SSL VPN Frequently Asked Questions (FAQ)
Portal Layouts and Authentication
Network, File Settings and Certificate
Virtual Passage Configuration and
My Desktop, Services and Applications
- I can't enter a password when installing AccessPoint
For security reasons, the password does not appear on the screen when it is entered. So, even if the
password does not appear in the installation screen, the information
will be saved correctly.
- My server doesn't seem to recognize or boot from the CD
Be sure to burn the CD as an ISO image, not a standard data CD. Most CD burning products, such as ROXIO Easy CD Creator, will
recognize the ISO file format and burn the software correctly if you simply double-click on the file.
- I cannot complete the CD installation
Most likely, if you cannot complete the CD installation, then there is a hardware compatibility issue. As of the AccessPoint
1.2.2 release (Nov. 3, 2004), AccessPoint does not support all SCSI drives or RAID controllers. Menlo Logic recommends
installing AccessPoint on a standard IDE/ATA hard drive. In addition, check that your Ethernet interface card is supported
in the AccessPoint installation guide.
- How do I change my system password?
An administrator may change the system password by logging in via the system console or via SSH and typing passwd root. Then
enter the new password, press Enter, type the password again to confirm, and press Enter again.
The system password is different from the AccessPoint web management interface password, which is configured through the web management interface.
- How can I customize the portal layout?
The portal layout may be customized on the Access » Portal Layout page in the web management interface.
From the portal layout page, you can define what pages, icons and options to display to users. You can create multiple layouts
and apply them to different authentication domains.
- When I create a new domain, I can't see the new domain on the login page
If you created a new domain and you cannot select it from the Domain drop-down list on the login page,
then you are most likely not logging in from the correct portal layout URL.
For example, let's say you created a layout named "mylayout" with the virtual host name "mylayout.menlologic.net".
Then you configured an authentication domain called "myRadius" and selected the new layout "mylayout" for that authentication domain.
Now, if you go to the default AccessPoint layout, you will not see "myRadius" in the Domain Name drop-down menu. To log in
using "myRadius", either go to https://[IP_Address_or_domain_name]/portal/mylayout or, if you want to use virtual
hosting, go to https://mylayout.menlologic.net. Then you will be able to see the "myRadius" authentication domain.
- I want my domain to be selected by default on the login page
The list of domains is shown in alphabetical order. If you would like your authentication domain to be selected by default,
then create a new portal layout, configure virtual hosting, and log in using the new virtual hostname. Your new authentication
domain will be selected by default.
- How do I create a virtual hostname on the portal layout page?
To create a virtual hostname, enter the full URL of the virtual host--for example, "partners.menlologic.net". Because the web server
needs to learn the new configuration, restart the AccessPoint software on the General » Restart page.
Then make sure that the new domain name resolves to the IP address of the SSL VPN gateway. Log in to your organization's
external DNS manager and add a new DNS name or a new alias and configure it to resolve to the AccessPoint SSL VPN gateway IP.
- Active Directory configuration isn't working
Confirm that the time is synchronized between your Active Directory server and AccessPoint SSL VPN by configuring NTP on
the General » Date page. If you have added users into custom groups that you have defined on the Active Directory
server, then you
may need to use NT Domain or LDAP authentication in order to authenticate to your Windows authentication server.
See a complete description of Active Directory configuration.
- Can I only allow certain Active Directory groups to log in?
You can create specific rules for Active Directory users and groups by defining the users and groups in AccessPoint and
then configuring access policies for these different users and groups. However, this does not prevent the users from
logging in altogether.
The only way to do this is to authenticate users based on Active Directory's LDAP directory services. Instead of defining
an authentication domain on the Active Directory page, define the domain as an LDAP authentication domain. Then
you can enter the specific LDAP organizational unit information.
- How do I create policies or bookmarks for Active Directory, LDAP or RADIUS users?
If you are using authentication by an external AAA server (LDAP, Active Directory, etc.), then you do not need to define
users in AccessPoint. However, you are then also unable to create bookmarks or policies per user.
To create individual bookmarks by user or group, you must define the users in AccessPoint. Because the users are
authenticated by the AAA server, the users do not require passwords. Once defined, you can add bookmarks or policies per user or per group
to which the user belongs.
Because AccessPoint can query Active Directory to find out which group a user belongs to, you can create bookmarks and
policies for Active Directory groups
without defining every Active Directory user name. The way this works is that AccessPoint first verifies with the Active Directory server
that the user is authorized to login. Then AccessPoint checks to see if the user is defined (in any Active Directory group)
in AccessPoint. If the user is defined, then the user and group policies and bookmarks will apply to that user. If no
matching user is defined, AccessPoint will see if the Active Directory group to which the user belongs is defined in AccessPoint.
If so, then the group's bookmarks and policies will apply to the user.
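The lookup order just described (AD authorizes the login first, then AccessPoint looks for a matching user, then for a matching group) can be expressed as a short script. This is an added illustration, not Menlo Logic's code; the directory contents, the `AD_ACCOUNTS`, `ACCESSPOINT_USERS` and `ACCESSPOINT_GROUPS` tables, and the assumption that a defined user also inherits the settings of any defined group they belong to are all constructed for the example.

```python
import hmac

# Constructed sample data standing in for an Active Directory server and for the
# Users and Groups configured in AccessPoint. None of it comes from the FAQ.
AD_ACCOUNTS = {              # username -> (password, set of AD groups the user belongs to)
    "alice": ("alice-pw", {"Sales", "Domain Users"}),
    "bob":   ("bob-pw",   {"Engineering", "Domain Users"}),
    "carol": ("carol-pw", {"Domain Users"}),
}
ACCESSPOINT_USERS = {        # users defined in AccessPoint (no password: the AAA server authenticates)
    "alice": {"bookmarks": ["crm"], "policies": ["allow-crm"]},
}
ACCESSPOINT_GROUPS = {       # AD groups defined in AccessPoint
    "Engineering": {"bookmarks": ["wiki", "git"], "policies": ["allow-dev-net"]},
    "Sales":       {"bookmarks": ["orders"], "policies": ["allow-orders"]},
}


def ad_authenticate(username, password):
    """Step 1: the external AAA server decides whether the login is authorized at all."""
    account = AD_ACCOUNTS.get(username)
    if account is None:
        return False
    # Constant-time comparison: a wrong password takes as long to reject as a right one takes to accept.
    return hmac.compare_digest(account[0].encode(), password.encode())


def resolve_portal_settings(username, password):
    """Steps 2 and 3: decide which bookmarks and policies apply, in the order the FAQ describes."""
    username = username.lower()          # AD user names are case-insensitive
    if not ad_authenticate(username, password):
        return {"authenticated": False, "matched_by": None, "bookmarks": [], "policies": []}

    ad_groups = AD_ACCOUNTS[username][1]
    defined_groups = [ACCESSPOINT_GROUPS[g] for g in sorted(ad_groups) if g in ACCESSPOINT_GROUPS]

    if username in ACCESSPOINT_USERS:
        # A matching user exists: the user's own settings apply, plus those of defined groups (assumption).
        matched_by = "user"
        entries = [ACCESSPOINT_USERS[username]] + defined_groups
    else:
        # No matching user: fall back to any AD group that is defined in AccessPoint.
        matched_by = "group" if defined_groups else None
        entries = defined_groups

    bookmarks, policies = [], []
    for entry in entries:
        bookmarks.extend(entry["bookmarks"])
        policies.extend(entry["policies"])
    return {"authenticated": True, "matched_by": matched_by,
            "bookmarks": sorted(set(bookmarks)), "policies": sorted(set(policies))}


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw"), ("bob", "wrong")]:
        print(user, resolve_portal_settings(user, pw))
```

The `carol` case is the one the bookmark FAQ further down warns about: she authenticates, but no user or group is defined for her, so she gets an empty portal and would not be able to add bookmarks.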
- Can I change the logo?
Yes, you may upload new logos on the General » Company Logo page in the web management interface.
There are 3 logos to upload. The logos are displayed on the login page, the upper left corner of the portal page and also the upper left corner
of the portal page when the portal is configured in the top menu navigation layout. The sizes of the 3 logos are indicated on the
Company Logo page. The logos must be in GIF format.
Once the logos are uploaded, be sure to select Use Company Logo from the drop-down menu and click Submit
for the change to take effect. Be sure to refresh your browser window, in case the Menlo Logic logo is cached.
- What is the Home Page and how do I modify it?
The Home Page is an optional SSL VPN portal page that allows the administrator to provide information,
contact information or news to SSL VPN users.
To edit the SSL VPN portal Home Page, go to Access » Edit Portal Layout, then click on the Home Page link.
You may configure the Home page from this web page. Note that a unique Home Page may be configured per Portal Layout.
You may also enter dynamic
content or provide links to externally hosted image files. View Home Page templates at
To disable the Home page, uncheck the Home Page checkbox on the Access » Edit Portal Layout page and click Submit.
- What network information do I need to configure?
The required network information includes the SSL VPN gateway IP address, default gateway address and DNS settings. The IP address
is configured when you first install the software, but may be modified on the Network » Interfaces page. The DNS
server addresses are configured on the Network » DNS Settings page and the default gateway (route) address is
configured on the Network » Routes page. Until these parameters are configured, the portal will not function properly!
In addition, if you use WINS (Windows Internet Naming Service) on your local network, it is recommended that you also configure
WINS settings on the Network » DNS Settings page. WINS is important for network file sharing and for name resolution
for Virtual Passage clients. In addition, you should include at least one local network DNS server in your list of DNS settings
so that Virtual Passage clients can resolve domain names--like your mail server name--to private IP addresses.
- What is host resolution?
Host resolution is similar to the LMHOSTS file on Windows machines or the /etc/hosts file on Linux and UNIX machines. Host
resolution can be used to map names to IP addresses. This can be helpful for a myriad of reasons. For example, you can partially
obscure your network's IP address scheme from SSL VPN users by creating hostnames for local servers. Then when you create
bookmarks, you can use the hostnames you have created rather than IP addresses.
- How do I upgrade from a demo to a full license?
Once you have purchased a full license from Menlo Logic, you will receive a license key specific to your SSL VPN hardware.
Then you can upload the license key by clicking License on the General » File Settings page. Once uploaded,
you will have a full license that will never expire.
- I have a valid certificate from a CA. How do I import it?
You do not need your own SSL certificate to set up and test the AccessPoint SSL VPN software. However, Menlo Logic strongly
recommends that you install a valid certificate from a recognized Certificate Authority (CA) before deploying SSL VPN in production.
To upload the SSL Certificate and Key, create a zipped file containing the two files. Name the certificate file "server.crt"
and the certificate key "server.key". Then upload the files on the General » SSL Certificate page. Once uploaded, you
should see the new certificate in the list of available certificates. Click View,
and then enter the SSL Certificate password and click Submit. Then return to the SSL Certificate page, select the radio
button to the left of the new certificate, and click Enable Cert. The AccessPoint software will restart, using the new,
valid SSL certificate.
- How does Virtual Passage work?
Virtual Passage creates a full network connection between the SSL VPN user's machine and the AccessPoint SSL VPN server.
So remote users become a virtual member of the local area network and can access resources as if they were located on the LAN.
Virtual Passage consists of two ActiveX components: an installer and a connector program. The installer creates a network driver on the
client machine and the connector initiates the Virtual Passage connection. When the Virtual Passage tunnel is established,
a Virtual Passage PPP interface will be activated. All VPN traffic will be sent through the PPP interface, encrypted using SSL
and sent across the Internet to the AccessPoint SSL VPN server.
Virtual Passage is supported on Microsoft Windows 2000, Windows XP (Professional and Home Edition), Windows 2000 Server,
Windows 2003 Server and MacOS X. Windows users must use Internet Explorer with ActiveX enabled. Both Windows and Mac users must have administrative
privileges to install Virtual Passage, although standard users can launch Virtual Passage once it has been installed.
- How do I configure Virtual Passage?
As an administrator, you can configure the Virtual Passage settings on the Virtual Passage » Client Addresses page.
You can either configure an address range in the same subnet as your local area network or you can configure a range in a different subnet and
then use client routes. If you use addresses in the same subnet, be sure that the range does not conflict with addresses on
your local network. Be sure to allocate enough IP addresses in the client address range for all of your remote users. Each remote user will require two addresses:
the Virtual Passage PPP address and the corresponding AccessPoint SSL VPN server PPP address.
If you configure client routes, you must also be sure that you configure a static route in your corporate network router or firewall
that directs traffic from the Virtual Passage clients to the AccessPoint SSL VPN server. This is defined in more detail in the
Also note that the class of the subnet is based on the PPP address. For the 3 private address ranges, 10.0.0.0 - 10.255.255.255 is
a Class A subnet, 172.16.0.0 - 172.16.255.255 is a Class B subnet and 192.168.0.0 - 192.168.255.255 is a Class C subnet. What
this means is that if you configure the Virtual Passage client address range 10.1.0.1 - 10.1.0.254, then the Virtual Passage client
will assume that all IP addresses from 10.0.0.0 - 10.255.255.255 are located across the SSL VPN tunnel.
- I created client routes, but my Virtual Passage clients cannot connect to network machines
If a Virtual Passage client can connect and receive a Virtual Passage PPP address, but cannot access network resources,
then you may need to check your network and client settings. The most likely problem is that you need to add a static route on
your local network.
If your client address range is in a different subnet than your local area network, you need to configure client routes to
inform your Virtual Passage clients that they need to go through the Virtual Passage tunnel in order to access your local
network. If you have done this correctly and you can see the client routes on the client machines (you can verify client
routes by typing route print at an MS-DOS prompt), then your clients can probably connect to machines on your local network. However, machines
on your local network will see the Virtual Passage client addresses as being on a different subnet, and will send data out to the Internet rather than back to the AccessPoint SSL VPN
server. For example, if a Virtual Passage client with PPP address 192.168.1.1 pings a local mail server at 10.0.0.10, the
server may receive the ping and send the ping echo out to the Internet, rather than back to the AccessPoint SSL VPN server,
where the ping response could be forwarded on to the Virtual Passage client.
The easiest way to solve this issue is to add a static route on the local network firewall or router that forwards all data
sent to the Virtual Passage address range to the AccessPoint SSL VPN server. In our example, the network administrator could
create a static route on the corporate firewall for the network 192.168.1.0 and mask 255.255.255.0 to the AccessPoint SSL VPN
server address, 10.0.0.25.
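The two Virtual Passage planning rules above (two addresses per remote user, the classful network a client infers from its PPP address, and the return static route the corporate firewall needs when the client range is in a different subnet) can be checked before the range is entered on the Client Addresses page. The script below is an added example, not Menlo Logic's code: the `plan_client_range` and `covering_network` names, the LAN 10.0.0.0/24, the in-use addresses and the server address 10.0.0.25 are constructed for illustration, and the "covering network" is assumed to be the single smallest prefix that contains the whole client range.

```python
from ipaddress import IPv4Address, IPv4Network


def classful_network(addr):
    """Classful network (A, B or C) that a Virtual Passage client infers from its PPP address."""
    a = IPv4Address(addr)
    first_octet = int(a) >> 24
    if first_octet < 128:
        prefix = 8        # Class A, e.g. 10.x.x.x
    elif first_octet < 192:
        prefix = 16       # Class B, e.g. 172.16.x.x
    elif first_octet < 224:
        prefix = 24       # Class C, e.g. 192.168.x.x
    else:
        raise ValueError(f"{addr} is not a class A/B/C unicast address")
    return IPv4Network((int(a), prefix), strict=False)


def covering_network(first, last):
    """Smallest single network containing the whole range: the destination for the firewall's static route."""
    start, end = IPv4Address(first), IPv4Address(last)
    for prefix in range(32, -1, -1):          # widen the mask until the last address fits
        net = IPv4Network((int(start), prefix), strict=False)
        if end in net:
            return net
    return IPv4Network("0.0.0.0/0")           # not reachable: /0 always contains the end address


def plan_client_range(first, last, lan_network, lan_in_use, sslvpn_server):
    """Sanity-check a proposed client address range against the LAN (hypothetical helper)."""
    start, end = int(IPv4Address(first)), int(IPv4Address(last))
    if end < start:
        raise ValueError("range end precedes range start")
    pool = [IPv4Address(i) for i in range(start, end + 1)]
    lan = IPv4Network(lan_network)
    in_use = {IPv4Address(a) for a in lan_in_use}
    same_subnet = all(a in lan for a in pool)
    tunnel_net = classful_network(first)
    plan = {
        "addresses": len(pool),
        "max_users": len(pool) // 2,          # each user needs a client PPP and a server PPP address
        "same_subnet_as_lan": same_subnet,
        "needs_client_routes": not same_subnet,
        "conflicts": sorted(str(a) for a in pool if a in in_use),   # clashes with LAN hosts
        "tunnelled_by_client": str(tunnel_net),
        "spans_classful_boundary": classful_network(last) != tunnel_net,
        "firewall_static_route": None,
    }
    if not same_subnet:
        # Return traffic for the client range must be sent back to the SSL VPN server, not the Internet.
        plan["firewall_static_route"] = f"{covering_network(first, last)} via {sslvpn_server}"
    return plan


if __name__ == "__main__":
    # Constructed inputs: LAN 10.0.0.0/24, mail server 10.0.0.10, SSL VPN server 10.0.0.25
    print(plan_client_range("192.168.1.1", "192.168.1.254", "10.0.0.0/24", ["10.0.0.10", "10.0.0.25"], "10.0.0.25"))
    print(plan_client_range("10.0.0.100", "10.0.0.119", "10.0.0.0/24", ["10.0.0.10", "10.0.0.110"], "10.0.0.25"))
```

The first call reproduces the FAQ's example and reports the static route 192.168.1.0/24 via 10.0.0.25; the second shows a same-subnet range that needs no client routes but collides with a LAN host at 10.0.0.110.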
- What is the maximum throughput speed of the Virtual Passage client?
The maximum throughput speed of each Virtual Passage client can exceed 10 Mbps, depending on network conditions, the performance of
the Virtual Passage client machine and the AccessPoint SSL VPN server, and the number of active SSL VPN users. In
most situations, the actual performance will be limited by the Internet connection speed of the client.
Although a message will be displayed in the Windows taskbar indicating "Menlo is now connected. Speed: 64.0 Kbps" when
the connection is established, the
message is a default Windows message for PPP interfaces and the connection speed may be ignored.
- Remote users are not able to connect to servers by host or domain name
If remote users are not able to access local resources by domain name or host name, then check the DNS settings and WINS settings
in the AccessPoint web management interface. WINS and DNS settings are sent down to the Virtual Passage clients. So, make sure
that you add the IP addresses of your local WINS and DNS servers on the AccessPoint Network » DNS Settings page.
Then the Virtual Passage client will query your local WINS and DNS servers to resolve host names and domain names.
- The Virtual Passage page takes a long time to load
Many pages, including the Virtual Passage page, require that the AccessPoint SSL VPN server can resolve the URL that is used to access the SSL VPN portal.
Because of NAT, the public address that is seen by remote users may be different from the actual IP address of the AccessPoint
SSL VPN server. To resolve the issue, add a new host resolution entry resolving the SSL VPN server domain name to the
private IP address of the AccessPoint SSL VPN server. The host entry can be added on the Network » Host Resolution page.
- How do I upgrade the Virtual Passage SSL VPN client software (Windows)?
To upgrade the Virtual Passage client software, reinstall the Virtual Passage installer (network driver) and the Virtual Passage connector.
To reinstall the driver, just click the Installer Toolbox icon and accept the new driver installation. The installation
program will detect that the driver has already been installed and will uninstall the old driver and install the new one.
To upgrade the Connector ActiveX program, go to the Downloaded Program Files folder in your
default system folder, typically "C:\Windows\Downloaded Program Files". Delete the XTunnel Control file. Now, when you connect
via Virtual Passage, you will be prompted to download the new XTunnel control file.
When you first install the Virtual Passage software, you can begin using it immediately. Depending on the upgrade,
you may need to reboot your machine after installing a new Virtual Passage network driver. This is because the old driver may
still be loaded in memory after you upgrade the software. If you see an error message such as "Failed to connect" after upgrading,
then try rebooting your Windows client machine.
- I can't add bookmarks on the bookmark page
If you see the Add Bookmark button on the Desktop or Services page in the SSL VPN portal
but you are unable to create bookmarks, then you may be logged in as an Active Directory, LDAP, NT or RADIUS user and a
corresponding user may not be defined in AccessPoint.
It is recommended that the AccessPoint administrator either define the Active Directory, LDAP, NT or RADIUS user names on the
Access » Users and Groups page or hide the Add Bookmark buttons in the SSL VPN portal.
The Add Bookmark buttons may be configured on the Access » Edit Portal Layout page.
- I don't want users to see the bookmark IP address in the bookmark table
To hide bookmark names or IP addresses from users, you can hide the Services and Desktop pages from users and
only allow them to access the Home page, which does not show the bookmark IP address.
Or you can add host entries on the Network » Host Resolution page that resolve names to local IP addresses. Then, when
you create bookmarks, add the new host name rather than the IP address. SSL VPN users will only see the host name, not the IP
address, in the Bookmarks table.
- When I connect to Telnet or SSH, I am not able to type anything
If you are using the Microsoft Java plug-in, then you will need to click in the Telnet or SSH window near the cursor prompt
before you can begin typing.
- I cannot connect to Intranet web sites; I see the message "Host cannot be resolved".
If you cannot connect to Intranet web sites, then either DNS is not properly configured on the AccessPoint SSL VPN server or
the user is not entering the web site host name properly. Note: do not add the http:// or https:// prefix when accessing
an Intranet web site.
- Terminal Services 5.0 ActiveX does not work in Windows XP SP2
With Windows XP SP2, Microsoft disabled the 127.0.0.2 loopback address used by the AccessPoint Terminal Services client.
So users will need to install the Windows XP SP2 loopback update (KB884020). Instructions to download and install the update
are provided below.
This only affects the ActiveX Terminal Services client. The Java Terminal Services client does not require the SP2 update (KB884020).
If you try to connect to a Terminal Server from Windows XP SP2 and you see an error stating that the server cannot connect, but the Java-based Terminal Services client works fine, then you need to install the Windows update patch.
Download the patch at:
After you download and install the patch, you may need to restart Internet Explorer or reboot your machine before you can access the application.
- How do I set up applications for the Applications page?
Applications displayed on the portal Applications page are Terminal Services applications and are hosted on a Windows Terminal Server.
You can define the applications on the Access » Edit Portal Layout page in the web management interface. You must define a path where
the Terminal Services application is hosted. You can optionally define the Terminal Server IP address or name. If no IP address
is defined, then the users can enter the Terminal Server address after clicking the application icon on the Applications
For instructions on installing applications on a Windows Terminal Server, please see the
Installing Windows Terminal Services Applications document.
- How do I set up VNC? What is VNC?
VNC, or Virtual Network Computing, provides remote access to desktop computers by exporting the monitor, keyboard, and
data over a network or the Internet. VNC is the underlying technology used in many commercial remote desktop computing
To use VNC, you must install VNC server software on a local server or desktop on your corporate network. There are several
free VNC server applications available, including RealVNC and
TightVNC. You can download and install the server software on Windows, Linux, and UNIX servers or desktops. Be sure to run
the software in server mode--you should see the VNC icon in your Windows taskbar. Run the VNC server on the default 5900 port.
Also, configure a VNC server password for enhanced security.