Use the Authentication screen on the SSL VPN-Plus tab to set up a local authentication server for the edge gateway SSL VPN service and, optionally, to enable client certificate authentication. The local authentication server authenticates the users who connect to the SSL VPN; any user account configured on it can be authenticated by it.
You can have only one local SSL VPN-Plus authentication server configured on the edge gateway. If you click + LOCAL and specify additional authentication servers, an error message is displayed when you try to save the configuration.
The maximum time to authenticate over SSL VPN is three (3) minutes. This limit is determined by the non-authentication timeout, that is, the time a connecting client may remain unauthenticated, which is 3 minutes by default and is not configurable. As a result, if you chain multiple authentication servers and user authentication takes more than 3 minutes in total, the user is not authenticated.
Prerequisites
- Navigate to the SSL VPN-Plus screen.
- Add a Private Network for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway.
- If you intend to enable client certificate authentication, verify that a CA certificate has been added to the edge gateway. See Add a CA Certificate to the Edge Gateway for SSL Certificate Trust Verification.
Procedure
- Click the SSL VPN-Plus tab and Authentication.
- Click Local.
- Configure the authentication server settings.
- (Optional) Enable and configure the password policy.
  Enable password policy: Turn on enforcement of the password policy settings you configure here.
  Password Length: Enter the minimum and maximum allowed number of characters for the password.
  Minimum no. of alphabets: (Optional) Type the minimum number of alphabetic characters that the password must contain.
  Minimum no. of digits: (Optional) Type the minimum number of numeric characters that the password must contain.
  Minimum no. of special characters: (Optional) Type the minimum number of special characters, such as the ampersand (&), hash sign (#), percent sign (%) and so on, that the password must contain.
  Password should not contain user ID: (Optional) Enable to enforce that the password must not contain the user ID.
  Password expires in: (Optional) Type the maximum number of days that a password can exist before the user must change it.
  Expiry notification in: (Optional) Type the number of days before the Password expires in value at which the user is notified that the password is about to expire.
- (Optional) Enable and configure the account lockout policy.
  Enable account lockout policy: Turn on enforcement of the account lockout policy settings you configure here.
  Retry Count: Enter the number of unsuccessful login attempts a user is allowed before the account is locked.
  Retry Duration: Enter the time window, in minutes, within which the unsuccessful login attempts are counted. For example, if you specify a Retry Count of 5 and a Retry Duration of 1 minute, the user account is locked after 5 unsuccessful login attempts within 1 minute.
  Lockout Duration: Enter the time period for which the user account remains locked. After this time has elapsed, the account is automatically unlocked.
- In the Status section, enable this authentication server.
- (Optional) Configure secondary authentication.
  Use this server for secondary authentication: (Optional) Specify whether to use this server as the second level of authentication.
  Terminate session if authentication fails: (Optional) Specify whether to end the VPN session when authentication fails.
- Click Keep.
- (Optional) To enable client certificate authentication, click Change certificate, turn on the enablement toggle, select the CA certificate to use, and click OK.
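The password policy and account lockout policy fields above define the rules the local authentication server enforces, but the UI gives no way to dry-run a candidate policy. The following is an added example, not VMware or NSX code: it models both policies with the same semantics the field descriptions give (length bounds, minimum alphabetic/numeric/special counts, no user ID in the password; N failures inside the Retry Duration window lock the account for the Lockout Duration, after which it unlocks automatically). Class and function names, the treatment of any non-alphanumeric, non-space character as "special", and the sample accounts and timestamps are constructed for this example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Mirrors the Password policy fields on the Authentication screen."""
    min_length: int = 8
    max_length: int = 63
    min_alpha: int = 0       # "Minimum no. of alphabets"
    min_digits: int = 0      # "Minimum no. of digits"
    min_special: int = 0     # "Minimum no. of special characters"
    no_user_id: bool = False  # "Password should not contain user ID"

    def violations(self, user_id: str, password: str) -> list:
        """Return the list of rules the password breaks (empty means it passes)."""
        v = []
        n = len(password)
        if n < self.min_length or n > self.max_length:
            v.append(f"length {n} outside {self.min_length}-{self.max_length}")
        if sum(c.isalpha() for c in password) < self.min_alpha:
            v.append(f"fewer than {self.min_alpha} alphabetic characters")
        if sum(c.isdigit() for c in password) < self.min_digits:
            v.append(f"fewer than {self.min_digits} digits")
        # Assumption for the example: "special" = printable, non-alphanumeric, non-space.
        if sum((not c.isalnum()) and (not c.isspace()) for c in password) < self.min_special:
            v.append(f"fewer than {self.min_special} special characters")
        if self.no_user_id and user_id.lower() in password.lower():
            v.append("contains user ID")
        return v


@dataclass
class LockoutPolicy:
    """Mirrors the Account lockout policy fields; durations are minutes as in the UI."""
    retry_count: int = 5
    retry_duration_min: int = 1
    lockout_duration_min: int = 5


@dataclass
class LockoutTracker:
    """Tracks failed logins per user and applies the lockout policy. Times are in seconds."""
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)      # user -> deque of failure times
    locked_until: dict = field(default_factory=dict)  # user -> time the lock expires

    def is_locked(self, user: str, now: int) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:            # Lockout Duration elapsed: automatic unlock
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: int) -> bool:
        """Record one unsuccessful login; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        window = self.policy.retry_duration_min * 60
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and q[0] < now - window:   # drop failures older than the Retry Duration window
            q.popleft()
        if len(q) >= self.policy.retry_count:
            self.locked_until[user] = now + self.policy.lockout_duration_min * 60
            q.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failure counter."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    # Constructed sample: retry count 5 within 1 minute, 5-minute lockout.
    tracker = LockoutTracker(LockoutPolicy(5, 1, 5))
    for t in (0, 12, 24, 36, 48):          # five failures in 48 seconds
        print(t, "locked" if tracker.record_failure("alice", t) else "not locked")
    print("still locked at 180 s:", tracker.is_locked("alice", 180))
    print("unlocked at 348 s:", not tracker.is_locked("alice", 348))
    pol = PasswordPolicy(8, 16, min_alpha=2, min_digits=1, min_special=1, no_user_id=True)
    print(pol.violations("alice", "Alice#2024!"))   # fails only the user-ID rule
```

Because the window check runs at every failure, attempts spread out more slowly than the Retry Duration never accumulate to the Retry Count, which is exactly the behaviour to expect from the edge gateway when deciding how aggressive a lockout policy you can afford without letting an attacker lock out legitimate users by name.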
What to do next
Add local users to the local authentication server so that they can connect with SSL VPN-Plus. See Add SSL VPN-Plus Users to the Local SSL VPN-Plus Authentication Server.
Create an installation package containing the SSL Client so remote users can install it on their local systems. See Add an SSL VPN-Plus Client Installation Package.