The SSL VPN-Plus services for an NSX Data Center for vSphere edge gateway in your VMware Cloud Director environment enable remote users to connect securely to the private networks and applications in the organization virtual data centers backed by that edge gateway. You can configure various SSL VPN-Plus services on the edge gateway.
In your VMware Cloud Director environment, the edge gateway SSL VPN-Plus capability supports network access mode. Remote users must install an SSL client to make secure connections and access the networks and applications behind the edge gateway. As part of the edge gateway SSL VPN-Plus configuration, you add the installation packages for the operating system and configure certain parameters. See Add an SSL VPN-Plus Client Installation Package On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal for details.
Configuring SSL VPN-Plus on an edge gateway is a multi-step process.
Prerequisites
Verify that all SSL certificates needed for the SSL VPN-Plus have been added to the Certificates screen. See SSL Certificate Management on an NSX Data Center for vSphere Edge Gateway Using Your VMware Cloud Director Tenant Portal.
Navigate to the SSL-VPN Plus Screen Of an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal
You can navigate to the SSL-VPN Plus screen to begin configuring the SSL-VPN Plus service for an NSX Data Center for vSphere edge gateway in VMware Cloud Director.
Procedure
- Open Edge Gateway Services.
- From the primary left navigation panel, select Networking and from the page top navigation bar, select Edge Gateways.
- Select the edge gateway that you want to edit, and click Services.
- Click the SSL VPN-Plus tab.
What to do next
On the General screen, configure the default SSL VPN-Plus settings. See Customize the General SSL VPN-Plus Settings for an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal.
Configure SSL VPN Server Settings on an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal
These server settings configure the SSL VPN server, such as the IP address and port the service listens on, the cipher list of the service, and its service certificate. When connecting to the NSX Data Center for vSphere edge gateway in VMware Cloud Director, remote users specify the same IP address and port you set in these server settings.
If your edge gateway is configured with multiple, overlay IP address networks on its external interface, the IP address you select for the SSL VPN server can be different than the default external interface of the edge gateway.
While configuring the SSL VPN server settings, you must choose which encryption algorithms to use for the SSL VPN tunnel. You can choose one or more ciphers. Carefully choose the ciphers according to the strengths and weaknesses of your selections.
By default, the system uses the default, self-signed certificate that the system generates for each edge gateway as the default server identity certificate for the SSL VPN tunnel. Instead of this default, you can choose to use a digital certificate that you have added to the system on the Certificates screen.
Prerequisites
- Verify that you have met the prerequisites described in Configure SSL VPN-Plus On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal.
- If you choose to use a service certificate different than the default one, import the required certificate into the system. See Add a Service Certificate to the Edge Gateway Using Your VMware Cloud Director Tenant Portal.
- Navigate to the SSL-VPN Plus Screen Of an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal.
Procedure
What to do next
Add an IP pool so that remote users are assigned IP addresses when they connect using SSL VPN-Plus. See Create an IP Pool for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal.
Create an IP Pool for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal
The remote users are assigned virtual IP addresses from the static IP pools that you configure using the IP Pools screen on the SSL VPN-Plus tab in the VMware Cloud Director Tenant Portal.
Each IP pool added in this screen results in an IP address subnet configured on the edge gateway. The IP address ranges used in these IP pools must be different from all other networks configured on the edge gateway.
Prerequisites
Procedure
- On the SSL VPN-Plus tab, click IP Pools.
- Click the Create () button.
- Configure the IP pool settings.
Option Action IP Range Enter an IP address range for this IP pool, such as 127.0.0.1-127.0.0.9.. These IP addresses will be assigned to VPN clients when they authenticate and connect to the SSL VPN tunnel.
Netmask Enter the netmask of the IP pool, such as 255.255.255.0. Gateway Enter the IP address that you want the edge gateway to create and assign as the gateway address for this IP pool. When the IP pool is created, a virtual adapter is created on the edge gateway virtual machine and this IP address is configured on that virtual interface. This IP address can be any IP within the subnet that is not also in the range in the IP Range field.
