How to Configure SSL VPN Portal for Forcepoint NGFW
TECHNICAL DOCUMENT

Table of Contents
Background
Configuration Steps
  Create an SSL VPN Portal Service
  Configure an SSL VPN Portal Policy
  Configure the SSL VPN Portal
  Configure Engine-Specific SSL VPN Portal Settings
  Checking the Configuration
  Monitoring and Logging
Background

This document provides a Forcepoint NGFW SSL VPN Portal configuration example. The SSL VPN Portal was enhanced recently and provides the following benefits for users and NGFW administrators:
- Quick setup of the portal, and access for users without installing a client
- External access to a wider range of intranet URLs without individual client configuration
- Support for JavaScript and common web applications such as SharePoint and Office 365
- Self-signed certificates for easy initial setup

The main use case for the SSL VPN Portal is a remote access solution that works with a standard browser such as Firefox or Chrome. The SSL VPN Portal proxies end-user connections to HTTP-based services in the protected network: the end user is never directly connected to the back-end services, only to the portal, which fetches the pages on the user's behalf.

The following versions were used when writing this document:
- Security Management Center (SMC) 6.2.0
- Next Generation Firewall (NGFW) 6.2.0
- Windows Server 2012 R2
- A web browser for client access

We assume that the integration between SMC and Microsoft AD is up and running for user authentication purposes.

Configuration Steps

CREATE AN SSL VPN PORTAL SERVICE

SSL VPN Portal Services map external URLs to HTTP-based services in the protected network. In the SMC Management Client, go to Configuration > VPN > SSL VPN Portal > SSL VPN Portal Services, right-click and select New SSL VPN Portal Service.
On the General tab enter a Name for the new Portal Service. Three methods are available for Link Translation:
- URL Rewrite: a URL prefix that corresponds to a service in the protected network is added to the URL. This option does not require additional DNS entries.
- DNS Mapping: incoming connections to the SSL VPN Portal are translated to an internal host running on a specific port. This option requires additional DNS entries (a host name for the service that resolves to the portal).
- Freeform URL: users can manually enter a URL in the SSL VPN Portal in addition to selecting a predefined service. This turns the portal into a general proxy into the protected network for those users, so grant it sparingly.
This document uses URL Rewrite.

The Profile contains the settings for SSO/authentication and cookie protection. Authentication can be HTTP-based (Basic, Digest, NT LAN Manager (NTLM) or NTLMv2) or Form-based (the web browser is redirected to a custom logon page with a customizable logon form). Define your profile before configuring the SSL VPN Portal Service, or use one of the default ones. This document uses Full Cookie Protection.

External URL Prefix determines the URL prefix the user sees when accessing this service through the portal. The Internal URL specifies the URL of the service in the protected network. Alternative Hosts specifies additional host names or IP addresses at which the web server behind the Internal URL can be contacted. For a given Portal Service setup, users can use SSO for all services that share credentials as part of the same SSO Domain; if you plan to use an SSO Domain, configure it before the Portal Service. Client Trust specifies which certificate authorities (CAs) are trusted for client connections to the service: select the CA from the drop-down list, or select Trust All CAs to trust any CA. Trust All CAs accepts whatever certificate is presented on that connection regardless of its issuer, so outside a lab it is better to select the CA that actually issued the service's certificate. Client-Side Rewrite improves compatibility when JavaScript is used to dynamically construct URLs; it must be enabled to connect to some services, such as SharePoint and Office 365, through the SSL VPN Portal.
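The two link-translation methods and the Client-Side Rewrite setting are easier to reason about with a small model of what the portal does on each request. The following Python is an added illustration and not Forcepoint code: the host names vpn.example.com, app1.vpn.example.com and app1.corp.local, the /app1 prefix and the sample page are constructed for the example, and the way Alternative Hosts is applied to links in a returned page is an assumption of the model rather than taken from the document.

```python
import re
from urllib.parse import urlsplit

PORTAL_HOST = "vpn.example.com"   # assumed: the Hostname configured on the portal


class PortalService:
    """One SSL VPN Portal Service: how the browser reaches it and where it really lives."""

    def __init__(self, name, internal_url, external_prefix=None,
                 mapped_host=None, alternative_hosts=()):
        self.name = name
        self.internal = urlsplit(internal_url)        # the Internal URL field
        self.external_prefix = external_prefix        # URL Rewrite: External URL Prefix
        self.mapped_host = mapped_host                # DNS Mapping: extra DNS name for the portal
        # Assumption: Alternative Hosts are the other names the back end uses for itself
        # in the links it emits, so those links are rewritten as belonging to this service.
        self.own_hosts = set(alternative_hosts) | {self.internal.netloc}

    def matches(self, ext_host, ext_path):
        """Does a browser-facing request belong to this service?"""
        if self.mapped_host:
            return ext_host == self.mapped_host
        return ext_path == self.external_prefix or ext_path.startswith(self.external_prefix + "/")

    def to_internal(self, ext_path):
        """Browser-facing path -> URL the portal fetches on the user's behalf."""
        path = ext_path if self.mapped_host else (ext_path[len(self.external_prefix):] or "/")
        return f"{self.internal.scheme}://{self.internal.netloc}{path}"

    def to_external(self, link):
        """Rewrite one link found in a back-end response so it comes back through the portal."""
        parts = urlsplit(link)
        if parts.netloc and parts.netloc not in self.own_hosts:
            return link                                   # points at some other server: leave it
        if not parts.netloc and not parts.path.startswith("/"):
            return link                                   # relative link: already resolves under us
        tail = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        host, prefix = ((self.mapped_host, "") if self.mapped_host
                        else (PORTAL_HOST, self.external_prefix))
        return f"https://{host}{prefix}{tail}" if parts.netloc else prefix + tail


LINK_ATTR = re.compile(r'\b(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def rewrite_html(html, service):
    """Server-side link translation: fix href/src/action attributes in the returned page."""
    return LINK_ATTR.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{service.to_external(m.group(3))}{m.group(2)}", html)


def proxy_request(external_url, services):
    """Resolve a browser request to (service name, internal URL); (None, None) if nothing maps."""
    parts = urlsplit(external_url)
    for svc in services:
        if svc.matches(parts.netloc, parts.path):
            return svc.name, svc.to_internal(parts.path)
    return None, None


def js_built_url(service, path):
    """URL that page JavaScript assembles from location.host at run time; the server-side
    rewriter never sees it, which is the gap Client-Side Rewrite closes."""
    return f"https://{service.mapped_host or PORTAL_HOST}{path}"


# Constructed sample page, as the back end would return it.
SAMPLE_PAGE = ('<a href="http://app1.corp.local/docs/">Docs</a>\n'
               '<img src="/static/logo.png">\n'
               '<script>var api = location.protocol + "//" + location.host + "/api/list";</script>')

if __name__ == "__main__":
    rewrite = PortalService("App1", "http://app1.corp.local", external_prefix="/app1")
    mapped = PortalService("App1-dns", "http://app1.corp.local:8080",
                           mapped_host="app1.vpn.example.com", alternative_hosts=["app1.corp.local"])
    for svc in (rewrite, mapped):
        print(f"--- {svc.name}")
        print(rewrite_html(SAMPLE_PAGE, svc))
        print("JS-built request maps to:",
              proxy_request(js_built_url(svc, "/api/list"), [rewrite, mapped]))
```

Running it shows the same back-end page rewritten once per method. With URL Rewrite the href and src attributes gain the /app1 prefix, but the URL the script assembles from location.host ends up as https://vpn.example.com/api/list, which no service claims; with DNS Mapping the host name itself identifies the service and the same request maps cleanly. That is why URL Rewrite needs Client-Side Rewrite for JavaScript-heavy applications, while DNS Mapping pays for its robustness with an extra DNS entry per service.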
Next, open the Look & Feel tab of the SSL VPN Portal Service.

A link to the service appears on the SSL VPN Portal web page when Visible in Portal is selected. Title is the text the user clicks on the portal page, and Start page is the path to the first page the user sees after clicking the icon. The Icon can optionally be replaced with another .png file, and Description is the text shown when the user hovers the mouse over the icon. For each service in the protected network that you want to make available, configure a separate Portal Service with its own parameters (link translation method, authentication, icons, and so on). Click OK.
CONFIGURE AN SSL VPN PORTAL POLICY

The SSL VPN Portal Policy defines which services are available in the SSL VPN Portal and which users can access them. One policy can grant access to many of the services defined as SSL VPN Portal Services; in this example we include two services configured earlier. To create a policy, go to Configuration > VPN > SSL VPN Portal, create a new SSL VPN Portal Policy and open it for editing. There you add the SSL VPN Portal Services and the users or groups who may access them:
- Select the Services to include in the Policy.
- Select the Groups (from the AD integration) allowed to use them.
- Save your configuration.
The policy is the single place where it is decided who may reach which internal service, so keep the group selection as narrow as the use case allows.
CONFIGURE THE SSL VPN PORTAL

Create and enable the SSL VPN Portal to make it available through one or more security engines. Go to Configuration > VPN > SSL VPN Portals, right-click and select New SSL VPN Portal. On the General tab enter a Name for the portal, select the SSL VPN Portal Policy configured above, and under Hostnames enter the domain name or IP address that users type into their browser to reach the portal. In this example we use a self-signed certificate. Note that every user's browser will warn about a self-signed certificate, and users cannot tell it apart from one presented by an attacker; before exposing the portal to real users, replace it with a certificate issued for the names listed under Hostnames by a CA the users' browsers trust.
The Look & Feel tab determines how the portal page is presented to the user after login. You can customize the portal (colours, logos, and so on) and preview the result; here we set the Look & Feel to Forcepoint. On the Target Engine tab choose the NGFW engines that accept SSL VPN Portal requests, and the TCP port they listen on.
On the Advanced tab set the timeouts (Idle and Session) and the log level for the SSL VPN Portal. When Allow Persistent User Sessions is selected, users remain logged on to the portal after closing the browser until the defined session timeout is reached; on a shared or unmanaged machine the next person to open the browser inherits that session, so leave the option off unless the use case needs it, and pair it with a short session timeout. When Allow Empty Referrer in HTTP Headers is selected, web browsers are not required to include referrer information in HTTP headers. The referrer names the page the user came from (the one where they clicked the link); requiring it lets the portal reject requests that do not originate from one of its own pages. Some browsers and privacy settings strip the header, which is the reason to enable the option, but a request without a referrer is then accepted whoever caused the browser to send it.
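To see what Allow Empty Referrer trades away, the following Python models a Referer-based check of the kind a reverse proxy applies to state-changing requests. It is an added example, not Forcepoint's implementation of the option: the portal host name, the header values and the four request scenarios are constructed, and the rule that only non-safe methods are checked is an assumption of the model.

```python
from urllib.parse import urlsplit

PORTAL_HOSTNAMES = {"vpn.example.com"}   # assumed: the Hostnames field of the portal
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # model assumption: read-only requests are not checked


def referrer_host(headers):
    """Host named in the Referer header, or None when the browser sent none."""
    value = headers.get("Referer")
    return urlsplit(value).hostname if value else None


def accept_request(method, headers, allow_empty_referrer):
    """Referer-based check for state-changing requests. Returns (accepted, reason)."""
    if method in SAFE_METHODS:
        return True, "safe method, not checked"
    host = referrer_host(headers)
    if host is None:
        if allow_empty_referrer:
            return True, "no Referer; accepted because Allow Empty Referrer is on"
        return False, "no Referer"
    if host in PORTAL_HOSTNAMES:
        return True, "Referer is the portal"
    return False, f"Referer is another site ({host})"


# Constructed requests: what the portal sees in four situations.
SAMPLE_REQUESTS = {
    "portal form submit":            ("POST", {"Referer": "https://vpn.example.com/app1/order"}),
    "attacker page, default policy": ("POST", {"Referer": "https://attacker.example/csrf.html"}),
    # <meta name="referrer" content="no-referrer"> on the attacker's page removes the header
    "attacker page, no-referrer":    ("POST", {}),
    # identical headers: a browser or privacy extension that strips Referer for the real user
    "privacy-conscious user":        ("POST", {}),
}


def compare_settings(requests=SAMPLE_REQUESTS):
    """Outcome of each request with the option off (strict) and on (relaxed)."""
    return {name: (accept_request(m, h, False)[0], accept_request(m, h, True)[0])
            for name, (m, h) in requests.items()}


if __name__ == "__main__":
    for name, (strict, relaxed) in compare_settings().items():
        print(f"{name:32} strict={strict!s:5} relaxed={relaxed}")
```

The last two scenarios arrive with exactly the same headers, so the portal cannot distinguish the privacy-conscious user from the attacker's page once the option is on: enabling it to help the former also admits the latter. Decide on it per user population, and prefer to fix the client side (browser referrer policy for the portal host) where that is possible.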
CONFIGURE ENGINE-SPECIFIC SSL VPN PORTAL SETTINGS

In the engine-specific configuration, click SSL VPN Portal under the VPN settings. In the SSL VPN Portal field select the portal configured above on the Management Server, and the TCP port on which the engine accepts user connections. Select the SSL/TLS versions offered to users and the TLS Cryptography Suite Set to use. Whatever is enabled here is what a client, or an attacker on the path, can negotiate, so enable only what the user base needs: leave SSLv3 and TLS 1.0/1.1 off unless a legacy client requires them, and choose a suite set without export, anonymous or RC4 suites. Save the configuration.
CHECKING THE CONFIGURATION

From a browser on a host in the external network, enter the IP address of the external firewall interface (the same address configured in the Hostnames field of the SSL VPN Portal). Enter the credentials of a user account that already exists in AD. The browser then shows the page defined on the Look & Feel tab of the SSL VPN Portal.
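Beyond logging in through a browser, the TLS versions chosen on the engine and the certificate presented by the portal can be verified from the external host with the following Python, an added check that is not part of the document. The host vpn.example.com and port 443 are assumed values; replace them with the portal Hostname and TCP port. SSLv3 is not probed because current Python/OpenSSL builds cannot offer it.

```python
import socket
import ssl

PORTAL_HOST, PORTAL_PORT = "vpn.example.com", 443   # assumed Hostname and TCP port
PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
LEGACY = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
MODERN = {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}


def handshake(host, port, version):
    """Try a handshake pinned to one protocol version.
    True/False: the server accepted/refused it; None: this client cannot offer it at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # here we only ask which versions the engine offers
    try:
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # offer legacy suites so an old version can complete
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def certificate_trusted(host, port):
    """True when the portal certificate chains to a CA in the system trust store.
    The self-signed certificate used for initial setup fails here, as it does in browsers."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def findings(accepted, trusted):
    """Review findings from probe results; a pure function so it can be tested offline.
    accepted: {TLSVersion: True/False/None}, trusted: bool."""
    out = []
    for version in sorted(v for v in accepted if accepted[v] and v in LEGACY):
        out.append(f"{version.name} accepted: remove it from the engine's SSL/TLS version list")
    if not any(accepted.get(v) for v in MODERN):
        out.append("no TLS 1.2 or 1.3 offered: current browsers will refuse to connect")
    if not trusted:
        out.append("certificate does not chain to a trusted CA: browsers will warn on every visit")
    return out


if __name__ == "__main__":
    results = {v: handshake(PORTAL_HOST, PORTAL_PORT, v) for v in PROBE_VERSIONS}
    for v, ok in results.items():
        state = "accepted" if ok else ("refused" if ok is False else "not offered by this client")
        print(f"{v.name:8} {state}")
    for line in findings(results, certificate_trusted(PORTAL_HOST, PORTAL_PORT)):
        print("FINDING:", line)
```

Run it once after saving the engine settings and again after replacing the self-signed certificate; an empty findings list is the expected end state. A None result means the probing machine's own OpenSSL refuses to speak that version, not that the portal refuses it, so an old version reported as None should be re-checked from a client that can still offer it.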
Clicking Access to App1 opens the following screen (a basic HTML page hosted on an Apache web server), which reflects the parameters configured earlier in the SSL VPN Portal Service settings. In this example the SMC is installed on the internal network, so it is also possible to browse to the SMC Management Client through the portal, provided a Portal Service for it has been published and the policy grants it; whether a management interface belongs in a user-facing portal at all is a decision to make deliberately.

MONITORING AND LOGGING

Logged-in users can be monitored per engine via Server Management: go to Configuration, right-click the target engine and select Monitoring > SSL VPN. If more information is needed for troubleshooting, enable diagnostics logging: right-click the security engine, select Options > Diagnostics, and enable SSL VPN Portal, SSL VPN Session Manager and SSL VPN Tunnel. With these enabled, the SSL VPN Portal HTTP transactions can be tracked in the logs. Turn diagnostics off again when done, since transaction-level logging is verbose and records the URLs users access.