DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Can't log in to SSL web proxy (2860ac)

14 Feb 2016 20:00 #1 by maxwellhadley
Can't log in to SSL web proxy (2860ac) was created by maxwellhadley
Hi,

I've set up a user account, user group, and SSL web proxy to let me securely access a web page on my LAN from the Internet. I've enabled the https server under 'Allow management from the internet' on the System Maintenance >> Management page. I'm using the default port 443 for this. I can now log in to the admin account remotely (using https), but I can't log in at all using the user credentials I created for the purpose. As far as I can tell, I have followed the procedure in the manual, but no joy. There don't seem to be any application notes on this particular facility, only on the Java client/SSL VPN, which is not what I'm trying to do.

Can anybody help, please?

Max

P.S. firmware version is 3.8.2_VT2

15 Feb 2016 12:13 #2 by piste basher
Replied by piste basher on topic Re: Can't log in to SSL web proxy (2860ac)
Anything to do with this? http://www.draytek.co.uk/support/guides/kb-forwarding-tcp443

16 Feb 2016 21:28 #3 by maxwellhadley
Replied by maxwellhadley on topic Re: Can't log in to SSL web proxy (2860ac)
Not that problem. I can reach the router login page, and log in successfully as admin, just not as a web proxy user.

01 Mar 2016 21:54 #4 by maxwellhadley
Replied by maxwellhadley on topic Re: Can't log in to SSL web proxy (2860ac)
I raised a ticket with DrayTek about this, and between Chris and myself we found out the problem:

  • It is not necessary to enable Internet management of the router to use SSL VPN, despite what the manual implies. However, if you do enable both functions, they must be on different ports. If not, the management login takes precedence. You get a warning dialog about this, but it is rather erratic, sometimes warning you when there is in fact no clash. The management login page will also show the control to set the user group, even though that is not relevant to router management users.

  • From VPN and Remote Access >> Remote Access Control Setup, check Enable SSL VPN Service

  • From SSL VPN >> General Setup, select the port and certificate you want to use

  • From SSL VPN >> SSL Web Proxy, configure the LAN web page(s) you want to access, and the connection method (I used 'SSL')

  • From SSL VPN >> Remote Dial-in User, enable the account (and set the idle timeout); check 'SSL Tunnel' as the allowed dial-in type; set the subnet to the subnet where the LAN web page is located; and enter the username and password

  • From SSL VPN >> User Group, create and enable a group; check 'SSL Web Proxy', and the web pages you wish the group members to access; check 'Local User DataBase' and add the user account(s) you want to place in the group

And that appears to work. I think I became confused because the master enable for SSL VPN functions is not found in the SSL VPN section of the main menu. I had got hold of the wrong idea that it was enabled by enabling Internet management. Also somehow my dial-in user account had got itself removed from the relevant group. I don't know how that happened, and I haven't been able to duplicate it.

20 Mar 2016 14:06 #5 by takeo_ischi
Replied by takeo_ischi on topic Re: Can't log in to SSL web proxy (2860ac)
I agree; the whole menu layout for these functions is confusing.

One other thing which wasted my time but (helpfully!) isn't documented anywhere is that it isn't possible to log onto the SSL VPN locally; it will say wrong username/password. As such, you'll need to test from an external connection.
