Microsoft Azure Configuration. Azure Setup for VNS3


Microsoft Azure Configuration: Azure Setup for VNS3 (2016)

Table of Contents
- Requirements 3
- Create Azure Private VLAN 10
- Launch VNS3 Image from Azure Marketplace 15
- Deliver and launch VNS3 from Azure 22
- VNS3 Configuration Document Links 36

Requirements

- You have an Azure account (for a free Azure trial, visit http://azure.microsoft.com/en-us/pricing/freetrial).
- You have the ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.
- You have a compliant IPsec firewall/router networking device:
  - Preferred: most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.
  - Best Effort: any IPsec device that supports IKEv1 or IKEv2; AES256, AES128 or 3DES; and SHA1 or MD5.

*Known Exclusions: Checkpoint R65+ requires native IPsec connections, as Checkpoint does not conform to NAT-Traversal standards; Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.

Getting Help with VNS3

This guide covers a very generic VNS3 setup in the Azure cloud. If you need specific help with project planning, POCs, or audits, contact our professional services team via sales@cohesive.net for details. Please review the VNS3 Support Plans and Contacts before sending support inquiries.

Firewall Considerations

VNS3 Controller instances use the following TCP and UDP ports.
- UDP port 1194: For client VPN connections; must be accessible from all servers that will join the VNS3 topology as clients.
- UDP ports 1195-1203*: For tunnels between Controller peers; must be accessible from all peers in a given topology.
- TCP port 8000: HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering. It also needs to be open to and from the Controllers, at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.
- UDP port 500: Used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.
- ESP Protocol 50 and possibly UDP port 4500: Protocol 50 is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500** is used for the phase 2 or ESP component of an IPsec VPN connection when using NAT-Traversal encapsulation.

*VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access, as they are not licensed for Controller Peering.
**Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500.

Sizing Considerations

Image Size and Architecture: VNS3 Controller Images are available as 64-bit images to allow the greatest flexibility for your use-case. We recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported, but the performance will depend on the use-case.

Clientpack Key Size: VNS3 Controllers currently generate 1024-bit keys for connecting the clients to the overlay network via the clientpacks. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future releases of VNS3 will provide the user control over key size and cipher during initialization and configuration.

Address Considerations

Restrictions: Your VLAN CIDR and Subnets cannot overlap with the VNS3 Overlay Network Subnet. The Azure public cloud does not currently allow virtual machine instances to act as network gateways for unencrypted VLAN traffic. As a result, when using Azure you must use the Overlay Network when configuring your cloud servers.

Remote Support

Note that TCP 22 (ssh) is not required for normal operations. Each VNS3 Controller runs a restricted SSH daemon, with access limited to Cohesive for debugging purposes and controlled by the user via the Remote Support toggle and key exchange generation. In the event Cohesive needs to observe the runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI. Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access and invalidate the access key.

Create Azure Private VLAN

Create VLAN

Cohesive Networks recommends using a custom Azure Virtual Network or VLAN for all Azure cloud deployments. VLANs provide isolation and additional network configuration settings that may be needed for your use-case. The following VLAN setup is the recommended best practice, using separate subnets for VNS3 Controller instances and cloud server instances. NOTE: The Azure VLAN CIDR you configure CANNOT overlap with the VNS3 Overlay Network you create during configuration of your VNS3 Controller instance.

Create VLAN - Virtual Network Details

On the Azure Portal left menu, choose NEW at the bottom, then select NETWORK SERVICES > VIRTUAL NETWORK > CUSTOM CREATE. This pops up a window allowing you to name your private VLAN. Give the VLAN a name and pick the Azure compute center for it to be created in. NOTE: While Azure VLANs cannot span compute centers, spanning them is one of the key capabilities of VNS3: create an encrypted VNS3 Overlay Network that spans regions as well as clouds. It can also safely peer Azure VLANs between regions, as well as VLANs between clouds. Click the arrow on the lower right to proceed.

Create VLAN - DNS Servers

Unless you are setting up specific DNS servers, no configuration changes are needed on this page. Click the arrow to proceed.

Create VLAN - Virtual Network Address Spaces

On the next page you can specify any Address Space in the private IP address ranges set by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. NOTE: You cannot create VLANs with public IPv4 addresses; VNS3 allows this with its encrypted virtual VLANs. You then create one or more subnets within that address space. In this example two were created. VLAN organization is outside the scope of this document, but there are often advantages to putting the VNS3 instance in a separate subnet from the rest of your deployment. Click the checkbox to finish creating your VLAN.
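The address rules stated in this section and under Address Considerations (RFC 1918 address spaces only, and no overlap between the VLAN and the VNS3 Overlay Network subnet) can be checked before anything is created in the portal. The following is an added example, not part of the Cohesive Networks guide; the function names and every CIDR in it are constructed for illustration.

```python
"""Added example, not from the Cohesive Networks guide: pre-flight check of a
planned Azure virtual network (VLAN) against the address rules in the guide,
namely RFC 1918 address spaces only, subnets inside the address space, and no
overlap with the VNS3 Overlay Network subnet. All CIDRs below are constructed."""
import ipaddress

# Private ranges Azure accepts for a virtual network address space (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _parse(cidr, label, problems):
    """Parse one CIDR, recording a problem instead of raising on bad input."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {cidr!r} is not a valid network: {exc}")
        return None
    if net.version != 4:
        problems.append(f"{label} {cidr!r} is not IPv4; the guide covers IPv4 VLANs only")
        return None
    return net


def check_vlan_plan(address_spaces, subnets, overlay_subnet):
    """Return a list of problems; an empty list means the plan satisfies the rules.

    address_spaces: CIDR strings for the VLAN address space(s).
    subnets:        CIDR strings carved from those spaces (the guide recommends one
                    for VNS3 Controllers and one for cloud servers).
    overlay_subnet: the VNS3 Overlay Network subnet set at Controller initialization.
    """
    problems = []
    spaces = [n for n in (_parse(c, "address space", problems) for c in address_spaces)
              if n is not None]
    nets = [n for n in (_parse(c, "subnet", problems) for c in subnets) if n is not None]
    overlay = _parse(overlay_subnet, "overlay subnet", problems)

    for space in spaces:
        # Rule 1: Azure will not create a VLAN with public IPv4 addresses.
        if not any(space.subnet_of(r) for r in RFC1918):
            problems.append(f"address space {space} is not within an RFC 1918 range")
        # Rule 2: the VLAN CIDR, and so every subnet in it, must not overlap the overlay.
        if overlay is not None and space.overlaps(overlay):
            problems.append(f"address space {space} overlaps the VNS3 overlay {overlay}")

    # Each subnet must sit inside a declared address space, and subnets must not overlap.
    for net in nets:
        if not any(net.subnet_of(space) for space in spaces):
            problems.append(f"subnet {net} is outside every declared address space")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed: a /16 VLAN with Controller and server subnets, overlay from another range.
    print(check_vlan_plan(["10.10.0.0/16"], ["10.10.1.0/24", "10.10.2.0/24"], "172.31.1.0/24"))
    # Constructed failure: a public address space, and an overlay inside the VLAN.
    print(check_vlan_plan(["10.10.0.0/16", "203.0.113.0/24"], ["10.10.1.0/24"], "10.10.5.0/24"))
```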

Launch VNS3 Image from Azure Marketplace

Launch VNS3 - Select VNS3 Image

VNS3 Free and Lite Edition virtual machine images are available in the Azure Marketplace:
- VNS3:vpn Free Edition - https://azure.microsoft.com/en-us/marketplace/partners/cohesive/cohesiveft-vns3-for-azure/#cohesive-vns3-free
- VNS3:net Lite Edition - https://azure.microsoft.com/en-us/marketplace/partners/cohesive/cohesiveft-vns3-for-azure/#cohesive-vns3-lite

To launch an instance of either, on the Azure Portal left menu, choose NEW at the bottom, then select COMPUTE > VIRTUAL MACHINE > FROM GALLERY.

Launch VNS3 - Select VNS3 Image

The FROM GALLERY option pops up a Choose an Image window offering the default Microsoft and operating system vendor images. Scroll to the bottom of the Featured Image list and select the VNS3:vpn Free Edition or VNS3:net Lite Edition image. Click the arrow to proceed.

Launch VNS3 - Virtual Machine Configuration

Give the instance a name; spaces are not allowed, so use hyphens to separate the words of an instance name. Choose your tier of service and instance size. VNS3 should have at least one core and 1.5 GB of memory, so the A1 instance type is a good place to start. Depending on need, VNS3 can be run as a very large instance to provide more throughput for the virtual network, site-to-site connections, firewall rules, or other network functions. The Azure portal requires a username and an SSH key or password. Regardless of what is entered, they will not provide shell access to VNS3 instances, which run as appliances. The most straightforward approach is to leave the default azureuser and enter a meaningless password. After these configuration elements are made, use the proceed arrow in the lower right of the web browser page.

Launch VNS3 - Virtual Machine Configuration

The next page of configuration for the VNS3 instance sets up the network port access rules and lets you choose a VLAN for the instance to be launched in. Azure calls the element that holds this information a Cloud Service; it allows you to launch other (subsequent) instances with the same configuration parameters. You can create a new cloud service and name it, or choose an existing one created previously. The cloud service name must be globally unique, as it serves as a DNS name. The next drop-down box lets you choose from a number of groups: one of the Azure Cloud Computing Centers, an element called an Affinity Group, or a pre-defined VLAN. Most customers will want to have defined a virtual network VLAN for placing their instances in. The topic of Availability Sets is beyond the scope of this document. Endpoints are how Azure describes a set of TCP and UDP port rules. Only TCP and UDP are allowed; other protocols cannot be controlled and, as a rule, are blocked by Azure. At minimum VNS3 needs port 8000 open for the API and the Administrative UI. When complete, select the proceed arrow near the bottom of the web browser page.
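The Firewall Considerations port table and the Endpoints rule stated here (only TCP and UDP can be controlled) together determine which endpoint rules a Controller needs. The following added example, not part of the Cohesive Networks guide, derives that list for a given licensing and IPsec scenario and separates out the native ESP requirement that an Azure endpoint cannot express; the function and parameter names are the example's own.

```python
"""Added example, not from the Cohesive Networks guide: derive the Azure endpoint
rules a VNS3 Controller needs from the guide's Firewall Considerations port table,
and separate out native ESP (IP protocol 50), which an Azure endpoint cannot
express because endpoints only control TCP and UDP."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str  # "TCP" or "UDP" for an Azure endpoint; "ESP" for IP protocol 50
    port: str      # single port, a range such as "1195-1203", or "-" for ESP
    purpose: str


def required_rules(peering_licensed, ipsec, nat_traversal):
    """Return the inbound rules a Controller needs.

    peering_licensed: False for editions without Controller Peering (Free, Lite).
    ipsec:            True when site-to-site IPsec tunnels will terminate here.
    nat_traversal:    True when the IPsec peer uses NAT-Traversal encapsulation.
    """
    rules = [
        Rule("TCP", "8000", "HTTPS admin interface and API; also Controller to Controller for peering"),
        Rule("UDP", "1194", "client VPN connections to the overlay network"),
    ]
    if peering_licensed:
        rules.append(Rule("UDP", "1195-1203", "tunnels between Controller peers"))
    if ipsec:
        rules.append(Rule("UDP", "500", "IKE, IPsec phase 1"))
        if nat_traversal:
            rules.append(Rule("UDP", "4500", "ESP inside NAT-Traversal encapsulation, IPsec phase 2"))
        else:
            rules.append(Rule("ESP", "-", "native ESP, IP protocol 50, IPsec phase 2"))
    return rules


def azure_endpoints(rules):
    """Split rules into those an Azure endpoint can carry (TCP/UDP only) and the rest.

    Anything in the second list cannot be opened through an endpoint, and the guide
    notes that such protocols are, as a rule, blocked by Azure; the remedy the guide
    gives is NAT-Traversal encapsulation on UDP 4500.
    """
    expressible = [r for r in rules if r.protocol in ("TCP", "UDP")]
    not_expressible = [r for r in rules if r.protocol not in ("TCP", "UDP")]
    return expressible, not_expressible


def endpoint_table(rules):
    """Render the expressible rules as 'PROTOCOL PORT purpose' lines for the endpoint form."""
    expressible, _ = azure_endpoints(rules)
    return [f"{r.protocol} {r.port:<9} {r.purpose}" for r in expressible]


if __name__ == "__main__":
    # Constructed scenario: Free Edition Controller terminating a native-IPsec tunnel.
    rules = required_rules(peering_licensed=False, ipsec=True, nat_traversal=False)
    for line in endpoint_table(rules):
        print(line)
    for r in azure_endpoints(rules)[1]:
        print(f"cannot be expressed as an Azure endpoint: {r.purpose}")
```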

Launch VNS3 - Virtual Machine Configuration

The final page before instance launch should not need modification. Ensure that the VM Agent box is checked. Do NOT check the Chef button. Review the legal terms and summary information, and finalize the launch of the instance by clicking the check box at the bottom right of the web browser page.

VNS3 Virtual Machine Details

After clicking the check box you will be returned to the virtual machines page, which shows the instance running in your account. In this example there is only one instance, vns3-free. Click in the Name column on the vns3-free row to be taken to its detail page. If it is the first instance you have launched, you will be taken to the summary Quick Start page with useful links to Azure APIs, SDKs and documentation. Click Skip Quick Start the next time I visit to go straight to the instance detail page in future.

Deliver and launch VNS3 from your Azure Account

Azure Configuration: Create Storage for Template Delivery

Step 1: Create a Microsoft Azure storage account to serve as the destination Cohesive Networks uses to deliver the VNS3 template disk. An Azure account can have many storage accounts. This is where containers (roughly, folders) and the disks for images and instances are stored. You will be creating a dedicated storage account for Cohesive Networks to use to deliver the VNS3 template.

To create a storage account:
1. Log in to the Azure portal.
2. At the bottom of the All Items left side menu, click New, then select Data Services > Storage > Quick Create and fill in:
   - URL: Type a unique storage name. This name must be globally unique across all Azure customers, so do not be surprised if some simple names like mystorage are not accepted.
   - Location/Affinity Group: Select an Azure location.
   - Replication: Select the level of redundancy for the storage account; locally redundant (copy kept in that cloud center) or geo-redundant (a copy moved to another cloud center).
3. Click Create Storage Account.

Azure Configuration: Get Storage Access Keys

Once you see the onscreen notification that the storage account was successfully created, you need to retrieve the storage access keys. At the bottom of the screen you will see a menu item for Manage Access Keys. When you click on it, a pop-up window is created as shown here to the right. Copy the Secondary Access Key and keep it available for sharing with Cohesive Networks so the appropriate VNS3 template can be delivered to your account. (Ideally, paste it into a plain text editor to avoid any changes to characters which might occur in Word, Pages, or OpenOffice.)

Azure Configuration: Create Container for Template

The next step is to create a Container in the Storage account for storing the VNS3 Image Template. Return to the left menu All Items and choose Storage. You will see a list including the storage account created in the previous steps. Click on Containers to see existing containers and to create a new container for storing the template. The next screen shows a list of existing containers and the option to Add a Container; if there are no existing containers, the choice says Create A Container.

Azure Configuration: Create Container for Template

After clicking Add A Container or Create A Container, a window pops up prompting you to create the new container. Provide a descriptive name for the container. This name does not have to be globally unique, and the dash (-) character is allowed. Choose an Access setting of Private (versus Public or Public Blob). Your contractual relationship with Cohesive Networks does not allow sharing the VNS3 template image outside of your company, so the setting should be Private. In this example the container is named vns3-templates.

Azure Configuration: Provide Storage Credentials to Cohesive Networks

Now provide the name of the Storage Account, the Container name, and the Storage Account Secondary Key to Cohesive Networks to enable delivery of a VNS3 template to your account. In our example this would be:
- Storage Account Name: myuniquename23487
- Container Name: vns3-templates
- Secondary Access Key: CoR7Keonnzt1s+MqSm6wkXw2KMDs5fkdtwt7QTE/YZVGuCeObnWqYx1rL1wkVZFD7xrxGiyZ9O2PE2JoN7XdBQ==

Cohesive Networks will use these credentials along with the Azure Cross Platform command line tool to transfer the template from the CFT account to your shared storage account. This will be done with the azure vm upload command, which allows the asynchronous transfer of objects in Azure storage between accounts. When the transfer is complete, Cohesive Networks will prompt you to review the delivered VHD in the shared storage container. When the delivery operation is complete you can regenerate the storage account secondary key to remove Cohesive Networks' access to that storage account.

Azure Configuration: Create VNS3 Image from Storage

In the Azure Portal left menu bar, select Virtual Machines. This display defaults to Instances and shows any running instances in your account. To make the Image needed to create VNS3 Instances, click on the word Images, next to Instances. This screen shows images that have already been created. Below that display, click on the option CREATE AN IMAGE.

Azure Configuration: Create VNS3 Image from Storage

Clicking on CREATE AN IMAGE pops up the window shown to the right. Fill in an Image name identical to the template delivered to the storage container. Select Linux as the Operating System Family, and select the checkbox for "I have run waagent -deprovision on the virtual machine". Then click on VHD URL to browse to the template disk in the storage container (in our example, vns3-templates). Select the VNS3 template from the storage container, then click on the check mark on the Create an image from a VHD pop-up window. When that process completes you will be able to create instances of VNS3 from the image created.

Launch VNS3 - Select VNS3 Image

To launch a VM of the image shared by Cohesive Networks, on the Azure Portal left menu, choose NEW at the bottom, then select COMPUTE > VIRTUAL MACHINE > FROM GALLERY.

Launch VNS3 - Select VNS3 Image

The FROM GALLERY option pops up a Choose an Image window offering the default Microsoft and operating system vendor images. Select My Images, then select the VNS3 image created on page 22. Click the arrow to proceed.

Launch VNS3 - Virtual Machine Configuration

Give the instance a name; spaces are not allowed, so use hyphens to separate the words of an instance name. Choose your tier of service and instance size. VNS3 should have at least one core and 1.5 GB of memory, so the A1 instance type is a good place to start. Depending on need, VNS3 can be run as a very large instance to provide more throughput for the virtual network, site-to-site connections, firewall rules, or other network functions. The Azure portal requires a username and an SSH key or password. Regardless of what is entered, they will not provide shell access to VNS3 instances, which run as appliances. The most straightforward approach is to leave the default azureuser and enter a meaningless password. After these configuration elements are made, use the proceed arrow in the lower right of the web browser page.

Launch VNS3 - Virtual Machine Configuration

The next page of configuration for the VNS3 instance sets up the network port access rules and lets you choose a VLAN for the instance to be launched in. Azure calls the element that holds this information a Cloud Service; it allows you to launch other (subsequent) instances with the same configuration parameters. You can create a new cloud service and name it, or choose an existing one created previously. The cloud service name must be globally unique, as it serves as a DNS name. The next drop-down box lets you choose from a number of groups: one of the Azure Cloud Computing Centers, an element called an Affinity Group, or a pre-defined VLAN. Most customers will want to have defined a virtual network VLAN for placing their instances in. The topic of Availability Sets is beyond the scope of this document. Endpoints are how Azure describes a set of TCP and UDP port rules. Only TCP and UDP are allowed; other protocols cannot be controlled and, as a rule, are blocked by Azure. At minimum VNS3 needs port 8000 open for the API and the Administrative UI. When complete, select the proceed arrow near the bottom of the web browser page.

Launch VNS3 - Virtual Machine Configuration

The final page before instance launch should not need modification. Ensure that the VM Agent box is checked. Do NOT check the Chef button. Review the legal terms and summary information, and finalize the launch of the instance by clicking the check box at the bottom right of the web browser page.

VNS3 Virtual Machine Details

After clicking the check box you will be returned to the virtual machines page, which shows the instance running in your account. In this example there is only one instance, vns3-free. Click in the Name column on the vns3-free row to be taken to its detail page. If it is the first instance you have launched, you will be taken to the summary Quick Start page with useful links to Azure APIs, SDKs and documentation. Click Skip Quick Start the next time I visit to go straight to the instance detail page in future.

VNS3 Configuration Document Links

VNS3 Product Resources - Documentation and Add-ons
- VNS3 Configuration Instructions: Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.
- VNS3 Administration Document: Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.
- VNS3 Docker Instructions: Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.
- VNS3 Troubleshooting: Troubleshooting document that provides explanations of the issues more commonly experienced with VNS3.