VCAP6-NV (3V0-643) Study Guide – Part 9B. NSX SSL VPN-Plus.

This is part 9B of 20+ blogs I am writing covering the exam prep guide for the VMware Certified Advanced Professional 6 – Network Virtualisation Deployment (3V0-643) VCAP6-NV certification.

At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.

Previous blogs in this series:

Part 1 – Intro
Part 2 – Objective 1.1
Part 3 – Objective 1.2
Part 4 – Objective 1.3
Part 5 – Objective 2.1
Part 6 – Objective 2.2
Part 7 – Objective 2.3
Part 8 – Objective 3.1
Part 9A – Objective 3.2 IPSec VPNs

This blog covers:

Section 3 – Deploy and Manage VMware NSX Network Services
Objective 3.2 – Configure and Manage Logical Private Networks (VPNs)

  • Configure SSL VPN Service to Allow Remote Users to Access Private Networks.

As exam objective 3.2 is quite large and covers IPSec VPNs, SSL VPNs and Layer 2 VPNs, I have decided to split objective 3.2 into three parts: 9A covers IPSec VPNs, 9B covers SSL VPNs and 9C covers Layer 2 VPNs.

Configure SSL VPN Service to Allow Remote Users to Access Private Networks

In NSX, VMware calls this feature SSL VPN-Plus. It can only be configured on the Edge Services Gateway (ESG), as the ESG is the Internet-facing component.

SSL VPN Plus allows remote external users to connect securely via HTTPS to defined internal networks. As this service is consumed via HTTPS, it will be accessible from nearly anywhere the user has an Internet connection.

The Edge Services Gateway (ESG) external IP address and TCP port 443 must be accessible to remote clients to be able to connect to the SSL VPN.

SSL VPN Plus supports the following remote client operating systems:

  • Windows XP and above (Windows 8 is supported).
  • Mac OS X Tiger, Leopard, Snow Leopard, Lion, Mountain Lion, Mavericks and Yosemite. The client can be installed either manually or using the Java installer.
  • Linux – Tcl/Tk is required for the UI to work. If it is not present, the Linux client can be used from the CLI.

There are two ways that SSL VPN Plus can be consumed.

  1. By downloading, installing and launching the client SSL VPN Plus software. This is called Network Access Mode.
  2. By accessing the SSL VPN Plus service from a web browser. This is called Web Access Mode.

Network Access Mode

Add SSL VPN Plus Server Settings

This configures the IPv4 or IPv6 address and TCP port (default 443) that the SSL VPN will listen on. You can also configure the encryption method and the server certificate. By default it uses a ‘Default Certificate’. If you wish to use a self-signed or CA-issued certificate you will need to import it first; see Part 8, which contains a section on how to create a certificate for your NSX Edge.

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that SSL VPN Plus will be configured on.

Click Manage, then SSL VPN-Plus.

Click Server Settings, then click Change.

Enter the details relevant to your environment.
I selected my Uplink interface (17.17.17.2), TCP port 443 and AES-128 encryption, and chose the option to use the default certificate.

Next add an IP Pool.

Add an IP Pool

The IP Pool is a range of virtual IP addresses that remote clients are assigned when connected. It also includes the net mask, default gateway and DNS servers.

Click IP Pool, then click the green + sign to Add an IP Pool.

Enter the details relevant to your environment.

Next configure the Private Networks.

Configure Private Networks

This allows you to configure one or more networks that remote users can access. For the Send Traffic option, make sure Over Tunnel is selected so that private network and Internet traffic is sent over the tunnel through the SSL VPN-enabled ESG.

The option Enable TCP Optimisation should be enabled to eliminate the TCP-over-TCP meltdown condition. The VMware NSX Administration Guide describes it as follows:

Conventional full-access SSL VPN tunnels send TCP/IP data in a second TCP/IP stack for encryption over the Internet. This results in application layer data being encapsulated twice in two separate TCP streams. When packet loss occurs (which happens even under optimal Internet conditions), a performance degradation effect called TCP-over-TCP meltdown occurs. In essence, two TCP instruments are correcting a single packet of IP data, undermining network throughput and causing connection timeouts. TCP Optimization eliminates this TCP-over-TCP problem, ensuring optimal performance.

Click Private Networks, then click the green + sign to Add a Private Network.

Enter the details for the Private Network. Repeat if you have more than one.

If the Edge Firewall is enabled you will need to add a north-south firewall rule allowing traffic to the destination private network(s). The source of the rule is the virtual IP range you configured in the IP pool.

Next step is to configure an authentication server.

Add Authentication

This is where you configure an authentication server that will authenticate users connecting to the SSL VPN. There are various authentication methods available that can be configured such as:

  • Active Directory
  • LDAP
  • Radius
  • RSA-ACE
  • Local

Each method has different options to configure. I am going to configure the Local option, where users will be authenticated locally by the ESG SSL VPN. You can have more than one authentication server.

When you configure the Local authentication method you are basically creating a password and lockout policy as shown below. There are numerous options available.

To Configure Local Authentication

Click Authentication, then click the green + sign to Add an Authentication Server.

I selected Local as the Authentication Server Type, left all other settings at their defaults and clicked OK. (In production I would want to change some settings if using Local Authentication, such as the password length.)

I can now see this has been configured:

Next I need to add an installation package.

Add an Installation Package

This step creates a customised client installer package. When a remote user connects to the URL or IP of the SSL VPN it will prompt them to download the package. The remote user must install this to connect to the SSL VPN. Once installed, the user launches the SSL VPN client to connect.

There are quite a few simple options that can be configured. By default the package is created for Windows, with Linux and Mac also available.

Click Installation Package, then click the green + sign to Add an Installation Package.

Enter the Profile Name, the Gateway and the port. The Gateway can either be the IP address or external DNS name for the public facing interface. Both the Gateway and the Port will be what you set when configuring the SSL VPN Plus Server Settings.

All I have configured is the Profile Name and Gateway.

I can now see the Installation package has been created:

Next we need to add some users to be allowed to connect to the SSL VPN.

Add Users

If you are using the Local Authentication method, you will need to add users to the local database.

Click Users, then click the green + sign to Add Users.

Add the information of the user.

I can now see the user has been added.

That is pretty much the entire configuration done, apart from enabling the SSL VPN-Plus service.

Enable the SSL VPN-Plus Service

Click Dashboard, then click the Enable button.

Click Yes to enable the service.

Make sure the service status changes to Enabled.

The configuration is now live.
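As an added example (not code from the original post or from VMware), here is a Python script that reviews a finished SSL VPN-Plus configuration offline against the points of the walkthrough above: the service is enabled, the listener is on TCP 443, a certificate other than the default is in use, each private network is sent over the tunnel with TCP optimisation on, the IP pool fits its netmask and gateway and does not overlap the private networks it reaches, and the north-south Edge firewall rule the pool needs. It takes an <sslvpnConfig> document of the shape NSX Manager returns from GET /api/4.0/edges/{edgeId}/sslvpn/config; the element names, and the empty <certificateId/> used to stand for the default certificate, are assumptions from the NSX 6.x API schema rather than something the post shows, so verify them against the API guide for your version. The sample document is constructed and reuses the post's addresses.

```python
# Added example, not code from the original post or from VMware: an offline
# review of an NSX Edge SSL VPN-Plus <sslvpnConfig> document, the shape NSX
# Manager returns from GET /api/4.0/edges/{edgeId}/sslvpn/config. Element
# names are assumptions from the NSX 6.x API schema; verify for your version.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the uplink 17.17.17.2 and private network 172.16.10.0/24
# are the post's values; pool range, netmask and gateway are made up. An empty
# <certificateId/> is used to model "use default certificate" (assumption).
SAMPLE_CONFIG = """<sslvpnConfig>
  <enabled>true</enabled>
  <serverSettings>
    <serverAddresses><ipAddress>17.17.17.2</ipAddress></serverAddresses>
    <port>443</port>
    <certificateId/>
    <cipherList><cipher>AES128-SHA</cipher></cipherList>
  </serverSettings>
  <privateNetworks>
    <privateNetwork>
      <network>172.16.10.0/24</network>
      <sendOverTunnel><optimize>true</optimize></sendOverTunnel>
    </privateNetwork>
  </privateNetworks>
  <ipAddressPools>
    <ipAddressPool>
      <ipRange>10.99.0.10-10.99.0.50</ipRange>
      <netmask>255.255.255.0</netmask>
      <gateway>10.99.0.1</gateway>
    </ipAddressPool>
  </ipAddressPools>
</sslvpnConfig>"""


def _flag(el, path):
    """Read a true/false element; a missing element counts as false."""
    return (el.findtext(path) or "false").strip().lower() == "true"


def parse_config(xml_text):
    """Extract the fields the review needs from an sslvpnConfig document."""
    root = ET.fromstring(xml_text)
    srv = root.find("serverSettings")
    pools = []
    for p in root.findall("ipAddressPools/ipAddressPool"):
        start, end = (s.strip() for s in p.findtext("ipRange").split("-"))
        pools.append({"start": ipaddress.ip_address(start),
                      "end": ipaddress.ip_address(end),
                      "netmask": p.findtext("netmask").strip(),
                      "gateway": ipaddress.ip_address(p.findtext("gateway").strip())})
    nets = []
    for n in root.findall("privateNetworks/privateNetwork"):
        # "Send Traffic: Over Tunnel" carries a sendOverTunnel element;
        # "Bypass Tunnel" omits it (assumption about the schema).
        nets.append({"network": ipaddress.ip_network(n.findtext("network").strip(), strict=False),
                     "over_tunnel": n.find("sendOverTunnel") is not None,
                     "tcp_optimise": _flag(n, "sendOverTunnel/optimize")})
    return {"enabled": _flag(root, "enabled"),
            "listener": srv.findtext("serverAddresses/ipAddress"),
            "port": int(srv.findtext("port") or 443),
            "certificate": (srv.findtext("certificateId") or "").strip(),
            "pools": pools, "private_networks": nets}


def review_config(cfg):
    """Return (code, message) findings; an empty list means nothing to fix."""
    out = []
    if not cfg["enabled"]:
        out.append(("DISABLED", "SSL VPN-Plus service is not enabled"))
    if cfg["port"] != 443:
        out.append(("PORT", f"listener is on TCP {cfg['port']}; remote clients must reach it"))
    if not cfg["certificate"]:
        out.append(("DEFAULT_CERT", "default certificate in use; import a CA-issued one"))
    for net in cfg["private_networks"]:
        if not net["over_tunnel"]:
            out.append(("BYPASS", f"{net['network']} is not sent over the tunnel"))
        elif not net["tcp_optimise"]:
            out.append(("NO_TCP_OPT", f"TCP optimisation is off for {net['network']}"))
    for pool in cfg["pools"]:
        subnet = ipaddress.ip_network(f"{pool['start']}/{pool['netmask']}", strict=False)
        if pool["start"] > pool["end"] or pool["end"] not in subnet:
            out.append(("RANGE", f"pool {pool['start']}-{pool['end']} does not fit {subnet}"))
        if pool["gateway"] not in subnet:
            out.append(("GATEWAY", f"pool gateway {pool['gateway']} is outside {subnet}"))
        for net in cfg["private_networks"]:
            # A virtual IP range overlapping a reachable network makes client routing ambiguous.
            if not (pool["end"] < net["network"].network_address
                    or pool["start"] > net["network"].broadcast_address):
                out.append(("OVERLAP", f"pool {pool['start']}-{pool['end']} overlaps {net['network']}"))
    return out


def firewall_rules(cfg):
    """North-south Edge firewall rules the walkthrough calls for: source is the
    pool's virtual IP range, destination is each network sent over the tunnel."""
    return [{"source": f"{p['start']}-{p['end']}", "destination": str(n["network"]), "action": "accept"}
            for p in cfg["pools"] for n in cfg["private_networks"] if n["over_tunnel"]]
```

Run against the sample, review_config reports only DEFAULT_CERT (the post deliberately kept the default certificate) and firewall_rules returns the single accept rule from the pool range to 172.16.10.0/24; swapping the pool into 172.16.10.0/24 or turning optimize off produces OVERLAP and NO_TCP_OPT findings.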

Optional Settings

These settings are not required but offer further customisation. The original post shows a screenshot of each of the following tabs:

  • Login/Logoff Scripts
  • General Settings
  • Portal Customisation

Web Access

You can also configure SSL VPN-Plus web access via a browser so remote end users do not need to install the client. I am not going to configure this; the original post includes a screenshot of the configuration options.

Testing the Configuration.

I have a VM that can hit the external IP address of my lab ESG that is running the SSL VPN-Plus service configured above. The IP address is 17.17.17.2:443.

I enter the credentials for the local user I created and click Login.

I am presented with a package that can be downloaded.

I click the package and select Install.

Once the client package has installed, the VMwareTray icon appears on the Desktop.

Launch the VMwareTray icon to launch the SSL VPN-Plus client software.

Click Login and enter the user credentials, then click OK.

The connection is established.

In the SSL VPN configuration I allowed remote connections to access the internal private network 172.16.10.0/24.

I can ping a VM (172.16.10.100) that I have sitting on this private network.

Awesome, it works!

And that wraps up the NSX SSL VPN-Plus feature. Very easy to configure. Hope you find this content useful.

The next blog, Part 9C will work through exam objective 3.2 covering: Configure L2 VPN service to stretch multiple logical networks across geographical sites.

Be Social; Please share.

  2. Wael Ali Mohamed October 20, 2016 at 11:11 am

    great work sir, keep it up please im following your blog closely for VCAP6-NV exam preparations.

    1. Thanks Wael, it’s a lot of work in each blog to generate the content: read a stack of material, lab it, then create the blog page in what I hope is very straight forward language. Once I have finished the blogs, I will spend another 2-3 weeks of solely deploying and configuring NSX until I can do it with my eyes closed. Good luck with your exam.

  3. Great work sir, keep it up please, im following your blog closely for my preparations for VCAP6-NV.

  4. Hi kiwiclint,

    Great job,this blog is phenomenal, helping for my exam, Please keep the good Work going, much Appreciated..! Thanks.
