VNS3 Configuration - cohesive-networks.s3.amazonaws.com · Best Effort Any IPsec device that...


VNS3 Configuration Quick Launch for first time VNS3 users in Azure


© 2018

Table of Contents


Setup 3

Notes 9

Create a Static IP 12

Create a Network Security Group 14

Launch VNS3 from Marketplace 19

VNS3 Unencrypted VLAN Setup 27

Next: Configuration 31


Setup


Requirements


• You have an Azure account (for a Free Azure trial, visit http://azure.microsoft.com/en-us/pricing/free-trial).

• You have the ability to configure a client (whether desktop-based or cloud-based) to use the OpenVPN TLS VPN client software.

• You have a compliant IPsec firewall/router networking device:

Preferred: Most models from Cisco Systems*, Juniper, WatchGuard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

Best Effort: Any IPsec device that supports IKEv1 or IKEv2, AES-256, AES-128 or 3DES, and SHA-1 or MD5. 3DES, SHA-1 and MD5 are listed for interoperability with older peers; where both ends support it, negotiate AES with a SHA-2 integrity algorithm instead.

*Known Exclusions: Check Point R65+ requires native IPsec connections, because Check Point does not conform to the NAT-Traversal standards, and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.


Getting Help with VNS3


This guide covers a very generic VNS3 setup in the Azure cloud using the latest Resource Manager workflow. Classic Azure portal can be used, but there are some use-case restrictions given the limited controls.

If you need specific help with project planning, POCs, or audits, contact our professional services team via [email protected] for details.

Please review the VNS3 Support Plans and Support Site FAQ before opening a ticket.


Firewall Considerations


VNS3 Controller instances use the following TCP and UDP ports:

• UDP port 1194: For client VPN connections; must be accessible from all servers that will join the VNS3 topology as clients.

• UDP ports 1195-1203: For tunnels between Controller peers; must be accessible from all peers in a given topology. VNS3:vpn and VNS3:net Lite Edition do not require the peering ports to be open, as they are not licensed for Controller Peering.

• TCP port 8000: HTTPS admin interface. Must be accessible from the hosts you will use to obtain runtime status or configure peering; must also be open to and from the Controllers, at least for the duration of the peering process; and must be reachable when downloading credentials for installation on overlay network clients.

• UDP port 500: Used for the phase 1 (IKE, Internet Key Exchange) component of an IPsec VPN connection.

• ESP (IP protocol 50) and possibly UDP port 4500*: IP protocol 50 carries the phase 2 (ESP, Encapsulating Security Payload) component of an IPsec VPN connection when negotiating native IPsec. UDP port 4500 carries the same phase 2 traffic when NAT-Traversal encapsulation is in use.

*Azure allows protocol 50 past its edge, but at the time of this document's publication the network security group configuration requires all protocols to be open between a specific source IP and the VNS3 controller NIC/subnet. Scope that rule to the remote IPsec peer's address only; never open all protocols from the Internet.
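As an added example (not Cohesive's code or tooling), the following Python builds the inbound Network Security Group rule set implied by the port list above, using the field names of the azure-mgmt-network SecurityRule model, and then checks that nothing in it leaves TCP 22 open to the world, which is the portal default the Settings step tells you to delete. The Controller subnet, the client/peer/admin ranges and the IPsec peer address are constructed placeholders; nothing here contacts Azure.

```python
"""Inbound NSG rules for a VNS3 Controller, derived from the port list above.

Added example, not Cohesive's code. Rule dicts follow the azure-mgmt-network
SecurityRule field names; apply them with your own tooling. All CIDRs and the
IPsec peer address are constructed placeholders.
"""
import ipaddress

# Assumption: the Controller NIC lives in the /28 used later in this guide.
VNS3_SUBNET = "10.10.10.240/28"
# Source values that mean "everyone" in an NSG rule.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def _rule(name, priority, protocol, source, dest_ports, description):
    """One Allow/Inbound rule. Source is a CIDR, '*' or the Azure tag 'Internet'."""
    if source not in ANY_SOURCE:
        ipaddress.ip_network(source, strict=False)  # fail early on a bad prefix
    return {
        "name": name,
        "priority": priority,
        "direction": "Inbound",
        "access": "Allow",
        "protocol": protocol,                  # "Udp", "Tcp" or "*" (all protocols)
        "source_address_prefix": source,
        "source_port_range": "*",
        "destination_address_prefix": VNS3_SUBNET,
        "destination_port_range": dest_ports,  # "1194", "1195-1203" or "*"
        "description": description,
    }


def vns3_inbound_rules(client_cidrs, peer_cidrs, admin_cidrs, ipsec_peer_ips,
                       lite_edition=False):
    """Return the rule list for one Controller.

    client_cidrs   networks running the OpenVPN clientpack      -> UDP 1194
    peer_cidrs     other Controllers in the topology             -> UDP 1195-1203
    admin_cidrs    where the HTTPS admin UI may be reached from  -> TCP 8000
    ipsec_peer_ips public addresses of remote IPsec endpoints    -> UDP 500, UDP 4500,
                   plus all protocols from that one address, which is how an NSG
                   admits ESP (IP protocol 50): it cannot match on protocol number.
    Lite/Free editions are not licensed for peering, so no peering rule is emitted.
    """
    rules = []

    def add(prefix, protocol, source, ports, description):
        priority = 100 + 10 * len(rules)   # unique, ascending priorities
        name = f"{prefix}-{len(rules)}"   # NSG rule names must be unique
        rules.append(_rule(name, priority, protocol, source, ports, description))

    for cidr in client_cidrs:
        add("vns3-clientpack", "Udp", cidr, "1194", "Overlay clients")
    if not lite_edition:
        for cidr in peer_cidrs:
            add("vns3-peering", "Udp", cidr, "1195-1203", "Controller peering")
    for cidr in admin_cidrs:
        add("vns3-admin", "Tcp", cidr, "8000", "HTTPS admin UI")
    for ip in ipsec_peer_ips:
        peer = f"{ipaddress.ip_address(ip)}/32"
        add("ipsec-ike", "Udp", peer, "500", "IKE (phase 1)")
        add("ipsec-natt", "Udp", peer, "4500", "NAT-Traversal")
        add("ipsec-esp", "*", peer, "*", "ESP, IP protocol 50; NSG has no per-protocol match")
    return rules


def _port_in_range(port, spec):
    """True if `port` falls inside an NSG port spec ('*', '22' or '1-1024')."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def exposes_ssh(rules):
    """Names of Allow/Inbound rules that let TCP 22 in from any source at all."""
    return [r["name"] for r in rules
            if r["access"] == "Allow" and r["direction"] == "Inbound"
            and r["source_address_prefix"] in ANY_SOURCE
            and r["protocol"] in ("Tcp", "*")
            and _port_in_range(22, r["destination_port_range"])]


if __name__ == "__main__":
    rules = vns3_inbound_rules(["10.10.10.0/25"], ["10.20.0.0/24"],
                               ["203.0.113.0/24"], ["198.51.100.7"])
    for r in rules:
        print(r["priority"], r["name"], r["protocol"],
              r["source_address_prefix"], r["destination_port_range"])
    print("ssh exposed by:", exposes_ssh(rules))
```

The all-protocols rule is the one to watch: it exists only because an NSG cannot express "IP protocol 50", so it must stay pinned to the single /32 of the remote IPsec endpoint. Run `exposes_ssh` over the rules the portal actually created for you, not just over this list, before you finish the Settings step.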


Address Considerations


VNS3 requires an Overlay Network subnet to be specified as part of the configuration process. Use of the Overlay Network is optional, but it provides improvements in security, address mobility, and performance.

Your VLAN CIDR and subnets cannot overlap with the VNS3 Overlay Network subnet.

The Azure cloud allows virtual machine instances to act as network gateways for unencrypted VLAN traffic. Routing traffic from the unencrypted Azure VLAN instead of using the encrypted Overlay Network requires configuring Azure Route Tables and enabling IP Forwarding on the VNS3 VM. Route Tables are configurable via PowerShell, Azure CLI, and the Azure portal UI. At the time of this document's publication, IP Forwarding is configurable via PowerShell only.

See the VLAN traffic section at the end of the document for more details.


Virtual Network Addressing - Don't Overlap with VNS3 Overlay


Microsoft Virtual Networks provide an isolated address space within the Azure cloud where you run your VMs. Virtual Networks allow you to define address spaces, and the associated Network Security Groups control access policies via the hypervisor firewall.

Cohesive Networks recommends creating a separate Virtual Network subnet for the VNS3 Controllers, distinct from the subnet or subnets defined for the application VMs.

NOTE: The Azure VLAN CIDR you configure CANNOT overlap with the VNS3 Overlay Network you create during configuration of your VNS3 Controller VM.

Cohesive Networks typically recommends configuring a small subnet at the top of the Virtual Network range for the VNS3 Controller(s). You can then logically segment the lower part of the range for your application VMs, in a single subnet or in multiple subnets per VM role (e.g. web server, app server, db, etc.).

The diagram at the right shows how we will segment our /24 (256 addresses) Azure Virtual Network for this example deployment.

[Diagram: Azure Virtual Network 10.10.10.0/24, segmented into 10.10.10.0/25, 10.10.10.128/26, 10.10.10.192/27, 10.10.10.224/28 and 10.10.10.240/28. The labels in the figure are "application", "open" (three times) and "VNS3": the application subnets occupy the lower part of the range, and the VNS3 Controller subnet (10.10.10.240/28, the subnet used in the Settings step) sits at the top.]
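The two address rules on this page and on the Unencrypted VLAN Setup page (subnets must tile the VNet without overlapping, and the Overlay CIDR must be disjoint from the VNet and from every network reached over IPsec) are easy to get wrong by hand. As an added example, not part of Cohesive's guide, the Python below encodes them with the standard library's ipaddress module. VNET and VNET_SUBNETS reproduce the diagram above; the subnet role names, the overlay range and the remote IPsec range are constructed inputs.

```python
"""Address-plan checks for a VNS3 deployment in an Azure Virtual Network.

Added example, not part of Cohesive's guide. VNET and VNET_SUBNETS reproduce the
diagram above (the subnet role names are constructed); the overlay and remote
IPsec ranges in the usage section are constructed too.
"""
import ipaddress

VNET = ipaddress.ip_network("10.10.10.0/24")

# Carve-up from the diagram; the small /28 at the top of the range is for the Controllers.
VNET_SUBNETS = {
    "app-web": "10.10.10.0/25",
    "app-server": "10.10.10.128/26",
    "app-db": "10.10.10.192/27",
    "spare": "10.10.10.224/28",
    "vns3-controllers": "10.10.10.240/28",
}


def top_subnet(vnet, prefixlen):
    """The highest /prefixlen block in the VNet, i.e. where Cohesive suggests the
    Controller subnet goes."""
    return list(vnet.subnets(new_prefix=prefixlen))[-1]


def check_subnet_plan(vnet, subnets):
    """Problems with the VNet carve-up (subnets outside the VNet, subnets that
    overlap each other) and the number of addresses left unassigned."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is not inside {vnet}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    unassigned = vnet.num_addresses - sum(n.num_addresses for n in nets.values())
    return problems, unassigned


def overlay_conflicts(overlay_cidr, vnet, remote_cidrs=()):
    """Networks the Overlay CIDR collides with. It must be disjoint from the VNet
    and from every remote network reached over IPsec, whether or not you end up
    using the Overlay (initialization asks for it either way)."""
    overlay = ipaddress.ip_network(overlay_cidr)
    candidates = [vnet] + [ipaddress.ip_network(c) for c in remote_cidrs]
    return [str(n) for n in candidates if overlay.overlaps(n)]


if __name__ == "__main__":
    print("controller subnet:", top_subnet(VNET, 28))
    print("plan problems, unassigned:", check_subnet_plan(VNET, VNET_SUBNETS))
    print("overlay 172.31.1.0/24:", overlay_conflicts("172.31.1.0/24", VNET, ["192.168.1.0/24"]))
    print("overlay 10.10.0.0/16:", overlay_conflicts("10.10.0.0/16", VNET, ["192.168.1.0/24"]))
```

Two things the plan check does not model: Azure reserves the first four and the last address of every subnet, so the /28 Controller subnet yields 11 usable addresses, and the remote networks you feed to `overlay_conflicts` should include every prefix that will appear in an IPsec tunnel, not only the one you are building first.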


Remote Support


Note that TCP 22 (ssh) is not required for normal operation.

Each VNS3 Controller runs a restricted SSH daemon, with access limited to Cohesive for debugging purposes and controlled by the user via the Remote Support toggle and key-exchange generation.

In the event Cohesive needs to observe the runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and to enable Remote Support via the Web UI.

Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed, disable remote support access, invalidate the access key, and remove the temporary SSH rule from the Network Security Group again.


Launch VNS3


From External Azure Marketplace


VNS3 Free and Lite Edition virtual machine images are available in the Azure Marketplace. To launch from the Marketplace page:

VNS3 3.5 LTS - https://azure.microsoft.com/en-us/marketplace/partners/cohesive/cohesiveft-vns3-for-azure/#cohesive-vns3-free

VNS3 4.x current version - https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cohesive.vns3_4x

Click Get it Now. From the popup, select the VNS3 Edition and click Continue. For access to a private unlicensed VNS3 VM, contact our support team.

You’ll be redirected to the Azure Portal. Click Create.


From Inside Azure Portal


The same VNS3 Free and Lite Edition images can also be launched from inside the Azure Portal.

Click Add. In the resulting window pane, type VNS3 to see all VNS3 Marketplace offerings. For access to a private unlicensed VNS3 VM, contact our support team.

Click on the VNS3 Edition and click Create.


Confirm VNS3 Image


On the resulting product description window pane, there is information about the VNS3 product line, benefits, and resources.

Make sure the Resource Manager is selected for the deployment model (this option is not available for new Azure accounts - they are all Resource Manager accounts).

Click Create.


1- Configure Basics


On the resulting Basics window pane, name your VNS3 VM. Spaces are not allowed, so use hyphens to separate the words of an instance name.

Choose Standard (HDD) or Premium (SSD) disk type. This affects the VM sizes available to you and your storage costs on Azure. We recommend HDD.

The Azure portal requires a username and an SSH key or password. Regardless of your entry, Cohesive Networks does not provide shell access to customers for VNS3 appliances. These entries are required but will not be used; since they grant no access, there is also no reason to expose TCP 22 in the Network Security Group (see the Settings step).

Add the VM to your existing Resource Group.

Click OK.


2 - Configure Size


On the resulting Size window pane, choose the VM size.

VNS3 should have at least one core and 1.5 GB of memory, so the “A2 Basic” instance type is a good place to start. Depending on need, VNS3 can be run as a much larger instance to provide more throughput for the virtual network, site-to-site connections, firewall rules, or other network functions.

Click Select.


3 - Configure Settings


On the Settings window pane, edit:

Storage

Choose whether to use managed disks. Choose No to manage storage yourself and create a new storage account.

Network

Create a new Virtual Network; here we use 10.10.10.0/24. Also create a new Subnet; here we use 10.10.10.240/28. Click OK.

Next, create a new Public IP address. Select Static. Click OK.

Create a new Network Security Group. Two default rules may appear:

- Edit and keep TCP 8000 from Internet. Narrow the source to your administrative IP range where you can; the admin UI does not need to be reachable from the whole Internet.

- Delete SSH 22 access from all.

- Add other optional rules. See the Firewall Considerations section (page 6) for rules and details.

Skip Extensions and High Availability.

Click OK.


4 - Summary


Review the settings on the Summary window pane.

Click OK.


5 - Buy


Review the Purchase price and details on the resulting Purchase window pane.

Click Buy.


Next: Configuration


VNS3 Configuration Document Links


VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions (Free & Lite Editions | BYOL): Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document: Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Troubleshooting: Troubleshooting document that explains the issues more commonly experienced with VNS3.


Optional Set Up: VNS3 Unencrypted VLAN Setup


Unencrypted VLAN Setup


In the event you choose not to use the Overlay Network, there are some additional steps required to allow VNS3 to act as the gateway for the Azure Virtual Network subnet(s).

Remember that even if you decide not to use the Overlay Network, you still need to define an Overlay Network address space as part of the initialization. Be sure to choose an address space that DOES NOT overlap with the Azure Virtual Network CIDR or with any remote network you plan on connecting to via IPsec VPN.

You will need to create an Azure Route Table and enable IP Forwarding for the VNS3 controller VM.


Create a Route Table


Click Route Tables in the left column menu and click Add. In the resulting Create route table window pane, enter a name and select the resource group previously created. Click Create.

Once created, click on the Route Table, then All Settings. Click on Routes. On the resulting Routes window pane, click Add.

In the resulting Add route window pane, enter a Route Name and an Address prefix (the remote network you will connect to via the VNS3 IPsec tunnel), set Next hop type to Virtual appliance, and enter the VNS3 controller's Azure private IP address as the Next hop address. Click Save.

A route table has no effect until it is associated with a subnet. Associate it with the application subnet(s) whose traffic should flow through VNS3, not with the VNS3 Controller subnet itself, or the Controller's own traffic towards the remote network would be routed back to it.


Enable IP Forwarding for the VNS3 VM


Enabling IP Forwarding allows the VNS3 controller VM to pass traffic for which it is neither the source nor the destination of the packet; it allows VNS3 to act as a gateway. IP Forwarding is a property of the Controller VM's network interface. At the time of this document's publication, IP Forwarding was only controllable via PowerShell. The Azure documentation for IP Forwarding is at https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-udr-how-to/#How-to-manage-routes
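The Route Table and IP Forwarding steps above are a two-part procedure that is worth scripting so it can be repeated and reviewed. The Python below is an added example, not Cohesive's code: it builds the route table payload with the Controller as the Virtual appliance next hop, flips IP Forwarding on the Controller NIC, and associates the table with the application subnets (a step the click-through above stops short of, but which Azure requires before any route takes effect). The Azure calls use the azure-mgmt-network NetworkManagementClient surface (assumed: a release with begin_* long-running operations); the client is passed in, and the DryRunClient stand-in lets the file run offline. Resource names, addresses and the remote prefix are placeholders.

```python
"""Route table + IP forwarding for the VNS3 VLAN-gateway setup, scripted.

Added example, not Cohesive's code. The Azure calls follow the azure-mgmt-network
NetworkManagementClient surface (assumed: a version with begin_* long-running
operations); the client is passed in, and DryRunClient below stands in for it so
the file runs offline. Resource names and addresses are placeholders.
"""
import ipaddress


def route_table_body(location, vns3_private_ip, remote_prefixes, vnet_cidr):
    """RouteTable payload: one route per remote network, next hop = the Controller.
    The next hop must be an address inside the VNet, and, as the guide requires,
    the remote networks must not overlap the VNet."""
    vnet = ipaddress.ip_network(vnet_cidr)
    hop = ipaddress.ip_address(vns3_private_ip)
    if hop not in vnet:
        raise ValueError(f"next hop {hop} is not inside {vnet}")
    routes = []
    for i, prefix in enumerate(remote_prefixes):
        net = ipaddress.ip_network(prefix)
        if net.overlaps(vnet):
            raise ValueError(f"remote prefix {net} overlaps the VNet {vnet}")
        routes.append({"name": f"to-remote-{i}", "address_prefix": str(net),
                       "next_hop_type": "VirtualAppliance",
                       "next_hop_ip_address": str(hop)})
    return {"location": location, "routes": routes}


def enable_ip_forwarding(client, resource_group, nic_name):
    """Set EnableIPForwarding on the Controller's NIC. Without it the Azure fabric
    drops packets the VM forwards on behalf of other hosts, whatever the route table says."""
    nic = client.network_interfaces.get(resource_group, nic_name)
    if not nic.enable_ip_forwarding:
        nic.enable_ip_forwarding = True
        nic = client.network_interfaces.begin_create_or_update(
            resource_group, nic_name, nic).result()
    return nic


def attach_route_table(client, resource_group, vnet_name, subnet_names, table_name, body):
    """Create the route table and associate it with the application subnets.
    The Controller's own subnet is deliberately not in the list."""
    table = client.route_tables.begin_create_or_update(
        resource_group, table_name, body).result()
    for name in subnet_names:
        subnet = client.subnets.get(resource_group, vnet_name, name)
        subnet.route_table = table
        client.subnets.begin_create_or_update(resource_group, vnet_name, name, subnet).result()
    return table


class DryRunClient:
    """Minimal stand-in for NetworkManagementClient that records what would be sent."""
    class _Done:
        def __init__(self, value): self.value = value
        def result(self): return self.value

    class _Obj:  # mimics an SDK model object with settable attributes
        def __init__(self, **kw): self.__dict__.update(kw)

    def __init__(self):
        self.calls = []
        c = self

        class NICs:
            def get(self, rg, name): return c._Obj(name=name, enable_ip_forwarding=False)
            def begin_create_or_update(self, rg, name, nic):
                c.calls.append(("nic", name, nic.enable_ip_forwarding)); return c._Done(nic)

        class Tables:
            def begin_create_or_update(self, rg, name, body):
                c.calls.append(("route_table", name, len(body["routes"]))); return c._Done(body)

        class Subnets:
            def get(self, rg, vnet, name): return c._Obj(name=name, route_table=None)
            def begin_create_or_update(self, rg, vnet, name, subnet):
                c.calls.append(("subnet", name, subnet.route_table is not None)); return c._Done(subnet)

        self.network_interfaces, self.route_tables, self.subnets = NICs(), Tables(), Subnets()


def configure_vlan_gateway(client, resource_group="rg-vns3", location="eastus",
                           vnet_name="vnet-app", vnet_cidr="10.10.10.0/24",
                           app_subnets=("app-web", "app-server", "app-db"),
                           nic_name="vns3-controller-nic", vns3_ip="10.10.10.244",
                           remote_prefixes=("192.168.1.0/24",)):
    """Both halves of the guide's procedure, in order. All defaults are placeholders."""
    enable_ip_forwarding(client, resource_group, nic_name)
    body = route_table_body(location, vns3_ip, remote_prefixes, vnet_cidr)
    attach_route_table(client, resource_group, vnet_name, app_subnets, "rt-via-vns3", body)
    return client


if __name__ == "__main__":
    for call in configure_vlan_gateway(DryRunClient()).calls:
        print(call)
```

With a real client (`NetworkManagementClient(credential, subscription_id)`) in place of `DryRunClient`, the same `configure_vlan_gateway` call performs the changes; the Azure side is then done, and the matching routes for the VNet subnets still have to be added on the VNS3 Controller itself, as the VNS3 Configuration document describes.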