VNS3 Configuration. Quick Launch for first time VNS3 users in Azure


Table of Contents
- Setup
- Notes
- Create a Static IP
- Create a Network Security Group
- Launch VNS3 from Marketplace
- VNS3 Unencrypted VLAN Setup
- Next: Configuration

Setup

Requirements
- You have an Azure account (for a free Azure trial, visit http://azure.microsoft.com/en-us/pricing/free-trial).
- You have the ability to configure a client (desktop based or cloud based) to use the OpenVPN TLS VPN client software.
- You have a compliant IPsec firewall/router networking device:
  - Preferred: most models from Cisco Systems*, Juniper, WatchGuard, Dell SonicWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, Palo Alto Networks, Openswan, pfSense, and Vyatta.
  - Best effort: any IPsec device that supports IKEv1 or IKEv2; AES-256, AES-128 or 3DES; SHA-1 or MD5. Where the peer offers a choice, prefer AES over 3DES and SHA-1 over MD5: 3DES and MD5 are legacy algorithms kept for compatibility only.
  - *Known exclusions: Check Point R65+ requires native IPsec connections, because Check Point does not conform to the NAT-Traversal standards; Cisco ASA 8.4(2) through 8.4(4) have bugs that prevent a stable connection from being maintained.

Getting Help with VNS3
This guide covers a very generic VNS3 setup in the Azure cloud using the latest Resource Manager workflow. The classic Azure portal can be used, but there are some use-case restrictions given its limited controls. If you need specific help with project planning, POCs, or audits, contact our professional services team via sales@cohesive.net for details. Please review the VNS3 Support Plans and Support Site FAQ before opening a ticket.

Firewall Considerations
VNS3 Controller instances use the following TCP and UDP ports:
- UDP 1194: client VPN connections; must be reachable from every server that will join the VNS3 topology as an overlay client.
- UDP 1195-1203: tunnels between Controller peers; must be reachable from all peers in a given topology. VNS3:vpn and VNS3:net Lite Edition do not need UDP 1195-1197 opened, as those editions are not licensed for Controller peering.
- TCP 8000: HTTPS admin interface. Must be reachable from the hosts you will use to obtain runtime status or configure peering, open between the Controllers themselves at least while peering is set up, and reachable when downloading credentials for installation on overlay network clients. Limit the source to those hosts rather than the whole Internet.
- UDP 500: IKE (Internet Key Exchange), the phase 1 component of an IPsec VPN connection.
- IP protocol 50 (ESP) and possibly UDP 4500: ESP (Encapsulating Security Payload) carries the phase 2 traffic. Native ESP (protocol 50) is used when negotiating without NAT-Traversal; once NAT-Traversal is detected, UDP 4500 carries both the remainder of the IKE exchange and the UDP-encapsulated ESP packets.*

*Azure allows protocol 50 past its edge, but at the time of this document's publication the Network Security Group configuration could not express ESP on its own, so the rule has to allow all protocols between the specific IPsec peer source IP and the VNS3 Controller NIC/subnet. Keep that rule scoped to the single peer address.
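The same port list, expressed as a Network Security Group so that each rule is scoped to the source that actually needs it. This is an added example built with the Az PowerShell module, not code from the Cohesive Networks guide or the VNS3 product. The resource group, VNet and subnet names, the management range 203.0.113.0/24 and the IPsec peer address 198.51.100.7 are assumed placeholders; run Connect-AzAccount first.

```powershell
# Added example (not from the Cohesive Networks guide). Builds the Network Security
# Group described above with the Az PowerShell module (Install-Module Az). Names,
# the resource group, location and the three source prefixes are assumed
# placeholders; replace them with your own values. Requires Connect-AzAccount.

$rg          = 'vns3-rg'            # resource group used for the deployment (assumed)
$location    = 'eastus'             # assumed region
$nsgName     = 'vns3-nsg'
$adminCidr   = '203.0.113.0/24'     # hosts allowed to reach the HTTPS admin UI (assumed)
$peerPrefix  = '10.10.10.240/28'    # VNS3 Controller subnet from this guide; peers live here
$ipsecPeerIp = '198.51.100.7'       # public IP of the on-premises IPsec gateway (assumed)

$rules = @(
    # TCP 8000: HTTPS admin UI, restricted to management addresses, not the whole Internet.
    New-AzNetworkSecurityRuleConfig -Name 'allow-admin-https' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $adminCidr -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 8000

    # UDP 1194: OpenVPN overlay clients. Open to any source because clients may sit in
    # other clouds or on premises; narrow the source if you know their addresses.
    New-AzNetworkSecurityRuleConfig -Name 'allow-overlay-clients' -Priority 110 -Direction Inbound -Access Allow `
        -Protocol Udp -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 1194

    # UDP 1195-1203: Controller-to-Controller peering. Not needed for Lite editions.
    New-AzNetworkSecurityRuleConfig -Name 'allow-controller-peering' -Priority 120 -Direction Inbound -Access Allow `
        -Protocol Udp -SourceAddressPrefix $peerPrefix -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange '1195-1203'

    # UDP 500 (IKE) and UDP 4500 (NAT-T) from the IPsec peer only.
    New-AzNetworkSecurityRuleConfig -Name 'allow-ipsec-ike-natt' -Priority 130 -Direction Inbound -Access Allow `
        -Protocol Udp -SourceAddressPrefix $ipsecPeerIp -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange @('500', '4500')

    # Native ESP is IP protocol 50, neither TCP nor UDP. The guide notes that an NSG
    # could only express this as "all protocols", so the rule is pinned to the one
    # peer address. Current Az.Network releases also accept -Protocol Esp.
    New-AzNetworkSecurityRuleConfig -Name 'allow-ipsec-esp' -Priority 140 -Direction Inbound -Access Allow `
        -Protocol * -SourceAddressPrefix $ipsecPeerIp -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
)
# No rule for TCP 22: the Remote Support flow adds it only for the life of a ticket,
# and the NSG's built-in DenyAllInBound rule covers everything not listed above.

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name $nsgName -SecurityRules $rules

# Attach the NSG to the Controller subnet created in this guide (VNet name assumed).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vns3-vnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'vns3' -AddressPrefix $peerPrefix `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review the result: expect the five rules above and nothing on port 22.
$nsg | Get-AzNetworkSecurityRuleConfig |
    Select-Object Name, Priority, Protocol, SourceAddressPrefix, DestinationPortRange
```

The priorities leave gaps so that a temporary SSH rule for Remote Support can be slotted in (for example at 150) and removed again without renumbering anything else.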

Address Considerations
VNS3 requires an Overlay Network subnet to be specified as part of the configuration process. Use of the Overlay Network is optional, but it provides improvements in security, address mobility, and performance. Your VLAN CIDR and subnets cannot overlap with the VNS3 Overlay Network subnet. The Azure cloud does allow virtual machine instances to act as network gateways for unencrypted VLAN traffic. Routing traffic from the unencrypted Azure VLAN instead of using the encrypted Overlay Network requires configuring Azure Route Tables and enabling IP Forwarding. Route Tables are configurable via PowerShell, Azure CLI, and the Azure UI; at the time of writing, IP Forwarding was configurable via PowerShell only. See the Unencrypted VLAN Setup section at the end of this document for more details.

Virtual Network Addressing - Don't Overlap with VNS3 Overlay
Microsoft Virtual Networks provide an isolated address space within the Azure cloud where you run your VMs. Virtual Networks let you define address spaces, and their associated Network Security Groups enforce access control policies in the hypervisor firewall. Cohesive Networks recommends creating a separate Virtual Network subnet for the VNS3 Controllers, distinct from the subnet or subnets defined for the application VMs.

NOTE: The Azure VLAN CIDR you configure CANNOT overlap with the VNS3 Overlay Network you create during configuration of your VNS3 Controller VM.

Cohesive Networks typically recommends a small subnet at the top of the Virtual Network range for the VNS3 Controller(s). You can then segment the lower part of the range for your application VMs, in a single subnet or in one subnet per VM role (web server, app server, db, etc.). The /24 (256 addresses) Azure Virtual Network used in this example deployment is segmented as follows:

Azure Virtual Network: 10.10.10.0/24
- VNS3 Controller subnet: 10.10.10.240/28
- open: 10.10.10.224/28
- open: 10.10.10.192/27
- open: 10.10.10.128/26
- application subnet: 10.10.10.0/25
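The overlap rule above is easy to get wrong when the overlay subnet is chosen late, after the VNet and the on-premises networks are fixed. The following is an added example, not code from the Cohesive Networks guide or the VNS3 product, that checks an address plan offline in plain PowerShell before the Controller is initialised. The VNet and subnet values are this guide's; the overlay subnet 172.31.1.0/24 and the remote network 192.168.100.0/24 are assumed placeholders. It also checks that remote IPsec networks do not overlap the VNet, which the route table in the Unencrypted VLAN setup later depends on.

```powershell
# Added example, not part of the Cohesive Networks guide. Checks a VNS3 address plan
# offline. Pure PowerShell (Windows PowerShell 5.1 or PowerShell 7); no Azure module
# needed. VNet and subnets are this guide's values; the overlay subnet and remote
# IPsec network used at the bottom are assumed placeholders.

function ConvertTo-Int64Address {
    # Turn a dotted-quad IPv4 string into an integer so address ranges can be compared.
    param([Parameter(Mandatory)][string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "IPv4 address expected: $Ip"
    }
    $b = $addr.GetAddressBytes()   # network byte order
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-CidrRange {
    # First and last address of a CIDR block as integers. Host bits of the given
    # address are masked off, so 10.10.10.5/24 is treated as 10.10.10.0/24.
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2 -or $parts[1] -notmatch '^\d{1,2}$') { throw "Not an IPv4 CIDR: $Cidr" }
    $prefix = [int]$parts[1]
    if ($prefix -gt 32) { throw "Prefix length out of range: $Cidr" }
    $size  = [int64][math]::Pow(2, 32 - $prefix)
    $mask  = 4294967295 - ($size - 1)
    $start = (ConvertTo-Int64Address $parts[0]) -band $mask
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    # True when the two blocks share at least one address.
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $ra = Get-CidrRange $A
    $rb = Get-CidrRange $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

function Test-Vns3AddressPlan {
    # Returns a list of problems; an empty list means the plan is consistent.
    param(
        [Parameter(Mandatory)][string]$VnetCidr,
        [Parameter(Mandatory)][string[]]$VnetSubnets,
        [Parameter(Mandatory)][string]$OverlayCidr,
        [string[]]$RemoteNetworks = @()
    )
    $problems = @()
    $vnet = Get-CidrRange $VnetCidr

    # Every Azure subnet must lie inside the Virtual Network address space,
    # and subnets must not overlap one another.
    foreach ($s in $VnetSubnets) {
        $r = Get-CidrRange $s
        if ($r.Start -lt $vnet.Start -or $r.End -gt $vnet.End) { $problems += "subnet $s is outside VNet $VnetCidr" }
    }
    for ($i = 0; $i -lt $VnetSubnets.Count; $i++) {
        for ($j = $i + 1; $j -lt $VnetSubnets.Count; $j++) {
            if (Test-CidrOverlap $VnetSubnets[$i] $VnetSubnets[$j]) {
                $problems += "subnets $($VnetSubnets[$i]) and $($VnetSubnets[$j]) overlap"
            }
        }
    }

    # The Overlay Network must not overlap the VNet or any network reached over IPsec,
    # and those remote networks must not overlap the VNet either, or a route table
    # pointing the remote prefix at VNS3 would capture local traffic too.
    foreach ($n in (@($VnetCidr) + $RemoteNetworks)) {
        if (Test-CidrOverlap $OverlayCidr $n) { $problems += "overlay $OverlayCidr overlaps $n" }
    }
    foreach ($n in $RemoteNetworks) {
        if (Test-CidrOverlap $VnetCidr $n) { $problems += "remote network $n overlaps VNet $VnetCidr" }
    }
    return $problems
}

# This guide's plan, plus an assumed overlay subnet and an assumed remote LAN.
$problems = @(Test-Vns3AddressPlan -VnetCidr '10.10.10.0/24' `
    -VnetSubnets @('10.10.10.240/28', '10.10.10.0/25') `
    -OverlayCidr '172.31.1.0/24' -RemoteNetworks @('192.168.100.0/24'))
if ($problems.Count -eq 0) { 'address plan OK' } else { $problems }
```

Re-run the check with the overlay set to something inside 10.10.0.0/16 and it reports the overlap against the VNet; run it again each time a new IPsec peer network is added, since a later site can collide with an overlay chosen years earlier.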

Remote Support
Note that TCP 22 (SSH) is not required for normal operation. Each VNS3 Controller runs a restricted SSH daemon, with access limited to Cohesive for debugging purposes and controlled by the user via the Remote Support toggle and key exchange generation. In the event Cohesive needs to observe the runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and to enable Remote Support via the Web UI. Cohesive will send you an encrypted passphrase used to generate a private key that Cohesive Support staff use to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed, disable remote support access, invalidate the access key, and remove the SSH rule from the Security Group again.

Launch VNS3

From External Azure Marketplace
VNS3 Free and Lite Edition virtual machine images are available in the Azure Marketplace. To launch from the Marketplace page:
- VNS3 3.5 LTS: https://azure.microsoft.com/en-us/marketplace/partners/cohesive/cohesiveft-vns3-for-azure/#cohesive-vns3-free
- VNS3 4.x (current version): https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cohesive.vns3_4x
Click Get it Now. From the popup, select the VNS3 Edition and click Continue. For access to a private unlicensed VNS3 VM, contact our support team. You'll be redirected to the Azure Portal. Click Create.

From Inside Azure Portal
The same VNS3 Free and Lite Edition images can be found from inside the portal. Click Add. In the resulting window pane, type VNS3 to see all VNS3 Marketplace offerings. For access to a private unlicensed VNS3 VM, contact our support team. Click on the VNS3 Edition and click Create.

Confirm VNS3 Image
The resulting product description window pane has information about the VNS3 product line, benefits, and resources. Make sure Resource Manager is selected as the deployment model (this choice is not offered for newer Azure accounts, which are all Resource Manager accounts). Click Create.

1 - Configure Basics
On the resulting Basics window pane, name your VNS3 VM. Spaces are not allowed, so use hyphens to separate the words of an instance name. Choose Standard (HDD) or Premium (SSD) disk type; this affects the VM sizes offered and your storage costs on Azure. We recommend HDD. The Azure portal requires a username and an SSH key or password. Regardless of what you enter, Cohesive Networks does not provide shell access to customers for VNS3 appliances, so these entries are required but will not be used; supply a throwaway value rather than a credential you use elsewhere. Add the VM to your existing Resource Group. Click OK.

2 - Configure Size
On the resulting Size window pane, choose the VM size. VNS3 should have at least one core and 1.5 GB of memory, so the A2 Basic instance type is a good place to start. Depending on need, VNS3 can be run as a very large instance to provide more throughput for the virtual network, site-to-site connections, firewall rules, or other network functions. Click Select.

3 - Configure Settings
On the Settings window pane, edit:
- Storage: choose whether to use managed disks. Choose No to manage storage yourself and create a new storage account.
- Network: create a new Virtual Network; here we use 10.10.10.0/24. Also create a new Subnet; here we use 10.10.10.240/28. Click OK.
- Public IP address: create a new one and select Static. Click OK.
- Network Security Group: create a new one. Two default rules may appear:
  - Edit and keep TCP 8000, but restrict its source to your management address range rather than the whole Internet where you can.
  - Delete the SSH 22 rule that allows access from all.
  - Add the other optional rules as needed. See Firewall Considerations above for the rules and details.
- Skip Extensions and High Availability. Click OK.

4 - Summary
Review the settings on the Summary window pane. Click OK.

5 - Buy
Review the purchase price and details on the resulting Purchase window pane. Click Buy.

Next: Configuration

VNS3 Configuration Document Links
VNS3 Product Resources: Documentation, Add-ons.
- VNS3 Configuration Instructions (Free & Lite Editions BYOL): instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.
- VNS3 Administration Document: covers the administration and operation of a configured VNS3 Controller. Additional detail is provided on the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.
- VNS3 Troubleshooting: explains the issues most commonly experienced with VNS3.

Optional Set Up: VNS3 Unencrypted VLAN Setup

Unencrypted VLAN Setup
If you choose not to use the Overlay Network, some additional steps are required to allow VNS3 to act as the gateway for the Azure Virtual Network subnet(s). Even if you decide not to use the Overlay Network, you still need to define an Overlay Network address space as part of the initialization. Be sure to choose an address space that DOES NOT overlap with the Azure Virtual Network CIDR or with any remote network you plan to connect to via IPsec VPN. You will need to create an Azure Route Table and enable IP Forwarding for the VNS3 Controller VM.

Create a Route Table
Click Route Tables in the left column menu and click Add. In the resulting Create route table window pane, enter a name and select the resource group created previously. Click Create. Once created, click on the Route Table, then All Settings, then Routes. On the resulting Routes window pane, click Add. In the Add route window pane, enter a Route Name and the Address prefix (the remote network you will reach through the VNS3 IPsec tunnel), set Next hop type to Virtual appliance, and enter the VNS3 Controller's Azure private IP address as the Next hop address. Click Save. A route table has no effect until it is associated with a subnet: associate it with the application VM subnet(s) whose traffic should go through VNS3, not with the VNS3 Controller's own subnet, or the Controller's traffic toward the remote network would be routed back to itself.

Enable IP Forwarding for the VNS3 VM
Enabling IP Forwarding allows the VNS3 Controller VM to pass traffic for which it is neither the source nor the destination of the packet; without it, Azure drops such packets at the Controller's NIC. It is what allows VNS3 to act as a gateway. At the time of this document's publication, IP Forwarding was controllable only via PowerShell. The Azure documentation for IP Forwarding is at https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-udr-how-to/#how-to-manage-routes
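The route table and IP Forwarding steps above, as an added example in Azure PowerShell (Az module); this is not code from the Cohesive Networks guide or the VNS3 product. Resource names, the NIC names, and the remote network 192.168.100.0/24 are assumed placeholders. IP Forwarding can today also be set from the portal and the Azure CLI, but PowerShell is still a convenient way to do both steps, and the subnet association, in one pass.

```powershell
# Added example (not from the Cohesive Networks guide): Route Table, subnet
# association and IP Forwarding for a VNS3 Controller, with the Az PowerShell
# module. Resource names and the remote prefix are assumed placeholders.
# Requires Connect-AzAccount first.

$rg          = 'vns3-rg'              # assumed resource group
$location    = 'eastus'               # assumed region
$vnetName    = 'vns3-vnet'            # assumed VNet name (10.10.10.0/24 in this guide)
$appSubnet   = 'application'          # subnet holding the application VMs
$appPrefix   = '10.10.10.0/25'        # application subnet from this guide
$remoteNet   = '192.168.100.0/24'     # network reached through the VNS3 IPsec tunnel (assumed)
$vns3NicName = 'vns3-controller-nic'  # assumed NIC name of the Controller VM
$appNicName  = 'web01-nic'            # assumed NIC of one application VM, used to verify

# 1. The Controller's Azure private IP becomes the next hop for the remote network.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $vns3NicName
$vns3PrivateIp = $nic.IpConfigurations[0].PrivateIpAddress

# 2. Route table with one route: remote network -> Virtual appliance (VNS3).
$route = New-AzRouteConfig -Name 'to-remote-via-vns3' -AddressPrefix $remoteNet `
    -NextHopType VirtualAppliance -NextHopIpAddress $vns3PrivateIp
$rt = New-AzRouteTable -ResourceGroupName $rg -Location $location -Name 'vns3-routes' -Route $route

# 3. Associate the table with the application subnet, not the Controller's own subnet:
#    a UDR on the VNS3 subnet would send the Controller's tunnel-bound traffic back to itself.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $appSubnet -AddressPrefix $appPrefix `
    -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Enable IP Forwarding on the Controller NIC so Azure delivers packets whose
#    destination is not the NIC's own address instead of dropping them.
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# Verify: the forwarding flag on the Controller, and the effective route an application
# VM now sees for the remote prefix (NextHopType VirtualAppliance, next hop = VNS3).
(Get-AzNetworkInterface -ResourceGroupName $rg -Name $vns3NicName).EnableIPForwarding
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $appNicName |
    Where-Object NextHopType -eq 'VirtualAppliance' |
    Select-Object AddressPrefix, NextHopType, NextHopIpAddress
```

If the effective-route query on the application NIC returns nothing, the table is not associated with that VM's subnet; if it is present but traffic still does not flow, check the NSG on the Controller subnet and the VNS3 firewall before suspecting the IPsec tunnel itself.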