Introduction
The EnGenius SecuPoint VPN client tool simplifies the configuration of complex VPN setups, enabling remote workers to establish secure SSL VPN connections quickly and easily. By simply entering the server hostname or IP address and user credentials, SecuPoint automatically retrieves the VPN server security configurations to establish a secure SSL VPN connection.
Key Features:
Seamless Access:
Enables remote employees to securely access corporate resources via SSL VPN, supporting multiple devices across various platforms.
Automatic Setup:
Automatic push provisioning for hassle-free configuration, ensuring quick and easy VPN access setup.
Agile Authentication:
Utilizes certificate-based authentication (username and password) to enhance security and streamline user access.
Comparison with IPSec VPN
EnGenius SecuPoint offers distinct advantages over IPSec VPNs, particularly in environments requiring high usability and low maintenance:
Simplicity in Configuration: Engineered for easy setup and management, avoiding the complex configurations usually required for IPSec VPNs.
High Compatibility and Interoperability: Unlike IPSec, which may face compatibility issues, such as IKEv2, due to varied vendor implementations, SSLVPN ensures consistent and reliable performance across all supported devices and platforms.
Efficient NAT and Firewall Traversal: Operates smoothly with NAT and firewall settings using standard HTTPS protocols, avoiding the complications seen with IPSec encrypted packet headers.
Optimized Resource Usage: Less demanding on system resources, ensuring faster and more reliable connections even on devices with limited processing capabilities.
Superior Mobility Support: Ideal for highly mobile users, providing stable connections that seamlessly adapt to changing network environments.
Reduced Setup and Maintenance Costs: Streamlined approach reduces both initial setup complexities and ongoing maintenance burdens.
For organizations prioritizing ease of use, flexibility, and cost-efficiency, the EnGenius SecuPoint SSLVPN Client VPN stands out as the preferred solution. Its user-friendly design, combined with robust security features, makes it ideally suited for modern enterprises with a remote workforce. Consider the EnGenius SecuPoint SSLVPN for a reliable and efficient VPN experience that aligns with your strategic IT needs.
Download SecuPoint Client Tool
To download the SecuPoint VPN client Tool, visit EngeniusTech's official website. Alternatively, you can find the download links on the CONFIGURE > Client VPN > SecuPoint page within the ESG for easy access.
Note: SecuPoint is available for Windows, macOS, iOS, and Android.
Configuration of SecuPoint SSLVPN Client Tool
User Connection Profile:
Upon installation of the client software, launch the SecuPoint SSLVPN client application.
Users can create one or multiple profiles, specifying the hostname or IP address of the ESG (SecuPoint server) to which they wish to connect.
Add SecuPoint Connection Profile
Auto-push SecuPoint SSL VPN Configuration Profile:
SecuPoint server will automatically push the SecuPoint SSL VPN configuration profile to the user's device once their credentials (username and password) are verified.
Comment
This automation eliminates the need for manual configuration, saving significant time for IT personnel on daily network maintenance.
Auto push SecuPoint SSL VPN Configuration Profile
Advanced Settings of SecuPoint VPN Client Tool:
Users can access advanced settings to customize their experience, including preferred language, application launch timing, and program window behavior post-connection establishment.
Additionally, a connection timeout setting is provided to mitigate connection failures due to network instability or authentication delays.
Advance Settings
Connection Timeout:
Specifies the duration the SecuPoint Client Tool attempts to connect to a VPN server (ESG) before giving up.
Comment
Adjusting this timeout may help resolve authentication delays caused by server load or slow network responses. The default timeout is set to 15 seconds.
Automatically Launch the SecuPoint VPN Application:
Enables automatic launch of the SecuPoint VPN application by the operating system (OS) upon user login, such as in Windows or macOS environments.
Automatically Minimize Program Window upon VPN Connection:
Upon successful establishment of the SecuPoint VPN connection, the program window of the SecuPoint Client Tool will automatically minimize.
Monitoring SecuPoint VPN Connection Status:
After establishing an SSL VPN connection, users can click on the VPN status to verify the current connection status and routing entries for the VPN's remote subnet.
SecuPoint Client Connection status
Troubleshooting SecuPoint Client VPN Tunnel Connectivity:
SecuPoint VPN Client Tool Logs Page:
Allows users to review log files to diagnose connectivity issues between SecuPoint VPN clients and the SecuPoint Server.
Comment
Users can export logs for analysis and troubleshooting, with a provided clear function to facilitate readability by clearing the log before reproducing the issue.
SecuPoint Connection Log
Configuring ESG SecuPoint SSL VPN Client Server on EnGenius Cloud
1. Enabling SecuPoint Client VPN:
Navigate to Configure > Gateway > Client VPN > SecuPoint page.
