Configure and Manage SSL VPN in NSX

SSL VPN on NSX Edge Gateway allows end-user to connect to a private network through a SSL-VPN tunnel so that the end-user can access the application/services which are hosted on remote site, on their local network. Application/services can be accessed via Web-based SSL client or a regular client. 

Below image taken from NSX Administration Guide demonstrates the process of connecting to private network via SSL-VPN

                                           Graphic Thanks to VMware

To configure SSL VPN, double click on the Edge Gateway and navigate to Manage > SSL VPN-Plus tab. 

Go to Server Settings and click on Change button.

Select the ESG IP to which end user will connect via SSL VPN and select the appropriate encryption algo. make sure port 443 is populated. Hit OK to save settings.

Go to IP Pool page and click on + button to add a pool of IP. 

This is the local IP which end user gets when they connect to SSL VPN. 

Provide the IP range and subnet mast and gateway etc and hit OK. 

Go to Private Networks and click on + button.

Select the private network to which end user will get access post connecting to SSL VPN. 

Specify whether you want to send private network and internet traffic over the SSL VPN-enabled NSX Edge or directly to the private server by bypassing the NSX Edge. If you selected Send traffic over the tunnel, select Enable TCP Optimization to optimize the internet speed.

Go to Authentication tab and click on + button.

You can use following authentication methods:

  • AD
  • LDAP
  • Local
  • Radius
  • RSA-ACE

In my lab, I am using local authentication. If you select this then you can specify  following:

  • Password length and password complexity etc.
  • Password expiration (in days) and when end user will be notified when password is about to expire. 
  • Account lockout policy.

Once you are done with your selection, make sure status is set to Enabled before clicking OK.

To know about configuring other authentication mechanism, please see this article from VMware NSX Administration Guide.

Next is to create installation package. Click on + button to create new package.

Provide a name for the profile and for the gateway IP type the IP address or FQDN of the public interface of NSX Edge and port 443.

Select the platform for which you want to create installation package. Windows is selected by default. In my lab I created package only for windows os.

Select the installation parameters and make sure status is set to enabled before your hit ok.

You can configure following installation parameters 

Go to users page and click on + button to add users.

Specify username/password and first name/last name for the user (optional)

Specify password details and set status to Enabled and hit OK.

From the dashboard tab, enable the SSL VPN service.

To download the SSL installation package, connect to the NSX edge public IP address (specified during package installation task) and punch in the user details created in previous step.

Click on Download Phat Client.

Once the installation is completed, launch the Phat Client and select the network to which you want to connect.

You will be presented with a certificate alert as we are not using signed certificates. Click yes to continue.

Punch in your username/password (created during user creation task) and hit OK.

and you will be connected to the SSL VPN.

You can verify the local IP which you got and verify it matches with what you configured on edge. Also you can see the private subnets which will be now directly accessible from local machine.

Now let’s test the configuration. From my local desktop I RDP’ed into one of my windows server using its private ip.

and I can see a certificate warning (usually we get while doing mstsc) and I was connected to my server.

I  hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 

Leave a ReplyCancel reply