How to set up Edge Gateway SSL VPN-Plus

Synopsis

This guide will show you one of the ways to configure the SSL VPN-Plus functionality on an edge gateway.

Overview

Although this guide uses a local authentication server, SSL VPN-Plus supports other authentication types, such as AD, LDAP, RADIUS and RSA-ACE.

How to

Open the edge gateway services

1. Log in to the Performance Cloud portal.

2. Click on your virtual datacenter.

PCv2 Edge Gateway SSL VPN_1

3. Go to Networking > Edges.

PCv2 Edge Gateway SSL VPN_2

4. Select your edge gateway and click SERVICES.

PCv2 Edge Gateway SSL VPN_3

Configure server settings

1. Go to the SSL VPN-Plus tab.

PCv2 Edge Gateway SSL VPN_4

2. Go to the Server Settings tab and configure the following:

  • Enable the SSL VPN server
  • Configure the public IP address of the edge gateway
  • Configure the desired port (443 in this example, but it could be different)
  • Configure the Cipher List (the selection can differ from the example; prefer the AES-GCM suites and leave out RC4, DES/3DES and MD5-based suites, which are deprecated)
  • The logging policy and server certificate can be left on default (the default certificate is self-signed, which is why the client shows a certificate alert at login; upload a certificate from a CA your users trust if you want to avoid teaching them to click through that alert)

PCv2 Edge Gateway SSL VPN_5

3. Click Save changes.

PCv2 Edge Gateway SSL VPN_6
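Before saving the cipher list it is worth reviewing it in the form the dialog takes (a colon-separated list of suite names in OpenSSL spelling) and, once saved, confirming that the gateway really negotiates only those suites. The Python script below is an added example, not part of this guide or of VMware's tooling. The sample cipher list is constructed for the example, the gateway host and port given on the command line are assumptions, and the classification rules are the script's own: AEAD suites preferred, CBC-with-HMAC tolerated as legacy, RC4/DES/NULL/export/MD5 rejected.

```python
"""Review an SSL VPN-Plus cipher list and optionally probe the gateway."""
import socket
import ssl
import sys

# Constructed sample: a cipher list as it might be typed into Server Settings,
# in OpenSSL spelling. It is not the edge gateway's default list.
SAMPLE_CIPHER_LIST = (
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:"
    "DES-CBC3-SHA:RC4-MD5"
)

# Substrings that mark a suite as broken, unauthenticated or export-grade.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH", "ANON")


def classify_cipher(name: str) -> str:
    """Classify one OpenSSL suite name as 'ok', 'legacy' or 'weak'.

    'ok'     : AEAD suite (AES-GCM, AES-CCM, ChaCha20-Poly1305)
    'legacy' : CBC mode with an HMAC, still widely supported but not preferred
    'weak'   : RC4, (3)DES, NULL/anonymous/export or MD5-based; drop it
    """
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "weak"
    if any(aead in upper for aead in ("GCM", "CCM", "CHACHA20")):
        return "ok"
    return "legacy"


def review_cipher_list(cipher_list: str) -> dict:
    """Map each suite in a colon-separated list to its classification."""
    return {name: classify_cipher(name) for name in cipher_list.split(":") if name}


def recommended_cipher_list(cipher_list: str) -> str:
    """Return the same list with weak and legacy suites removed, order kept."""
    return ":".join(name for name, cls in review_cipher_list(cipher_list).items()
                    if cls == "ok")


def probe_ciphers(host: str, port: int, cipher_list: str, timeout: float = 5.0) -> dict:
    """Offer each suite on its own to the gateway and record the outcome.

    Certificate verification is disabled on purpose: the default gateway
    certificate is self-signed and only cipher acceptance is being tested.
    The handshake is capped at TLS 1.2 because set_ciphers() does not govern
    TLS 1.3 suites, so a TLS 1.3 server would otherwise always "accept".
    """
    results = {}
    for name in cipher_list.split(":"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(name)  # raises if the local OpenSSL refuses the suite
        except ssl.SSLError:
            results[name] = "unavailable in local OpenSSL"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = "accepted" if tls.cipher()[0] == name else "rejected"
        except (ssl.SSLError, OSError):
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for suite, verdict in review_cipher_list(SAMPLE_CIPHER_LIST).items():
        print(f"{suite:24} {verdict}")
    print("recommended:", recommended_cipher_list(SAMPLE_CIPHER_LIST))
    if len(sys.argv) == 3:  # python sslvpn_ciphers.py <gateway> <port>
        host, port = sys.argv[1], int(sys.argv[2])
        for suite, outcome in probe_ciphers(host, port, SAMPLE_CIPHER_LIST).items():
            print(f"{host}:{port} {suite:24} {outcome}")
```

The probe reports "unavailable in local OpenSSL" separately from "rejected" because modern OpenSSL builds refuse to even offer RC4 or 3DES at their default security level; a suite the client cannot offer tells you nothing about what the gateway would accept.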

 

4. Go to the IP Pool tab.

5. Click Create New IP Pool.

Note: We are going to use the 192.168.20.0/24 network, but you can choose a different private IP pool according to your requirements. Pick a range that overlaps neither the private networks you will expose over the tunnel nor the LANs your remote users are likely to sit on: a client whose home network is also 192.168.20.0/24 ends up with conflicting routes. In the example we also decided to use the IP range 192.168.20.5 to 192.168.20.200 and to use OpenDNS servers.

PCv2 Edge Gateway SSL VPN_7

PCv2 Edge Gateway SSL VPN_8

PCv2 Edge Gateway SSL VPN_9

6. Go to the Private Networks tab.

7. Create private networks to give access to your Performance Cloud powered by VMware network. In this example, we give access to our VNET-DLapointe (10.0.0.0/24) network:

PCv2 Edge Gateway SSL VPN_10

PCv2 Edge Gateway SSL VPN_11

  • Click “+” to add a new network
  • Network: Your network in Performance Cloud powered by VMware
  • Description: Virtual network description
  • Send Traffic: Over Tunnel
  • Enable TCP Optimization: Enabled
  • Ports: Leave blank to send all ports over the tunnel, or list only the ports you want to expose
  • Status: Enabled

PCv2 Edge Gateway SSL VPN_12

PCv2 Edge Gateway SSL VPN_13
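The pool, the private networks and the firewall rule only work together if the address ranges do not collide, and that is easy to get wrong when the pool is chosen in one tab and the private networks in another. The Python check below is an added example, not part of this guide, using the values chosen in steps 5 and 7. The list of common client LAN ranges is an assumption made for the example; it is there because consumer routers frequently hand out those ranges, and a remote user on such a LAN gets conflicting routes in split-tunnel mode.

```python
"""Sanity-check an SSL VPN-Plus IP pool against the networks it must coexist with."""
from ipaddress import IPv4Address, IPv4Network

# The values used in this guide, restated here as the example's input.
POOL_SUBNET = "192.168.20.0/24"
POOL_FIRST = "192.168.20.5"
POOL_LAST = "192.168.20.200"
PRIVATE_NETWORKS = ["10.0.0.0/24"]  # networks sent over the tunnel (step 7)

# Assumption for the example: ranges that consumer routers commonly hand out.
COMMON_CLIENT_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def check_pool(subnet, first, last, private_networks, client_lans=COMMON_CLIENT_LANS):
    """Return (errors, warnings) for a proposed pool.

    errors   : the pool cannot work as entered
    warnings : it will work, but some remote users will have routing trouble
    """
    errors, warnings = [], []
    pool = IPv4Network(subnet, strict=True)  # rejects a host address given as subnet
    lo, hi = IPv4Address(first), IPv4Address(last)

    if lo not in pool or hi not in pool:
        errors.append(f"range {first}-{last} is not inside {subnet}")
    if lo > hi:
        errors.append(f"range start {first} is above range end {last}")
    if lo == pool.network_address or hi == pool.broadcast_address:
        errors.append("range must not include the network or broadcast address")

    for net in map(IPv4Network, private_networks):
        if pool.overlaps(net):
            errors.append(f"pool {subnet} overlaps private network {net}")

    for lan in map(IPv4Network, client_lans):
        if pool.overlaps(lan):
            warnings.append(f"pool {subnet} collides with common client LAN {lan}")
        for net in map(IPv4Network, private_networks):
            if net.overlaps(lan):
                warnings.append(f"private network {net} collides with common client LAN {lan}")
    return errors, warnings


def pool_capacity(first, last):
    """Number of addresses in the range, i.e. the maximum concurrent clients."""
    return int(IPv4Address(last)) - int(IPv4Address(first)) + 1


if __name__ == "__main__":
    errs, warns = check_pool(POOL_SUBNET, POOL_FIRST, POOL_LAST, PRIVATE_NETWORKS)
    print(f"capacity: {pool_capacity(POOL_FIRST, POOL_LAST)} concurrent clients")
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARNING:", w)
```

Run against the guide's own values the check passes, but it warns that the private network 10.0.0.0/24 is itself a common home-router range; users on such a LAN will reach their local devices instead of the cloud network unless full tunnel mode is used.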

 

8. We are now ready to configure authentication. In this example, we use the local server authentication (the only possibility in the GUI at this moment).

Note that LDAP, AD, RADIUS and RSA-ACE authentication servers can be configured in the backend by our support team. If you would like to use one of these authentication server types, please contact our support team with the information for your authentication server.

Example of required details to provide our support team for AD authentication:

  • IP address of the AD server
  • Search base (for example, the OU containing the users that will access the SSL VPN)
  • Bind DN (the account used to connect to AD; use a dedicated service account with read-only rights, since its password is stored on the edge and shared with support)
  • Bind password (the bind DN user password)
  • Login attribute name (if different than sAMAccountName)
  • Search filter (if different than objectClass=*; to limit the VPN to members of one group, a filter on memberOf with your own group's DN, for example memberOf=CN=SSL-VPN-Users,OU=Groups,DC=example,DC=com, is the usual choice)

PCv2 Edge Gateway SSL VPN_14

Example of required details to provide our support team for RADIUS authentication:

  • IP address of the RADIUS server
  • Port (if different than default port 1812)
  • Secret key

PCv2 Edge Gateway SSL VPN_15

If you use one of these external authentication servers, skip the local authentication setup below and continue with step 9.

To configure local server authentication, go to the Authentication tab.

PCv2 Edge Gateway SSL VPN_16

  • Click on “+ Local”
  • Configure PASSWORD POLICY

PCv2 Edge Gateway SSL VPN_17

  • Configure ACCOUNT LOCKOUT POLICY (the gateway is reachable from the internet, so a lockout after a small number of failed attempts is what limits password guessing against local accounts)

PCv2 Edge Gateway SSL VPN_18

  • STATUS: Enabled
  • SECONDARY AUTHENTICATION: Disabled

PCv2 Edge Gateway SSL VPN_19

PCv2 Edge Gateway SSL VPN_20

9. Go to the Installation Packages tab.

PCv2 Edge Gateway SSL VPN_21

10. Click “+” to create a new installation package:

  • Profile Name: Give it a name
  • Gateway: The public IP address or DNS name of the edge gateway that the client will connect to, and from which people will download the package. It can be an external DNS host name.
  • Create installation packages for: Windows is enabled by default and can’t be cleared. You have the options for Linux and Mac.
  • Description: Give a description to the package.
  • Enabled: Enable
  • Installation Parameters for Windows: Enable features according to your requirements

PCv2 Edge Gateway SSL VPN_22

PCv2 Edge Gateway SSL VPN_23

PCv2 Edge Gateway SSL VPN_24

11. Go to the Client Configuration tab.

Tunneling mode: in split tunnel mode, only traffic for the private networks configured in step 7 flows through the NSX Edge Gateway; the client's other traffic (local LAN and internet) takes its normal path. In full tunnel mode, the NSX Edge Gateway becomes the remote user’s default gateway and all traffic (VPN, local and internet) flows through it. Split tunnel keeps internet traffic off the edge, but it also leaves the client reachable from its local LAN while the tunnel is up; pick the mode your policy requires.

  • Tunneling mode: Split
  • Enable auto reconnect: Enabled
  • Client upgrade notification: Enabled

PCv2 Edge Gateway SSL VPN_25
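After a client connects, its route table shows whether the tunnelling mode actually took effect. The Python script below is an added example (not from this guide or from the VMware client) that parses the IPv4 table as Windows prints it with route print -4, identifies the routes steered to the SSL VPN-Plus adapter by their interface address falling inside the IP pool from step 5, and checks that the private networks from step 7 go through the tunnel while, in split mode, the default route does not. The embedded route table is constructed for the example; current_routes() reads the live table on a Windows client and is the only platform-dependent part.

```python
"""Verify a client's route table matches the SSL VPN-Plus tunnelling mode."""
import re
import subprocess
from ipaddress import IPv4Address, IPv4Network

POOL = IPv4Network("192.168.20.0/24")             # IP pool from step 5
PRIVATE_NETWORKS = [IPv4Network("10.0.0.0/24")]   # private networks from step 7

# Constructed sample of `route print -4` output for a split-tunnel client whose
# LAN is 192.168.1.0/24 and whose VPN adapter received 192.168.20.5 from the pool.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     25
         10.0.0.0    255.255.255.0         On-link      192.168.20.5    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
     192.168.20.0    255.255.255.0         On-link      192.168.20.5    281
===========================================================================
"""

# destination, netmask, gateway (an address or "On-link"), interface, metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return [(destination_network, interface_address)] from route print output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, _gateway, iface, _metric = m.groups()
            routes.append((IPv4Network(f"{dest}/{mask}"), IPv4Address(iface)))
    return routes


def tunnel_routes(routes):
    """Destinations reached through the VPN adapter (interface address in the pool)."""
    return [dest for dest, iface in routes if iface in POOL]


def check_tunnelling(routes, mode):
    """Return a list of findings; an empty list means the table matches `mode`."""
    via_vpn = tunnel_routes(routes)
    findings = []
    default_via_vpn = any(dest.prefixlen == 0 for dest in via_vpn)
    for net in PRIVATE_NETWORKS:
        if not any(net.subnet_of(dest) for dest in via_vpn):
            findings.append(f"{net} is not routed through the VPN adapter")
    if mode == "split" and default_via_vpn:
        findings.append("default route goes through the VPN adapter: this is full tunnel")
    if mode == "full" and not default_via_vpn:
        findings.append("default route bypasses the VPN adapter: this is split tunnel")
    return findings


def current_routes():
    """Read the live table on a Windows client (assumes `route print -4` exists)."""
    out = subprocess.run(["route", "print", "-4"], capture_output=True, text=True, check=True)
    return parse_routes(out.stdout)


if __name__ == "__main__":
    findings = check_tunnelling(parse_routes(SAMPLE_ROUTE_PRINT), "split")
    print("\n".join(findings) if findings else "route table matches split tunnel mode")
```

Replace parse_routes(SAMPLE_ROUTE_PRINT) with current_routes() on a connected Windows client to check the real table; the interface-address test does not depend on how the client labels the routes, only on the adapter holding an address from the pool.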

 

12. Go to the Users tab (only required if you are using Local Authentication).

PCv2 Edge Gateway SSL VPN_26

13. Create your users (only required if you are using Local Authentication):

  • Click “+”
  • Enter user information

PCv2 Edge Gateway SSL VPN_27

PCv2 Edge Gateway SSL VPN_28

PCv2 Edge Gateway SSL VPN_29

14. Go to the General Settings tab.

15. Settings can be left on default (customize as per your requirements).

PCv2 Edge Gateway SSL VPN_30

16. Go to the Firewall tab and make sure the firewall rule was automatically added to permit the Installation Package to be downloaded.

PCv2 Edge Gateway SSL VPN_31

17. If not done already, make sure you have a firewall rule that permits the traffic of the chosen IP pool (192.168.20.0/24). For this example, we configured it so the pool can reach any destination. It can, however, be more restrictive, and should be where possible: limit the destination to the private networks from step 7 and to the ports those users actually need, since every VPN user is otherwise one hop away from everything behind the edge.

PCv2 Edge Gateway SSL VPN_32

Test the SSL VPN-Plus

1. Browse to https://<gateway IP>:<port>, using the public IP and port you set in Server Settings. In this example, we used the default 443. You will automatically get redirected to the login page.

PCv2 Edge Gateway SSL VPN_33

2. Log in with your user (local user for this example, but if another authentication method such as AD is used, log in using your AD credentials).

PCv2 Edge Gateway SSL VPN_34

3. Click on the SSL-VPN-Plus Package to download the client.

PCv2 Edge Gateway SSL VPN_35

4. Click on "click here" to download the installer.

PCv2 Edge Gateway SSL VPN_36

5. Once the package is downloaded, extract the zip file and double-click the installer.

PCv2 Edge Gateway SSL VPN_37

6. Click Yes to install the client.

PCv2 Edge Gateway SSL VPN_38

PCv2 Edge Gateway SSL VPN_39

7. Once installed, double-click the desktop icon (if you decided to enable the desktop icon). Otherwise, right-click the client icon in the taskbar and click Login.

PCv2 Edge Gateway SSL VPN_40

PCv2 Edge Gateway SSL VPN_41

  • Click Login
  • Accept the certificate alert. It appears because the gateway is still using the default self-signed certificate. Before accepting, compare the certificate's fingerprint with one obtained from whoever administers the gateway; accepting an unknown certificate is exactly what a man-in-the-middle on the path needs. The alert stops once a certificate from a CA the client trusts is configured in Server Settings.

PCv2 Edge Gateway SSL VPN_42
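To get a reference value for that comparison, fetch the certificate the gateway presents and print its fingerprints, then check them against the value the gateway's administrator published out of band. The Python script below is an added example, not part of this guide or of the VMware client; the gateway host, port and expected fingerprint are command-line arguments, and nothing else is assumed.

```python
"""Fetch the SSL VPN-Plus gateway certificate and compare its fingerprint.

Run this before accepting the client's certificate alert. The expected
fingerprint must come from an out-of-band source (the person who runs the
edge gateway), never from the connection being checked.
"""
import hashlib
import hmac
import re
import ssl
import sys


def fetch_gateway_cert(host, port=443):
    """Return the gateway's leaf certificate as DER bytes.

    Verification is intentionally skipped: the default certificate is
    self-signed, and the point is to inspect it, not to trust it yet.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprints(der):
    """SHA-256 and SHA-1 fingerprints in the colon-separated form GUIs show.

    Windows certificate dialogs label the SHA-1 value 'Thumbprint'.
    """
    def colon(digest):
        return ":".join(f"{b:02X}" for b in digest)
    return {
        "sha256": colon(hashlib.sha256(der).digest()),
        "sha1": colon(hashlib.sha1(der).digest()),
    }


def normalize(fp):
    """Strip separators and case so pasted values compare digit for digit."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def matches(der, expected):
    """True if `expected` equals the certificate's SHA-256 or SHA-1 fingerprint.

    The algorithm is picked from the length of the value (64 hex digits for
    SHA-256, 40 for SHA-1); any other length is rejected rather than guessed.
    """
    want = normalize(expected)
    got = fingerprints(der)
    if len(want) == 64:
        return hmac.compare_digest(normalize(got["sha256"]), want)
    if len(want) == 40:
        return hmac.compare_digest(normalize(got["sha1"]), want)
    return False


if __name__ == "__main__":
    # usage: python check_gateway_cert.py <gateway> [<port>] [<expected fingerprint>]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    der = fetch_gateway_cert(host, port)
    for algo, value in fingerprints(der).items():
        print(f"{algo}: {value}")
    if len(sys.argv) > 3:
        ok = matches(der, sys.argv[3])
        print("fingerprint MATCHES" if ok else "fingerprint DOES NOT MATCH: do not accept")
        sys.exit(0 if ok else 1)
```

Run it from the remote user's network, not only from inside the cloud: a mismatch between the two is the interception case the alert is warning about.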

 

  • Enter your credentials

PCv2 Edge Gateway SSL VPN_43

PCv2 Edge Gateway SSL VPN_44

  • You have options on the SSL VPN-Plus Client icon at the bottom right of your screen

PCv2 Edge Gateway SSL VPN_45

8. You now have a new network adapter on your machine, with an address from the IP pool.

PCv2 Edge Gateway SSL VPN_46

9. You can perform a ping test to your previously configured private network (10.0.0.0/24 in this example):

PCv2 Edge Gateway SSL VPN_47

Note: If your ping is unsuccessful, make sure that the firewall on the edge gateway is properly configured (step 17 above), that the destination network is listed under Private Networks with status Enabled, and that the remote machine's firewall allows ICMP echo requests.