Toggle the "Enable" option to enabled to activate the SecuPoint Client VPN.
Figure 6. SecuPoint Client VPN
2. Configurable Client VPN Options:
Hostname:
Specifies the EnGenius Gateway hostname for client VPN connections.
If DDNS service is enabled in the WAN settings, the registered DDNS FQDN hostname is displayed, resolving to the Primary WAN public IP address. Otherwise, the Primary WAN public IP address is shown.
Note: EnGenius provide in-house DDNS service by default, users can use the DDNS hostname for VPN client to access.
Protocol Type/Server Port:
Defines the transport protocol (TCP or UDP) and corresponding port number (default settings: TCP on port 443 or UDP on port 1194) for SecuPoint SSLVPN communication.
VPN Client Subnet:
Specifies the private subnet exclusively for client VPN connections, with the EnGenius Gateway serving as the default gateway.
DNS Server:
Determines the DNS server used by VPN clients for hostname resolution, offering the choice between Google Public DNS or custom DNS servers specified by IP address.
Client Routing:
Defines routing rules for SecuPoint client devices, allowing selection between full tunneling (Send all traffic routed through VPN: Send all cleint traffic through VPN) or split tunneling (only specified traffic routed through VPN: Only send traffic to ESG LAN through VPN).
Authentication Type:
Provides options for authenticating Client VPN users using either the local ESG VPN User database or external RADIUS servers.
3. SecuPoint VPN Client Tool:
Provides access to download the SecuPoint VPN client Tool for users' devices.
4. Split Tunneling & Full Tunneling for SecuPoint Client VPN:
Full Tunneling:
Routes all client internet traffic through the VPN tunnel to the VPN server, ensuring security and encryption for all data transmitted.
Advantages:
Enhanced security and privacy.
Uniform application of network policies.
Disadvantages:
Increased bandwidth usage on the VPN gateway.
Potential slowdown in internet speeds.
Full Tunneling
Split Tunneling:
Allows users to choose which traffic passes through the VPN tunnel and which connects directly to the internet.
Advantages:
Reduced bandwidth load on the VPN gateway.
Faster access to the internet for non-sensitive activities.
Disadvantages:
Potential security risks if not properly configured.
Requires careful configuration for secure data routing.
Split Tunneling
Usage Scenarios:
Full Tunneling:
Preferred in environments prioritizing security and data privacy, such as governmental or financial institutions.
Split Tunneling:
Suitable for optimizing bandwidth and performance in scenarios where VPN security is not required for all activities, or simultaneous access to local network resources and the internet is necessary.
Both methods should align with organizational needs and security policies.
SecuPoint VPN Connection and Licensing
Each active SecuPoint VPN connection uses one SecuPoint VPN user license. EnGenius gateway (ESG/XG-60) come with permanently 2 free SecuPoint VPN users by default. If additional VPN users are needed, more SecuPoint licenses can be purchased to expand capacity.
License Options:
SPC-1YR-LIC: 1-Year License per user.
SPC-3YR-LIC: 3-Year License per user.
Key License Features:
License is per user
On-device license
7-day grace period
90-day window for activation after purchase
Example Usage:
Suppose your company has 50 employees and expects to need 12 VPN users through SecuPoint connections over the next year. Since each ESG device includes 2 permanently free SecuPoint VPN user connections, you only need to purchase an SPC-1YR-LIC to expand by 10 VPN users, meeting the total requirement of 12 VPN users.
Once this license is activated on the ESG device, it will support up to 10 additional concurrent VPN users on SecuPoint for one year, enabling secure access to the ESG’s LAN network.
How to expand the number of SecuPoint VPN users
Note
When a VPN user establishes multiple VPN connections using different devices, each connection is treated as a separate VPN user connection. This will consume 2 VPN user seats.
Monitoring VPN Users
How to Calculate Available VPN Users on ESG
The maximum total number of SecuPoint VPN user connections supported on a gateway at any given moment is determined by the combined count of VPN users from all bound SecuPoint Client VPN licenses, in addition to the 2 free VPN users included with the device.
Maximum Total Number of Supported SecuPoint VPN Users =
Sum of VPN users from each active SecuPoint Client VPN license bound to the device
+2 free VPN users.
Example:
Consider an ESG appliance bound to two SPC VPN client licenses: SPC-1YR-LIC for 20 users and SPC-3YR-LIC for 10 users. These licenses have different activation and expiration dates.
