How to Configure SSL VPN for Forcepoint NGFW TECHNICAL DOCUMENT

Transcription

1 How to Configure SSL VPN for Forcepoint NGFW TECHNICAL DOCUMENT

2 Table of Contents TABLE OF CONTENTS 1 OVERVIEW 2 SSL VPN CASE STUDY 2 CONFIGURE THE NGFW ENGINE 5 ADD SSL VPN USERS 6 ADDING LOCAL USERS THE SMC DATABASE 6 ADDING LOCAL USERS TO A USER GROUP 7 DATABASE REPLICATION TO THE NGFW 8 CONFIGURATION OF SSL VPN POLICIES 9 CONFIGURE SSL VPN PORTAL SERVICES 9 CONFIGURE THE SSL VPN PORTAL POLICIES 11 CONFIGURE THE SSL VPN PORTAL 12 TESTING THE SSL VPN 14 LOGGING IN AND TESTING LINKS 14 SSL VPN TROUBLESHOOTING 16 OVERVIEW 16 DID THE TRAFFIC MAKE IT TO THE CORRECT FIREWALL? 16 DID THE FIREWALL ACCEPT THE TRAFFIC? 16 NOW WHAT? 17 Technical Document 1

3 Overview The Forcepoint SSL VPN provides a user a method to connect to protected resources using Secure Sockets Layer (SSL) via a web browser. This secure VPN method does not require a client to be installed, so is typically more portable than an IPSEC VPN. The purpose of this document is to provide a sample network, a configuration overview, and troubleshooting steps to aide in simple problem resolution. SSL VPN Case Study SAH Corporate is a global company which manufactures widgets. With today s traveling and worker strategy, SAH needs a method for employees to connect to resources securely and perform day to day task. Users travel and work from remote networks, which are considered insecure. SSL VPN using Forcepoint SSL VPN will allow users to connect to internal resources remotely without creating a tunnel. NETWORK DIAGRAM AND INFORMATION Relevant User Information: USERS DUTY DUTY GROUP JOHN GERO JGERO SECRETARY ACCOUNTING ELSA SMITH ESMITH IT ADMINISTRATOR CORPORATE SECURITY Relevant IP Information: INTERFACE IP ADDRESS WAN DMZ INSIDE HTTP SERVER HTTP SERVER Technical Document 2

4 Network Diagram: Technical Document 3

5 BASIC SSL VPN CONFIGURATION FLOW Basic SSL VPN configuration is comprised of a few simple steps: Configure the NGFW Engine Configure SSL VPN Policies Test the SSL VPN Troubleshoot connectivity issues Technical Document 4

6 Configure the NGFW Engine The Next Generation Firewall Engine has to two sections that should be reviewed when configuring SSL VPN. To review the Engine configuration, log into the System Management Console (SMC) and follow the steps below: 1. Right click on the Engine that will be configured. Click Properties. 2. Expand VPN > End-Points. Right click the Interface in question and click Properties. 3. Under the VPN Type section, select the radial button for All Types or Selected Types Only. If the latter is selected, select the SSL VPN Portal and Tunnel method. The tunnel mode is not convered in this case study. Click the OK button to close the Properties window. 4. Select the Enable check box. Save and install the policy. Technical Document 5

7 ADD SSL VPN Users ADDING LOCAL USERS THE SMC DATABASE 1. On the SMC Home Page, clock the Configuration button. 2. Expand the User Authentication policy section. On the InternalDomain pane, right click the stonegate domain, select New > Internal User. 3. On the General tab, enter the user name in the Name field. 4. Select the Authentication tab. 5. Under Authentication Methods, click Add. Select User Password. 6. Under the Password Properties section, enter the password for the user. Repeat the password for the Confirm Password entry. 7. Click OK. 8. Repeat the process for additional Users Technical Document 6

8 Sample User configuration (Authentication): ADDING LOCAL USERS TO A USER GROUP 1. Under the Configuration window, expand User Authentication, Users, and select InternalDomian. 2. Right click on the Stonegate internal domain and select New > Internal User Group. Technical Document 7

9 3. Specify the Group name and a comment (optional). 4. Click OK. 5. Drag and drop the users previously created to the Portal_Users group. DATABASE REPLICATION TO THE NGFW 1. Go to the SMC home page by clicking the HOME icon in the navigation bar. 2. Right click the firewall, go to Options and enable the User DB replication option. Technical Document 8

