added to the system on the Certificates screen.
- Verify that you have met the prerequisites described in Configure SSL VPN-Plus.
- If you choose to use a service certificate different than the default one, import the required certificate into the system. See Add a Service Certificate to the Edge Gateway.
- Navigate to the SSL-VPN Plus Screen.
- On the SSL VPN-Plus screen, click Server Settings.
- Click Enabled.
- Select an IP address from the drop-down menu.
- (Optional) Enter a TCP port number.
The TCP port number is used by the SSL client installation package. By default, the system uses port 443, which is the default port for HTTPS/SSL traffic. Even though a port number is required, you can set any TCP port for communications.Note: The SSL VPN client requires the IP address and port configured here to be reachable from the client systems of your remote users. If you change the port number from the default, ensure that the IP address and port combination are reachable from the systems of your intended users.
- Select an encryption method from the cipher list.
- Configure the service Syslog logging policy.
Logging is activated by default. You can change the level of messages to log or deactivate logging.
- (Optional) If you want to use a service certificate instead of the default system-generated self-signed certificate, click Change server certificate, selection a certificate, and click OK.
- Click Save changes.
What to do next
Add an IP pool so that remote users are assigned IP addresses when they connect using SSL VPN-Plus. See Create an IP Pool for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway.