How to setup the Edge Gateway SSL VPN-Plus on Performance Cloud VMware

Summary

This guide will show you one of the ways to configure the SSL VPN-Plus functionality on an edge gateway.

Notes

SSL VPN-Plus Client is not supported on computers that use ARM-based processors.

Please note that this procedure does not apply to the latest Performance Cloud VMware (NSX-T) platform.

Procedure

1. Login to the Performance Cloud VMware portal using your credentials.

 

2. Click on your virtual datacenter.

 

 

3. Go to Networking > Edges

 

 

4. Select your edge gateway and click SERVICES

 


Add a SSL VPN-Plus IP Pool

1. Go to the SSL VPN-Plus tab, then on the IP Pool sub-tab.= and finally on the button.


2.  Define a new dedicated network by filling required fiels, then enable the pool and click on KEEP.


  • New IP address range for the VPN network (10.200.200.100-10.200.200.199 in this example)
  • Subnet mask (255.255.255.0 in this example)
  • VPN network gateway (10.200.200.1 in this example)
  • Description
  • Optional but recommended – DNS Servers (IP Address of the Domain Controller in this example)

 


Add a private network


1. Go to the Private Networks tab and click on the + button.


2. Enter the private network to authorize with SSL VPN-Plus.


Repeat this step as needed if more than one virtual network needs to be allowed for VPN access.


3. Then click on Save Changes.



Authentication configuration

For authentication, several options are possible like local, LDAP, Active Directory, RADIUS and RCA ACE.


For LDAP, Active Directory, RADIUS or RCA ACE authentication servers, those authentication methods require configuration in the backend. Start by implementing the necessary roles and configurations in your virtual machines, then please contact our cloud support team to provide them with the information associated with the authentication server. 


Examples:

Example of required details to provide to our support team for AD authentication:

  • IP address of the AD server
  • Search base (OU containing users that will access SSL VPN, for example)
  • Bind DN (user used to connect to the AD/Service account):
  • Bind password (the bind DN user password):
  • Login attribute name: (if different than sAMAccountName)
  • Search filter: (if different than objectClass=*)

 

Example of required details to provide our support team for RADIUS authentication:

  • IP address of the RADIUS server
  • Port (if different than default port 1812)
  • Secret key

    PCv2 Edge Gateway SSL VPN_15 

 


Otherwise, for a local authentication server (VPN users and passwords managed in the Edge Gateway):

1. Click on Authentication and then on the "+ LOCAL" button.


2. Configure the desired password policy, enable the local authentication server and click on KEEP.




Server Settings


1. Go to the Server Settings tab and configure the following:

  • Enable the SSL VPN server
  • Configure the public IP address of the edge gateway
  • Configure the desired port (60003 in this example, but it could be different)
  • Configure Cipher List (could be different than the example, as per your requirements )
  • The logging policy and server certificate can be left on default (could be different, as per your requirements)

    Then click on Save Changes.



Installation Packages 

 

 1. Go to the Installation Packages tab and click on the + button.


2. Define here the desired options for the installation module.


  • Profile Name: Give it a name
  • Gateway: Configure the external DNS hostname from which people will download the package. It will be necessary to create a DNS entry in the zone of the domain. Otherwise, enter the public IP address configured in the previous step.
  • Create installation packages for: the Windows option is enabled by default and cannot be checked. You also have Linux and Mac options available. However, compatibility may be limited with up-to-date versions of these operating systems.
  • Description: Give a description to the package.
  • Enabled: Enable
  • Installation Parameters for Windows: Enable features according to your requirements



    Repeat this step to create more than one installation package with different parameters.

 


Optional – Client Configuration section


Tunneling mode In split tunnel mode, only the VPN flows through the NSX Edge Gateway. In full tunnel mode, the NSX Edge Gateway becomes the remote user’s default gateway and all traffic (VPN, local, and internet) flows through this gateway. 

Customize as needed.

  • Tunneling mode: Split
  • Enable auto reconnect: Enabled
  • Client upgrade notification: Enabled

Creation of local VPN users 

(Step only necessary if you are using a local authentication server.)

1. Go to the Users tab and click on the + button

 

 
2. Fill in the necessary fields for the creation of your VPN users and click on KEEP.


Repeat this step for each SSL VPN-Plus user to create.



Optional – General Settings section


Go to the General Settings tab.

Settings can be left on default. Customize as per your requirements.




Firewall rules


Go to the Firewall tab and create the necessary firewall rules to allow VPN traffic to access cloud resources. Then click on Save Changes.

Example below to allow all traffic from the VPN to the internal network. It can be more restrictive if required.



Download the SSL VPN-Plus client



1. Connect to your IP gateway (or with the external DNS hostname) using the port specified earlier. You are then automatically redirected to the login page.

 
2. Sign in using your VPN user (Local user created earlier or if another authentication method is used, such as Active Directory or RADIUS, sign in using your Active Directory credentials).


 

3. Click on the SSL-VPN-Plus Package to download the client

 

PCv2 Edge Gateway SSL VPN_35

 

4. Click on "click here" to download the installer

 

PCv2 Edge Gateway SSL VPN_36

 



Install the VPN-Plus SSL client


1. Once the package is downloaded, extract the zip file and double-click the installer

 

PCv2 Edge Gateway SSL VPN_37

 

2. Click Yes to install the client

 

PCv2 Edge Gateway SSL VPN_38


PCv2 Edge Gateway SSL VPN_39

3. You now have a new Ethernet adapter on your machine.


Test the SSL VPN-Plus client connection
 

1. Once installed, double-click the desktop icon (if you decided to enable the desktop icon) and click Login.

Otherwise, you can right-click the client and click Login from the taskbar.

 

PCv2 Edge Gateway SSL VPN_40


PCv2 Edge Gateway SSL VPN_41

 

2. Accept certificate alert

 

PCv2 Edge Gateway SSL VPN_42

 

3. Provide your credentials (Local user created earlier or if another authentication method is used, such as Active Directory or RADIUS, login using your Active Directory credentials).

 

PCv2 Edge Gateway SSL VPN_43


PCv2 Edge Gateway SSL VPN_44

 

4. You have options on the SSL VPN-Plus Client icon at the bottom right of your screen

 

 

You can perform a ping test to your previously configured private network (10.0.1.0/24 in this example):

 

Note: If your ping is unsuccessful, make sure that the firewall on the edge gateway is properly configured. Also make sure the remote machine firewall allows ping traffic.