With SSL VPN-Plus, you can connect to private networks behind a NSX edge gateway. A user can then access applications and servers on the private network. Since this is a SSL VPN, a user can access the private networks by use of a web browser or a client that is installed on the local machine. Below is a diagram taken from the NSX Admin Guide of the clients connect to the private network and also the support operating systems for the SSL VPN client:
In network access mode, a remote user installs a client on their machine. After the install, the user is able to access the assigned private networks. The SSL VPN requires that port 443 is accessible from the external networks and the SSL VPN client requires the NSX edge IP and port 443 to be reachable from the client system.
To configure network access SSL VPN-Plus:
Navigate to Networking & Security > NSX Edges > Double click the NSX edge > Manage > SSL VPN-Plus > Server Settings. Click Change
Select the appropriate information. Click OK.
Next we need to add an IP Pool. A IP Pool is a range of virtual IP addresses that are assigned to remote users with they connect to the VPN. Under IP Pools click the green +.
Enter in the needed information. Click OK.
Now we want to add the private networks that we want the remote users to access. Under Private Networks click the green +
Type the private network IP address.
Explanation of options:
The Send Traffic Over Tunnel options, specifies whether you want to send private network and internet traffic over the VPN tunnel or to bypass the tunnel and sent traffic directly to the private server/network. If you select Send Traffic Over Tunnel, select Enable TCP Optimization. From the NSX Admin Guide:
Conventional full-access SSL VPNs tunnel sends TCP/IP data in a second TCP/IP stack for
encryption over the internet. This results in application layer data being encapsulated twice in two separate TCP streams. When packet loss occurs (which happens even under optimal internet conditions), a performance degradation effect called TCP-over-TCP meltdown occurs. In essence, two TCP instruments are correcting a single packet of IP data, undermining network throughput and causing connection timeouts. TCP Optimization eliminates this TCP-over-TCP problem, ensuring optimal performance.
When optimization is enabled, specify the port numbers for which traffic should be optimized. Traffic for the remaining ports for that specific network will not be optimized. If no ports numbers are specified, traffic for all ports is optimized.
When TCP traffic is optimized, the TCP connection is opened by the SSL VPN server on behalf of the client. Because the TCP connection is opened by the SSLVPN server, the first automatically generated rule is applied, which allows all connections opened from the Edge to get passed. Traffic that is not optimized will be evaluated by the regular Edge firewall rules. The default rule is allow any any.
Under Authentication is where you decide how the users will authenticate to the VPN tunnel. SSL VPN supports local, AD, LDAP, Radius, or RSA authentication types. The maximum time to authenticate over SSL VPN is 3 minutes. This is because non-authentication timeout is 3 minutes and is not something that you can configure. So in a situation where AD authentication timeout is set to more than 3 minutes or there are multiple authentication servers in chain authorization and the time take for the user authentication is more than 3 minutes, you will not be authenticated. Click the green +
For this lab situation, I chose local authentication. Configure the parameters as needed. Click OK.
Next we need to create a installation package for the SSL VPN client for the remote user. Under Installation Package click the green +
First we want to type in a profile name. In the Gateway section, enter in the IP or FQDN of the public IP address of the NSX Edge. Enter in the port number that you specified in the Server Settings section earlier. Click OK.
From the NSX Admin Guide, here are a list of the what each Installation Parameter means:
Next, since we are using local authentication, we want to add a remote user to the local database. Click OK.
Now we need to enable the SSL VPN server. Simple navigate to Dashboard and click Start next to Service.
And click Yes to start the service
Now in order to test things out, I’m going to go over to a VM that I have on a different network and navigate to the external IP of my NSX edge and login there. Enter in the credentials for a created user. Click Login.
Click the VPN profile name to download the VPN client
Click the hyperlink to being the download. Once downloaded, double click the Installer.exe file.
Click Yes to continue
The client should pull up automatically but if not, look on the desktop and double click it to run it. The VPN profile should be selected. Click Login.
Accept the security alert
Enter in the creds for one of the VPN users you created. Click OK.
Now the VPN connection has been established. You can also check the system tray to see the VPN icon with the status as connected.
Now we see that we can communicate with a VM on private network that we allowed on our VPN.