Description (Optional) Enter a description for this IP pool. Status Select whether to activate or deactivate this IP pool. Primary DNS (Optional) Enter the name of the primary DNS server that will be used for name resolution for these virtual IP addresses. Secondary DNS (Optional) Enter the name of the secondary DNS server to use. DNS Suffix (Optional) Enter the DNS suffix for the domain the client systems are hosted on, for domain-based host name resolution. WINS Server (Optional) Enter the WINS server address for the needs of your organization. - Click Keep.
Results
What to do next
Add private networks that you want accessible to your remote users connecting with SSL VPN-Plus. See Add a Private Network for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal.
Add a Private Network for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal
Use the Private Networks screen on the SSL VPN-Plus tab to configure the private networks in the VMware Cloud Director Tenant Portal. The private networks are the ones you want the VPN clients to have access to, when the remote users connect using their VPN clients and the SSL VPN tunnel. The activated private networks will be installed in the routing table of the VPN client.
- SSL VPN-Plus allows remote users to access private networks based on the top-down order the IP pools appear in the on-screen table. After you add the private networks to the on-screen table, you can adjust their positions in the table using the up and down arrows.
- If you select to activate TCP optimization for a private network, some applications such as FTP in active mode might not work within that subnet. To add an FTP server configured in active mode, you must add another private network for that FTP server and deactivate TCP optimization for that private network. Also, the private network for that FTP server must be activated and appear in the on-screen table above the TCP-optimized private network.
Prerequisites
Procedure
- On the SSL VPN-Plus tab, click Private Networks.
- Click the Add () button.
- Configure the private network settings.
Option Action Network Type the private network IP address in a CIDR format, such as 192169.1.0/24. Description (Optional) Type a description for the network. Send Traffic Specify how you want the VPN client to send the private network and Internet traffic. - Over Tunnel
The VPN client sends the private network and Internet traffic over the SSL VPN-Plus activated edge gateway.
- Bypass Tunnel
The VPN client bypasses the edge gateway and sends the traffic directly to the private server.
Enable TCP Optimization (Optional) To best optimize the Internet speed, when you select Over Tunnel for sending the traffic, you must also select Enable TCP Optimization Selecting this option enhances the performance of TCP packets within the VPN tunnel but does not improve performance of UDP traffic.
Conventional full-access SSL VPNs tunnel sends TCP/IP data in a second TCP/IP stack for encryption over the Internet. This conventional method encapsulates application layer data in two separate TCP streams. When packet loss occurs, which can happen even under optimal Internet conditions, a performance degradation effect called TCP-over-TCP meltdown occurs. In TCP-over-TCP meltdown, two TCP instruments correct the same single packet of IP data, undermining network throughput and causing connection timeouts. Selecting Enable TCP Optimization eliminates the risk of this TCP-over-TCP problem occurring.
Note: When you activate TCP optimization:- You must enter the port numbers for which to optimize the Internet traffic.
- The SSL VPN server opens the TCP connection on behalf of the VPN client. When the SSL VPN server opens the TCP connection, the first automatically generated edge firewall rule is applied, which allows all connections opened from the edge gateway to get passed. Traffic that is not optimized is evaluated by the regular edge firewall rules. The default generated TCP rule is to allow any connections.
Ports When you select Over Tunnel, type a range of port numbers that you want opened for the remote user to access the internal servers, such as 20-21 for FTP traffic and 80-81 for HTTP traffic. To give unrestricted access to users, leave the field blank.
Status Activate or deactivate the private network. - Over Tunnel
- Click Keep.
- Click Save changes to save the configuration to the system.
What to do next
Add an authentication server. See Configure an Authentication Service for SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal.
Configure an Authentication Service for SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal
Use the Authentication screen on the SSL VPN-Plus tab to set up a local authentication server for the edge gateway SSL VPN service and optionally enable client certificate authentication. VMware Cloud Director uses this authentication server to authenticate the connecting users. All users configured in the local authentication server will be authenticated.
You can have only one local SSL VPN-Plus authentication server configured on the edge gateway. If you click + LOCAL and specify additional authentication servers, an error message is displayed when you try to save the configuration.
