NSX Edge vs vShield Edge: Part 5 – SSL VPN-PLUS

Overview:

The SSL VPN-Plus feature has been around since the VSE 5.x days and, as I've found out, was possibly the best underused feature of the VSE. Contributing to its lack of use was the fact that the functionality was not exposed via vCloud Director, so one of the best use cases for the SSL VPN remained hidden from those who might have taken advantage of it the most.

With SSL VPN-Plus, remote users can connect securely to private networks behind VSE and NSX Edges, giving them access to servers and applications in those private networks or Virtual Datacenters.


The graphic above is pulled from the NSX online documentation and shows the basic logical overview of what the SSL VPN-Plus feature enables. Windows is used in the example above, but there are also clients for MacOS (Tiger, Leopard, Snow Leopard, Lion, Mountain Lion, and Mavericks) and Linux (Tcl/Tk is required for the UI to work; if it is not present, the Linux client can be used from the CLI).

Configuring SSL VPN-Plus From Web Client:

As a prerequisite, the VSE or NSX Edge requires a certificate to be available in the Edge config. To see how to create a self-signed SSL certificate, click here to view Part 4.

The steps to configure and enable the SSL VPN are listed below, with each step expanded on through the rest of the post.

  • Add SSL VPN-Plus Server Settings
  • Add an IP Pool
  • Add a Private Network
  • Add Authentication
  • Add a User
  • Add Installation Package
  • Enable the SSL VPN-Plus Service

To enable the SSL VPN, go to Networking & Security -> NSX Edges, double-click the Edge in question, open the SSL VPN-Plus tab, go to Server Settings and click Change.

Select the primary IPv4 address and choose the SSL certificate (for the purpose of this example the default should be OK) and click OK. Note that if you are going to be hosting other SSL-enabled services off the Edge, it is probably a good idea to use a non-standard port such as 9443 so as not to have issues binding web services to the standard port later on.

Head to the IP Pool Menu and add an IP Pool. The remote user is assigned a virtual IP address from the IP pool that you create.

The IP pool should be on a different subnet from the configured vNICs.

On the Private Networks menu, add the network that you want the remote user to be able to access.

  • Type the private network IP address.
  • Type the netmask of the private network.
  • Type a description for the network. (Optional)
  • Specify whether you want to send private network and internet traffic over the SSL VPN-Plus enabled NSX Edge, or directly to the private server by bypassing the NSX Edge.
  • If you selected Send traffic over the tunnel, select Enable TCP Optimization to optimize the internet speed.
    • Conventional full-access SSL VPN tunnels send TCP/IP data inside a second TCP/IP stack for encryption over the internet. This results in application-layer data being encapsulated twice in two separate TCP streams. When packet loss occurs (which happens even under optimal internet conditions), a performance degradation effect called TCP-over-TCP meltdown occurs: two TCP instances are both trying to correct the loss of a single IP packet, undermining network throughput and causing connection timeouts. TCP Optimization eliminates this TCP-over-TCP problem, ensuring optimal performance.
  • Type the port numbers that you want to open for the remote user to access the corporate internal servers/machines, like 3389 for RDP, 20/21 for FTP, and 80 for HTTP. If you want to give unrestricted access to the user, you can leave the Ports field blank.
  • Enable the private network.

On the Authentication menu you have the option to add the authentication method. Instead of a local user, you can add an external authentication server (AD, LDAP, RADIUS, or RSA) which is bound to the SSL gateway. For this example we will configure local authentication: in the Add Authentication Server dialog select Local, configure the following options and click OK.

The installation package is downloaded from the SSL VPN web UI and installed on the remote machine that connects to the private network. Go to Installation Package, where you create an installation package of the SSL VPN-Plus client for the remote user. By default the following needs to be configured.

Go to the Users page to create a default user account.

Head back to the Dashboard menu and click the Enable button.

The service is now enabled with the configuration items specified above.

To test that the SSL VPN is enabled and accessible, use a web browser to hit the IP address and port selected in the config.
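Before typing the values above into the Web Client it is worth checking them against the constraints the steps call out: the IP pool must not share a subnet with an Edge vNIC, a blank Ports field on a private network means unrestricted access, TCP Optimization only applies when traffic is sent over the tunnel, and port 443 will clash with any other HTTPS service hosted on the same Edge. The script below is an added example of such an offline pre-flight check; it is not code from the original post or from VMware, and the dataclasses, function names and all addresses in it are constructed for illustration (the Ports field is assumed to hold a comma-separated list of single port numbers).

```python
"""Offline pre-flight check for a planned SSL VPN-Plus configuration.

Added example (not from the original post or VMware). It validates the
plan against the rules stated in the configuration steps so that mistakes
are caught before the Edge is touched. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrivateNetwork:
    network: str                    # CIDR, e.g. "10.0.10.0/24"
    over_tunnel: bool               # True = "Send traffic over the tunnel"
    tcp_optimization: bool = False  # "Enable TCP Optimization" checkbox
    ports: str = ""                 # Ports field; blank = unrestricted access


@dataclass
class SslVpnPlan:
    server_ip: str                  # primary IPv4 address of the Edge
    server_port: int                # SSL VPN-Plus listener port
    ip_pool: str                    # CIDR handed out to remote users
    vnic_subnets: List[str]         # subnets configured on the Edge vNICs
    private_networks: List[PrivateNetwork]
    hosts_other_https: bool = False # other SSL-enabled services on the Edge?


def parse_ports(ports: str) -> Optional[List[int]]:
    """Return the listed ports, or None when the field is blank (unrestricted).

    Assumes a comma-separated list of single port numbers, e.g. "3389, 22".
    """
    if not ports.strip():
        return None
    result = []
    for item in ports.split(","):
        port = int(item.strip())
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range: {port}")
        result.append(port)
    return result


def check_plan(plan: SslVpnPlan) -> List[str]:
    """Return a list of findings; entries start with ERROR or WARN."""
    findings: List[str] = []
    ipaddress.ip_address(plan.server_ip)  # raises on a malformed address
    if not 0 < plan.server_port <= 65535:
        findings.append(f"ERROR: server port {plan.server_port} is out of range")
    elif plan.server_port == 443 and plan.hosts_other_https:
        findings.append("WARN: port 443 will clash with other HTTPS services "
                        "hosted on the Edge; consider a non-standard port such as 9443")

    pool = ipaddress.ip_network(plan.ip_pool, strict=False)
    # The IP pool must live on a different subnet from the configured vNICs.
    for subnet in plan.vnic_subnets:
        vnic = ipaddress.ip_network(subnet, strict=False)
        if pool.overlaps(vnic):
            findings.append(f"ERROR: IP pool {pool} overlaps vNIC subnet {vnic}; "
                            "use a different subnet for the pool")

    for pn in plan.private_networks:
        net = ipaddress.ip_network(pn.network, strict=False)
        if parse_ports(pn.ports) is None:
            findings.append(f"WARN: private network {net} has a blank Ports field, "
                            "so remote users get unrestricted access to it")
        if pn.tcp_optimization and not pn.over_tunnel:
            findings.append(f"WARN: TCP Optimization on {net} has no effect because "
                            "traffic bypasses the Edge rather than going over the tunnel")
    return findings


# Constructed sample plan: pool on its own subnet, one unrestricted network,
# TCP Optimization ticked on a bypass network, listener left on 443.
SAMPLE_PLAN = SslVpnPlan(
    server_ip="192.0.2.10",
    server_port=443,
    ip_pool="192.168.250.0/24",
    vnic_subnets=["192.0.2.0/24", "10.0.10.0/24"],
    private_networks=[
        PrivateNetwork("10.0.10.0/24", over_tunnel=True, tcp_optimization=True, ports="3389, 22"),
        PrivateNetwork("10.0.20.0/24", over_tunnel=True, ports=""),
        PrivateNetwork("10.0.30.0/24", over_tunnel=False, tcp_optimization=True, ports="80"),
    ],
    hosts_other_https=True,
)

if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN):
        print(line)
```

Running the sample plan yields three warnings and no errors; swapping the pool for a range inside one of the vNIC subnets (say `10.0.10.128/25`) turns the first check into an ERROR, which is the mistake the "different subnet" note above is guarding against.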

Configuring SSL VPN-Plus With NSX API:

Below are the key API commands to configure and manage SSL VPN-Plus.
