How to setup the Edge Gateway SSL VPN-Plus on Performance Cloud VMware
- Add a SSL VPN-Plus IP Pool
- Add a private network
- Authentication configuration
- Server Settings
- Installation Packages
- Optional – Client Configuration section
- Creation of local VPN users
- Optional – General Settings section
- Firewall rules
- Download the SSL VPN-Plus client
- Install the VPN-Plus SSL client
- Test the SSL VPN-Plus client connection
This guide will show you one of the ways to configure the SSL VPN-Plus functionality on an edge gateway.
SSL VPN-Plus Client is not supported on computers that use ARM-based processors.
1. Login to the Performance Cloud VMware portal using your credentials.
2. Click on your virtual datacenter.
3. Go to Networking > Edges
4. Select your edge gateway and click SERVICES
Add a SSL VPN-Plus IP Pool
1. Go to the SSL VPN-Plus tab, then on the IP Pool sub-tab.= and finally on the + button.
2. Define a new dedicated network by filling required fiels, then enable the pool and click on KEEP.
- New IP address range for the VPN network (10.200.200.100-10.200.200.199 in this example)
- Subnet mask (255.255.255.0 in this example)
- VPN network gateway (10.200.200.1 in this example)
- Optional but recommended – DNS Servers (IP Address of the Domain Controller in this example)
Add a private network
1. Go to the Private Networks tab and click on the + button.
2. Enter the private network to authorize with SSL VPN-Plus.
Repeat this step as needed if more than one virtual network needs to be allowed for VPN access.
3. Then click on Save Changes.
For authentication, several options are possible like local, LDAP, Active Directory, RADIUS and RCA ACE.
For LDAP, Active Directory, RADIUS or RCA ACE authentication servers, those authentication methods require configuration in the backend. Start by implementing the necessary roles and configurations in your virtual machines, then please contact our cloud support team to provide them with the information associated with the authentication server.
Example of required details to provide to our support team for AD authentication:
- IP address of the AD server
- Search base (OU containing users that will access SSL VPN, for example)
- Bind DN (user used to connect to the AD/Service account):
- Bind password (the bind DN user password):
- Login attribute name: (if different than sAMAccountName)
- Search filter: (if different than objectClass=*)
Example of required details to provide our support team for RADIUS authentication:
- IP address of the RADIUS server
- Port (if different than default port 1812)
- Secret key
Otherwise, for a local authentication server (VPN users and passwords managed in the Edge Gateway):
1. Click on Authentication and then on the "+ LOCAL" button.
2. Configure the desired password policy, enable the local authentication server and click on KEEP.
1. Go to the Server Settings tab and configure the following:
- Enable the SSL VPN server
- Configure the public IP address of the edge gateway
- Configure the desired port (60003 in this example, but it could be different)
- Configure Cipher List (could be different than the example, as per your requirements )
- The logging policy and server certificate can be left on default (could be different, as per your requirements)
Then click on Save Changes.
1. Go to the Installation Packages tab and click on the + button.
2. Define here the desired options for the installation module.
- Profile Name: Give it a name
- Gateway: Configure the external DNS hostname from which people will download the package. It will be necessary to create a DNS entry in the zone of the domain. Otherwise, enter the public IP address configured in the previous step.
- Create installation packages for: the Windows option is enabled by default and cannot be checked. You also have Linux and Mac options available. However, compatibility may be limited with up-to-date versions of these operating systems.
- Description: Give a description to the package.
- Enabled: Enable
- Installation Parameters for Windows: Enable features according to your requirements
Repeat this step to create more than one installation package with different parameters.
Optional – Client Configuration section
Tunneling mode In split tunnel mode, only the VPN flows through the NSX Edge Gateway. In full tunnel mode, the NSX Edge Gateway becomes the remote user’s default gateway and all traffic (VPN, local, and internet) flows through this gateway.
Customize as needed.
- Tunneling mode: Split
- Enable auto reconnect: Enabled
- Client upgrade notification: Enabled
Creation of local VPN users
(Step only necessary if you are using a local authentication server.)
1. Go to the Users tab and click on the + button
2. Fill in the necessary fields for the creation of your VPN users and click on KEEP.
Repeat this step for each SSL VPN-Plus user to create.
Optional – General Settings section
Go to the General Settings tab.
Settings can be left on default. Customize as per your requirements.
Go to the Firewall tab and create the necessary firewall rules to allow VPN traffic to access cloud resources. Then click on Save Changes.
Example below to allow all traffic from the VPN to the internal network. It can be more restrictive if required.
Download the SSL VPN-Plus client
1. Connect to your IP gateway (or with the external DNS hostname) using the port specified earlier. You are then automatically redirected to the login page.
2. Sign in using your VPN user (Local user created earlier or if another authentication method is used, such as Active Directory or RADIUS, sign in using your Active Directory credentials).
3. Click on the SSL-VPN-Plus Package to download the client
4. Click on "click here" to download the installer
Install the VPN-Plus SSL client
1. Once the package is downloaded, extract the zip file and double-click the installer
2. Click Yes to install the client
3. You now have a new Ethernet adapter on your machine.
Test the SSL VPN-Plus client connection
1. Once installed, double-click the desktop icon (if you decided to enable the desktop icon) and click Login.
Otherwise, you can right-click the client and click Login from the taskbar.
2. Accept certificate alert
3. Provide your credentials (Local user created earlier or if another authentication method is used, such as Active Directory or RADIUS, login using your Active Directory credentials).
4. You have options on the SSL VPN-Plus Client icon at the bottom right of your screen
You can perform a ping test to your previously configured private network (10.0.1.0/24 in this example):
Note: If your ping is unsuccessful, make sure that the firewall on the edge gateway is properly configured. Also make sure the remote machine firewall allows ping traffic.