10 Configuration of SSL VPN Policies CONFIGURE SSL VPN PORTAL SERVICES 1. On the SMC Home Page, clock the Configuration button. 2. On the Navigation pane, expand the VPN section and the SSL VPN Portal section. 3. Click on the SSL VPN Portal Services. Right click on the Policy pane (right side) and select New SSL VPN Portal Service. 4. Select the General tab. Enter the data for the Name, External URL Prefix, and Internal URL. Technical Document 9

11 Select the Look and Feel tab. Enter the value for the Title field. Click OK. 5. Create a second entry for New SSL VPN Portal Service. Select the General tab. Enter the data for the Name, External URL Prefix, and Internal URL. Select the Look and Feel tab. Enter the value for the Title field. Click OK. Technical Document 10

12 CONFIGURE THE SSL VPN PORTAL POLICIES 1. On the Policy pane, select SSL VPN Portal Policies. Right click on the SSL VPN Portal Policy pane and select New SSL VPN Portal Policy. Populate the General tab and click OK. 2. Right click on the SSL VPN Portal Policies entry that was just created and select Edit SSL VPN Portal Policy <name> 3. Right click on Discall all > Add Rule. 4. Using the Resources pane values, populate the newly created rule with the SSL VPN Portal Service and Authentication values previously configured. Technical Document 11

13 5. Save the policy by clicking the Save icon in the navigation bar. CONFIGURE THE SSL VPN PORTAL 1. In the policy pane, select SSL VPN Portals. Right click in the SSL VPN Portal Pane (right side) and select New SSL VPN Portal. 2. On the General tab, enter the name, select the SAHPORTAL SSL VPN Portal Policy, enter the hostname that your SSL VPN NGFW will resolve to. This should be the IP Address selected under the NGFW Engine properties previously defined. Upload certificates or select Use Self- Signed Certificate. Technical Document 12

14 3. Select the Look & Feel tab. Enter the Title for the SSLVPN Portal. 4. Select the Target Engine tab. Click the ADD button. Right click the Target Engine column and select Edit Target Engine. Select the SAH engine and click Select. Click OK. Technical Document 13

15 TESTING THE SSL VPN LOGGING IN AND TESTING LINKS 1. Open a browser and enter in the address bar. 2. Log in with John Gero s login info: johngero and the password entered previously. 3. Click on the link to access Http_WebServer1. Technical Document 14

16 4. Verify the link opens and note the address bar. 5. The address bar appends the name to the URL ( Server1 ). This is the External URL Prefix that was configured in the SSL VPN Portal Services policy. 6. Test the HTTPSERVER 2 connection. Test the SSL VPN with SSO Domains and different policies to limit access and customize SSL VPN users experience! Technical Document 15

17 SSL VPN Troubleshooting OVERVIEW With troubleshooting, most issues need to go through a process. Below is the overview: 1. Did the traffic make it to the correct Firewall? 2. Did the firewall accept the traffic? 3. Now what? DID THE TRAFFIC MAKE IT TO THE CORRECT FIREWALL? 1. Verify in the logs that the packets are not being dropped. 2. Verify that connectivity is not an issue: ping, traceroute, and other connectivity issues need to be tested. DID THE FIREWALL ACCEPT THE TRAFFIC? 1. If they are, ensure that the correct interface is Enabled in the Endpoints configuration located under the Engine Properties. 2. Ensure that the correct SSL VPN port is correct in the Configuration> VPN> SSL VPN Portal configuration. 3. Review the logs for any related connectivity logs. Technical Document 16

18 NOW WHAT? 1. Can you login? Verify the password for the end user. 2. Ensure that the IP and Host name specified under: Configuration > VPN > SSL VPN Portal > SSL VPN Portals has the correct hostname or IP. If you are using a public IP address, ensure it does resolve to the hostname in the http header. This issue will manifest will manifest while logging into the portal: 3. Ensure you have the latest firmware installed. This will rule out possible bugs and compatibility issues. (Optional) 4. Verify the TLS version your browser supports. The default TLS entries for the SSL VPN are below: Contact FORCEPOINT Support for issues related to the FORCEPOINT NGFW. We are here to help! Technical Document 17