How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT


Table of Contents

Background 2
Windows Server Configuration Steps 2
Configuring User Authentication 3
    Active Directory Server 3
    LDAP Domain 4
Defining the Firewall VPN Settings 6
    End-Points 6
    VPN Sites 7
    DHCP Server 7
    VPN Client Settings 8
Configuring the VPN 10
    VPN Profile 10
    VPN Element 12
    Enable VPN Site for Mobile VPN 14
Adding Access Rules to Allow Mobile VPN Users Connections 15
    Access Rule 15
Checking the Configuration 15

Technical Document 1

Background

This document provides a Forcepoint NGFW mobile VPN configuration example. In this example we use Windows Server 2012 R2 for user authentication: Active Directory (AD) is used as the directory service and Network Policy Server (NPS) as the authentication service. The Windows Server 2012 R2 DHCP Server is used to assign IP addresses to the VPN client virtual adapters. AD, NPS and DHCP Server are all included in Windows Server 2012 R2. An introduction to these features is outside the scope of this document; consult Microsoft's documentation for further instructions.

The following versions (and respective IP addresses) were used when writing this document:

Security Management Center (SMC) 6.2.0: 192.168.1.10
Next Generation Firewall (NGFW) 6.2.0: 192.168.1.1 (internal interface), 192.168.254.10 (external interface)
VPN Client for Windows 6.1.0: 192.168.254.121
Windows Server 2012 R2: 192.168.1.40

Windows Server Configuration Steps

1. Enable the NPS in Windows Server 2012 R2.
2. Register the NPS in your AD.
3. Add the Forcepoint NGFW engine as a RADIUS client in the NPS.
4. Create a Connection Request Policy.
5. Enable dial-in for the end users.
6. Add a user account for the SMC components to allow bind access to the AD. In this scenario we are going to use Administrator credentials.

For a more detailed reference, Network Policy Server has been configured beforehand following the instructions in the KB article https://support.forcepoint.com/kbarticle?id=how-to-configure-active-Directory-NPS-authentication-for-Next-Generation-Firewall.

This setup also requires a DHCP server to be configured on the Windows Server, with a new scope as in the figure below.

Configuring User Authentication

In this section we go through how to set up user authentication using NPS authentication on Windows Server 2012 R2. On the SMC we need to configure an Active Directory Server element and an LDAP Domain for AD.

ACTIVE DIRECTORY SERVER

To define external authentication we first need to configure the Active Directory Server element.

1. Configuration > User Authentication > Servers > New > Active Directory Server
2. In the General tab we define the IP address, port and LDAP settings for the Active Directory Server. Object Classes and Attributes are kept at their default values.
3. On the Authentication tab the RADIUS settings used with Network Policy Server are defined. The Shared Secret is the same one used in NPS when defining the NGFW engine as a RADIUS client.

LDAP DOMAIN

Next we configure the LDAP Domain for the Active Directory Server.

1. Configuration > User Authentication > Users > New > New External LDAP Domain
2. The Active Directory Server element created in the previous step is added to Bound Servers. We also enable the Default LDAP Domain setting to allow users to log in with just their username. Without this option users would need to use the <username>@<ldapdomain> syntax in the username field. It is possible to configure more domains; in that case users need to add the <ldapdomain> suffix to select the domain they want to authenticate to.
3. Since the built-in Network Policy Server authentication method is used, we set it as the Authentication Method on the Default Authentication tab.

4. Configuration > User Authentication > Users > Configured Domain. You should now be able to browse the Windows Server 2012 R2 directory from the SMC GUI.

Defining the Firewall VPN Settings

In this section we define the VPN settings in the firewall properties. This includes VPN end-points, sites, and VPN client settings.

END-POINTS

VPN end-points define the IP address that VPN clients connect to when they want to establish a VPN tunnel.

1. Open firewall Properties > VPN > End-Points
2. In this setup we have only one external end-point, so we enable that.
3. In this example all VPN types are enabled, so users can connect with the Forcepoint VPN Client using either IPsec or SSL VPN tunnelling, or with a browser (SSL VPN Portal).

VPN SITES

VPN Site elements define the traffic selectors, i.e. the IP addresses that can be reached through the VPN when the tunnel between the VPN client and the NGFW engine is up and operational.

1. Open firewall Properties > VPN > Sites
2. The VPN site configuration has an Add and update IP addresses based on routing option, where the SMC creates an automatic site based on the routing configuration. The automatic site includes all the networks behind interfaces that do not have a default route configured. In this setup we do not use the automatic site option; instead we define the site manually for the internal network 192.168.1.0/24.

DHCP SERVER

To assign IP addresses to remote clients, an external DHCP Server on Windows Server 2012 R2 is used. The DHCP Server defined here is referenced later in the VPN Client Settings. Open Configuration > Network Elements > Servers (right-click > New > DHCP Server) and define a Name and IP Address for the DHCP Server.

VPN CLIENT SETTINGS

In the VPN Client settings the VPN types, client device checks and VPN client IP address related settings are defined. The IP address related settings define which IP addresses VPN clients use in the internal network. The recommendation is to use virtual IP addressing, where the VPN client virtual adapters receive an IP address from the company's DHCP server. The other option is to use a NAT pool to translate source IP addresses before sending packets to the network, but this option does not allow the VPN client to provide internal DNS server IP addresses to the operating system, so when a user is connected to the mobile VPN, internal DNS names cannot be resolved unless the user manually changes the DNS server settings on the OS side.

Under Virtual Address settings, there are three options for DHCP Mode:

Disabled: This option disables use of the virtual adapter, and you'll need to configure a NAT pool in the firewall Advanced VPN settings to dynamically translate the source IP addresses of the connections through the VPN client tunnels. NOTE! This option is available only when VPN Type is set to IPsec VPN, i.e. when the firewall accepts VPN client connections only from IPsec clients. Allowing SSL VPN clients to connect requires the use of virtual IP addressing and a DHCP server to assign IP addresses to the VPN client virtual adapters.

Direct: This mode can be used when the DHCP server is in a network directly connected to the firewall. In this mode the firewall acts like a DHCP client, broadcasting the DHCP requests to the local network segment through the interface defined with the Interface setting. If there is more than one DHCP server in the local network, the first DHCP offer is used.

Relay: When this mode is selected, the firewall sends the DHCP requests as unicasts to the defined DHCP server(s) through a local relay agent. The Interface for DHCP Relay setting allows defining the source interface for these unicast DHCP requests. This setting has no effect on the routing of the DHCP requests, but allows the requests to be sent from a specific interface IP address, which the DHCP server can then use as a criterion for selecting a specific DHCP pool. Relay mode also allows adding user or group information to the DHCP requests, which the DHCP server can use to select a specific DHCP pool or IP address to assign to the VPN client.

When virtual addressing is enabled, the Restrict Virtual Address Ranges and Proxy ARP settings can be enabled:

Restrict Virtual Address Ranges: This option allows defining the IP address range(s) that the firewall accepts for VPN client virtual adapters. Note that this option does not make the firewall tell the DHCP server which address range to assign from. Instead, the firewall rejects an offered IP address that is not part of the ranges defined with Restrict Virtual Address Ranges, and the VPN negotiation fails. Thus the range(s) defined should match the DHCP pool that the DHCP server uses to assign IP addresses to VPN client virtual adapters.

Proxy ARP: When this option is enabled, the firewall does proxy ARP for the address range(s) defined. The proxy ARP is done dynamically, so the firewall only replies to ARP requests for IP addresses that are currently in use by VPN clients. The Proxy ARP range(s) should also be configured to match the DHCP pool that the DHCP server uses for VPN clients.

In this example configuration we used the firewall's internal DHCP server, which can be used with single node firewall installations. With cluster installations an external DHCP server has to be used.

1. Open firewall Properties > VPN > VPN Client
2. In the VPN Client settings we enable the gateway to support connections from IPsec. In DHCP Server we include the DHCP Server already configured on Windows Server 2012. We also configure Restrict Virtual Address Ranges and Proxy ARP to match the DHCP pool that the internal DHCP server uses.
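The two range settings above only work if they agree with the DHCP scope, and a mismatch shows up as failed VPN negotiations (Restrict Virtual Address Ranges) or as VPN clients that internal hosts cannot reach (Proxy ARP). The following is an added example, not code from the Forcepoint document or the SMC, that compares a constructed DHCP scope with constructed firewall ranges and reports both kinds of mismatch before the configuration is pushed.

```python
import ipaddress

# Constructed sample values (not taken from the document): the DHCP scope the
# Windows server hands out to VPN clients, and the two firewall range settings.
DHCP_SCOPE = {"start": "192.168.1.150", "end": "192.168.1.199",
              "exclusions": [("192.168.1.150", "192.168.1.159")]}
RESTRICT_RANGES = [("192.168.1.160", "192.168.1.199")]   # Restrict Virtual Address Ranges
PROXY_ARP_RANGES = [("192.168.1.160", "192.168.1.190")]  # Proxy ARP range(s), deliberately too short


def expand(start, end):
    """All addresses from start to end inclusive."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return {ipaddress.ip_address(i) for i in range(int(a), int(b) + 1)}


def assignable_pool(scope):
    """Addresses the DHCP server can actually lease: scope minus exclusions."""
    pool = expand(scope["start"], scope["end"])
    for s, e in scope.get("exclusions", []):
        pool -= expand(s, e)
    return pool


def ranges_to_set(ranges):
    out = set()
    for s, e in ranges:
        out |= expand(s, e)
    return out


def offer_accepted(offered_ip, restrict):
    """Model the firewall's check on one DHCP offer: a lease outside every
    restrict range is rejected and the VPN negotiation fails."""
    return ipaddress.ip_address(offered_ip) in ranges_to_set(restrict)


def check_virtual_addressing(scope, restrict, proxy_arp):
    """Compare the DHCP pool with the firewall ranges. Returns the leases the
    firewall would reject, and the leases it would not answer ARP for (so
    internal hosts could not reach those VPN clients)."""
    pool = assignable_pool(scope)
    rejected = sorted(pool - ranges_to_set(restrict))
    no_arp = sorted(pool - ranges_to_set(proxy_arp))
    return {"rejected_offers": [str(a) for a in rejected],
            "no_proxy_arp": [str(a) for a in no_arp]}


if __name__ == "__main__":
    report = check_virtual_addressing(DHCP_SCOPE, RESTRICT_RANGES, PROXY_ARP_RANGES)
    for key, addrs in report.items():
        print(f"{key}: {len(addrs)} address(es) {addrs[:3]}{' ...' if len(addrs) > 3 else ''}")
```

With the sample values the restrict range matches the leasable pool, but the proxy ARP range stops at .190, so nine leases would be handed out to clients that internal hosts cannot reach.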

Configuring the VPN

Now that we have defined the VPN settings in the firewall properties, we can create the VPN Profile and VPN elements.

VPN PROFILE

The VPN Profile contains settings related to authentication, integrity checking, and encryption of the IPsec VPN tunnel. In this example configuration we used a customized version of the built-in iOS Suite profile.

1. Configuration > VPN > Other Elements > Profiles > VPN Profiles > right-click the iOS Suite profile element > New > Duplicate
2. For the IKE SA settings we used the settings shown in the picture below.

3. For the IPsec SA the settings below were used.
4. On the IPsec Client tab the following settings were used to allow hybrid authentication, where the firewall authenticates to the VPN client using an RSA certificate, and the user (VPN client) authenticates to the firewall using an AD username and password.

VPN ELEMENT

Next we create the VPN element that will be used in the access rule that allows mobile VPN connections.

1. Configuration > VPN > Policy-Based VPNs > New > Policy-Based VPN
2. In the Policy-Based VPN Properties we define the name for the VPN element and select the VPN Profile that we created above.
3. On the Site-to-Site tab we add our VPN gateway under Central Gateways.

4. On the Mobile VPN tab we can use the Only Central Gateways from overall topology setting.
5. On the Tunnels tab check that the validity is marked as green.

ENABLE VPN SITE FOR MOBILE VPN

Now that the VPN element is created, we need to make sure that the VPN site we created earlier is enabled for the newly created mobile VPN.

1. Open firewall Properties > VPN > Sites
2. In the VPN Site element properties, on the VPN References tab (on the right, right-click the site > Properties > VPN References tab), verify that the site is enabled for the mobile VPN just created and is set to Normal mode.

Adding Access Rules to Allow Mobile VPN Users Connections

The last step is to define the access rules that allow connections through the mobile VPN tunnels. It is important to keep in mind when creating an access rule for mobile VPN traffic that the Users and Authentication Methods definitions in the Authentication cell are used as additional matching criteria. However, other rules that match connections based on the source and destination IP address and the service can also match connections coming through the mobile VPN tunnel, possibly allowing or discarding traffic incorrectly. If you have rules for internal network host traffic that also match VPN client connections based on IP address and service information, you can use the Source VPN cell to prevent these rules from matching connections from VPN clients by enabling the Match traffic based on source VPN setting and selecting the Rule does not match traffic from any VPN option.

ACCESS RULE

In our example setup we allow all traffic from mobile VPN clients to the Internal Zone (internal network on the NGFW Engine) when the user has been authenticated using the Network Policy Server authentication method and the user belongs to the Mobile VPN Users Active Directory group.

1. Configuration > NGFW > Policies > Firewall Policies > open the firewall policy for editing
2. The following access rule was added to allow mobile VPN users to access the internal network when the connection comes through the Mobile_VPN_01 tunnel, the user is part of the VPN_Users AD group, and the user was authenticated using the Network Policy Server authentication method.

Checking the Configuration

We assume the VPN Client is already installed on the host from which we are going to test the connection. From the client on the external network, launch the VPN Client, ensuring there is a gateway configured: the external interface of the NGFW Engine. Click the Connection button and enter the user credentials (username and password) of a user already configured in the Windows Server 2012 R2 AD.
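The access rule pitfall described above (a LAN rule that also catches VPN clients because their virtual adapters hold addresses from the internal pool) can be checked before the policy is installed. The following is an added example, not code from the Forcepoint document or the SMC: it models the rule cells the text discusses (source, destination, service, the Source VPN cell and the Authentication cell) with constructed rule names and addresses, assumes first-match evaluation, and shows the same VPN client connection being discarded before and allowed after the Source VPN cell is set on the LAN rule.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass
class Connection:
    src: str
    dst: str
    service: str
    source_vpn: Optional[str] = None    # VPN element the connection arrived through
    auth_method: Optional[str] = None   # authentication method the user passed
    groups: Tuple[str, ...] = ()        # AD groups of the authenticated user

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str
    # Source VPN cell: None = not evaluated; "NO_VPN" = "Rule does not match
    # traffic from any VPN"; otherwise the VPN element the connection must use.
    source_vpn: Optional[str] = None
    auth_method: Optional[str] = None   # Authentication cell: required method
    group: Optional[str] = None         # Authentication cell: required user group

def _in_net(net: str, ip: str) -> bool:
    return net == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def matches(rule: Rule, c: Connection) -> bool:
    vpn_ok = (rule.source_vpn is None
              or (rule.source_vpn == "NO_VPN" and c.source_vpn is None)
              or rule.source_vpn == c.source_vpn)
    return (_in_net(rule.src, c.src) and _in_net(rule.dst, c.dst)
            and rule.service in ("ANY", c.service) and vpn_ok
            and (not rule.auth_method or c.auth_method == rule.auth_method)
            and (not rule.group or rule.group in c.groups))

def evaluate(policy, c: Connection):
    """First-match evaluation (an assumption of this model); returns (rule name, action)."""
    for rule in policy:
        if matches(rule, c):
            return rule.name, rule.action
    return "implicit rule", "discard"

# Constructed policy: a LAN rule placed above the mobile VPN rule.
LAN_BLOCK = Rule("Block LAN to file server", "192.168.1.0/24", "192.168.1.50/32", "SMB", "discard")
MOBILE_VPN_ALLOW = Rule("Mobile VPN users to Internal Zone", "ANY", "192.168.1.0/24", "ANY", "allow",
                        source_vpn="Mobile_VPN_01", auth_method="Network Policy Server", group="VPN_Users")
LAN_BLOCK_FIXED = replace(LAN_BLOCK, source_vpn="NO_VPN")  # Source VPN cell applied

# Constructed connection: a VPN client whose virtual IP comes from the LAN pool.
VPN_CLIENT = Connection("192.168.1.190", "192.168.1.50", "SMB", source_vpn="Mobile_VPN_01",
                        auth_method="Network Policy Server", groups=("VPN_Users",))

if __name__ == "__main__":
    print("before fix:", evaluate([LAN_BLOCK, MOBILE_VPN_ALLOW], VPN_CLIENT))
    print("after fix: ", evaluate([LAN_BLOCK_FIXED, MOBILE_VPN_ALLOW], VPN_CLIENT))
```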

The connection steps should complete as in the following screen. By clicking Details it is possible to see parameters and information related to the Virtual Interface (IP address assigned by the internal DHCP server, etc.) as well as IPsec SA related parameters. Using the SMC it is possible to monitor the IPsec SAs by right-clicking the NGFW engine, then Monitoring > VPN SAs.

By checking the content of /proc/stonegate/auth/usertable it is possible to see the users logged in to the NGFW. Here the user account is user1, which is part of the VPN_Users group in AD, using IP address 192.168.1.190.