NSX – Configure SSL VPN service to allow remote users to access private networks

SSL VPN-Plus Overview

With SSL VPN-Plus, remote users can connect securely to private networks behind a NSX Edge gateway. Remote users can access servers and applications in the private networks.

Add SSL VPN-Plus Server Settings

1. In the SSL VPN-Plus tab, select Server Settings from the left panel.


2. Click Change.

3. Select the IPv4 or IPv6 address.

4. Edit the port number if required. This port number is required to configure the installation package.

5. Select the encryption method.

6. (Optional) From the Server Certificates table, select the server certificate that you want to add.

7. Click OK.

Add an IP Pool

The remote user is assigned a virtual IP address from the IP pool that you add.

1. In the SSL VPN-Plus tab, select IP Pools from the left panel.

2. Click the Add icon.

3. Type the begin and end IP address for the IP pool.

4. Type the netmask of the IP pool.

5. Type the IP address to be added to the routing interface on the NSX Edge gateway (the gateway address the remote clients will use).

6. (Optional) Type a description for the IP pool.

7. Select whether to enable or disable the IP pool.

8. (Optional) In the Advanced panel, type the DNS name.

9. (Optional) Type the secondary DNS name.

10. Type the connection-specific DNS suffix for domain based host name resolution.

11. Type the WINS server address.

12. Click OK.

Add a Private Network

Add the network that you want the remote user to be able to access.

1. In the SSL VPN-Plus tab, select Private Networks from the left panel.

2. Click the Add icon.

3. Type the private network IP address.

4. Type the netmask of the private network.

5. (Optional) Type a description for the network.

6. Specify whether you want to send private network and internet traffic over the SSL VPN-Plus enabled NSX Edge (Over Tunnel) or directly to the private server by bypassing the NSX Edge (Bypass Tunnel).

7. If you selected Send traffic over the tunnel, select Enable TCP Optimization to optimize the internet speed.

Conventional full-access SSL VPN tunnels send TCP/IP data inside a second TCP/IP stack for encryption over the internet. This results in application-layer data being encapsulated twice, in two separate TCP streams. When packet loss occurs (which happens even under optimal internet conditions), a performance degradation effect called TCP-over-TCP meltdown occurs: two TCP instances are both retransmitting and correcting a single packet of IP data, undermining network throughput and causing connection timeouts. TCP Optimization eliminates this TCP-over-TCP problem, ensuring optimal performance.

8. Type the port numbers that you want to open for the remote user to access the corporate internal servers/machines, such as 3389 for RDP, 20/21 for FTP, and 80 for HTTP. If you want to give unrestricted access to the user, you can leave the Ports field blank.

9. Specify whether you want to enable or disable the private network.

10. Click OK.
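The IP pool from the previous section and the private networks added here have to be consistent with each other: the pool range must sit inside its netmask, the routing-interface address must not be handed out to a client, and the pool must not overlap a private network or the routes collide. This is an added sanity check written for this post, not part of NSX or the original article; it uses only Python's standard `ipaddress` module, and the sample values in the `if __name__` block are constructed.

```python
import ipaddress


def validate_ip_pool(begin, end, netmask, gateway_ip, private_networks):
    """Return a list of problems found (an empty list means the pool is consistent).

    begin/end       - first and last virtual IP handed to remote users (IP pool step 3)
    netmask         - netmask of the pool (IP pool step 4)
    gateway_ip      - address placed on the NSX Edge routing interface (IP pool step 5)
    private_networks - list of 'address/netmask' strings from Add a Private Network
    """
    problems = []
    first, last = ipaddress.ip_address(begin), ipaddress.ip_address(end)
    gw = ipaddress.ip_address(gateway_ip)
    # strict=False accepts a host address plus netmask and yields its subnet
    subnet = ipaddress.ip_network(f"{begin}/{netmask}", strict=False)

    if first > last:
        problems.append("begin address is after end address")
    if first not in subnet or last not in subnet:
        problems.append(f"pool range is not inside {subnet}")
    if gw not in subnet:
        problems.append(f"gateway {gw} is not inside {subnet}")
    elif first <= gw <= last:
        problems.append(f"gateway {gw} lies inside the assignable range and would collide with a client")
    for net in private_networks:
        pn = ipaddress.ip_network(net, strict=False)
        if subnet.overlaps(pn):
            problems.append(f"pool subnet {subnet} overlaps private network {pn}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a pool on 10.10.10.0/24 serving two private networks
    print(validate_ip_pool("10.10.10.10", "10.10.10.100", "255.255.255.0",
                           "10.10.10.1", ["192.168.10.0/255.255.255.0", "192.168.20.0/24"]))
```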

Add Authentication

Instead of a local user, you can add an external authentication server (AD, LDAP, Radius, or RSA) which is bound to the SSL gateway. All users with accounts on the bound authentication server will be authenticated.

The maximum time to authenticate over SSL VPN is 3 minutes, because the non-authentication timeout is 3 minutes and is not a configurable property. So in scenarios where the AD authentication timeout is set to more than 3 minutes, or where multiple authentication servers are chained and the total time taken for user authentication exceeds 3 minutes, authentication fails.

1. In the SSL VPN-Plus tab, select Authentication from the left panel.

2. Click the Add icon.

3. Select the type of authentication server.

4. Depending on the type of authentication server you selected, complete the following fields:

AD authentication server

  • Enable SSL: Enabling SSL establishes an encrypted link between a web server and a browser.
  • IP Address: IP address of the authentication server.
  • Port: Displays default port name. Edit if required.
  • Timeout: Period in seconds within which the AD server must respond.
  • Status: Select Enabled or Disabled to indicate whether the server is enabled.
  • Search base: Part of the external directory tree to search. The search base may be something equivalent to the organization, group, or domain name (AD) of external directory.
  • Bind DN: User on the external AD server permitted to search the AD directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The role of the bind DN is to query the directory using the query filter and search base for the DN (distinguished name) for authenticating AD users. When the DN is returned, the DN and password are used to authenticate the AD user.
  • Bind Password: Password to authenticate the AD user.
  • Retype Bind Password: Retype the password.
  • Login Attribute Name: Name against which the user ID entered by the remote user is matched with. For Active Directory, the login attribute name is sAMAccountName.
  • Search Filter: Filter values by which the search is to be limited. The search filter format is attribute operator value.
  • Use this server for secondary authentication: If selected, this AD server is used as the second level of authentication.
  • Terminate Session if authentication fails: When selected, the session is ended if authentication fails.

LDAP authentication server

  • Enable SSL: Enabling SSL establishes an encrypted link between a web server and a browser.
  • IP Address: IP address of the authentication server.
  • Port: Displays default port name. Edit if required.
  • Timeout: Period in seconds within which the LDAP server must respond.
  • Status: Select Enabled or Disabled to indicate whether the server is enabled.
  • Search base: Part of the external directory tree to search. The search base may be something equivalent to the organization, group, or domain name (AD) of external directory.
  • Bind DN: User on the external AD server permitted to search the AD directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The role of the bind DN is to query the directory using the query filter and search base for the DN (distinguished name) for authenticating AD users. When the DN is returned, the DN and password are used to authenticate the AD user.
  • Bind Password: Password to authenticate the AD user.
  • Retype Bind Password: Retype the password.
  • Login Attribute Name: Name against which the user ID entered by the remote user is matched with. For Active Directory, the login attribute name is sAMAccountName.
  • Search Filter: Filter values by which the search is to be limited. The search filter format is attribute operator value.
  • Use this server for secondary authentication: If selected, this AD server is used as the second level of authentication.
  • Terminate Session if authentication fails: When selected, the session is ended if authentication fails.

RADIUS authentication server

  • IP Address: IP address of the external server.
  • Port: Displays default port name. Edit if required.
  • Timeout: Period in seconds within which the RADIUS server must respond.
  • Status: Select Enabled or Disabled to indicate whether the server is enabled.
  • Secret: Shared secret specified while adding the authentication agent in the RSA security console.
  • Retype secret: Retype the shared secret.
  • NAS IP Address: IP address to be configured and used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets.
  • Retry Count: Number of times the RADIUS server is to be contacted if it does not respond before the authentication fails.
  • Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
  • Terminate Session if authentication fails: When selected, the session is ended if authentication fails.

RSA-ACE authentication server

  • Timeout: Period in seconds within which the RSA server must respond.
  • Configuration File: Click Browse to select the sdconf.rec file that you downloaded from the RSA Authentication Manager.
  • Status: Select Enabled or Disabled to indicate whether the server is enabled.
  • Source IP Address: IP address of the NSX Edge interface through which the RSA server is accessible.
  • Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
  • Terminate Session if authentication fails: When selected, the session is ended if authentication fails.

Local authentication server

  • Enable password policy: If selected, defines a password policy. Specify the required values.
  • Enable account lockout policy: If selected, defines an account lockout policy. Specify the required values.
    • a. In Retry Count, type the number of times a remote user can try to access his or her account after entering an incorrect password.
    • b. In Retry Duration, type the time period in which the remote user’s account gets locked on unsuccessful login attempts.
    • c. In Lockout Duration, type the time period for which the user account remains locked. After this time, the account is automatically unlocked.
  • Status: Select Enabled or Disabled to indicate whether the server is enabled.
  • Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
  • Terminate Session if authentication fails: When selected, the session is ended if authentication fails.

This is what I will be using!!
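Because the 3-minute limit above is fixed, the per-server Timeout and Retry Count values you enter have to add up to less than 180 seconds across a primary plus secondary chain. The helper below is an added example for this post (not NSX code) that computes the worst-case budget; it assumes RADIUS contacts the server Retry Count times at the full Timeout each, that chained servers are queried one after another, and that the other server types make a single attempt. The sample chain values are constructed.

```python
# Fixed, non-configurable SSL VPN-Plus authentication limit from the text (3 minutes)
NON_AUTH_TIMEOUT_S = 180


def worst_case_seconds(server):
    """Worst-case seconds one server can consume before it is declared unreachable.

    server is a dict: {"type": "AD"|"LDAP"|"RADIUS"|"RSA"|"Local",
                       "timeout": seconds, "retry_count": n (RADIUS only)}
    Assumption: RADIUS is contacted retry_count times, each waiting the full timeout.
    """
    attempts = server.get("retry_count", 1) if server["type"] == "RADIUS" else 1
    return server["timeout"] * attempts


def check_auth_chain(servers, limit=NON_AUTH_TIMEOUT_S):
    """Sum the worst case over the chain (primary, then secondary) and compare with the limit.

    Returns (total_seconds, fits) where fits is True only when total is strictly below limit.
    """
    total = sum(worst_case_seconds(s) for s in servers)
    return total, total < limit


if __name__ == "__main__":
    # Constructed example: AD primary at 120 s plus RADIUS secondary 30 s x 3 retries = 210 s
    too_slow = [{"type": "AD", "timeout": 120},
                {"type": "RADIUS", "timeout": 30, "retry_count": 3}]
    print(check_auth_chain(too_slow))   # budget exceeded

    # Same chain with tighter values: 60 s + 20 s x 3 = 120 s, within the 3-minute window
    fixed = [{"type": "AD", "timeout": 60},
             {"type": "RADIUS", "timeout": 20, "retry_count": 3}]
    print(check_auth_chain(fixed))
```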

Add Installation Package

Create an installation package of the SSL VPN-Plus client for the remote user.

1. In the SSL VPN-Plus tab, select Installation Package from the left panel.

2. Click the Add icon.

3. Type a profile name for the installation package.

4. In Gateway, type the IP address or FQDN of the public interface of NSX Edge. This IP address or FQDN is bound to the SSL client. When the client is installed, this IP address or FQDN is displayed on the SSL client.

5. Type the port number that you specified in the server settings for SSL VPN-Plus. See Add SSL VPN-Plus Server Settings.

6. (Optional) To bind additional NSX Edge uplink interfaces to the SSL client,

  • a. Click the Add icon.
  • b. Type the IP address and port number.
  • c. Click OK.

7. The installation package is created for Windows operating system by default. Select Linux or Mac to create an installation package for Linux or Mac operating systems as well.

8. (Optional) Enter a description for the installation package.

9. Select Enable to display the installation package on the Installation Package page.

10. Select the following options as appropriate.

  • Start client on logon: The SSL VPN client is started when the remote user logs on to his system.
  • Allow remember password: Enables the option.
  • Enable silent mode installation: Hides installation commands from remote user.
  • Hide SSL client network adapter: Hides the VMware SSL VPN-Plus Adapter, which is installed on the remote user’s computer along with the SSL VPN installation package.
  • Hide client system tray icon: Hides the SSL VPN tray icon which indicates whether the VPN connection is active or not.
  • Create desktop icon: Creates an icon to invoke the SSL client on the user’s desktop.
  • Enable silent mode operation: Hides the pop-up that indicates that installation is complete.
  • Server security certificate validation: The SSL VPN client validates the SSL VPN server certificate before establishing the secure connection.

11. Click OK.

Add a User

Add a remote user to the local database.

1. In the SSL VPN-Plus tab, select Users from the left panel.


2. Click the Add icon.

3. Type the user ID.

4. Type the password.

5. Retype the password.

6. (Optional) Type the first and last name of the user.

7. (Optional) Type a description for the user.

8. In Password Details, select Password never expires to always keep the same password for the user.

9. Select Allow change password to let the user change the password.

10. Select Change password on next login if you want the user to change the password the next time he logs in.

11. Set the user status.

12. Click OK.

Enable the SSL VPN-Plus Service

After configuring the SSL VPN-Plus service, enable the service for remote users to begin accessing private networks.

1. In the SSL VPN-Plus tab, select Dashboard from the left panel.

2. Click the “Enable” button.

The dashboard displays the status of the service, number of active SSL VPN sessions, and session statistics and data flow details. Click Details next to Number of Active Sessions to view information about the concurrent connections to private networks behind the NSX Edge gateway.
