SSL VPN-Plus using vShield Edge – How To

I know since a long time, I kept on saying this place is not meant for any how to. No hard feeling for any one who write How To’s, but my focus was not to write something like, click here and click there and you should be fine.

However, today I am taking it back :).

Well, it all started with a Use Case scenario and a requirement from a different team altogether.

Now let me show you what is my setup and what was the requirement which lead me to write this post.

NestedLab
Now if you look at the above design, we have many nested cloud setups which is been used for some testing. These are all nested VMs, which means these are all registered on top of Virtual ESXi. These virtual ESXi are registered on top of Physical Hardware which is really robust in our case, so that it can take the entire load.

Now, you may think for this entire setup how many IPs you need. I can tell you its lot. To scale it as well, we can’t afford to have it run on top of Public IPs (Corp IPs). So, to minimize the use of Corp IPs and the scalability purpose we have deployed a vSM and an Edge device.

Today every one knows that we have 10 interfaces (Internal and External) in a Edge device. For external of course we need one and for our purpose we just took one interface and made it as Internal.

This interface is running a 192.168.0.0/16 Static IP Pool. This way we can have as many as 656534 usable IP address. This is of course enough for our requirement.

Our external network is running on 10.100.100.0/24 network. This can have as many as 254 usable IP Address and thus we had to segregate it using Edge. Let me also show you how we carved it out inside the virtual (nested) cloud.

Tenants

 

Our nested cloud is actually running on top of another private network which is segregated with Org Edge GW.

Now comes the real requirement. We actually needed to have consumers access the vCD cell to satisfy their need.

Oops!! The immediate question comes into mind is, how many cloud do we need, because according to that we need so many IPs right??

You may say, well this is not a problem, we can easily create a DNAT rule in Edge and have the Public IP mapped to the Private vCD Cell IP right?? Again the question, we have 254 IPs and we need to have our Mgmt Stack up with these IPs well. Can we actually look at this solution if we need to scale it out and the answer is no.

Now, what left in our hand is, creating a tunnel to the Edge and have the users get access to everything they need and of course we have firewall to block unwanted traffic. Here I thought of bringing an SSL VPN-Plus.

If you are logged in to the SSL VPN using your Edge device then you have access to all of your internal resources. Of course you have option to give access to particular port right, so why to worry? Let me show you now how to begin with and a step by step approach.

1. Login to your vSM portal and expand the Datacenters section and choose the Datacenter where you want to deploy the VPN through Edge.

2. Select Network Virtualization from the right hand side -> Select the Edge and Click on Actions -> Select Manage

Edge-DC

 

3. Once it opens up, go to the VPN Tab and it should show you the Dashboard.

Edge-VPNTab

 

4. First thing which you need to do it, Select Server Settings and click on Change button at the right hand tree.

5. At this stage select the external interface where you want to enable the SSL VPN. This will become your VPN termination IP. Rest of the input can be taken as default.

Edge-VPNServer

 

6. Now you should move to the IP Pool Item. Click on the Green “+” sign to add a IP Pool. This is basically going to be allocated when a client from outside connect to the VPN. The moment client connect to the VPN he will have an IP Address from this Pool and that will be assigned to his VPN Network Adapter.

Note: Here, you should choose the other subnet rather than the internal subnet what you have. In our requirement, our internal subnet is 192.168.0.0/16. So, we have used 172.168.0.0/24. That means 254 client can get one one IP address.

Edge-VPNIPPool

 

7. After this move to the Private Networks section. Click on the green “+” icon to add a Private Network space. You need to add which network this VPN should give access to. That means once a client login to the VPN which networks they will have access to. In this example we have given the 192.168.0.0/16 network access. That means when a client logs in to the VPN he/she will have access to the entire private clouds.

You also need to select how the traffic will be forwarded, by default entire traffic is forwarded SSL VPN Over Tunnel. If you select Traffic through Tunnel then you should enable TCP Optimization to optimize the internet speed. Read the below paragraph from vShield Admin guide.

Conventional full-access SSL VPNs tunnel sends TCP/IP data in a second TCP/IP stack for encryption over the internet. This results in application layer data being encapsulated twice in two separate TCP streams. When packet loss occurs (which happens even under optimal internet conditions), a performance degradation effect called TCP-over-TCP meltdown occurs. In essence, two TCP instruments are correcting a single packet of IP data, undermining network throughput and causing connection timeouts. TCP Optimization eliminates this TCP-over-TCP problem, ensuring optimal performance.

Type the port numbers that you want to open for the remote user to access the corporate internal servers/machines like 3389 for RDP, 20/21 for FTP, and 80 for http. If you want to give unrestricted access to the user, you can leave the Ports field blank.

Edge-VPNPrivateNW

 

8. Authentication is the next section. Here you have many options like, AD, LDAP, RADIUS, RSA-ACE and LOCAL. For our purpose we have chosen LOCAL. This is the basic authentication method and requires very less administrative overhead. We can have the local users added to the Users section and can have them authenticated locally.

You can select Password Policy where you have the option of choosing Password Length, Expiry, account lockout policy and so on.

 

Edge-VPNAuth

9. Now comes the Installation Package. Here we need to create an installation package of the SSL VPN-Plus client for the remote user. This is how the client will get the VPN Client software on their client machine. We support Windows, MAC and Linux.

Also you can select Installation Parameters here as well, like, create desktop icon, start client at logon, allow remember password and so on.

Click on the green “+” icon to add the client installation package. Within this window select the Green “+” icon to add the gateway. This is the same IP which you have chosen at the time of enabling outside VPN access. This is nothing but external IP address of your Edge device.

ClientPkg1

10. At the step 8 if you select LOCAL authentication, then you need to add some local users here. Select the Users section add some local users.

11. After this point there is no necessary things you should do, may be you can change some General Settings, like, preventing multiple logon using same user, compression, logging and so on.

For this select General Settings and click on Change at the right side and change the settings as per your requirement.

So, basically you are done with the configuration now and go back to the Dashboard, in the Service section click on Enable.

12. Now at the client side type the URL of the external IP of the Edge where you have enabled the SSL VPN (https://10.100.100.1/sslvpn-plus/)

13. Login to the portal using the local user which you have created at Step 8.

SSLClient

 

14. Here click on the SSL Client, this is basically a link which will download the client. Install the Client and then open it up. Click on Login and it will ask for the Username and Password. Supply the credentials as per Step 8 and now you should be logged in to the SSL VPN.

SSLLogin

SSLSuccess

Now once you are logged into it, you have all of the internal resource access. You either want to do RDP or SSH or other method to access all of your resources.

I hope this is useful to many of you as I did not find a single article on the net which can talk about the step by step process, so thought to enlighten the enthusiast who would like to implement similar solution.

 

About Prasenjit Sarkar

Prasenjit Sarkar is a Product Manager at Oracle for their Public Cloud with primary focus on Cloud Strategy, Oracle Openstack, PaaS, Cloud Native Applications and API Platform. His primary focus is driving Oracle’s Cloud Computing business with commercial and public sector customers; helping to shape and deliver on a strategy to build broad use of Oracle’s Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings such as Compute, Storage, Java as a Service, and Database as a Service. He is also responsible for developing public/private cloud integration strategies, customer’s Cloud Computing architecture vision, future state architectures, and implementable architecture roadmaps in the context of the public, private, and hybrid cloud computing solutions Oracle can offer.

One thought on “SSL VPN-Plus using vShield Edge – How To