The SSL VPN-Plus services for an NSX Data Center for vSphere edge gateway in your VMware Cloud Director environment enable remote users to connect securely to the private networks and applications in the organization virtual data centers backed by that edge gateway. You can configure various SSL VPN-Plus services on the edge gateway.

In your VMware Cloud Director environment, the edge gateway SSL VPN-Plus capability supports network access mode. Remote users must install an SSL client to make secure connections and access the networks and applications behind the edge gateway. As part of the edge gateway SSL VPN-Plus configuration, you add the installation packages for the operating system and configure certain parameters. See Add an SSL VPN-Plus Client Installation Package On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal for details.

Configuring SSL VPN-Plus on an edge gateway is a multi-step process.

Prerequisites

Verify that all SSL certificates needed for the SSL VPN-Plus have been added to the Certificates screen. See SSL Certificate Management on an NSX Data Center for vSphere Edge Gateway Using Your VMware Cloud Director Service Provider Admin Portal.

Note: On an edge gateway, port 443 is the default port for HTTPS. For the SSL VPN functionality, the edge gateway HTTPS port must be accessible from external networks. The SSL VPN client requires the edge gateway IP address and port that are configured in the Server Settings screen on the SSL VPN-Plus tab to be reachable from the client system. See Configure SSL VPN Server Settings on an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal.

Navigate to the SSL-VPN Plus Screen Of an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

You can navigate to the SSL-VPN Plus screen to begin configuring the SSL-VPN Plus service for an NSX Data Center for vSphere edge gateway in VMware Cloud Director.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. Click the SSL VPN-Plus tab.

What to do next

On the General screen, configure the default SSL VPN-Plus settings. See Customize the General SSL VPN-Plus Settings for an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Configure SSL VPN Server Settings on an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal

These server settings configure the SSL VPN server, such as the IP address and port the service listens on, the cipher list of the service, and its service certificate. When connecting to the NSX Data Center for vSphere edge gateway in VMware Cloud Director, remote users specify the same IP address and port you set in these server settings.

If your edge gateway is configured with multiple overlay IP address networks on its external interface, the IP address you select for the SSL VPN server can differ from the default external interface address of the edge gateway.

While configuring the SSL VPN server settings, you must choose which encryption algorithms to use for the SSL VPN tunnel. You can choose one or more ciphers. Carefully choose the ciphers according to the strengths and weaknesses of your selections.

By default, the system uses the self-signed certificate that it generates for each edge gateway as the server identity certificate for the SSL VPN tunnel. Instead of this default, you can use a digital certificate that you have added to the system on the Certificates screen.

Prerequisites

Procedure

  1. On the SSL VPN-Plus screen, click Server Settings.
  2. Click Enabled.
  3. Select an IP address from the drop-down menu.
  4. (Optional) Enter a TCP port number.
    The TCP port number is used by the SSL client installation package. By default, the system uses port 443, which is the default port for HTTPS/SSL traffic. Even though a port number is required, you can set any TCP port for communications.
    Note: The SSL VPN client requires the IP address and port configured here to be reachable from the client systems of your remote users. If you change the port number from the default, ensure that the IP address and port combination are reachable from the systems of your intended users.
  5. Select an encryption method from the cipher list.
  6. Configure the service Syslog logging policy.
    Logging is activated by default. You can change the level of messages to log or deactivate logging.
  7. (Optional) If you want to use a service certificate instead of the default system-generated self-signed certificate, click Change server certificate, select a certificate, and click OK.
  8. Click Save changes.

What to do next

Note: The edge gateway IP address and the TCP port number you set must be reachable by your remote users. Add an edge gateway firewall rule that allows access to the SSL VPN-Plus IP address and port configured in this procedure. See Add an NSX Data Center for vSphere Edge Gateway Firewall Rule in the VMware Cloud Director Service Provider Admin Portal.

Add an IP pool so that remote users are assigned IP addresses when they connect using SSL VPN-Plus. See Create an IP Pool for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Create an IP Pool for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

The remote users are assigned virtual IP addresses from the static IP pools that you configure using the IP Pools screen on the SSL VPN-Plus tab in the VMware Cloud Director Service Provider Admin Portal.

Each IP pool added in this screen results in an IP address subnet configured on the edge gateway. The IP address ranges used in these IP pools must be different from all other networks configured on the edge gateway.

Note: SSL VPN assigns IP addresses to the remote users from the IP pools based on the order the IP pools appear in the on-screen table. After you add the IP pools to the on-screen table, you can adjust their positions in the table using the up and down arrows.
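The IP Pools screen does not tell you ahead of time whether a pool collides with a network already on the edge gateway or whether the gateway address sits inside the assignable range. The following Python pre-check is an added example, not code from VMware Cloud Director or NSX; it assumes a constructed list of networks already configured on the edge gateway (EXISTING_EDGE_NETWORKS) and applies the rules this section states: the range, netmask and gateway must describe one subnet, the gateway must be inside the subnet but outside the IP Range, and the subnet must not overlap any other configured network. It additionally flags loopback and multicast ranges, which cannot work as client pools.

```python
import ipaddress

# Constructed sample: networks assumed to be already configured on the edge gateway
# (org VDC networks and an uplink). Replace with the real list from your edge gateway.
EXISTING_EDGE_NETWORKS = ["192.168.10.0/24", "192.168.20.0/24", "10.0.0.0/24"]


def parse_ip_range(ip_range):
    """Parse the 'first-last' form used in the IP Range field into two addresses."""
    first, last = (part.strip() for part in ip_range.split("-", 1))
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError(f"range end {end} precedes range start {start}")
    return start, end


def check_ip_pool(ip_range, netmask, gateway, existing_networks=EXISTING_EDGE_NETWORKS):
    """Return a list of problems with a proposed SSL VPN-Plus IP pool (empty list = OK).

    Rules checked: the range and the gateway lie in the subnet implied by the netmask,
    the gateway is not inside the assignable range, the pool is not a loopback or
    multicast subnet, and the pool subnet does not overlap any existing edge network.
    """
    problems = []
    start, end = parse_ip_range(ip_range)
    # strict=False derives the network from the first pool address plus the mask.
    subnet = ipaddress.IPv4Network((start, netmask), strict=False)
    gw = ipaddress.IPv4Address(gateway)

    if end not in subnet:
        problems.append(f"range end {end} is outside pool subnet {subnet}")
    if gw not in subnet:
        problems.append(f"gateway {gw} is outside pool subnet {subnet}")
    elif start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the assignable range {start}-{end}")
    if gw in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {subnet}")
    if subnet.is_loopback or subnet.is_multicast:
        problems.append(f"pool subnet {subnet} is a loopback or multicast range")
    for net in existing_networks:
        other = ipaddress.IPv4Network(net)
        if subnet.overlaps(other):
            problems.append(f"pool subnet {subnet} overlaps existing network {other}")
    return problems


if __name__ == "__main__":
    for args in [
        ("192.168.30.10-192.168.30.100", "255.255.255.0", "192.168.30.1"),
        ("192.168.10.10-192.168.10.100", "255.255.255.0", "192.168.10.1"),
        ("192.168.30.10-192.168.30.100", "255.255.255.0", "192.168.30.50"),
    ]:
        print(args, "->", check_ip_pool(*args) or "OK")
```

Run the check against the real list of edge gateway networks before clicking Keep; an overlapping pool is the usual cause of clients that connect but cannot reach the private networks.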

Prerequisites

Procedure

  1. On the SSL VPN-Plus tab, click IP Pools.
  2. Click the Create button.
  3. Configure the IP pool settings.
    IP Range: Enter an IP address range for this IP pool, such as 127.0.0.1-127.0.0.9. These IP addresses are assigned to VPN clients when they authenticate and connect to the SSL VPN tunnel.
    Netmask: Enter the netmask of the IP pool, such as 255.255.255.0.
    Gateway: Enter the IP address that you want the edge gateway to create and assign as the gateway address for this IP pool. When the IP pool is created, a virtual adapter is created on the edge gateway virtual machine and this IP address is configured on that virtual interface. This IP address can be any IP within the subnet that is not also in the range in the IP Range field.
    Description: (Optional) Enter a description for this IP pool.
    Status: Select whether to activate or deactivate this IP pool.
    Primary DNS: (Optional) Enter the name of the primary DNS server that will be used for name resolution for these virtual IP addresses.
    Secondary DNS: (Optional) Enter the name of the secondary DNS server to use.
    DNS Suffix: (Optional) Enter the DNS suffix for the domain the client systems are hosted on, for domain-based host name resolution.
    WINS Server: (Optional) Enter the WINS server address for the needs of your organization.
  4. Click Keep.

Results

The IP pool configuration is added to the on-screen table.

What to do next

Add private networks that you want accessible to your remote users connecting with SSL VPN-Plus. See Add a Private Network for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Add a Private Network for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

Use the Private Networks screen on the SSL VPN-Plus tab to configure the private networks in the VMware Cloud Director Service Provider Admin Portal. The private networks are the networks that you want the VPN clients to have access to when the remote users connect using their VPN clients and the SSL VPN tunnel. The activated private networks are installed in the routing table of the VPN client.

The private networks list contains all reachable IP networks behind the edge gateway for which you want traffic from a VPN client to be encrypted, or excluded from encryption. Each private network that requires access through an SSL VPN tunnel must be added as a separate entry. You can use route summarization techniques to limit the number of entries.
  • SSL VPN-Plus allows remote users to access private networks based on the top-down order in which the entries appear in the on-screen table. After you add the private networks to the on-screen table, you can adjust their positions in the table using the up and down arrows.
  • If you activate TCP optimization for a private network, some applications such as FTP in active mode might not work within that subnet. To add an FTP server configured in active mode, you must add another private network for that FTP server and deactivate TCP optimization for that private network. Also, the private network for that FTP server must be activated and appear in the on-screen table above the TCP-optimized private network.
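The two bullets above describe a first-match, top-down lookup, which is why the non-optimized FTP entry has to sit above the optimized supernet. The following Python model is an added example, not code from VMware Cloud Director or the NSX SSL VPN server; PrivateNetwork, resolve and shadowed_entries are constructed names, and the sample table (an optimized 10.10.0.0/16 and a 10.10.5.0/24 holding an active-mode FTP server) is made up for the demonstration. resolve shows which table row a client flow hits and whether it gets TCP optimization; shadowed_entries finds rows that can never match because a row above them already covers their network.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PrivateNetwork:
    """One row of the Private Networks table (constructed model, not the product's API)."""
    cidr: str
    description: str = ""
    enabled: bool = True
    tcp_optimization: bool = False
    ports: list = field(default_factory=list)  # (low, high) ranges; empty means all ports

    @property
    def network(self):
        return ipaddress.ip_network(self.cidr)

    def covers_port(self, port):
        return not self.ports or any(low <= port <= high for low, high in self.ports)


def resolve(entries, dest_ip, dest_port):
    """Return (entry, optimized) for a client flow.

    The first enabled entry, top-down, whose network contains dest_ip decides; the flow
    is TCP-optimized only if that entry has TCP optimization on and its Ports field
    lists the destination port (or lists no ports at all).
    """
    addr = ipaddress.ip_address(dest_ip)
    for entry in entries:
        if entry.enabled and addr in entry.network:
            return entry, entry.tcp_optimization and entry.covers_port(dest_port)
    return None, False


def shadowed_entries(entries):
    """Return (shadowed, by) pairs: an enabled entry whose network is contained in an
    enabled entry listed above it can never be selected, so its own settings never apply."""
    result = []
    enabled = [e for e in entries if e.enabled]
    for i, lower in enumerate(enabled):
        for upper in enabled[:i]:
            if lower.network.subnet_of(upper.network):
                result.append((lower.cidr, upper.cidr))
                break
    return result


# Constructed sample: an optimized /16 and a /24 holding an active-mode FTP server that
# must not be optimized. Listing the /24 below the /16 shadows it (the wrong order).
WRONG_ORDER = [
    PrivateNetwork("10.10.0.0/16", "org VDC networks", tcp_optimization=True,
                   ports=[(20, 21), (80, 443)]),
    PrivateNetwork("10.10.5.0/24", "active-mode FTP server", tcp_optimization=False),
]
RIGHT_ORDER = list(reversed(WRONG_ORDER))

if __name__ == "__main__":
    print("shadowed in wrong order:", shadowed_entries(WRONG_ORDER))
    entry, optimized = resolve(RIGHT_ORDER, "10.10.5.20", 21)
    print("FTP flow hits", entry.cidr, "optimized =", optimized)
```

Running shadowed_entries over the table as you intend to save it catches the ordering mistake before remote users report broken active-mode FTP.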

Prerequisites

Procedure

  1. On the SSL VPN-Plus tab, click Private Networks.
  2. Click the Add button.
  3. Configure the private network settings.
    Network: Type the private network IP address in CIDR format, such as 192.169.1.0/24.
    Description: (Optional) Type a description for the network.
    Send Traffic: Specify how you want the VPN client to send the private network and Internet traffic.
      • Over Tunnel: The VPN client sends the private network and Internet traffic over the SSL VPN-Plus activated edge gateway.
      • Bypass Tunnel: The VPN client bypasses the edge gateway and sends the traffic directly to the private server.
    Enable TCP Optimization: (Optional) To best optimize the Internet speed when you select Over Tunnel for sending the traffic, you must also select Enable TCP Optimization. Selecting this option enhances the performance of TCP packets within the VPN tunnel but does not improve performance of UDP traffic.
    A conventional full-access SSL VPN tunnel sends TCP/IP data inside a second TCP/IP stack for encryption over the Internet, so application-layer data is encapsulated in two separate TCP streams. When packet loss occurs, which can happen even under optimal Internet conditions, a performance degradation effect called TCP-over-TCP meltdown occurs: two TCP instances retransmit the same packet of IP data, undermining network throughput and causing connection timeouts. Selecting Enable TCP Optimization eliminates the risk of this TCP-over-TCP problem.
    Note: When you activate TCP optimization:
    • You must enter the port numbers for which to optimize the Internet traffic.
    • The SSL VPN server opens the TCP connection on behalf of the VPN client. When the SSL VPN server opens the TCP connection, the first automatically generated edge firewall rule is applied, which allows all connections opened from the edge gateway to pass. Traffic that is not optimized is evaluated by the regular edge firewall rules. The default generated TCP rule is to allow any connections.
    Ports: When you select Over Tunnel, type a range of port numbers that you want opened for the remote user to access the internal servers, such as 20-21 for FTP traffic and 80-81 for HTTP traffic. To give unrestricted access to users, leave the field blank.
    Status: Activate or deactivate the private network.
  4. Click Keep.
  5. Click Save changes to save the configuration to the system.

What to do next

Add an authentication server. See Configure an Authentication Service for SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Important: Add the corresponding firewall rules to allow network traffic to the private networks you have added in this screen. See Add an NSX Data Center for vSphere Edge Gateway Firewall Rule in the VMware Cloud Director Service Provider Admin Portal.

Configure an Authentication Service for SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

Use the Authentication screen on the SSL VPN-Plus tab to set up a local authentication server for the edge gateway SSL VPN service and optionally enable client certificate authentication. VMware Cloud Director uses this authentication server to authenticate the connecting users. All users configured in the local authentication server will be authenticated.

You can have only one local SSL VPN-Plus authentication server configured on the edge gateway. If you click + LOCAL and specify additional authentication servers, an error message is displayed when you try to save the configuration.

The maximum time to authenticate over SSL VPN is three (3) minutes. This maximum is determined by the non-authentication timeout, which is 3 minutes by default and is not configurable. As a result, if you have multiple authentication servers chained and user authentication takes more than 3 minutes, the user is not authenticated.

Prerequisites

Procedure

  1. Click the SSL VPN-Plus tab and Authentication.
  2. Click Local.
  3. Configure the authentication server settings.
    1. (Optional) Enable and configure the password policy.
      Enable password policy: Turn on enforcement of the password policy settings you configure here.
      Password Length: Enter the minimum and maximum allowed number of characters for password length.
      Minimum no. of alphabets: (Optional) Type the minimum number of alphabetic characters that are required in the password.
      Minimum no. of digits: (Optional) Type the minimum number of numeric characters that are required in the password.
      Minimum no. of special characters: (Optional) Type the minimum number of special characters, such as ampersand (&), hash tag (#), percent sign (%), and so on, that are required in the password.
      Password should not contain user ID: (Optional) Enable to enforce that the password must not contain the user ID.
      Password expires in: (Optional) Type the maximum number of days that a password can exist before the user must change it.
      Expiry notification in: (Optional) Type the number of days prior to the Password expires in value at which the user is notified that the password is about to expire.
    2. (Optional) Enable and configure the account lockout policy.
      Enable account lockout policy: Turn on enforcement of the account lockout policy settings you configure here.
      Retry Count: Enter the number of times a user can try to access their account.
      Retry Duration: Enter the time period in minutes in which the user account gets locked on unsuccessful login attempts. For example, if you specify the Retry Count as 5 and Retry Duration as 1 minute, the account of the user is locked after 5 unsuccessful login attempts within 1 minute.
      Lockout Duration: Enter the time period for which the user account remains locked. After this time has elapsed, the account is automatically unlocked.

    3. In the Status section, enable this authentication server.
    4. (Optional) Configure secondary authentication.
      Use this server for secondary authentication: (Optional) Specify whether to use the server as the second level of authentication.
      Terminate session if authentication fails: (Optional) Specify whether to end the VPN session when authentication fails.
    5. Click Keep.
  4. (Optional) To enable client certificate authentication, click Change certificate, turn on the enablement toggle, select the CA certificate to use, and click OK.
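To make the password policy and account lockout semantics from step 3 concrete, the following Python model is an added example; it is not code from the local authentication server or from VMware Cloud Director, and PasswordPolicy, LockoutPolicy and LockoutTracker are constructed names. password_violations applies the length, alphabets, digits, special-character and user-ID rules to a candidate password. LockoutTracker implements the Retry Count / Retry Duration / Lockout Duration rule as the screen describes it: an account locks when Retry Count failures fall inside a sliding Retry Duration window, and stays locked for Lockout Duration minutes. Timestamps are plain seconds so the behaviour is easy to reason about offline.

```python
import string
from collections import deque
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Mirrors the password policy fields on the Authentication screen (constructed values)."""
    min_length: int = 8
    max_length: int = 64
    min_alphabets: int = 1
    min_digits: int = 1
    min_special: int = 1
    forbid_user_id: bool = True


def password_violations(policy, user_id, password):
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    violations = []
    if not policy.min_length <= len(password) <= policy.max_length:
        violations.append("length")
    if sum(c.isalpha() for c in password) < policy.min_alphabets:
        violations.append("alphabets")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        violations.append("digits")
    if sum(c in string.punctuation for c in password) < policy.min_special:
        violations.append("special")
    if policy.forbid_user_id and user_id.lower() in password.lower():
        violations.append("contains user id")
    return violations


@dataclass
class LockoutPolicy:
    """Mirrors the account lockout fields; all durations are in minutes, as on the screen."""
    retry_count: int = 5
    retry_duration: int = 1
    lockout_duration: int = 1


class LockoutTracker:
    """Tracks failed logins per user and locks the account when retry_count failures
    fall inside a retry_duration window; the lock lasts lockout_duration minutes."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = {}      # user id -> deque of failure timestamps (seconds)
        self.locked_until = {}  # user id -> timestamp at which the lock expires

    def is_locked(self, user_id, now):
        return self.locked_until.get(user_id, 0) > now

    def record_failure(self, user_id, now):
        """Register a failed login at time `now` (seconds); return True if the account is locked."""
        if self.is_locked(user_id, now):
            return True
        window = self.policy.retry_duration * 60
        attempts = self.failures.setdefault(user_id, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > window:
            attempts.popleft()  # drop failures older than the retry window
        if len(attempts) >= self.policy.retry_count:
            self.locked_until[user_id] = now + self.policy.lockout_duration * 60
            attempts.clear()
            return True
        return False

    def record_success(self, user_id):
        """A successful login resets the failure counter; an active lock must expire on its own."""
        self.failures.pop(user_id, None)


if __name__ == "__main__":
    print(password_violations(PasswordPolicy(), "alice", "alice123!"))
    tracker = LockoutTracker(LockoutPolicy())
    print([tracker.record_failure("alice", t) for t in (0, 10, 20, 30, 40)])
```

The sliding window matters for the failure mode the screen's example implies: five failures spread over more than a minute do not lock the account, while five within a minute do.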

What to do next

Add local users to the local authentication server so that they can connect with SSL VPN-Plus. See Add SSL VPN-Plus Users to the Local SSL VPN-Plus Authentication Server On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal.

Create an installation package containing the SSL Client so remote users can install it on their local systems. See Add an SSL VPN-Plus Client Installation Package On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal.

Add SSL VPN-Plus Users to the Local SSL VPN-Plus Authentication Server On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal

To add accounts for your remote users to the local authentication server for the NSX Data Center for vSphere edge gateway SSL VPN service, use the Users screen on the SSL VPN-Plus tab in the VMware Cloud Director Service Provider Admin Portal.

Note: If a local authentication server is not already configured, adding a user on the Users screen automatically adds a local authentication server with default values. You can then use the edit button on the Authentication screen to view and edit the default values. For information about using the Authentication screen, see Configure an Authentication Service for SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Prerequisites

Navigate to the SSL-VPN Plus Screen Of an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Procedure

  1. On the SSL VPN-Plus tab, click Users.
  2. Click the Create button.
  3. Configure the following options for the user.
    User ID: Enter the user ID.
    Password: Enter a password for the user.
    Retype Password: Reenter the password.
    First name: (Optional) Enter the first name of the user.
    Last name: (Optional) Enter the last name of the user.
    Description: (Optional) Enter a description for the user.
    Enabled: Specify whether the user is activated or deactivated.
    Password never expires: (Optional) Specify whether to keep the same password for this user forever.
    Allow change password: (Optional) Specify whether to let the user change the password.
    Change password on next login: (Optional) Specify whether you want this user to change the password the next time the user logs in.
  4. Click Keep.
  5. Repeat the steps to add additional users.

What to do next

Create an installation package containing the SSL Client so the remote users can install it on their local systems. See Add an SSL VPN-Plus Client Installation Package On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal.

Add an SSL VPN-Plus Client Installation Package On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal

To create named installation packages of the SSL VPN-Plus client for the remote users, use the Installation Packages screen on the SSL VPN-Plus tab in the VMware Cloud Director Service Provider Admin Portal.

You can add an SSL VPN-Plus client installation package to the NSX Data Center for vSphere edge gateway. New users are prompted to download and install this package when they log in to use the VPN connection for the first time. When added, these client installation packages are then downloadable from the FQDN of the edge gateway's public interface.

You can create installation packages that run on Windows, Linux, and Mac operating systems. If you require different installation parameters per SSL VPN client, create an installation package for each configuration.

Prerequisites

Navigate to the SSL-VPN Plus Screen Of an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

Procedure

  1. On the SSL VPN-Plus tab in the tenant portal, click Installation Packages.
  2. Click the Add button.
  3. Configure the installation package settings.
    Profile Name: Enter a profile name for this installation package. This name is displayed to the remote user to identify this SSL VPN connection to the edge gateway.
    Gateway: Enter the IP address or FQDN of the edge gateway public interface. The IP address or FQDN that you enter is bound to the SSL VPN client. When the client is installed on the local system of the remote user, this IP address or FQDN is displayed on that SSL VPN client. To bind additional edge gateway uplink interfaces to this SSL VPN client, click the Add button to add rows and type in their interface IP addresses or FQDNs, and ports.
    Port: (Optional) To modify the port value from the displayed default, double-click the value and enter a new value.
    Windows, Linux, Mac: Select the operating systems for which you want to create the installation packages.
    Description: (Optional) Type a description for the installation package.
    Enabled: Specify whether this package is activated or deactivated.
  4. Select the installation parameters for Windows.
    Start client on logon: Starts the SSL VPN client when the remote user logs in to their local system.
    Allow remember password: Enables the client to remember the user password.
    Enable silent mode installation: Hides installation commands from remote users.
    Hide SSL client network adapter: Hides the VMware SSL VPN-Plus Adapter, which is installed on the computer of the remote user together with the SSL VPN client installation package.
    Hide client system tray icon: Hides the SSL VPN tray icon that indicates whether the VPN connection is active or not.
    Create desktop icon: Creates an icon on the user desktop to invoke the SSL client.
    Enable silent mode operation: Hides the window that indicates that installation is complete.
    Server security certificate validation: The SSL VPN client validates the SSL VPN server certificate before establishing the secure connection.
  5. Click Keep.

What to do next

Edit the client configuration. See Edit the SSL VPN-Plus Client Configuration On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal.

Edit the SSL VPN-Plus Client Configuration On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal

To customize the way the SSL VPN client tunnel responds when the remote user logs in to SSL VPN, use the Client Configuration screen on the SSL VPN-Plus tab in the VMware Cloud Director Service Provider Admin Portal.

Prerequisites

Navigate to the SSL-VPN Plus Screen Of an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

Procedure

  1. On the SSL VPN-Plus tab, click Client Configuration.
  2. Select the Tunneling mode.
    • In split tunnel mode, only the VPN traffic flows through the edge gateway.
    • In full tunnel mode, the edge gateway becomes the default gateway for the remote user and all traffic, such as VPN, local, and Internet, flows through the edge gateway.
  3. If you select full tunnel mode, enter the IP address for the default gateway used by the clients of the remote users and, optionally, select whether to exclude local subnet traffic from flowing through the VPN tunnel.
  4. (Optional) Deactivate auto reconnect.
    Enable auto reconnect is activated by default. If auto reconnect is activated, the SSL VPN client automatically reconnects users when they get disconnected.
  5. (Optional) Enable the client to notify remote users when a client upgrade is available.
    This option is deactivated by default. If you activate this option, remote users can choose to install the upgrade.
  6. Click Save changes.

Customize the General SSL VPN-Plus Settings for an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal

By default, the system sets some SSL VPN-Plus settings on an edge gateway in your VMware Cloud Director environment. You can use the General Settings screen on the SSL VPN-Plus tab in the VMware Cloud Director tenant portal to customize these settings.

Prerequisites

Navigate to the SSL-VPN Plus Screen Of an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Procedure

  1. On the SSL VPN-Plus tab, click General Settings.
  2. Edit the general settings as required for the needs of your organization.
    Prevent multiple logon using same username: Turn on to restrict a remote user to having only one active login session under the same user name.
    Compression: Turn on to enable TCP-based intelligent data compression and improve data transfer speed.
    Enable Logging: Turn on to maintain a log of the traffic that passes through the SSL VPN gateway. Logging is enabled by default.
    Force virtual keyboard: Turn on to require remote users to use a virtual (on-screen) keyboard only to enter login information.
    Randomize keys of virtual keyboard: Turn on to have the virtual keyboard use a randomized key layout.
    Session idle timeout: Enter the session idle timeout in minutes. If there is no activity in a user session for the specified time period, the system disconnects the user session. The system default is 10 minutes.
    User notification: Type the message to be displayed to remote users after they log in.
    Enable public URL access: Turn on to allow remote users to access sites that are not explicitly configured by you for remote user access.
    Enable forced timeout: Turn on to have the system disconnect remote users after the time period that you specify in the Forced timeout field is over.
    Forced timeout: Type the timeout period in minutes. This field is displayed when the Enable forced timeout toggle is turned on.

  3. Click Save changes.