The maximum time to authenticate over SSL VPN is three (3) minutes. This maximum is determined by the non-authentication timeout, which is 3 minutes by default and is not configurable. As a result, if you have multiple authentication servers in chain authorization and user authentication takes more than 3 minutes, the user will not be authenticated.
Prerequisites
- Navigate to the SSL-VPN Plus Screen Of an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal.
- Add a Private Network for Use with SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal.
- If you intend to enable client certificate authentication, verify that a CA certificate has been added to the edge gateway. See Add a CA Certificate to the Edge Gateway for SSL Certificate Trust Verification Using Your VMware Cloud Director Tenant Portal.
Procedure
- Click the SSL VPN-Plus tab and Authentication.
- Click Local.
- Configure the authentication server settings.
- (Optional) Enable and configure the password policy.
Option Description Enable password policy Turn on enforcement of the password policy settings you configure here. Password Length Enter the minimum and maximum allowed number of characters for password length. Minimum no. of alphabets (Optional) Type the minimum number of alphabetic characters, that are required in the password. Minimum no. of digits (Optional) Type the minimum number of numeric characters, that are required in the password. Minimum no. of special characters (Optional) Type the minimum number of special characters, such as ampersand (&), hash tag (#), percent sign (%) and so on, that are required in the password. Password should not contain user ID (Optional) Enable to enforce that the password must not contain the user ID. Password expires in (Optional) Type the maximum number of days that a password can exist before the user must change it. Expiry notification in (Optional) Type the number of days prior to the Password expires in value at which the user is notified the password is about to expire. - (Optional) Enable and configure the account lockout policy.
Option Description Enable account lockout policy Turn on enforcement of the account lockout policy settings you configure here. Retry Count Enter the number of times a user can try to access their account. Retry Duration Enter the time period in minutes in which the user account gets locked on unsuccessful login attempts. For example, if you specify the Retry Count as 5 and Retry Duration as 1 minute, the account of the user is locked after 5 unsuccessful login attempts within 1 minute.
Lockout Duration Enter the time period for which the user account remains locked. After this time has elapsed, the account is automatically unlocked.
- In the Status section, enable this authentication server.
- (Optional) Configure secondary authentication.
Options Description Use this server for secondary authentication (Optional) Specify whether to use the server as the second level of authentication. Terminate session if authentication fails (Optional) Specify whether to end the VPN session when authentication fails. - Click Keep.
- (Optional) Enable and configure the password policy.
- (Optional) To enable client certification authentication, click Change certificate, then turn on the enablement toggle, select the CA certificate to use, and click OK.
What to do next
Add local users to the local authentication server so that they can connect with SSL VPN-Plus. See Add SSL VPN-Plus Users to the Local SSL VPN-Plus Authentication Server On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal.
Create an installation package containing the SSL Client so remote users can install it on their local systems. See Add an SSL VPN-Plus Client Installation Package On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal.
Add SSL VPN-Plus Users to the Local SSL VPN-Plus Authentication Server On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal
To add accounts for your remote users to the local authentication server for the NSX Data Center for vSphere edge gateway SSL VPN service, use the Users screen on the SSL VPN-Plus tab in the VMware Cloud Director Tenant Portal.
Prerequisites
Procedure
- On the SSL VPN-Plus tab, click Users.
- Click the Create () button.
- Configure the following options for the user.
Option Description User ID Enter the user ID. Password Enter a password for the user. Retype Password Reenter the password. First name (Optional) Enter the first name of the user. Last name (Optional) Enter the last name of the user. Description (Optional) Enter a description for the user. Enabled Specify whether the user is activated or deactivated. Password never expires (Optional) Specify whether to keep the same password for this user forever. Allow change password (Optional) Specify whether to let the user change the password. Change password on next login (Optional) Specify whether you want this user to change the password the next time the user logs in. - Click Keep.
- Repeat the steps to add additional users.
What to do next
Add local users to the local authentication server so that they can connect with SSL VPN-Plus. See Add SSL VPN-Plus Users to the Local SSL VPN-Plus Authentication Server On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal.
Create an installation package containing the SSL Client so the remote users can install it on their local systems. See Add an SSL VPN-Plus Client Installation Package On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal.
