How to Configure Mobile VPN for Forcepoint NGFW
TECHNICAL DOCUMENT
Table of Contents

Table of Contents ........................................... 1
Background .................................................. 2
Windows Server Configuration Steps .......................... 2
Configuring User Authentication ............................. 3
    Active Directory Server ................................. 3
    LDAP Domain ............................................. 4
Defining the Firewall VPN Settings .......................... 6
    End-Points .............................................. 6
    VPN Sites ............................................... 7
    DHCP Server ............................................. 7
    VPN Client Settings ..................................... 8
Configuring the VPN ......................................... 10
    VPN Profile ............................................. 10
    VPN Element ............................................. 12
    Enable VPN Site for Mobile VPN .......................... 14
Adding Access Rules to Allow Mobile VPN Users Connections ... 15
    Access Rule ............................................. 15
Checking the Configuration .................................. 15

Technical Document 1
Background

This document provides a Forcepoint NGFW mobile VPN configuration example. In this example we use Windows Server 2012 R2 for user authentication: Active Directory (AD) was used as the directory service, and Network Policy Server (NPS) as the authentication service. The Windows Server 2012 R2 DHCP Server was used to assign IP addresses to the VPN client virtual adapters. AD, NPS and DHCP Server are all included in Windows Server 2012 R2. An introduction to these features is outside the scope of this document; consult Microsoft's documentation for further instructions.

The following versions (and respective IP addresses) were used when writing this document:

- Security Management Center (SMC) 6.2.0: 192.168.1.10
- Next Generation Firewall (NGFW) 6.2.0: 192.168.1.1 (internal interface), 192.168.254.10 (external interface)
- VPN client for Windows 6.1.0: 192.168.254.121
- Windows Server 2012 R2: 192.168.1.40

Windows Server Configuration Steps

1. Enable the NPS in Windows Server 2012 R2.
2. Register the NPS in your AD.
3. Add the Forcepoint NGFW engine as a RADIUS client in the NPS.
4. Create a Connection Request Policy.
5. Enable dial-in for the end users.
6. Add a user account for the SMC components to allow bind access to the AD. In this scenario we are going to use Administrator credentials.

For a more detailed reference, the Network Policy Server has been configured beforehand following the instructions in the KB article below: https://support.forcepoint.com/kbarticle?id=how-to-configure-active-Directory-NPS-authentication-for-Next-Generation-Firewall

In this setup it is also required to configure the DHCP server in Windows Server. A new scope must be configured as shown in the figure below.
Configuring User Authentication

In this section we go through how to set up user authentication using NPS authentication on Windows Server 2012 R2. On the SMC we will need to configure an Active Directory Server element and an LDAP Domain for AD.

ACTIVE DIRECTORY SERVER

To define external authentication we first need to configure the Active Directory Server element.

1. Configuration > User Authentication > Servers > New > Active Directory Server
2. In the General tab we define the IP address, port and LDAP settings for the Active Directory Server. Object Classes and Attributes are kept at their default values.
3. On the Authentication tab the RADIUS settings used with Network Policy Server are defined. The Shared Secret is the same one used in NPS when defining the NGFW engine as a RADIUS client.
LDAP DOMAIN

Next we configure the LDAP Domain for the Active Directory Server.

1. Configuration > User Authentication > Users > New > New External LDAP Domain
2. The Active Directory Server element created in the previous step is added to Bound Servers. We also enable the Default LDAP Domain setting to allow users to log in with just their username. Without this option users would need to use the <username>@<ldapdomain> syntax in the username field. It is possible to configure more domains; in that case users need to use <ldapdomain> to select the domain they want to authenticate to.
3. Since the built-in Network Policy Server authentication method is used, we set it as the Authentication Method on the Default Authentication tab.
4. Configuration > User Authentication > Users > Configured Domain. You should now be able to browse the Windows Server 2012 R2 directory from the SMC GUI.
Defining the firewall VPN settings

In this section we define the VPN settings in the firewall properties. This includes VPN end-points, sites, and VPN client settings.

END-POINTS

VPN end-points define the IP address that VPN clients connect to when they establish a VPN tunnel.

1. Open firewall Properties > VPN > End-Points
2. In this setup we have only one external end-point, so we enable that.
3. In this example all VPN types are enabled, allowing users to connect with the Forcepoint VPN client using either IPsec or SSL VPN tunnelling, or with a browser (SSL VPN Portal).
VPN SITES

VPN Site elements define the traffic selectors, i.e. the IP addresses that can be reached through the VPN when the tunnel between the VPN client and the NGFW engine is up and operational.

1. Open firewall Properties > VPN > Sites
2. The VPN site configuration has an Add and update IP addresses based on routing option, with which the SMC creates an automatic site based on the routing configuration. The automatic site includes all networks behind interfaces that do not have a default route configured. In this setup we do not use the automatic site option; instead we define the site manually for the internal network 192.168.1.0/24.

DHCP SERVER

To assign IP addresses to remote clients, an external DHCP Server on Windows Server 2012 R2 is used. The DHCP Server defined here is used later in the VPN Client Settings. Open Configuration > Network Elements > Servers (right-click > New > DHCP Server) and define a Name and IP Address for the DHCP Server.
VPN CLIENT SETTINGS

In the VPN Client settings the VPN types, client device checks and VPN client IP address related settings are defined. The IP address related settings define which IP addresses VPN clients use in the internal network. The recommendation is to use virtual IP addressing, where the VPN client virtual adapters receive an IP address from the company's DHCP server. The other option is to use a NAT pool to translate source IP addresses before sending packets to the network, but this option does not allow the VPN client to provide internal DNS server IP addresses to the operating system. As a result, while connected to the mobile VPN the user cannot resolve the company's internal DNS names unless he/she manually changes the DNS server settings on the OS side.

Under Virtual Address settings, there are three options for DHCP Mode:

Disabled: This option disables use of the virtual adapter, and you'll need to configure a NAT pool in the firewall Advanced VPN settings to dynamically translate the source IP addresses of the connections through the VPN client tunnels. NOTE! This option is available only when VPN Type is set to IPsec VPN, i.e. when the firewall supports VPN client connections only from IPsec clients. Allowing SSL VPN clients to connect requires the use of virtual IP addressing and a DHCP server to assign IP addresses to the VPN client virtual adapters.

Direct: This mode can be used when the DHCP server is in a network directly connected to the firewall. In this mode the firewall acts like a DHCP client, broadcasting the DHCP requests to the local network segment through the interface defined with the Interface setting. If there is more than one DHCP server in the local network, the first DHCP offer is used.

Relay: When this mode is selected, the firewall sends the DHCP requests as unicasts to the defined DHCP server(s) through a local relay agent. The Interface for DHCP Relay setting allows defining the source interface for these unicast DHCP requests. This setting does not affect the routing of the DHCP requests, but it allows the requests to be sent from a specific interface IP address, which the DHCP server can use as a criterion for selecting a specific DHCP pool. Relay mode also allows adding user or group information to the DHCP requests. This could be used on the DHCP server to select a specific DHCP pool or IP address to assign to the VPN client.

When virtual addressing is enabled, the Restrict Virtual Address Ranges and Proxy ARP settings can be enabled:

Restrict Virtual Address Ranges: This option allows defining the IP address range(s) that the firewall will accept for VPN client virtual adapters. Note that this option does not mean that the firewall tells the DHCP server which address range it should assign addresses from. Instead, the firewall rejects the offered IP address if it is not part of the ranges defined with Restrict Virtual Address Ranges, and the VPN negotiation fails. Thus the range(s) defined should match the DHCP pool that the DHCP server uses to assign IP addresses to VPN client virtual adapters.

Proxy ARP: When this option is enabled, the firewall does proxy ARP for the address range(s) defined. The proxy ARP is done dynamically, so the firewall only replies to ARP requests for IP addresses that are currently in use by VPN clients. The Proxy ARP range(s) should also be configured to match the DHCP pool that the DHCP server uses for VPN clients.
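As an added example (not from this document or from Forcepoint), the following Python script models the two behaviours described above: whether a DHCP-offered address passes Restrict Virtual Address Ranges, and when dynamic proxy ARP answers. The scope and range values are constructed; the /26 restrict range is deliberately narrower than the /25 scope to show the mismatch that makes VPN negotiations fail.

```python
from ipaddress import ip_address, ip_network

# Constructed values (the document does not show the scope boundaries).
DHCP_SCOPE = [ip_network("192.168.1.128/25")]       # Windows DHCP scope for VPN clients
RESTRICT_RANGES = [ip_network("192.168.1.128/26")]  # deliberately narrower than the scope
PROXY_ARP_RANGES = [ip_network("192.168.1.128/25")]


def in_ranges(addr, ranges):
    """True when addr falls inside any configured range."""
    return any(ip_address(str(addr)) in net for net in ranges)


def accept_dhcp_offer(offered, restrict_ranges=RESTRICT_RANGES):
    """The firewall keeps the offer only if it is inside the restrict ranges;
    otherwise the offer is rejected and the client's VPN negotiation fails."""
    return in_ranges(offered, restrict_ranges)


def scope_addresses_rejected(scope=DHCP_SCOPE, restrict_ranges=RESTRICT_RANGES):
    """Scope addresses that could be offered but that the firewall would reject.
    A non-empty result means the restrict ranges do not match the DHCP pool."""
    return [str(h) for net in scope for h in net.hosts()
            if not in_ranges(h, restrict_ranges)]


def should_answer_arp(target, active_leases, proxy_ranges=PROXY_ARP_RANGES):
    """Proxy ARP is dynamic: reply only for an address inside the proxy ARP
    ranges that is currently leased to a connected VPN client."""
    return in_ranges(target, proxy_ranges) and str(ip_address(target)) in set(active_leases)


if __name__ == "__main__":
    bad = scope_addresses_rejected()
    print(f"{len(bad)} scope addresses would be rejected, first: {bad[:2]}")
    print("offer 192.168.1.190 accepted:", accept_dhcp_offer("192.168.1.190"))
```

Running it with matching values (`scope_addresses_rejected(restrict_ranges=DHCP_SCOPE)`) returns an empty list, which is the state to aim for before enabling the option.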
In this example configuration we used the firewall's internal DHCP server, which can be used with single-node firewall installations. With cluster installations an external DHCP server has to be used.

1. Open firewall Properties > VPN > VPN Client
2. In the VPN Client settings we enable the gateway to support connections from IPsec. In DHCP Server we include the DHCP Server already configured on Windows Server 2012. We also configure Restrict Virtual Address Ranges and Proxy ARP to match the DHCP pool that the internal DHCP server uses.
Configuring the VPN

Now that we have defined the VPN settings in the firewall properties, we can create the VPN Profile and VPN elements.

VPN PROFILE

The VPN Profile contains the settings related to authentication, integrity checking, and encryption of the IPsec VPN tunnel. In this example configuration we used a customized version of the built-in iOS Suite profile.

1. Configuration > VPN > Other Elements > Profiles > VPN Profiles > right-click the iOS Suite profile element > New > Duplicate
2. For the IKE SA we used the settings shown in the picture below.
3. For the IPsec SA the settings below were used.
4. On the IPsec Client tab the following settings were used to allow hybrid authentication, where the firewall authenticates to the VPN client using an RSA certificate, and the user (VPN client) authenticates to the firewall using an AD username and password.
VPN ELEMENT

Next we create the VPN element that will be used in the access rule that allows mobile VPN connections.

1. Configuration > VPN > Policy-Based VPNs > New > Policy-Based VPN
2. In the Policy-Based VPN Properties we define the name for the VPN element and select the VPN Profile that we created above.
3. On the Site-to-Site tab we add our VPN gateway under Central Gateways.
4. On the Mobile VPN tab we can use the Only Central Gateways from overall topology setting.
5. On the Tunnels tab, check that the validity is marked green.
ENABLE VPN SITE FOR MOBILE VPN

Now that the VPN element is created, we need to make sure that the VPN site we created earlier is enabled for the newly created mobile VPN.

1. Open firewall Properties > VPN > Sites
2. In the VPN site element properties, on the VPN References tab (on the right, right-click the site > Properties > VPN References tab), verify that the site is enabled for the mobile VPN just created and that it is set to Normal mode.
Adding access rules to allow mobile VPN users connections

The last step is to define the access rules that allow connections through the mobile VPN tunnels. When creating an access rule for mobile VPN traffic, keep in mind that the Users and Authentication Methods definitions in the Authentication cell are used as additional matching criteria. Other rules that match connections based on the source and destination IP address and the service can also match connections coming through the mobile VPN tunnel, thus possibly allowing or discarding traffic incorrectly. If you have rules for internal network host traffic that also match the VPN client connections based on IP address and service information, you can use the Source VPN cell to prevent these rules from matching connections from VPN clients, by enabling the Match traffic based on source VPN setting and selecting the Rule does not match traffic from any VPN option.

ACCESS RULE

In our example setup we allow all traffic from mobile VPN clients to the Internal Zone (the internal network on the NGFW Engine) when the user has been authenticated using the Network Policy Server authentication method and the user belongs to the Mobile VPN Users Active Directory group.

1. Configuration > NGFW > Policies > Firewall Policies > open the firewall policy for editing
2. The following access rule was added to allow mobile VPN users to access the internal network when the connection comes through the Mobile_VPN_01 tunnel, the user is part of the VPN_Users AD group, and the user was authenticated using the Network Policy Server authentication method.

Checking the Configuration

We assume the VPN Client is already installed on the host from which we are going to test the connection. From the client on the external network, launch the VPN Client and ensure there is a gateway configured: the external interface of the NGFW Engine. Click the Connection button and enter the user credentials (username and password) of a user already configured in the Windows Server 2012 R2 AD.
The connection steps should complete as in the following screen. By clicking Details it is possible to see parameters and information related to the Virtual Interface (IP address assigned by the internal DHCP server, etc.) as well as the IPsec SA related parameters. Using the SMC, it is possible to monitor the IPsec SAs by right-clicking the NGFW engine, then Monitoring > VPN SAs.
By checking the content of /proc/stonegate/auth/usertable it is possible to see the users logged in to the NGFW. Here the user account is user1, which is part of the VPN_Users group in AD, using IP address 192.168.1.190.
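The Source VPN pitfall described under "Adding access rules" above, as an added example in Python (not the document's or Forcepoint's code): a simplified model of top-down rule matching in which the rule names, the internal-hosts rule and the connection details are constructed, while Mobile_VPN_01, VPN_Users and the Network Policy Server method come from the example configuration. Because the VPN client's virtual adapter address (192.168.1.190 in this document) lies inside 192.168.1.0/24, an internal-network rule placed above the mobile VPN rule catches the VPN client's traffic unless its Source VPN cell excludes VPN traffic.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

NO_VPN = "Rule does not match traffic from any VPN"  # Source VPN cell option

# source_vpn: name of the VPN the connection arrived through, None for plain traffic.
Connection = namedtuple("Connection", "src dst service source_vpn auth_method groups",
                        defaults=(None, None, frozenset()))
# source_vpn: None (cell not set), NO_VPN, or a VPN element name.
# auth_method / user_group: the Authentication cell, additional criteria only.
Rule = namedtuple("Rule", "name src dst service action source_vpn auth_method user_group",
                  defaults=(None, None, None))

def matches(r, c):
    """Does rule r match connection c? Address/service criteria apply to VPN traffic too."""
    if ip_address(c.src) not in ip_network(r.src) or ip_address(c.dst) not in ip_network(r.dst):
        return False
    if r.service != "ANY" and c.service != r.service:
        return False
    if r.source_vpn == NO_VPN and c.source_vpn is not None:
        return False
    if r.source_vpn not in (None, NO_VPN) and c.source_vpn != r.source_vpn:
        return False
    if r.auth_method and c.auth_method != r.auth_method:
        return False
    return not r.user_group or r.user_group in c.groups

def decide(rules, conn):
    """Top-down evaluation: name and action of the first matching rule."""
    for r in rules:
        if matches(r, conn):
            return r.name, r.action
    return None, "Discard"

# Constructed data (not from the document): a VPN client whose virtual adapter
# received 192.168.1.190 opens SSH to the internal server 192.168.1.40.
MOBILE_VPN_RULE = Rule("mobile-vpn-users", "0.0.0.0/0", "192.168.1.0/24", "ANY", "Allow",
                       source_vpn="Mobile_VPN_01", auth_method="Network Policy Server",
                       user_group="VPN_Users")
VPN_CLIENT = Connection("192.168.1.190", "192.168.1.40", "SSH", source_vpn="Mobile_VPN_01",
                        auth_method="Network Policy Server", groups=frozenset({"VPN_Users"}))

def policy_decision(exclude_vpn):
    """An internal-hosts rule above the mobile VPN rule, with or without Source VPN set."""
    internal = Rule("internal-hosts-no-ssh", "192.168.1.0/24", "192.168.1.0/24", "SSH",
                    "Discard", source_vpn=NO_VPN if exclude_vpn else None)
    return decide([internal, MOBILE_VPN_RULE], VPN_CLIENT)
```

`policy_decision(False)` returns the internal-hosts rule with Discard, i.e. the VPN user is blocked by a rule never meant for VPN traffic; `policy_decision(True)` lets the mobile VPN rule decide and returns Allow.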