NSX for Newbies – Part 13: SSL VPN-Plus

In this post I’m covering:

  • What is SSL VPN-Plus
  • How to configure it
  • How to test it
  • How to troubleshoot issues

What is SSL VPN-Plus

SSL VPN-Plus enables individual remote users to connect securely to private networks behind an NSX Edge gateway. Like any other vendor SSL VPN, the SSL encrypted tunnel is established between the client (pc, mac, laptop) and the NSX Edge.
Two access modes are available:

  • Web Access mode (without a client)
  • Full network access mode (requires a client installation)

Important notes

  • Mobile clients are not supported
  • Support up to 25 users
  • Full tunnel client
  • Authentication through Local, RADIUS or LDAP
  • Windows and Mac OS clients

Use cases

  • Secure remote access without the use of a jump box
  • Secure web access with the thick client
    • Split-tunnel can be enforced
    • Administrator can also direct the traffic to a Web filtering or caching device (proxy).

My topology is the following:

 

The objective to achieve is to be able to connect to web-sv-02a (172.16.40.1) from outside, here represented by the mobile user in the subnet 10.0.10.0/24 who will VPN in.

SSL VPN-Plus Server Configuration

On the Branch ESG, Manage > SSL VPN-Plus > Server Settings > Change
I’m using 192.168.130.4 as primary IPv4 listener and I’ve changed the cipher to AES256-SHA

Configure Authentication

I’m using AD authentication as I’m not a big fan of creating local users. My AD Organisational Unit (OU) where I’m storing all the Groups and Users is called Cloud_Lab

The search base is effectively the OU DN (Distinguished Name) in my case OU=Cloud_Lab,DC=cloudlab,DC=local
Bind DN is the DN of the user you use to login to AD, in my case called labadmin (CLOUDLAB\labadmin) and its DN is CN=Lab Admin,OU=Cloud_Lab,DC=cloudlab,DC=local
Bind password is the password for Bind DN

Create an IP Pool

The pool of IP addresses will be released to the VPN clients with once they authenticate and connect to the network.
This network is segregated from any existing subnet in your NSX environment, does not need to be configured on other devices on the physical networks with the exception of routes that point to it.

Enable the SSL VPN-Plus service from the Dashboard (Dashboard > Enable)

Private Network

Add the Private Network that you want to “expose” via the VPN. All the private networks you add here (and enabled) will effectively be installed in the routing table of the client with a metric = 1

Installation Package

Once that’s done we need to create an installation package for the thick client. I’ve decided to install the client silently so it won’t ask any question to the user.

 

Web Portal

You can customise some elements of the web portal (title, logos) by going to Portal Customization

and this is what it looks like. From here you proceed with logging in and download the client.

Save the package and install it.

Testing

Here I’m initiating the VPN client from client 192.168.110.10 that can’t reach 172.16.40.10/24

Connecting

.

And here we can see the route 172.16.40.0 installed and ping being successful.

Troubleshooting

To check status of SSL VPN:

show service sslvpn-plus

To check various stats for SSL VPN:

show service sslvpn-plus stats

To check VPN Clients that are connected:

show service sslvpn-plus tunnels

To check sessions:

show service sslvpn-plus sessions

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

2 Trackbacks