License | VPN users | Activation Date | Expiration Date |
SPC-1YR-LIC | 20 | 01/01/2024 | 12/31/2024 |
SPC-3YR-LIC | 10 | 06/01/2024 | 05/31/2027 |
During the period from 6/1/2024 to 12/31/2024, the ESG holds both VPN client licenses simultaneously. The maximum total number of supported VPN users for ESG1 is 32, calculated as follows: 20 (SPC-1YR-LIC) +10 (SPC-3YR-LIC) +2 (free VPN users) =32
During the period from 1/1/2024 to 5/31/2024, the ESG only holds the SPC-1YR-LIC for 20 users. The maximum total number of supported VPN users for ESG1 is 22, calculated as follows: 20 (SPC-1YR-LIC) }+ 2 (free VPN users) = 22
During the period from 1/1/2025 to 5/31/2027, the ESG only holds the SPC-3YR-LIC for 10 users. The maximum total number of supported VPN users for ESG1 is 12, calculated as follows: 10 (SPC-3YR-LIC) + 2 (free VPN users) = 12
Monitoring SecuPoint VPN user Status
To monitor the current number of VPN user connections for each gateway, navigate to MANAGE > Gateway. Here, you can view the SecuPoint Users field for each gateway.
For more detailed information, follow these steps:
Go to MANAGE > Gateway and select a gateway.
Click the Detail button.
If the SecuPoint VPN server is enabled, the value of the SecuPoint VPN client will be displayed as follows:
The number on the left represents the current number of VPN user connections (e.g., 2).
The number on the right represents the maximum number of VPN users allowed on the gateway (e.g., 102). This total includes the sum of VPN users from each bound SecuPoint VPN License plus 2 free users.
If the SecuPoint VPN server is disabled, the SecuPoint VPN client value will be displayed as disabled.
To check the expiration date of each bound SecuPoint VPN Client License, navigate to Inventory & License > Licenses > Client VPN.
Share VPN Users
In larger enterprises, when the VPN connection scale exceeds 100, it can be challenging for MIS to allocate specific users to designated devices effectively. To address this, a mechanism allows sharing VPN users across up to 3 devices within the same organization when the VPN user count associated with the SecuPoint VPN Client License exceeds 100.
For example, if a SecuPoint VPN license with 100 VPN users enables the sharing feature and is bound to three devices (ESG-1, ESG-2, and ESG-4), these three devices can simultaneously share 100 VPN users.
Activattion - How to Share VPN Users
Add a SecuPoint VPN client license with more than 100 VPN users (Primary) and associate it with a gateway.
Activate the "Sharing VPN users" feature by clicking the "Share" button on the license.
Upon clicking the "Share" button:
A replica license will be created and associated with your selected gateway.
A primary license can generate up to 2 replica licenses, allowing the association of an additional 2 gateways.
The VPN users from the primary license are shared across up to 3 gateways.
The values of all fields in the Replica License, such as activation date, expiration date, and number of users, are identical to those of the Primary License. The only difference lies in the license key, which appends "-1" or "-2" to the end of the Primary license key.
Undo Behavior
Undo Behavior of the Primary License:
The primary license has an Undo Action with a Grace Period.
Comment
Undo Behavior of the Replica License:
This undo action does not have a grace period. The Undo Action will continuously appear, and when Undo is pressed, the device will be unbound from the Replica license, and the Replica license will automatically disappear.
SecuPoint Client VPN License FAQ
How to Associate a SecuPoint VPN License with a Gateway
The purpose of binding a SecuPoint Client VPN License to a device is to expand the number of VPN users available on that gateway. When users select multiple licenses and click the "Add License" button, these licenses will be simultaneously bound to the specified gateway. The total number of VPN users on that gateway is calculated as the sum of VPN users from all bound and active licenses.
Example:
Select two SecuPoint Client VPN Licenses and bind them to a specific gateway to expand the number of available VPN users.
How to manage and monitor SecuPoint VPN Licenses
Users can add SecuPoint Licenses or bind licenses to Gateway (ESG) via the "Inventory & Licenses > License > VPN Clients" page. This page provides details on the activation date, expiration date, duration, number of VPN users, and other relevant information for each license, allowing users to monitor the current status of their licenses.
What Happens to the SPC License When De-registering a Gateway Bound to an Active SecuPoint Client VPN License from the Organization?
When a user deregisters a gateway bound to an active SecuPoint Client VPN license from an organization, the device will disappear from the organization. However, since the SecuPoint VPN license is an on-device license, the device will continue to remain bound to the license. As long as the license has not expired, the device will still be able to expand the VPN user count.
Here is the De-Register Device Warning Popup window.
What Happens to the SPC License when Removing a Gateway Associated with a SecuPoint VPN License from a Network
When a user unbinds a gateway device from the network, the gateway will continue to remain bound to the SecuPoint VPN license, as it is an on-device license. As long as the license has not expired, the device will still be able to expand the VPN user count.