In this post, we will cover the following topics of Objective 3.2 of the VCAP6-NV Deploy exam:
Objective 3.2 – Configure and Manage Logical Virtual Private Networks (VPNs)
- Configure IPSec VPN service to enable site to site communication
- Configure SSL VPN service to allow remote users to access private networks
- Configure L2 VPN service to stretch multiple logical networks across geographical sites
Configure SSL VPN Service to Allow Remote Users to Access Private Networks
In NSX, VMware calls this feature SSL VPN-Plus. It can only be configured on an Edge Services Gateway (ESG), as that is the Internet-facing component.
SSL VPN on the NSX Edge Gateway allows end users to connect to a private network through an SSL VPN tunnel, so that they can access the applications and services hosted at the remote site as if they were on their local network. As the service is consumed over HTTPS, it is accessible from nearly anywhere the user has an Internet connection, either via a web-based SSL client or a regular (installed) client.
The image below, taken from the NSX Administration Guide, demonstrates the process of connecting to a private network via SSL VPN.
The Edge Services Gateway (ESG) external IP address and TCP port 443 must be accessible to remote clients to be able to connect to the SSL VPN.
SSL VPN Plus supports the following remote client operating systems:
- Windows XP and above (Windows 8 is supported).
- Mac OS X Tiger, Leopard, Snow Leopard, Lion, Mountain Lion, Mavericks and Yosemite. The client can be installed either manually or using the Java installer.
- Linux: Tcl/Tk is required for the UI to work. If it is not present, the Linux client can be used from the CLI.
There are two ways in which SSL VPN-Plus can be consumed:
- By downloading, installing and launching the client SSL VPN Plus software. This is called Network Access Mode.
- By accessing the SSL VPN Plus service from a web browser. This is called Web Access Mode.
Network Access Mode
Add SSL VPN Plus Server Settings
This configures the IPv4 or IPv6 address and TCP port (default 443) that the SSL VPN will listen on. You can also configure the encryption method and the server certificate. By default it uses the ‘Default Certificate’. If you wish to use a self-signed or CA-signed certificate you will need to import it first; see Objective 3.1, which contains a section on how to create a certificate for your NSX Edge.
Log into the vSphere Web Client.
Click Networking and Security, then NSX Edges.
Double-click the ESG that SSL VPN Plus will be configured on.
Click Manage, then SSL VPN-Plus.
Click Server Settings, then click Change.
Enter the details relevant to your environment.
I have selected my Uplink (184.108.40.206), TCP port 443, AES-128 encryption and selected the option to use the default certificate.
Next add an IP Pool.
Add an IP Pool
The IP Pool is a range of virtual IP addresses assigned to remote clients when they connect. It also includes the netmask, default gateway and DNS servers.
Click IP Pool, then click the green + sign to Add an IP Pool.
Enter the details relevant to your environment.
Next configure the Private Networks.
Configure Private Networks
This allows you to configure one or more networks that remote users can access. For the Send Traffic option, make sure Over Tunnel is selected so that Private Network and Internet traffic is sent over the SSL VPN-enabled ESG.
The option Enable TCP Optimisation should be enabled to eliminate the TCP-over-TCP meltdown condition. The VMware NSX Administration Guide describes it as follows:
Conventional full-access SSL VPN tunnels send TCP/IP data in a second TCP/IP stack for encryption over the Internet. This results in application-layer data being encapsulated twice in two separate TCP streams. When packet loss occurs (which happens even under optimal Internet conditions), a performance degradation effect called TCP-over-TCP meltdown occurs. In essence, two TCP instruments are correcting a single packet of IP data, undermining network throughput and causing connection timeouts. TCP Optimization eliminates this TCP-over-TCP problem, ensuring optimal performance.
Click Private Networks, then click the green + sign to Add a Private Network.
Enter the details for the Private Network. Repeat if you have more than one.
If the Edge Firewall is enabled you will need to add a rule allowing traffic to the destination Private Network(s) (a north-south firewall rule). The source will be the virtual IP range you configured in the IP Pool.
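As an added example (not from the original post or from VMware), the following Python models the IP Pool and Private Networks configured above, derives the north-south Edge Firewall rule just described and flags an IP Pool that overlaps a Private Network, a misconfiguration that leaves connected clients unable to reach that network. All addresses are constructed lab values, and the rule dictionary is an illustration, not the NSX API's format.

```python
# Added example, not from the original post or from VMware: models the IP Pool
# and Private Networks of an SSL VPN-Plus configuration and derives the
# north-south Edge Firewall rule needed when the Edge Firewall is enabled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Dict, List


@dataclass
class PrivateNetwork:
    cidr: str                              # e.g. "172.16.10.0/24"
    send_traffic_over_tunnel: bool = True  # the "Over Tunnel" option
    tcp_optimisation: bool = True          # the "Enable TCP Optimisation" option


def pool_as_cidrs(start: str, end: str) -> List[str]:
    """Collapse the IP Pool's first..last range into the minimal CIDR list,
    which is the form a firewall rule's source field takes."""
    first, last = ip_address(start), ip_address(end)
    if first > last:
        raise ValueError("IP Pool start address is after its end address")
    return [str(c) for c in summarize_address_range(first, last)]


def validate(start: str, end: str, nets: List[PrivateNetwork]) -> List[str]:
    """Return the configuration problems found (an empty list means OK)."""
    problems = []
    pool = [ip_network(c) for c in pool_as_cidrs(start, end)]
    for n in nets:
        net = ip_network(n.cidr)
        if any(p.overlaps(net) for p in pool):
            problems.append(f"IP Pool {start}-{end} overlaps private network {net}")
        if not n.send_traffic_over_tunnel:
            problems.append(f"{net}: Send Traffic is not set to Over Tunnel")
        if not n.tcp_optimisation:
            problems.append(f"{net}: TCP Optimisation disabled (TCP-over-TCP risk)")
    return problems


def edge_firewall_rule(start: str, end: str, nets: List[PrivateNetwork]) -> Dict:
    """North-south allow rule: source = pool range, destination = private nets."""
    return {
        "name": "SSL-VPN-Plus clients to private networks",
        "source": pool_as_cidrs(start, end),
        "destination": [n.cidr for n in nets],
        "action": "accept",
    }


if __name__ == "__main__":
    nets = [PrivateNetwork("172.16.10.0/24")]        # constructed lab values
    print(validate("192.168.250.10", "192.168.250.100", nets))
    print(edge_firewall_rule("192.168.250.10", "192.168.250.100", nets))
```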
The next step is to configure an authentication server.
This is where you configure the authentication server that will authenticate users connecting to the SSL VPN. Several authentication methods are available, such as:
- Active Directory
Each method has different options to configure. I am going to configure the Local option, where users are authenticated locally by the ESG SSL VPN. You can have more than one authentication server.
When you configure the Local authentication method you are essentially creating a password and lockout policy, as shown below. There are numerous options available.
To Configure Local Authentication
Click Authentication, then click the green + sign to Add an Authentication Server.
I selected the Authentication Server Type as Local. I left all settings at their defaults and clicked OK. (In production I would want to change some settings if using Local Authentication, such as password length.)
I can now see this has been configured:
Next I need to add an installation package.
Add an Installation Package
This step creates a customised client installer package. When a remote user connects to the URL or IP of the SSL VPN, they are prompted to download the package. The remote user must install it to connect to the SSL VPN. Once installed, the user launches the SSL VPN client to connect.
There are quite a few simple options that can be configured. By default the package is created for Windows, with Linux and Mac also available.
Click Installation Package, then click the green + sign to Add an Installation Package.
Enter the Profile Name, the Gateway and the Port. The Gateway can be either the IP address or the external DNS name of the public-facing interface. Both the Gateway and the Port must match what you set in the SSL VPN-Plus Server Settings.
All I have configured is the Profile Name and Gateway.
I can now see the Installation package has been created:
Next we need to add the users who are allowed to connect to the SSL VPN.
If you are using the Local Authentication method, you will need to add users to the local database.
Click Users, then click the green + sign to Add Users.
Enter the user's details.
I can now see the user has been added.
That is pretty much the entire configuration, apart from enabling the SSL VPN-Plus service.
Enable the SSL VPN-Plus Service
Click Dashboard, then click the button.
Click Yes to enable the service.
Make sure the service status changes to Enabled.
The configuration is now live.
The following settings are not required but offer further customisation.
You can also configure SSL VPN-Plus web access via a browser so that remote end users do not need to install the client. I am not going to configure this, but here is a screenshot of the configuration options.
Testing the Configuration
I have a VM that can hit the external IP address of my lab ESG that is running the SSL VPN-Plus service configured above. The IP address is 220.127.116.11:443.
I enter the credentials for the local user I created and click Login.
I am presented with a package that can be downloaded.
I click the package and select Install.
Once the client package has installed the following VMwareTray icon appears on the Desktop.
Launch the VMwareTray icon to launch the SSL VPN-Plus client software.
Click Login and enter the user credentials, then click OK.
The connection is established.
In the SSL VPN configuration I allowed remote connections to access the internal private network 172.16.10.0/24.
I can ping a VM (172.16.10.100) that I have sitting on this private network.
That’s all for this post. I recommend you read the reference documents below.
In the next post we will cover Objective 3.2c – Configure L2 VPN service to stretch multiple logical networks across geographical sites.
I hope this has been informative and thank you for reading! Be social and share it on social media if you feel it is worth sharing!
I am Rahul Sharma. I am currently working as a Subject Matter Expert for SDDC and Cloud Infrastructure Services, mainly on the VMware virtualization platform.
I have 9 years of IT experience and expertise in designing and deploying VMware vSphere, vSAN, vCloud Director, vRealize Automation, SRM, NSX and modern data center technologies such as vBlock, Cisco UCS, Dell, HPE C7000, HPE Synergy HCI, etc.
I am a vExpert and hold VCIX6-DCV, dual VCP (DCV and NV), MCSE – Cloud, CCNA and ITIL v3 certifications.