Add an SSL VPN-Plus Client Installation Package On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal
To create named installation packages of the SSL VPN-Plus client for the remote users, use the Installation Packages screen on the SSL VPN-Plus tab in the VMware Cloud Director Tenant Portal.
You can add an SSL VPN-Plus client installation package to the NSX Data Center for vSphere edge gateway. New users are prompted to download and install this package when they log in to use the VPN connection for the first time. When added, these client installation packages are then downloadable from the FQDN of the edge gateway's public interface.
You can create installation packages that run on Windows, Linux, and Mac operating systems. If you require different installation parameters per SSL VPN client, create an installation package for each configuration.
Prerequisites
Procedure
- On the SSL VPN-Plus tab in the tenant portal, click Installation Packages.
- Click the Add () button.
- Configure the installation package settings.
Option Description Profile Name Enter a profile name for this installation package. This name is displayed to the remote user to identify this SSL VPN connection to the edge gateway.
Gateway Enter the IP address or FQDN of the edge gateway public interface. The IP address or FQDN that you enter is bound to the SSL VPN client. When the client is installed on the local system of the remote user, this IP address or FQDN is displayed on that SSL VPN client.
To bind additional edge gateway uplink interfaces to this SSL VPN client, click the Add () button to add rows and type in their interface IP addresses or FQDNs, and ports.
Port (Optional) To modify the port value from the displayed default, double-click the value and enter a new value. Windows
Linux
Mac
Select the operating systems for which you want to create the installation packages. Description (Optional) Type a description for the user. Enabled Specify whether this package is activated or deactivated. - Select the installation parameters for Windows.
Option Description Start client on logon Starts the SSL VPN client when the remote user logs in to their local system. Allow remember password Enables the client to remember the user password. Enable silent mode installation Hides installation commands from remote users. Hide SSL client network adapter Hides the VMware SSL VPN-Plus Adapter which is installed on the computer of the remote user, together with the SSL VPN client installation package. Hide client system tray icon Hides the SSL VPN tray icon which indicates whether the VPN connection is active or not. Create desktop icon Creates an icon on the user desktop to invoke the SSL client. Enable silent mode operation Hides the window that indicates that installation is complete. Server security certificate validation The SSL VPN client validates the SSL VPN server certificate before establishing the secure connection. - Click Keep.
What to do next
Edit the client configuration. See Edit the SSL VPN-Plus Client Configuration On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal.
Edit the SSL VPN-Plus Client Configuration On an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal
To customize the way the SSL VPN client tunnel responds when the remote user logs in to SSL VPN, use the Client Configuration screen on the SSL VPN-Plus tab in the VMware Cloud Director Tenant Portal.
Prerequisites
Procedure
Customize the General SSL VPN-Plus Settings for an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal
By default, the system sets some SSL VPN-Plus settings on an edge gateway in your VMware Cloud Director environment. You can use the General Settings screen on the SSL VPN-Plus tab in the VMware Cloud Director tenant portal to customize these settings.
Prerequisites
Procedure
- On the SSL VPN-Plus tab, click General Settings.
- Edit the general settings as required for the needs of your organization.
Option Description Prevent multiple logon using same username Turn on to restrict a remote user to having only one active login session under the same user name. Compression Turn on to enable TCP-based intelligent data compression and improve data transfer speed. Enable Logging Turn on to maintain a log of the traffic that passes through the SSL VPN gateway. Logging is enabled by default.
Force virtual keyboard Turn on to require remote users to use a virtual (on-screen) keyboard only to enter login information. Randomize keys of virtual keyboard Turn on to have the virtual keyboard use a randomized key layout. Session idle timeout Enter the session idle timeout in minutes. If there is no activity in a user session for the specified time period, the system disconnects the user session. The system default is 10 minutes.
User notification Type the message to be displayed to remote users after they log in. Enable public URL access Turn on to allow remote users to access sites that are not explicitly configured by you for remote user access. Enable forced timeout Turn on to have the system disconnect remote users after the time period that you specify in the Forced timeout field is over. Forced timeout Type the timeout period in minutes. This field is displayed when Enable forced timeout toggle is turned on.
- Click Save changes.