Objective 6.2 – Configure and Manage Logical Virtual Private Networks (VPN)

Knowledge

  • Configure IPSec VPN
    • Add/Edit/Disable IPSec VPN Service
      • Enable
        • Log in to the vSphere Web Client.
        • Click Networking & Security and then click NSX Edges.
        • Double-click an NSX Edge.
        • Click the Manage tab and then click the VPN tab.
        • Click IPSec VPN.
        • Click Enable.
      • Specify Global IPSec Configuration
        • Log in to the vSphere Web Client.
        • Click Networking & Security and then click NSX Edges.
        • Double-click an NSX Edge.
        • Click the Manage tab and then click the VPN tab.
        • Click IPSec VPN.
        • Click Change next to Global configuration status.
        • Type a global pre-shared key for those sites whose peer endpoint is set to any and select Display shared key to display the key.
        • Select Enable certificate authentication and select the appropriate certificate.
        • Click OK.
    • Configure IPSec VPN parameters
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the VPN tab.
      • Click IPSec VPN.
      • Click the Add “+” icon.
      • Type a name for the IPSec VPN.
      • Type the IP address of the NSX Edge instance in Local Id. This will be the peer Id on the remote site.
      • Type the IP address of the local endpoint.
        If you are adding an IP to IP tunnel using a pre-shared key, the local Id and local endpoint IP can be the same.
      • Type the subnets to share between the sites in CIDR format. Use a comma separator to type multiple subnets.
      • Type the Peer Id to uniquely identify the peer site. For peers using certificate authentication, this ID must be the common name in the peer’s certificate. For PSK peers, this ID can be any string. VMware recommends that you use the public IP address of the VPN or a FQDN for the VPN service as the peer ID.
      • Type the IP address of the peer site in Peer Endpoint. If you leave this blank, NSX Edge waits for the peer device to request a connection.
      • Type the internal IP address of the peer subnet in CIDR format. Use a comma separator to type multiple subnets.
      • Select the Encryption Algorithm
      • In Authentication Method, select one of the following:
        • PSK (Pre Shared Key) Indicates that the secret key shared between NSX Edge and the peer site is to be used for authentication. The secret key can be a string with a maximum length of 128 bytes.
        • Certificate Indicates that the certificate defined at the global level is to be used for authentication.
        • Type the shared key in if anonymous sites are to connect to the VPN service
        • Click Display Shared Key to display the key on the peer site.
      • In Diffie-Hellman (DH) Group, select the cryptography scheme that will allow the peer site and the NSX Edge to establish a shared secret over an insecure communications channel.
      • Edit the default MTU if required.
      • Select whether to enable or disable the Perfect Forward Secrecy (PFS) threshold. In IPsec negotiations, Perfect Forward Secrecy (PFS) ensures that each new cryptographic key is unrelated to any previous key.
      • Click OK.
        NSX Edge creates a tunnel from the local subnet to the peer subnet.
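The site parameters above carry several rules worth checking before a tunnel is published (subnets in CIDR form, a PSK of at most 128 bytes, a peer ID that must equal the certificate CN for certificate peers, a blank peer endpoint meaning the Edge only responds, PFS on or off). The following checker is an added example and not part of the original post or of NSX itself; the dict key names it reads and the sample site values are assumptions constructed for the example.

```python
import ipaddress

PSK_MAX_BYTES = 128  # maximum pre-shared key length for an NSX Edge IPSec site


def parse_subnets(field):
    """Parse the comma-separated CIDR list used for local and peer subnets."""
    nets = []
    for item in field.split(","):
        item = item.strip()
        if item:
            # strict=True rejects entries with host bits set, e.g. 10.1.1.5/24
            nets.append(ipaddress.ip_network(item, strict=True))
    if not nets:
        raise ValueError("at least one subnet in CIDR format is required")
    return nets


def check_ipsec_site(site, global_psk=None):
    """Check one IPSec VPN site; returns {'errors': [...], 'warnings': [...]}.

    `site` is a dict mirroring the fields of the Add IPSec VPN dialog; the key
    names used here are assumptions for this example, not NSX field names.
    """
    errors, warnings = [], []
    local, peer = [], []
    for label, key, dest in (("local", "local_subnets", local),
                             ("peer", "peer_subnets", peer)):
        try:
            dest.extend(parse_subnets(site.get(key, "")))
        except ValueError as exc:
            errors.append(f"{label} subnets: {exc}")
    # A local subnet that overlaps a peer subnet cannot be routed into the tunnel.
    for ln in local:
        for pn in peer:
            if ln.overlaps(pn):
                errors.append(f"local {ln} overlaps peer {pn}")

    method = site.get("auth_method")
    if method == "PSK":
        # A site without its own key falls back to the global pre-shared key.
        psk = site.get("psk") or global_psk or ""
        if not psk:
            errors.append("PSK selected but neither a site key nor a global key is set")
        elif len(psk.encode("utf-8")) > PSK_MAX_BYTES:
            errors.append(f"pre-shared key exceeds {PSK_MAX_BYTES} bytes")
    elif method == "Certificate":
        # For certificate peers the Peer Id must be the CN of the peer certificate.
        if site.get("peer_id") != site.get("peer_cert_cn"):
            errors.append("peer id does not match the peer certificate common name")
    else:
        errors.append(f"unknown authentication method: {method!r}")

    if not site.get("peer_endpoint"):
        warnings.append("peer endpoint blank: the Edge waits for the peer to initiate")
    if not site.get("pfs", True):
        warnings.append("PFS disabled: new session keys are not independent of earlier keys")
    return {"errors": errors, "warnings": warnings}
```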
    • Edit IPSec VPN Service
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Monitor tab and then click the VPN tab.
      • Click IPSec VPN.
      • Select the IPSec service that you want to edit.
      • Click the Edit icon.
      • Make the appropriate edits.
      • Click OK.
    • Disable IPSec VPN Service
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Monitor tab and then click the VPN tab.
      • Click IPSec VPN.
      • Select the IPSec service that you want to disable.
      • Click the Disable icon.
    • Enable logging
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the VPN tab.
      • Click IPSec VPN.
      • Click next to Logging Policy and click Enable logging to log the traffic flow between the local subnet and peer subnet and select the logging level.
      • Select the log level and click Publish Changes.
  • Configure Layer 2 VPN
    • Enable Layer 2 VPN
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the VPN tab.
      • Click L2 VPN.
      • Click Enable.
    • Add Layer 2 VPN Client/Server
      • Client:
        • Log in to the vSphere Web Client.
        • Click Networking & Security and then click NSX Edges.
        • Double-click an NSX Edge.
        • Click the Manage tab and then click the VPN tab.
        • Click L2 VPN, select Client, and click Change.
        • Expand Client Details and type the server address to which the VPN is to be connected. The address can be the host name or IP address.
        • If required, edit the default port to which the VPN is to be connected.
        • Select the internal interface on the NSX Edge to be stretched. The interface must be connected to a dvport group or logical switch.
        • Type a description.
        • Expand User Details and type the same user credentials as specified on the L2 VPN server.
        • If the client NSX Edge does not have direct access to the internet and needs to reach the source (server) NSX Edge via a proxy server, expand Proxy Settings.
        • To enable only secure proxy connections, select Enable Secure Proxy.
        • Type the proxy server address, port, user name, and password.
        • Do one of the following.
          • To enable server certificate validation, select Validate Server Certificate and select the appropriate certificate.
          • To disable server certificate validation, un-select Validate Server Certificate.
        • Click OK.
      • Server:
        • Log in to the vSphere Web Client.
        • Click Networking & Security and then click NSX Edges.
        • Double-click an NSX Edge.
        • Click the Manage tab and then click the VPN tab.
        • Click L2 VPN, select Server, and click Change.
        • Expand Server Details.
        • In Listener IP, type the primary or secondary IP address of an external interface of the NSX Edge.
        • The default port for the L2 VPN service is 443. Edit this if required.
        • Select the encryption method.
        • Select the internal interface of the NSX Edge which is being stretched. This interface must be connected to a dv port group or logical switch.
        • Type a description.
        • Expand User Details and type the user name and password.
        • In Server Certificates, do one of the following.
          • Select Use System Generated Certificate to use a self-signed certificate for authentication.
          • Select the signed certificate to be used for authentication.
        • Click OK.
    • View Layer 2 VPN Statistics
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the VPN tab.
      • Click L2 VPN.
      • Click Fetch Status and expand Tunnel Status.
  • Configure Network Access/Web Access SSL VPN-Plus
    • Edit Client Configurations
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Monitor tab and then click the SSL VPN-Plus tab.
      • Select Client Configuration from the left panel.
      • Select the Tunneling Mode
        In split tunnel mode, only VPN traffic flows through the NSX Edge gateway. In full tunnel mode, the NSX Edge gateway becomes the remote user’s default gateway and all traffic (VPN, local, and internet) flows through this gateway.
      • If you selected the full tunnel mode:
        • Select Exclude local subnets to exclude local traffic from flowing through the VPN tunnel.
        • Type the IP address for the default gateway of the remote user’s system.
      • Select Enable auto reconnect if you would like the remote user to automatically reconnect to the SSL VPN client after getting disconnected.
      • Select Client upgrade notification for the remote user to get a notification when an upgrade for the client is available. The remote user can then choose to install the upgrade.
      • Click OK.
    • Edit General Settings
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Monitor tab and then click the SSL VPN-Plus tab.
      • Select General Settings from the left panel.
      • Make required selections.
        • Prevent multiple logon using same username
          Allow a remote user to login only once with a username.
        • Enable compression
          Enable TCP based intelligent data compression and improve data transfer speed.
        • Enable logging
          Maintain a log of the traffic passing through the SSL VPN gateway.
        • Force virtual keyboard
          Allow remote users to enter web or client login information only via the virtual keyboard.
        • Randomize keys of virtual keyboard
          Make the virtual keyboard keys random.
        • Enable forced timeout
          Disconnect the remote user after the specified timeout period is over. Type the timeout period in minutes.
        • Session idle timeout
          If there is no activity on the user session for the specified period, end the user session after that period is over.
        • User notification
          Type a message to be displayed to the remote user after he logs in.
        • Enable public URL access
          Allow remote user to access any site which is not configured (and not listed on web portal) by administrator.
      • Click OK.
    • Edit Web Portal Designs
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click a vShield Edge.
      • Click the Manage tab and then click the SSL VPN-Plus tab.
      • Select Portal Customization from the left panel.
      • Type the portal title.
      • Type the remote user’s company name.
      • In Logo, click Change and select the image file for the remote user’s logo.
      • In Colors, click the color box next to numbered item for which you want to change the color, and select the desired color.
      • If desired, change the client banner.
      • Click OK.
    • Add/Edit/Delete IP Pools
      • Add:
        • Click Networking & Security and then click NSX Edges.
        • Double-click a vShield Edge.
        • Click the Manage tab and then click the SSL VPN-Plus tab.
        • In the SSL VPN-Plus tab, select IP Pools from the left panel.
        • Click the Add “+” icon.
        • Type the begin and end IP address for the IP pool.
        • Type the netmask of the IP pool.
        • Type the IP address that is to be added to the routing interface in the NSX Edge gateway.
        • (Optional) Type a description for the IP pool.
        • Select whether to enable or disable the IP pool.
        • (Optional) In the Advanced panel, type the DNS name.
        • (Optional) Type the secondary DNS name.
        • Type the connection-specific DNS suffix for domain based host name resolution.
        • Type the WINS server address.
        • Click OK.
      • Edit:
        • Log in to the vSphere Web Client.
        • Click Networking & Security and then click NSX Managers.
        • Click an NSX Manager in the Name column and then click the Manage tab.
        • Click the Grouping Objects tab and then click IP Pool.
        • Select the IP pool that you want to edit.
        • Click the Edit (Pencil) icon.
          The Edit IP Pool dialog box opens.
        • Make the required edits.
        • Click OK.
    • Enable/Disable IP Pools
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Monitor tab and then click the SSL VPN-Plus tab.
      • Select IP Pool from the left panel.
      • Select the IP pool that you want to enable/disable.
      • Click the Enable (Tick) icon or Disable (No Entry) icon.
    • Add/Edit/Delete Private Networks
      • In the SSL VPN-Plus tab, select Private Networks from the left panel.
      • Click the Add “+” icon.
      • Type the private network IP address.
      • Type the netmask of the private network.
      • (Optional) Type a description for the network.
      • Specify whether you want to send private network and internet traffic over the SSL VPN-Plus enabled NSX Edge or directly to the private server by bypassing the NSX Edge.
      • If you selected Send traffic over the tunnel, select Enable TCP Optimization to optimize the internet speed.

        Conventional full-access SSL VPN tunnels send TCP/IP data through a second TCP/IP stack for encryption over the internet. This results in application layer data being encapsulated twice, in two separate TCP streams. When packet loss occurs (which happens even under optimal internet conditions), a performance degradation effect called TCP-over-TCP meltdown occurs. In essence, two TCP instances are both retransmitting to correct a single lost IP packet, undermining network throughput and causing connection timeouts. TCP Optimization eliminates this TCP-over-TCP problem, ensuring optimal performance.

      • Type the port numbers that you want to open for the remote user to access the corporate internal servers/machines, such as 3389 for RDP, 20/21 for FTP, and 80 for HTTP. If you want to give the user unrestricted access, you can leave the Ports field blank.
      • Specify whether you want to enable or disable the private network.
      • Click OK.
    • Enable/Disable Private Networks
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Monitor tab and then click the SSL VPN-Plus tab.
      • Select Private Networks from the left panel.
      • Click the network that you want to enable, disable, or delete.
      • Click the Enable icon (Tick), Disable icon (No entry sign), or Delete icon (cross).
      • The selected network is enabled, disabled, or deleted.
    • Add/Edit/Delete Installation Packages
      • In the SSL VPN-Plus tab, select Installation Package from the left panel.
      • Click the Add “+” icon.
      • Type a profile name for the installation package.
      • In Gateway, type the IP address or FQDN of the public interface of the NSX Edge. This IP address or FQDN is bound to the SSL client. When the client is installed, this IP address or FQDN is displayed on the SSL client.
      • Type the port number that you specified in the server settings for SSL VPN-Plus.
      • (Optional) To bind additional NSX Edge uplink interfaces to the SSL client,
        • Click the Add “+” icon.
        • Type the IP address and port number.
        • Click OK.
      • The installation package is created for Windows operating system by default. Select Linux or Mac to create an installation package for Linux or Mac operating systems as well.
      • (Optional) Enter a description for the installation package.
      • Select Enable to display the installation package on the Installation Package page.
      • Select the following options as appropriate.
        • Start client on logon – The SSL VPN client is started when the remote user logs on to his system.
        • Allow remember password – Enables the remember password option in the client.
        • Enable silent mode installation – Hides installation commands from the remote user.
        • Hide SSL client network adapter – Hides the VMware SSL VPN-Plus Adapter, which is installed on the remote user’s computer along with the SSL VPN installation package.
        • Hide client system tray icon – Hides the SSL VPN tray icon which indicates whether the VPN connection is active or not.
        • Create desktop icon – Creates an icon to invoke the SSL client on the user’s desktop.
        • Enable silent mode operation – Hides the pop-up that indicates that installation is complete.
        • Server security certificate validation – The SSL VPN client validates the SSL VPN server certificate before establishing the secure connection.
      • Click OK.
    • Add/Edit/Delete Users
      • In the SSL VPN-Plus tab, select Users from the left panel.
      • Click the Add “+” icon.
      • Type the user ID.
      • Type the password.
      • Retype the password.
      • (Optional) Type the first and last name of the user.
      • (Optional) Type a description for the user.
      • In Password Details, select Password never expires to always keep the same password for the user.
      • Select Allow change password to let the user change the password.
      • Select Change password on next login if you want the user to change the password the next time he logs in.
      • Set the user status.
      • Click OK.
    • Add/Edit/Delete Login/Logoff script
      • In the SSL VPN-Plus tab, select Login/Logoff Scripts from the left panel.
      • Click the Add “+” icon.
      • In Script, click Browse and select the script you want to bind to the NSX Edge gateway.
      • Select the Type of script.
        • Login – Performs the script action when the remote user logs in to SSL VPN.
        • Logoff – Performs the script action when the remote user logs out of SSL VPN.
        • Both – Performs the script action both when the remote user logs in and when the user logs out of SSL VPN.
      • Type a description for the script.
      • Select Enabled to enable the script.
      • Click OK.
    • Enable/Disable Login/Logoff script
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the SSL VPN-Plus tab.
      • Select Login/Logoff Scripts from the left panel.
      • Select a script and click the Enable (Tick) icon or Disable (No entry sign) icon.
  • Determine appropriate VPN service type for a given NSX implementation
    • SSL VPN-Plus allows remote users to access private corporate applications.
      • Network Access SSL VPN-Plus requires users to download a client to access private networks.
      • Web Access SSL VPN-Plus allows users to access private networks without a hardware or software SSL client.
    • IPSec VPN offers site-to-site connectivity between an NSX Edge instance and remote sites.
    • L2 VPN allows you to extend your datacenter by allowing virtual machines to retain network connectivity across geographical boundaries.
  • Determine appropriate NSX Edge instance size based on load balancing requirements
    • The Large NSX Edge has more CPU, memory, and disk space than the Compact NSX Edge, and supports a larger number of concurrent SSL VPN-Plus users.
    • The X-Large NSX Edge is suited for environments with a load balancer handling millions of concurrent sessions.
    • The Quad Large NSX Edge is recommended for high throughput and for environments that require a high connection rate.

Tools

  • NSX Installation and Upgrade Guide
  • NSX Administration Guide
  • NSX Manager
  • vSphere Web Client
