
How to Configure SSL VPN for Forcepoint NGFW

TECHNICAL DOCUMENT
Table of Contents

OVERVIEW
SSL VPN – CASE STUDY
CONFIGURE THE NGFW ENGINE
ADD SSL VPN USERS
ADDING LOCAL USERS TO THE SMC DATABASE
ADDING LOCAL USERS TO A USER GROUP
DATABASE REPLICATION TO THE NGFW
CONFIGURATION OF SSL VPN POLICIES
CONFIGURE SSL VPN PORTAL SERVICES
CONFIGURE THE SSL VPN PORTAL POLICIES
CONFIGURE THE SSL VPN PORTAL
TESTING THE SSL VPN
LOGGING IN AND TESTING LINKS
SSL VPN TROUBLESHOOTING
OVERVIEW
DID THE TRAFFIC MAKE IT TO THE CORRECT FIREWALL?
DID THE FIREWALL ACCEPT THE TRAFFIC?
NOW WHAT?

Technical Document 1
Overview
The Forcepoint SSL VPN gives a user a way to reach protected resources from a web browser over an
HTTPS session protected by SSL/TLS. Because no client software has to be installed, it is typically more
portable than an IPsec VPN; the trade-off is that, in portal mode, only the web resources published
through the portal are reachable.

The purpose of this document is to provide a sample network, a configuration overview, and
troubleshooting steps to aid in simple problem resolution.

SSL VPN – Case Study


SAH Corporate is a global company that manufactures widgets. Many of its employees travel and work
remotely, so SAH needs a way for them to connect securely to internal resources and carry out their
day-to-day tasks. The remote networks they work from are considered untrusted. With the Forcepoint SSL
VPN portal, users reach internal resources remotely through the browser without a network-layer tunnel
being built to the client.

NETWORK DIAGRAM AND INFORMATION


Relevant User Information:

USER            LOGIN     DUTY         GROUP
JOHN GERO       JGERO     SECRETARY    ACCOUNTING
ELSA SMITH      ESMITH    IT           CORPORATE
ADMINISTRATOR                          SECURITY

Relevant IP Information:

INTERFACE        IP ADDRESS
WAN              10.100.0.33
DMZ              172.16.20.1
INSIDE           172.16.50.1
HTTP SERVER 1    172.16.50.101
HTTP SERVER 2    172.16.50.130

Network Diagram:

BASIC SSL VPN CONFIGURATION FLOW

Basic SSL VPN configuration consists of four steps:

- Configure the NGFW Engine
- Configure SSL VPN Policies
- Test the SSL VPN
- Troubleshoot connectivity issues

Configure the NGFW Engine
The Next Generation Firewall Engine has two settings that must be reviewed when configuring SSL VPN:
the VPN end-point on the external interface, and the VPN types that end-point accepts. To review the
Engine configuration, log into the Security Management Center (SMC) and follow the steps below:

1. Right-click the Engine that will be configured and click Properties.

2. Expand VPN > End-Points. Right-click the interface in question (the WAN interface, 10.100.0.33, in
this case study) and click Properties.

3. Under the VPN Type section, select the radio button for All Types or Selected Types Only. If the
latter is selected, select SSL VPN Portal (SSL VPN Tunnel can also be selected, but tunnel mode is not
covered in this case study). Click OK to close the Properties window.

4. Select the Enable check box for the end-point.

Save and install the policy. The end-point is not active on the engine until the policy has been installed.

ADD SSL VPN Users
ADDING LOCAL USERS TO THE SMC DATABASE
1. On the SMC Home page, click the Configuration button.

2. Expand User Authentication > Users and select InternalDomain. Right-click the stonegate domain and
select New > Internal User.

3. On the General tab, enter the user name in the Name field.

4. Select the Authentication tab.

5. Under Authentication Methods, click Add and select User Password.

6. Under Password Properties, enter the password for the user and repeat it in the Confirm Password
field.

7. Click OK.

8. Repeat the process for the additional users. Local users are convenient for a lab; for production,
an external authentication server or SSO domain is usually preferred so that passwords are not managed
in the SMC database.

Sample User configuration (Authentication):

ADDING LOCAL USERS TO A USER GROUP

1. In the Configuration view, expand User Authentication > Users and select InternalDomain.

2. Right-click the stonegate internal domain and select New > Internal User Group.

3. Specify the group name (Portal_Users in this case study) and an optional comment.

4. Click OK.

5. Drag and drop the previously created users into the Portal_Users group. The portal policy rules will
reference this group, so a user who is not a member of it cannot use the portal services.

DATABASE REPLICATION TO THE NGFW

1. Go to the SMC Home page by clicking the HOME icon in the navigation bar.

2. Right-click the firewall, go to Options and enable User DB Replication. This copies the internal user
database to the engine; without it the engine cannot authenticate the local users created above.

Configuration of SSL VPN Policies
CONFIGURE SSL VPN PORTAL SERVICES
1. On the SMC Home page, click the Configuration button.

2. In the Navigation pane, expand the VPN section and then the SSL VPN Portal section.

3. Click SSL VPN Portal Services. Right-click in the Policy pane (right side) and select New SSL VPN
Portal Service.

4. Select the General tab. Enter the Name, External URL Prefix and Internal URL. The External URL Prefix
is the path segment users see behind the portal address, and the Internal URL is the server the portal
forwards those requests to. For the case study, Http_WebServer1 uses the prefix Server1 and the Internal
URL of HTTP server 1, http://172.16.50.101.

Select the Look and Feel tab. Enter a value for the Title field. Click OK.

5. Create a second SSL VPN Portal Service in the same way for HTTP server 2 (Internal URL
http://172.16.50.130): fill in the Name, External URL Prefix and Internal URL on the General tab and the
Title on the Look and Feel tab, then click OK.

CONFIGURE THE SSL VPN PORTAL POLICIES
1. In the Policy pane, select SSL VPN Portal Policies. Right-click in the SSL VPN Portal Policy pane
and select New SSL VPN Portal Policy. Populate the General tab and click OK.

2. Right-click the SSL VPN Portal Policy entry that was just created and select Edit SSL VPN Portal
Policy <name>.

3. Right-click the default Discard all rule and select Add Rule.

4. Using the values in the Resources pane, populate the new rule with the SSL VPN Portal Service and
the Authentication value (the Portal_Users group) configured previously. Add one rule per portal service
the group may use, and leave Discard all as the last rule so that anything not explicitly allowed is
rejected.

5. Save the policy by clicking the Save icon in the navigation bar.
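To make the relationship between Portal Services, Portal Policy rules and user groups concrete, the
following Python model is an added example (it is not Forcepoint code and not the engine's
implementation). It evaluates a user's request the way the configuration above is meant to: the External
URL Prefix selects a Portal Service, a policy rule must allow one of the user's groups for that service,
and anything else falls through to Discard all. The service name, Server1 prefix, internal addresses and
the Portal_Users group come from the case study; the /Server2 prefix, each user's group membership and
the path normalisation before prefix matching are assumptions of this model.

```python
"""Added example (not Forcepoint code): a model of how SSL VPN Portal Services,
Portal Policy rules and user groups combine into an allow-list.
Assumed: the /Server2 prefix, the users' group memberships, and that the portal
normalises the request path before matching a prefix."""
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class PortalService:
    name: str
    external_prefix: str   # External URL Prefix: path segment seen by the remote user
    internal_url: str      # Internal URL: server the portal forwards matching requests to


@dataclass(frozen=True)
class PortalRule:
    service: str           # PortalService.name
    groups: frozenset      # Authentication value: user groups allowed to use the service


SERVICES = {s.name: s for s in (
    PortalService("Http_WebServer1", "/Server1", "http://172.16.50.101/"),
    PortalService("Http_WebServer2", "/Server2", "http://172.16.50.130/"),  # prefix assumed
)}

# Portal Policy: one rule per service, followed by the implicit "Discard all".
RULES = (
    PortalRule("Http_WebServer1", frozenset({"Portal_Users"})),
    PortalRule("Http_WebServer2", frozenset({"Portal_Users"})),
)

# Constructed sample of the internal user database after the drag-and-drop step.
USERS = {
    "jgero": frozenset({"Accounting", "Portal_Users"}),
    "esmith": frozenset({"Corporate", "Portal_Users"}),
    "administrator": frozenset({"Security"}),   # never added to Portal_Users
}


def normalize_path(path):
    """Collapse '.', '..' and repeated slashes so that '/Server1/../Server2'
    is authorised as /Server2, not as /Server1."""
    return "/" + posixpath.normpath(path or "/").lstrip("/")


def match_service(path, services):
    """Longest matching External URL Prefix wins; the prefix must end on a
    path boundary, so /Server1 does not capture /Server10."""
    best = None
    for svc in services.values():
        prefix = svc.external_prefix.rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best.external_prefix.rstrip("/")):
                best = svc
    return best


def resolve(user, external_url, services=SERVICES, rules=RULES, users=USERS):
    """Return the Internal URL the portal would fetch for this user, or None
    when the request falls through to Discard all."""
    if user not in users:
        return None                      # unauthenticated: login page only
    parts = urlsplit(external_url)
    path = normalize_path(parts.path)
    svc = match_service(path, services)
    if svc is None:
        return None                      # no Portal Service for this prefix
    if not any(r.service == svc.name and users[user] & r.groups for r in rules):
        return None                      # no rule allows any of this user's groups
    rest = path[len(svc.external_prefix.rstrip("/")):].lstrip("/")
    internal = urlsplit(svc.internal_url)
    base = internal.path if internal.path.endswith("/") else internal.path + "/"
    return urlunsplit((internal.scheme, internal.netloc, base + rest, parts.query, ""))


if __name__ == "__main__":
    for user, url in (
        ("jgero", "https://10.100.0.33/Server1/index.html"),
        ("jgero", "https://10.100.0.33/Server1/../Server2/reports?q=1"),
        ("jgero", "https://10.100.0.33/Server10/"),
        ("administrator", "https://10.100.0.33/Server1/"),
        (None, "https://10.100.0.33/Server1/"),
    ):
        print(f"{user!s:14} {url:52} -> {resolve(user, url) or 'DISCARD'}")
```

Running the file prints the decision for a handful of requests. The point to take from it is that the
portal policy is an allow-list: a prefix with no Portal Service, or a user outside Portal_Users, gets
nothing, and a request such as /Server1/../Server2/ is authorised against the normalised target rather
than the prefix the client typed.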

CONFIGURE THE SSL VPN PORTAL

1. In the Policy pane, select SSL VPN Portals. Right-click in the SSL VPN Portal pane (right side) and
select New SSL VPN Portal.

2. On the General tab, enter the name, select the SAHPORTAL SSL VPN Portal Policy and enter the
hostname users will connect to. It must resolve to the end-point address selected under the NGFW Engine
properties earlier (10.100.0.33 in this case study); if there is no DNS name, use that IP address. Upload
a certificate or select Use Self-Signed Certificate. A self-signed certificate is fine for testing, but it
produces browser warnings and trains users to click through them, so use a certificate from a trusted CA
for a production portal.

3. Select the Look & Feel tab. Enter the Title for the SSL VPN Portal.

4. Select the Target Engine tab. Click Add. Right-click the Target Engine column and select Edit Target
Engine. Select the SAH engine and click Select. Click OK.

Save and install the policy so that the portal is deployed to the target engine before testing.

TESTING THE SSL VPN
LOGGING IN AND TESTING LINKS
1. Open a browser and enter https://10.100.0.33 in the address bar. With a self-signed certificate the
browser warns about the certificate before showing the login page.

2. Log in with John Gero's user name (johngero) and the password entered previously.

3. Click the link to access Http_WebServer1.

4. Verify that the link opens and note the address bar.

5. The address bar shows the portal address with the External URL Prefix (Server1) appended; this is the
prefix configured in the SSL VPN Portal Service. The portal fetches the page from the Internal URL
(172.16.50.101) on the user's behalf, so the browser never connects to the internal server directly.

6. Test the HTTP server 2 connection in the same way.

Test the SSL VPN with SSO Domains and different policies to limit access and customize the SSL VPN
users' experience.

SSL VPN Troubleshooting
OVERVIEW
Most issues are best worked through in a fixed order, so that each step rules out one layer before
moving to the next. The overview:
1. Did the traffic make it to the correct Firewall?
2. Did the firewall accept the traffic?
3. Now what?

DID THE TRAFFIC MAKE IT TO THE CORRECT FIREWALL?

1. Check the logs to verify that the packets arrive at the firewall and are not being dropped.

2. Verify that basic connectivity is not the issue: test reachability of the end-point address with ping
and traceroute from the client network, and confirm that the portal hostname resolves to that address.

DID THE FIREWALL ACCEPT THE TRAFFIC?

1. If the packets reach the firewall, ensure that the correct interface is Enabled in the End-Points
configuration under the Engine Properties.

2. Ensure that the SSL VPN port is correct in the Configuration > VPN > SSL VPN Portal configuration.

3. Review the logs for any connection entries related to the portal.

NOW WHAT?
1. Can you log in? Verify the password for the end user, that the user is a member of the group
referenced by the portal policy rule, and that the user database has been replicated to the engine.

2. Ensure that the IP and hostname specified under Configuration > VPN > SSL VPN Portal > SSL VPN
Portals are correct. If you are using a public IP address, ensure that the hostname in the HTTP Host
header resolves to it. This issue manifests while logging into the portal.

3. Ensure you have the latest firmware installed. This rules out possible bugs and compatibility issues.
(Optional)

4. Verify the TLS version your browser supports against the TLS versions enabled for the SSL VPN. The
default TLS entries for the SSL VPN are below:

Contact FORCEPOINT Support for issues related to the FORCEPOINT NGFW. We are here to help!
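The login test above and the three troubleshooting questions can be driven from a client as a script.
The following Python is an added example, not a Forcepoint tool: it resolves the portal hostname, opens a
TCP connection, completes the TLS handshake, checks that the certificate is issued for the hostname
configured on the SSL VPN Portal object, and finally sends an HTTP request carrying that hostname in the
Host header. It stops at the first failure and names the question to start with. PORTAL_URL and
EXPECTED_HOSTNAME are assumptions taken from the case study, and the mapping from a failed check to a
question follows the headings above.

```python
"""Added example (not a Forcepoint tool): run the three troubleshooting questions
against the SSL VPN portal from a client. PORTAL_URL/EXPECTED_HOSTNAME are assumed."""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

PORTAL_URL = "https://10.100.0.33/"     # case-study WAN end-point (assumed portal address)
EXPECTED_HOSTNAME = "10.100.0.33"       # hostname/IP entered on the SSL VPN Portal object

# Which of the three questions a failing check sends you to.
QUESTION_FOR = {
    "dns": "Did the traffic make it to the correct Firewall?",
    "tcp": "Did the traffic make it to the correct Firewall?",
    "tls": "Did the firewall accept the traffic?",
    "cert": "Now what?",
    "http": "Now what?",
}


def cert_name_matches(hostname, cert):
    """Match a hostname or IP literal against a getpeercert()-style dict. SANs are
    authoritative; the subject CN counts only when there is no SAN at all."""
    host = hostname.lower().rstrip(".")
    sans = cert.get("subjectAltName", ())
    dns_names = [v.lower() for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    if not sans:
        dns_names = [v.lower() for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    if host in ip_names:
        return True
    for name in dns_names:
        if name == host:
            return True
        # A wildcard covers exactly one leftmost label.
        if (name.startswith("*.") and host.count(".") >= 2
                and host.split(".", 1)[1] == name[2:]):
            return True
    return False


def next_question(results):
    """results: list of (check, ok, detail). Name the question to start with, or None."""
    for check, ok, _detail in results:
        if not ok:
            return QUESTION_FOR[check]
    return None


def probe(url=PORTAL_URL, expected_hostname=EXPECTED_HOSTNAME, timeout=5.0):
    """Run the checks in order and stop at the first failure."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    results = []
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)})
        results.append(("dns", True, addrs))
    except socket.gaierror as e:
        results.append(("dns", False, str(e)))
        return results
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        results.append(("tcp", True, f"{host}:{port}"))
    except OSError as e:   # timeout: likely dropped en route; refused: a host with no listener
        results.append(("tcp", False, str(e)))
        return results
    ctx = ssl.create_default_context()
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
        results.append(("tls", True, f"{tls.version()} {tls.cipher()[0]}"))
        results.append(("cert", cert_name_matches(expected_hostname, tls.getpeercert()),
                        "certificate name vs. portal hostname"))
    except ssl.SSLCertVerificationError as e:
        # TLS completed, so the engine accepted the traffic; the portal certificate is just
        # untrusted (self-signed) or issued for another name. Reconnect unverified to go on.
        raw.close()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                              server_hostname=host)
        results.append(("tls", True, f"{tls.version()} {tls.cipher()[0]}"))
        results.append(("cert", False, e.verify_message))
    except ssl.SSLError as e:   # no TLS at all, or a version/cipher mismatch
        results.append(("tls", False, str(e)))
        return results
    tls.close()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    # The Host header must carry the hostname configured on the portal, not only the IP.
    conn.request("GET", "/", headers={"Host": expected_hostname})
    resp = conn.getresponse()
    results.append(("http", resp.status in (200, 301, 302, 303, 307),
                    f"HTTP {resp.status} {resp.getheader('Location') or ''}".strip()))
    conn.close()
    return results


if __name__ == "__main__":
    res = probe()
    for check, ok, detail in res:
        print(f"{'ok  ' if ok else 'FAIL'} {check:4} {detail}")
    print("Start with:", next_question(res) or "all checks passed; test the portal links as a user")
```

Run it from the same network the remote user is on. A TCP timeout points at routing or a drop in front
of the engine, a TLS failure at the end-point or port settings, and a certificate or HTTP failure at the
portal object itself, which is the order the three headings above follow.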
