In this post I’m covering:
- What is SSL VPN-Plus
- How to configure it
- How to test it
- How to troubleshoot issues
What is SSL VPN-Plus
SSL VPN-Plus enables individual remote users to connect securely to private networks behind an NSX Edge gateway. Like any other vendor SSL VPN, the SSL encrypted tunnel is established between the client (pc, mac, laptop) and the NSX Edge.
Two access modes are available:
- Web Access mode (without a client)
- Full network access mode (requires a client installation)
Important notes
- Mobile clients are not supported
- Support up to 25 users
- Full tunnel client
- Authentication through Local, RADIUS or LDAP
- Windows and Mac OS clients
Use cases
- Secure remote access without the use of a jump box
- Secure web access with the thick client
- Split-tunnel can be enforced
- Administrator can also direct the traffic to a Web filtering or caching device (proxy).
My topology is the following:
The objective to achieve is to be able to connect to web-sv-02a (172.16.40.1) from outside, here represented by the mobile user in the subnet 10.0.10.0/24 who will VPN in.
SSL VPN-Plus Server Configuration
On the Branch ESG, Manage > SSL VPN-Plus > Server Settings > Change
I’m using 192.168.130.4 as primary IPv4 listener and I’ve changed the cipher to AES256-SHA
Configure Authentication
I’m using AD authentication as I’m not a big fan of creating local users. My AD Organisational Unit (OU) where I’m storing all the Groups and Users is called Cloud_Lab
The search base is effectively the OU DN (Distinguished Name) in my case OU=Cloud_Lab,DC=cloudlab,DC=local
Bind DN is the DN of the user you use to login to AD, in my case called labadmin (CLOUDLAB\labadmin) and its DN is CN=Lab Admin,OU=Cloud_Lab,DC=cloudlab,DC=local
Bind password is the password for Bind DN
Create an IP Pool
The pool of IP addresses will be released to the VPN clients with once they authenticate and connect to the network.
This network is segregated from any existing subnet in your NSX environment, does not need to be configured on other devices on the physical networks with the exception of routes that point to it.
Enable the SSL VPN-Plus service from the Dashboard (Dashboard > Enable)
Private Network
Add the Private Network that you want to “expose” via the VPN. All the private networks you add here (and enabled) will effectively be installed in the routing table of the client with a metric = 1
Installation Package
Once that’s done we need to create an installation package for the thick client. I’ve decided to install the client silently so it won’t ask any question to the user.
Web Portal
You can customise some elements of the web portal (title, logos) by going to Portal Customization
and this is what it looks like. From here you proceed with logging in and download the client.
Save the package and install it.
Testing
Here I’m initiating the VPN client from client 192.168.110.10 that can’t reach 172.16.40.10/24
Connecting
.
And here we can see the route 172.16.40.0 installed and ping being successful.
Troubleshooting
To check status of SSL VPN:
show service sslvpn-plus
To check various stats for SSL VPN:
show service sslvpn-plus stats
To check VPN Clients that are connected:
show service sslvpn-plus tunnels
To check sessions:
show service sslvpn-plus sessions
2 Trackbacks