
KNOWLEDGE BASE

How to Configure an SSL VPN in vCloud Director

Please note before proceeding with this Knowledge Base article, your vCloud Organization must have the Advanced Edge Gateway enabled in vCloud.

You can tell if you have an Advanced Gateway or not by right-clicking on your organization’s Edge Gateway and confirming whether “Convert to Advanced Gateway” is available. If it is available, please choose “Convert to Advanced Gateway”. This will cause a very short interruption (30 seconds) in connectivity to the servers.

Navigate to the SSL-VPN-Plus Screen

Proceed to the “Administration” tab:

Select (left-click) your Organization’s Virtual Datacenter:

HostedBizz Resources Knowledge Base
Select the “Edge Gateways” tab:

Right-click on your Edge Gateway and select “Edge Gateway Services”.

A new tab will open in your browser. You can now select the “SSL VPN-Plus” tab:
Configure an Authentication Server

Before other settings can be configured, an Authentication server must be enabled.

Select the “Authentication” tab, and then select “Local”:

The password policy is enabled by default. If you wish to keep one, leave the switch toggled on and configure the specific password policies you would like. If you do not wish to have one, toggle the password policy off. Please note, these passwords will be separate from domain or local credentials on the user’s machine.
Configure the account lockout policy (if you desire one) as you like. If you do not wish to have a lockout policy, then toggle it off.

The retry duration denotes the number of minutes the retry count will be kept track of. The lockout duration denotes the number of minutes the user will be locked out if they have too many unsuccessful attempts during the retry duration.

Finally, select the toggle to enable the Authentication Server, and select “KEEP” to save your configuration.

You will now see you have an authserver; the number denoted is generic. Do ensure that it is enabled.
Configure the SSL VPN Server Settings

On the SSL VPN-Plus tab, select “Server Settings”:

Toggle the button to enable the server.

Then select your desired IP address from the drop-down menu.

(Optional) Enter a TCP port number.

Please note: the TCP port number is used by the SSL client installation package. By default, the system uses port 443, which is the default port for HTTPS/SSL traffic. Even though a port number is required, you can set any TCP port for communications. As many of our customers use 443 for other traffic, we recommend setting an alternate port.

Select the encryption method from the Cipher List. (We recommend no less than AES256.)

Finally, select “Save Changes”.
Create an IP Pool for Use with SSL VPN-Plus on an Edge Gateway

The SSL VPN assigns an IP address to the remote users from the IP pools, based on the pool set up in the following steps.

On the SSL VPN-Plus tab, select “IP Pools” and select the “+” icon to create a new pool.

Input the range you wish to use for the SSL VPN pool. Please note, you cannot use the IP ranges currently in use in vCloud. As an example, if your current Cloud LAN pool is 10.10.1.0/24, you cannot use this; you would use a different range such as 10.10.2.0/24.

Here is the range used in the example: 10.20.30.10-10.20.30.250. This leaves us with 240 free IPs.

You must also input the netmask and gateway, and enable the pool. The DNS entries are optional. Once all fields are filled out, select “Keep”. We will need to make a firewall entry for this pool; this will be done in another step.
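The overlap rule above is easy to get wrong by hand. The following added example (written for this article; it is not HostedBizz or VMware code) checks a proposed SSL VPN-Plus pool against the org VDC networks before you type it into the UI. The Cloud LAN value, netmask and gateway are constructed assumptions based on the article's figures.

```python
import ipaddress

# Constructed sample values following the article's walkthrough; the Cloud LAN
# is assumed to be the org VDC network the article uses as its "in use" range.
CLOUD_LAN = "10.10.1.0/24"
POOL_RANGE = "10.20.30.10-10.20.30.250"
POOL_NETMASK = "255.255.255.0"
POOL_GATEWAY = "10.20.30.1"


def pool_addresses(pool_range):
    """Expand 'a.b.c.d-w.x.y.z' into the IPv4 addresses it covers, inclusive."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in pool_range.split("-"))
    if last < first:
        raise ValueError("pool range end precedes its start")
    return [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]


def validate_pool(pool_range, netmask, gateway, org_networks):
    """Return the list of problems found; an empty list means the pool is usable."""
    problems = []
    addrs = pool_addresses(pool_range)
    # The subnet the pool lives in, derived from its first address and the netmask
    subnet = ipaddress.IPv4Network(f"{addrs[0]}/{netmask}", strict=False)
    gw = ipaddress.IPv4Address(gateway)
    if not all(a in subnet for a in addrs):
        problems.append(f"pool range is not contained in {subnet}")
    if gw not in subnet:
        problems.append(f"gateway {gw} is outside {subnet}")
    if gw in addrs:
        problems.append(f"gateway {gw} would also be handed out to a VPN user")
    # The article's rule: the pool must not collide with any range vCloud already uses
    for net in (ipaddress.IPv4Network(n) for n in org_networks):
        if subnet.overlaps(net):
            problems.append(f"pool subnet {subnet} overlaps org VDC network {net}")
    return problems


if __name__ == "__main__":
    print(validate_pool(POOL_RANGE, POOL_NETMASK, POOL_GATEWAY, [CLOUD_LAN]))
    # A pool carved out of the Cloud LAN itself is rejected, as the article warns
    print(validate_pool("10.10.1.10-10.10.1.250", "255.255.255.0", "10.10.1.1", [CLOUD_LAN]))
```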
Add a Private Network for Use with the SSL VPN-Plus

The private networks are the ones that the SSL VPN-Plus users will be accessing, i.e. the Cloud LAN. You can confirm this network under “Org VDC Networks” back on the main vCloud Administration page we left behind after accessing the Edge Gateway.

In the Edge Gateway, under the SSL VPN-Plus tab, select the “Private Networks” tab:
Input the IP range desired (per the Org VDC Network). You can optionally specify whether traffic should be sent over the tunnel or not (it should be; note that this is not where you configure split tunnel), and what ports can be used in the tunnel. Leaving the ports blank leaves access unrestricted.

After you have selected “Keep”, select “Save changes”:
Configure the SSL VPN-Plus Client

Proceed to “Client Configuration” and ensure you are happy with the settings. The main setting here is whether it is a “Split” or “Full” tunnel. In split tunnel mode, only the VPN traffic flows through the edge gateway. In full tunnel mode, the edge gateway becomes the default gateway for the remote user and all traffic, such as VPN, local, and Internet, flows through the edge gateway.

If you select full tunnel mode, enter the IP address for the default gateway used by the clients of the remote users and, optionally, select whether to exclude local subnet traffic from flowing through the VPN tunnel.

By default, “auto reconnect” is already enabled.

In most use cases we see customers use “Split”, as the SSL VPN is typically just to access the cloud servers.

If you do make a change you must save it:
Configure Installation Packages

Proceed to the “Installation Packages” tab to set up the SSL VPN-Plus client. Select the “+” icon to configure the package.

You will need to input a profile name, your Gateway IP, and Port (this was set under “Configure the SSL VPN Server Settings”).

Additionally, you can configure whether the client is available for Mac or Linux users:
Further down there are also a number of settings that control how the client behaves on the user’s machine.

Once you have chosen your settings, select “Keep” to save them:
Create Users for SSL VPN-Plus

Proceed to the “Users” tab and select the “+” icon to add a user.

Input the user information, including their first password. Depending on how you configure the settings here, they may need to change their password after first login.
You can choose at this step to force them to change the password at next login. Select “Keep” to keep the user settings.

Repeat the above step until all your users are created.
Modify the Firewall to Allow Traffic to Traverse

Finally, all the SSL VPN-Plus settings are configured. The firewall rules will now need to be modified to allow traffic to traverse between the IP Pool of the SSL VPN and the Private Network.

Other rules would have been created by default, and you will see them in the firewall at this time.

Select the “+” icon to create a new rule.

Name the rule, and under “Source” select “IP”.

Input your IP Pool range here, and select “Keep”:
Repeat this step and add the Private IP pool (Cloud LAN). It should look like the below (except for your IPs, of course). Next, do the same for “Destination”:

You can restrict the port to those on your cloud server, or leave it open so any port can be accessed by an SSL VPN user. In the below example, we’ve left it as “Any”. “Save changes” once your rule is complete.
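To see what the rule built above actually permits, here is an added example (written for this article, not HostedBizz or NSX code) that models the edge firewall rule with both ranges on the Source and Destination sides and evaluates sample flows against it, once with ports left at “Any” and once restricted to the ports your servers expose. The Cloud LAN value, the port list and the deny-all default at the end of the rule table are assumptions.

```python
import ipaddress

# Constructed sample values following the article: the SSL VPN pool and the
# Cloud LAN (an assumed org VDC network) appear in both Source and Destination.
VPN_POOL = "10.20.30.10-10.20.30.250"
CLOUD_LAN = "10.10.1.0/24"


def _matcher(targets):
    """Build a predicate from 'Any', CIDRs and 'a.b.c.d-w.x.y.z' ranges."""
    checks = []
    for text in targets:
        if text.lower() == "any":
            return lambda ip: True
        if "-" in text:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
            checks.append(lambda ip, lo=lo, hi=hi: lo <= ipaddress.IPv4Address(ip) <= hi)
        else:
            net = ipaddress.IPv4Network(text)
            checks.append(lambda ip, net=net: ipaddress.IPv4Address(ip) in net)
    return lambda ip: any(c(ip) for c in checks)


def make_rule(name, sources, destinations, ports="Any", action="accept"):
    """Model one edge firewall rule the way the article builds it in the UI."""
    allowed = None if ports.lower() == "any" else {int(p) for p in ports.split(",")}
    return {"name": name, "src": _matcher(sources), "dst": _matcher(destinations),
            "ports": allowed, "action": action}


def evaluate(rules, src_ip, dst_ip, dst_port):
    """First matching rule wins; a deny-all default rule is assumed at the end."""
    for r in rules:
        if r["src"](src_ip) and r["dst"](dst_ip) and (r["ports"] is None or dst_port in r["ports"]):
            return r["action"], r["name"]
    return "deny", "default"


# The article's rule as built: both ranges on each side, ports left at "Any"
RULES_OPEN = [make_rule("sslvpn-lan", [VPN_POOL, CLOUD_LAN], [VPN_POOL, CLOUD_LAN])]
# The tighter variant the article mentions: only the ports your servers expose (assumed list)
RULES_RESTRICTED = [make_rule("sslvpn-lan", [VPN_POOL, CLOUD_LAN], [VPN_POOL, CLOUD_LAN],
                              ports="443,3389")]
```

Because both ranges sit on both sides, the rule also accepts flows initiated from the Cloud LAN toward VPN clients; if you only want client-initiated access, put the pool on Source and the LAN on Destination only.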
Have Users Download and Use the Client

Finally, users can now download and use the client. You will need the download URL for them. This will be https://gatewayIP:gatewayport, using the gateway IP and port that were set during the installation package setup (see below).

The webpage will look like the below. Have the user select “Advanced”
And then select “Proceed to IP”:

They can then log in with the credentials you provide them:
They can then click to download the client:

This will open a pop-up window, where the download will either begin, or they can select to start it manually:
Once the client has downloaded, have them run it.

If they get a Windows Defender pop-up, they will need to select “More info” and “Run anyway”:

There will then be a pop-up confirming they want to install it; have them select “Yes”.
It will install and then likely appear in their task tray; have them double-click the icon:

They can then select “Login”:

They will then need to enter the credentials you have provided and select “OK”.

They will then receive a pop-up notifying them they have successfully connected (or not), which they can acknowledge:

And finally, their SSL VPN icon will have colour:
End Notes

This setup, while a walkthrough, is also meant to provide a medium-level overview of the setup of the SSL VPN-Plus within vCloud Director. There are additional settings and setup methods that have not been covered. It is possible to have the SSL VPN-Plus leverage LDAP, as well as have it use a certificate.

For additional setup assistance, please contact [email protected] and one of our support staff will reach out to assist further.