How to set up Edge Gateway SSL VPN-Plus
This guide will show you one of the ways to configure the SSL VPN-Plus functionality on an edge gateway.
Although this guide uses a local authentication server, SSL VPN-Plus supports other authentication types, such as AD, LDAP, RADIUS and RSA-ACE.
Create an edge gateway
1. Log in to the Performance Cloud portal.
2. Click on your virtual datacenter.
3. Go to Networking > Edges.
4. Select your edge gateway and click SERVICES.
Configure server settings
1. Go to the SSL VPN-Plus tab.
2. Go to the Server Settings tab and configure the following:
- Enable the SSL VPN server
- Configure the public IP address of the edge gateway
- Configure the desired port (443 in this example, but it could be different)
- Configure Cipher List (could be different than the example, as per your choice)
- The logging policy and server certificate can be left on default (could be different, as per your choice)
3. Click Save changes
4. Go to the IP Pool tab
5. Click Create New IP Pool
Note: We are going to use the 192.168.20.0/24 network, but you can choose a different private IP pool according to your requirements. In this example we also chose the IP range 192.168.20.5 to 192.168.20.200 and the OpenDNS servers as DNS servers.
6. Go to the Private Networks tab
7. Create private networks to give access to your Performance Cloud powered by VMware network. In this example, we give access to our VNET-DLapointe (10.0.0.0/24) network:
- Click “+” to add a new network
- Network: Your network in Performance Cloud powered by VMware
- Description: Virtual network description
- Send Traffic: Over Tunnel
- Enable TCP Optimization: Enabled
- Ports: Leave blank
- Status: Enabled
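As an added example (not part of the original guide or the portal), the following script sanity-checks the IP pool from the note above (192.168.20.0/24, range .5 to .200) against the private networks sent over the tunnel (10.0.0.0/24 here). The checks are general good practice for this kind of setup, not rules quoted from the portal: the range must lie inside the pool subnet, the pool must not overlap any network routed over the tunnel (otherwise the client's tunnel routes collide with its pool address), and the DNS servers must be valid addresses outside the pool.

```python
# Added example, not the guide's own code: validate an SSL VPN-Plus IP pool
# against the private networks that will be routed over the tunnel.
import ipaddress

def validate_pool(pool_cidr, range_start, range_end, private_networks, dns_servers=()):
    """Return a list of problems (an empty list means the values are consistent)."""
    problems = []
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)

    # 1. The assignable range must sit inside the pool subnet and be ordered.
    if start not in pool or end not in pool:
        problems.append(f"range {start}-{end} is not inside {pool}")
    if start > end:
        problems.append(f"range start {start} is after range end {end}")
    # Network and broadcast addresses are not usable client addresses.
    if start == pool.network_address or end == pool.broadcast_address:
        problems.append("range includes the network or broadcast address")

    # 2. The pool must not overlap any private network reachable over the tunnel.
    for net in private_networks:
        private = ipaddress.ip_network(net, strict=False)
        if pool.overlaps(private):
            problems.append(f"pool {pool} overlaps private network {private}")

    # 3. DNS servers must parse as addresses and should not live inside the pool.
    for dns in dns_servers:
        try:
            addr = ipaddress.ip_address(dns)
        except ValueError:
            problems.append(f"DNS server {dns!r} is not a valid IP address")
            continue
        if addr in pool:
            problems.append(f"DNS server {addr} lies inside the client pool")
    return problems

if __name__ == "__main__":
    # Values from the guide: pool 192.168.20.0/24, range .5-.200, private
    # network 10.0.0.0/24; 208.67.222.222 is the public OpenDNS resolver.
    print(validate_pool("192.168.20.0/24", "192.168.20.5", "192.168.20.200",
                        ["10.0.0.0/24"], ["208.67.222.222"]))  # -> []
```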
8. We are now ready to configure authentication. In this example, we use the local server authentication (the only possibility in the GUI at this moment).
Note that LDAP, AD, RADIUS and RSA-ACE authentication servers can be configured in the backend by our support team. If you would like to use one of these authentication server types, please contact our support team with the details of your authentication server.
Example of required details to provide our support team for AD authentication:
- IP address of the AD server
- Search base (OU containing users that will access SSL VPN, for example)
- Bind DN (the user/service account used to connect to AD)
- Bind password (the password of the bind DN user)
- Login attribute name (if different from sAMAccountName)
- Search filter (if different from objectClass=*)
Example of required details to provide our support team for RADIUS authentication:
- IP address of the RADIUS server
- Port (if different from the default port 1812)
- Secret key
If you use one of these backend authentication server types, you can skip the local authentication setup and jump to step 13.
To configure a local server authentication, go to the Authentication tab.
- Click on “+ Local”
- Configure PASSWORD POLICY
- Configure ACCOUNT LOCKOUT POLICY
- STATUS: Enabled
- SECONDARY AUTHENTICATION: Disabled
9. Go to the Installation Packages tab.
10. Click “+” to create a new installation package:
- Profile Name: Give it a name
- Gateway: Configure your gateway from where people will download the package. It can even be an external DNS host name.
- Create installation packages for: Windows is enabled by default and can’t be unchecked. You can additionally select Linux and Mac.
- Description: Give a description to the package.
- Enabled: Enable
- Installation Parameters for Windows: Enable feature according to your requirements
11. Go to the Client Configuration tab
Tunneling mode: In split tunnel mode, only traffic destined for the private networks flows through the NSX Edge Gateway. In full tunnel mode, the NSX Edge Gateway becomes the remote user’s default gateway and all traffic (VPN, local, and internet) flows through this gateway.
- Tunneling mode: Split
- Enable auto reconnect: Enabled
- Client upgrade notification: Enabled
12. Go to the Users tab (only required if you are using Local Authentication)
13. Create your users (only required if you are using Local Authentication):
- Click “+”
- Enter user information
14. Go to the General Settings tab
15. Settings can be left on default (customize as per your requirements)
16. Go to the Firewall tab and make sure the firewall rule was automatically added to permit the Installation Package to be downloaded.
17. If not done already, make sure you have a firewall rule that permits the traffic of the chosen IP pool (192.168.20.0/24). For this example, we configured it so the pool can reach any destination. It can, however, be made more restrictive, if required.
Test the SSL VPN-Plus
1. Browse to your gateway IP on the specified port. In this example, we used the default 443. You will automatically be redirected to the login page.
2. Log in with your user (local user for this example, but if another authentication method such as AD is used, log in using your AD credentials).
3. Click on the SSL-VPN-Plus Package to download the client
4. Click on "click here" to download the installer
5. Once the package is downloaded, extract the zip file and double-click the installer
6. Click Yes to install the client
7. Once installed, double-click the desktop icon (if you decided to enable the desktop icon). Otherwise, you can right-click the client and click Login from the taskbar.
- Click Login
- Accept certificate alert
- Enter your credentials
- Additional options are available from the SSL VPN-Plus Client icon at the bottom right of your screen
8. You now have a new Ethernet adapter on your machine.
9. You can perform a ping test to your previously configured private network (10.0.0.0/24 in this example):
Note: If your ping is unsuccessful, make sure that the firewall on the edge gateway is properly configured. Also make sure the remote machine firewall allows ping traffic.