Configure the SSL VPN on the VMware Edge Gateway

Overview

This Knowledgebase (KB) article covers the high-level process of configuring the SSL-VPN Plus function of the VMware vCloud Edge Gateway provided by Hosted Network.

Please keep in mind this guide assumes you already have an Edge Gateway configured and in production prior to trying to configure the VPN.

The SSL VPN-Plus functionality on the Advanced Edge Gateway allows users to connect to an internal VPN managed by the Edge. In this way, end users can connect directly to the edge gateway’s external IP in order to access their servers. This gives users a secure method by which they can remotely manage and connect to their Hosted Network IaaS environment.

Requirements

In order to complete this KB, you will need the below information, and have a few items preconfigured:

• Optional, configure a hostname to point to the WAN IP of the Edge Gateway (if multiple are available for use you can define which one to use in a later step)

• Optional, A valid SSL Certificate (if you want to set it up securely)

• An IP Pool for the SSL-VPN to use, it can be part of an existing subnet or a new subnet

• A free port if port 443 is already in use

Process

Quick Links:

Advance Edge SSL VPN-Plus Setup

Login to your vCloud Director account and navigate to the Edge Gateway. In order to begin SSL VPN-Plus configuration, navigate to the Edge Gateway, then select the assigned edge gateway to your vDC then click "Services". A new window will popup.

1. Configure Authentication Service

On the SSL VPN-Plus, click the Authentication tab. To add a new server, click the "+ LOCAL" and configure all of your required settings, (you can leave everything as default if you like). Click "Keep" once done.

1. Enable and Configure SSL Server

Navigate to the SSL VPN-Plus tab, then the Server Settings sub-tab.

Click the "Enable" switch to turn on the SSL VPN service, and select the external IPv4 address and port for external access to the VPN. Select one or more Ciphers, the save the settings. This will automatically populate a Firewall rule which can be verified below.

1. Verify Firewall Rule

Enabling the server from the SSL VPN Server Settings should automatically populate a Firewall rule as shown below. This rule should correspond to the external IP for the VPN and should allow TCP traffic on the specified port.

1. Configure IP Pools

Once the SSL VPN Server has been enabled, select the IP Pools tab to create a range of internal IPs for use by the VPN. Click on the "+" symbol in the upper left to create a new pool. This pool will be the set of internal IPs which are mapped to each remote user when they connect to the VPN. These IPs will need to be on the subnet which has access to the existing environment. This IP Pool should not correspond to the Org VDC Network. It needs to have a Gateway address configured, which will be the Edge Gateway's IP on that subnet. DNS options are not required.

Once the IP Pool has been created, verify that the pool appears in the list and that the information is correct.

1. Configure Private Networks

Select the Private Networks tab and click the "+" symbol in the upper left to add VPN access to an internal network. This subnet should include addresses for any servers which should be accessible to users connected to the VPN.

After adding the Private Network, verify that the network appears in the Private Networks list and that the information appears correct.

1. Configure Users

Select the Users tab to add user accounts to the VPN. Any users should be added manually here before attempting to download the client and join the VPN. Forcing users to reset their password on login can be enforced at this screen as well.

1. Configure Installation Package

Select the Installation Packages tab to configure the package users will receive when joining the VPN. Add the Gateway IP and the Port for VPN Access (as configured at the VPN Server tab above). Please note that if the Gateway IP or Port changes for any reason, the Installation Package profile needs to be deleted and re-created. Enable any necessary installation parameters (such as silent mode, or starting the client at login) and save the configuration.

Once the installation Package is configured and saved, it will appear in the list of packages. Verify that the Gateway and Port are correct.

1. Configure Client Tunneling

Under the SSL VPN-Plus tab, select Client Configuration. The tunnel should be configured to Split mode to enable simultaneous external communication, but can be set to Full mode if application demands it. Any subnet exclusion can be configured here as well.

At this point, the VPN tunnel is configured. Users can navigate to the access point IP, download the installer, install the VPN client, and connect to the network.

1. Download and Install Client

For each end user, navigate in a web browser to https://###.###.###.###:####/, the access address configured in the Server Settings tab. If the server is properly configured, the following login prompt will appear.

Enter the credentials for that user and select "Login". After logging in, the link to download the VPN client will appear under "List". Click the name of the installer Package configured in the Installer Package tab. The download will begin automatically per the instructions of the following page.

1. Connect and Log In

After installing the VPn client, run the program. A login window will appear. Click "Login" to prompt the user for credentials.

If the login process is successful, the VPN client will minimize to the tray and the VPN will establish automatically. To verify, double click on the arrow icon in the tray as show below to open Statistics.

In the Statistics window, select the Advance tab to verify the assigned addresses and connection information.

Upload and configure the SSL Certificate

You can upload a valid SSL to use with the SSL VPN to avoid security/certificate warnings when connecting. To do this follow the steps below.

Step 1. In the Edge Gateway services click on 'Certificates'.

Step 2. Click '+ SERVICE CERTIFICATE'.

Step 3. Upload the SSL and SSL Key (it asks for PEM format, but a .crt file is also accepted) and click 'KEEP' saving the SSL.

Step 4. Click on the 'SSL VPN-Plus' tab and then click 'Server Settings'.

Step 5. At the bottom of the page click the 'CHANGE SERVER CERTIFICATE' button, this should bring up a window.

Step 6. Select the SSL you uploaded and tick the slider next to 'Configure Service Certificate' and then click 'OK' to save it

The SSL will now be used for inbound connections to the SSL VPN