Use the Authentication screen on the vCloud Director tenant portal's SSL VPN-Plus tab to set up a local authentication server for the edge gateway's SSL VPN service and optionally enable client certificate authentication. This authentication server is used to authenticate the connecting users. All users configured in the local authentication server will be authenticated.

About this task

You can have only one local SSL VPN-Plus authentication server configured on the edge gateway. If you click + LOCAL and specify additional authentication servers, an error message is displayed when you try to save the configuration.

The maximum time to authenticate over SSL VPN is three (3) minutes. This maximum is determined by the non-authentication timeout, which is 3 minutes by default and is not configurable. As a result, if you have multiple authentication servers in chain authorization and user authentication takes more than 3 minutes, the user will not be authenticated.


Verify you have completed the steps described in Add a Private Network for Use with SSL VPN-Plus on an Edge Gateway.

If you intend to enable client certificate authentication, verify that a CA certificate has been added to the edge gateway. See Add a CA Certificate to the Edge Gateway for SSL Certificate Trust Verification.

Open the tenant portal and browse to the SSL-VPN Plus screen as described in Navigate to the SSL-VPN Plus Screen in the Tenant Portal.


  1. Click the SSL VPN-Plus tab and Authentication.
  2. Click + LOCAL.
  3. In the window that opens, configure the following options for the authentication server.

    To enable the authentication server, turn on the Enabled toggle located in the Status section of the window.

    1. (Optional) Configure the password policy.



      Enable password policy

      Turn on enforcement of the password policy settings you configure here.

      Password Length

      Type the minimum and maximum allowed values for password length.

      Minimum no. of alphabets

      (Optional) Type the minimum number of alphabetic characters, such as A b c D, that are required in the password.

      Minimum no. of digits

      (Optional) Type the minimum number of numeric characters, such as 1 2 3, that are required in the password.

      Minimum no. of special characters

      (Optional) Type the minimum number of special characters, such as & # %, that are required in the password.

      Password should not contain user ID

      (Optional) Turn on this toggle to enforce that the password must not contain the user ID.

      Password expires in

      (Optional) Type the maximum number of days that a password can exist before the user must change it.

      Expiry notification in

      (Optional) Type the number of days prior to the Password expires in value at which the user is notified the password is about to expire.

    2. (Optional) Configure the account lockout policy.



      Enable password policy

      Turn on enforcement of the account lockout policy settings you configure here.

      Retry Count

      Type the number of times a remote user can try to access his or her account after entering an incorrect password.

      Retry Duration

      Type the time period in minutes in which the remote user's account gets locked on unsuccessful login attempts.

      For example, if you specify the Retry Count as 5 and Retry Duration as 1 minute, the remote user's account will be locked if he makes 5 unsuccessful login attempts within 1 minute.

      Lockout Duration

      Type the time period for which the user account remains locked. After this time has elapsed, the account is automatically unlocked.

    3. In the Status section, enable this authentication server by turning on the Enabled toggle.
    4. (Optional) Configure secondary authentication.



      Use this server for secondary authentication

      (Optional) Specify whether to use the server as the second level of authentication.

      Terminate Session if authentication fails

      (Optional) Specify whether to end the VPN session when authentication fails.

    5. Click Keep to add this entry to the on-screen table.
  4. (Optional) To enable client certification authentication, click CHANGE CERTIFICATE, then turn on the enablement toggle, select the CA certificate to use, and click OK.

What to do next

Add local users to the local authentication server so that they can connect with SSL VPN-Plus. See Add SSL VPN-Plus Users to the Local SSL VPN-Plus Authentication Server.

Create an installation package containing the SSL Client so remote users can install it on their local systems. See Add an SSL VPN-Plus Client Installation Package