How to Configure SSL VPN for Forcepoint NGFW TECHNICAL DOCUMENT

Table of Contents
Overview ... 2
SSL VPN Case Study ... 2
Configure the NGFW Engine ... 5
Add SSL VPN Users ... 6
  ADDING LOCAL USERS TO THE SMC DATABASE ... 6
  ADDING LOCAL USERS TO A USER GROUP ... 7
  DATABASE REPLICATION TO THE NGFW ... 8
Configuration of SSL VPN Policies ... 9
  CONFIGURE SSL VPN PORTAL SERVICES ... 9
  CONFIGURE THE SSL VPN PORTAL POLICIES ... 11
  CONFIGURE THE SSL VPN PORTAL ... 12
Testing the SSL VPN ... 14
  LOGGING IN AND TESTING LINKS ... 14
SSL VPN Troubleshooting ... 16
  OVERVIEW ... 16
  DID THE TRAFFIC MAKE IT TO THE CORRECT FIREWALL? ... 16
  DID THE FIREWALL ACCEPT THE TRAFFIC? ... 16
  NOW WHAT? ... 17
Technical Document 1

Overview
The Forcepoint SSL VPN provides a user with a method to connect to protected resources using Secure Sockets Layer (SSL) via a web browser. This secure VPN method does not require a client to be installed, so it is typically more portable than an IPsec VPN. The purpose of this document is to provide a sample network, a configuration overview, and troubleshooting steps to aid in simple problem resolution.

SSL VPN Case Study
SAH Corporate is a global company which manufactures widgets. With today's travel and mobile-worker strategy, SAH needs a method for employees to connect to resources securely and perform day-to-day tasks. Users travel and work from remote networks, which are considered insecure. SSL VPN using Forcepoint SSL VPN will allow users to connect to internal resources remotely without creating a tunnel.

NETWORK DIAGRAM AND INFORMATION
Relevant User Information:

  USER        USER NAME   DUTY              GROUP
  JOHN GERO   JGERO       SECRETARY         ACCOUNTING
  ELSA SMITH  ESMITH      IT ADMINISTRATOR  CORPORATE SECURITY

Relevant IP Information:

  INTERFACE      IP ADDRESS
  WAN            10.100.0.33
  DMZ            172.16.20.1
  INSIDE         172.16.50.1
  HTTP SERVER 1  172.16.50.101
  HTTP SERVER 2  172.16.50.130

Network Diagram: [figure]

BASIC SSL VPN CONFIGURATION FLOW
Basic SSL VPN configuration is comprised of a few simple steps:
1. Configure the NGFW Engine
2. Configure SSL VPN Policies
3. Test the SSL VPN
4. Troubleshoot connectivity issues

Configure the NGFW Engine
The Next Generation Firewall Engine has two sections that should be reviewed when configuring SSL VPN. To review the Engine configuration, log into the System Management Console (SMC) and follow the steps below:
1. Right click on the Engine that will be configured. Click Properties.
2. Expand VPN > End-Points. Right click the Interface in question and click Properties.
3. Under the VPN Type section, select the radio button for All Types or Selected Types Only. If the latter is selected, select the SSL VPN Portal and Tunnel method. The tunnel mode is not covered in this case study. Click the OK button to close the Properties window.
4. Select the Enable check box. Save and install the policy.

ADD SSL VPN Users
ADDING LOCAL USERS TO THE SMC DATABASE
1. On the SMC Home Page, click the Configuration button.
2. Expand the User Authentication policy section. On the InternalDomain pane, right click the stonegate domain and select New > Internal User.
3. On the General tab, enter the user name in the Name field.
4. Select the Authentication tab.
5. Under Authentication Methods, click Add. Select User Password.
6. Under the Password Properties section, enter the password for the user. Repeat the password for the Confirm Password entry.
7. Click OK.
8. Repeat the process for additional users.

Sample User configuration (Authentication): [screenshot]

ADDING LOCAL USERS TO A USER GROUP
1. Under the Configuration window, expand User Authentication, Users, and select InternalDomain.
2. Right click on the Stonegate internal domain and select New > Internal User Group.

3. Specify the Group name and a comment (optional).
4. Click OK.
5. Drag and drop the users previously created to the Portal_Users group.

DATABASE REPLICATION TO THE NGFW
1. Go to the SMC home page by clicking the HOME icon in the navigation bar.
2. Right click the firewall, go to Options and enable the User DB replication option.

Configuration of SSL VPN Policies
CONFIGURE SSL VPN PORTAL SERVICES
1. On the SMC Home Page, click the Configuration button.
2. On the Navigation pane, expand the VPN section and the SSL VPN Portal section.
3. Click on the SSL VPN Portal Services. Right click on the Policy pane (right side) and select New SSL VPN Portal Service.
4. Select the General tab. Enter the data for the Name, External URL Prefix, and Internal URL. Select the Look and Feel tab. Enter the value for the Title field. Click OK.
5. Create a second entry for New SSL VPN Portal Service. Select the General tab. Enter the data for the Name, External URL Prefix, and Internal URL. Select the Look and Feel tab. Enter the value for the Title field. Click OK.

CONFIGURE THE SSL VPN PORTAL POLICIES
1. On the Policy pane, select SSL VPN Portal Policies. Right click on the SSL VPN Portal Policy pane and select New SSL VPN Portal Policy. Populate the General tab and click OK.
2. Right click on the SSL VPN Portal Policies entry that was just created and select Edit SSL VPN Portal Policy <name>.
3. Right click on Discard all > Add Rule.
4. Using the Resources pane values, populate the newly created rule with the SSL VPN Portal Service and Authentication values previously configured.

5. Save the policy by clicking the Save icon in the navigation bar.

CONFIGURE THE SSL VPN PORTAL
1. In the policy pane, select SSL VPN Portals. Right click in the SSL VPN Portal pane (right side) and select New SSL VPN Portal.
2. On the General tab, enter the name, select the SAHPORTAL SSL VPN Portal Policy, and enter the hostname that your SSL VPN NGFW will resolve to. This should be the IP address selected under the NGFW Engine properties previously defined. Upload certificates or select Use Self-Signed Certificate.

3. Select the Look & Feel tab. Enter the Title for the SSLVPN Portal.
4. Select the Target Engine tab. Click the ADD button. Right click the Target Engine column and select Edit Target Engine. Select the SAH engine and click Select. Click OK.

TESTING THE SSL VPN
LOGGING IN AND TESTING LINKS
1. Open a browser and enter https://10.100.0.33 in the address bar.
2. Log in with John Gero's login info: johngero and the password entered previously.
3. Click on the link to access Http_WebServer1.

4. Verify the link opens and note the address bar.
5. The address bar appends the name to the URL (Server1). This is the External URL Prefix that was configured in the SSL VPN Portal Services policy.
6. Test the HTTP SERVER 2 connection.
Test the SSL VPN with SSO Domains and different policies to limit access and customize the SSL VPN user experience!

SSL VPN Troubleshooting
OVERVIEW
With troubleshooting, most issues need to go through a process. Below is the overview:
1. Did the traffic make it to the correct firewall?
2. Did the firewall accept the traffic?
3. Now what?

DID THE TRAFFIC MAKE IT TO THE CORRECT FIREWALL?
1. Verify in the logs that the packets are not being dropped.
2. Verify that connectivity is not an issue: ping, traceroute, and other connectivity tests need to be performed.

DID THE FIREWALL ACCEPT THE TRAFFIC?
1. If the packets are being dropped, ensure that the correct interface is Enabled in the Endpoints configuration located under the Engine Properties.
2. Ensure that the SSL VPN port is correct in the Configuration > VPN > SSL VPN Portal configuration.
3. Review the logs for any related connectivity logs.

NOW WHAT?
1. Can you log in? Verify the password for the end user.
2. Ensure that the IP and host name specified under Configuration > VPN > SSL VPN Portal > SSL VPN Portals are correct. If you are using a public IP address, ensure it resolves to the hostname in the HTTP header. This issue will manifest while logging into the portal:
3. Ensure you have the latest firmware installed. This will rule out possible bugs and compatibility issues. (Optional)
4. Verify the TLS version your browser supports. The default TLS entries for the SSL VPN are below:

Contact FORCEPOINT Support for issues related to the FORCEPOINT NGFW. We are here to help!
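The three troubleshooting questions above (did the traffic reach the firewall, did the firewall accept it, now what?) and the portal test from "Testing the SSL VPN" can be run from the remote user's machine as one ordered triage. The script below is an added example written for this page; it is not part of the Forcepoint document or the NGFW product. It assumes the case-study WAN end-point 10.100.0.33 on port 443 (replace with your own portal hostname and port); the names ProbeResult, diagnose, probe and supported_tls_versions are the example's own. diagnose() is pure and works on a recorded probe, probe() and supported_tls_versions() actually talk to the portal.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed from the case study: the WAN end-point the portal is reached on.
PORTAL_HOST = "10.100.0.33"
PORTAL_PORT = 443
EXPECTED_ENDPOINT_IP = "10.100.0.33"


@dataclass
class ProbeResult:
    resolved_ip: Optional[str]   # what the portal hostname resolves to (None = no DNS answer)
    tcp_ok: bool                 # a TCP connection to the portal port succeeded
    tls_version: Optional[str]   # negotiated protocol, e.g. "TLSv1.2"; None = handshake failed
    tls_error: Optional[str]     # handshake error text when tls_version is None


def diagnose(r: ProbeResult, expected_ip: str = EXPECTED_ENDPOINT_IP) -> str:
    """Walk the document's three questions in order and report the first
    stage that fails together with the check the document suggests for it."""
    # Stage 1: did the traffic make it to the correct firewall?
    if r.resolved_ip is None:
        return "stage1: portal hostname does not resolve; fix DNS before anything else"
    if r.resolved_ip != expected_ip:
        return (f"stage1: hostname resolves to {r.resolved_ip}, not the SSL VPN end-point "
                f"{expected_ip}; check the hostname/IP under SSL VPN Portals")
    if not r.tcp_ok:
        return ("stage1: no TCP connection to the portal port; check ping/traceroute "
                "and the logs for dropped packets")
    # Stage 2: did the firewall accept the traffic?
    if r.tls_version is None:
        return (f"stage2: TCP connected but the TLS handshake failed ({r.tls_error}); check "
                "that the end-point is Enabled, the portal port, and the TLS versions offered")
    # Stage 3: transport is fine, so what remains is credentials and portal policy.
    return (f"stage3: portal reachable over {r.tls_version}; verify the user's password "
            "and the SSL VPN Portal Policy rules")


def probe(host: str = PORTAL_HOST, port: int = PORTAL_PORT, timeout: float = 5.0) -> ProbeResult:
    """Live probe: resolve, connect, handshake. The case study uses a
    self-signed portal certificate, so certificate verification is turned off
    for this diagnostic only."""
    try:
        resolved = socket.gethostbyname(host)
    except socket.gaierror:
        return ProbeResult(None, False, None, None)
    try:
        raw = socket.create_connection((resolved, port), timeout=timeout)
    except OSError:
        return ProbeResult(resolved, False, None, None)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ProbeResult(resolved, True, tls.version(), None)
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return ProbeResult(resolved, True, None, str(exc))


def supported_tls_versions(host: str = PORTAL_HOST, port: int = PORTAL_PORT,
                           timeout: float = 5.0) -> Dict[str, Optional[bool]]:
    """One handshake per protocol version, pinned with minimum_version ==
    maximum_version, so the portal's accepted versions can be compared with
    what the user's browser offers (troubleshooting step 4). None means the
    local OpenSSL cannot even offer that version; True/False is the portal's answer."""
    results: Dict[str, Optional[bool]] = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
        except (ValueError, ssl.SSLError):
            results[ver.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host):
                results[ver.name] = True
        except (ssl.SSLError, OSError):
            results[ver.name] = False
    return results


if __name__ == "__main__":
    result = probe()
    print(diagnose(result))
    if result.tcp_ok:
        for name, ok in supported_tls_versions().items():
            state = "accepted" if ok else ("rejected" if ok is False else "not offered locally")
            print(f"{name}: {state}")
```

Run it from the same network the user is on: a stage1 result points at DNS, routing or the end-point IP entered under SSL VPN Portals, a stage2 result at the Enabled end-point, the portal port or a TLS version mismatch between browser and portal, and only a stage3 result justifies looking at the user's password and portal policy rules. The per-version table is what you compare against the portal's TLS settings when a browser with an old or very new TLS stack cannot reach the login page.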