TOTPRadius VPN Portal - Security

VPN Portal is a subcomponent of TOTPRadius appliance and is required  to implement several features, such as LDAP-based self-service enrollment, FIDO2/Passwordless or Azure AD (Microsoft Entra ID) Oauth2/SSO VPN access for your users (available starting from v0.2.5).

The principle behind VPN Portal is that it has to be accessible from the public internet, so there is an additional configuration required in your network layout. The web portal is running as a separate web server on the same virtual appliance, instead of standard https port (443) used for admin interface, the VPN web portal responds on port 9443. This port cannot be used directly for technical reasons, so has to be NATted to port 443.

The recommended network layout is displayed below

Approved Security Label

For obvious reasons, this portal has to be exposed to the public network. We understand the potential risks and hesitations of making a web application accessible to the whole planet, therefore to ensure the security of the VPN Portal is at the highest level, we have contracted an independent security company, SySS GmbH , to conduct a full penetration testing against this web application and produce a report. 

The team from SySS GmbH has completed the penetration testing and produced a security certificate available below:
 

TOTPRadius VPN Portal Certificate of Penetration Test

The TOTPRadius VPN Portal component is currently labeled as "Certified Website - Approved Security" by SySS Gmbh