VNS3 Configuration - Microsoft Azure
Source: irp-cdn.multiscreensite.com
© 2018
Table of Contents
Requirements 3
Create a Network 9
Create a Static IP 12
Create a Network Security Group 14
Launch a VNS3 Controller VM 19
VNS3 Unencrypted VLAN Setup 27
VNS3 Configuration Document Links 31
Requirements
• You have an Azure account (for a Free Azure trial, visit http://azure.microsoft.com/en-us/pricing/free-trial).
• You have the ability to configure a client (whether desktop based or cloud based) to use the OpenVPN TLS VPN client software.
• You have a compliant IPsec firewall/router networking device:
Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.
Best Effort: Any IPsec device that supports IKEv1 or IKEv2; AES256, AES128 or 3DES; and SHA1 or MD5.
*Known Exclusions: Checkpoint R65+ requires native IPsec connections, as Checkpoint does not conform to NAT-Traversal standards, and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.
Getting Help with VNS3
This guide covers a very generic VNS3 setup in the Azure cloud using the latest Resource Manager workflow. The Classic Azure portal can be used, but there are some use-case restrictions given its limited controls.
If you need specific help with project planning, POCs, or audits, contact our professional services team via [email protected] for details.
Please review the VNS3 Support Plans and Support Site FAQ before opening a ticket.
Firewall Considerations
VNS3 Controller instances use the following TCP and UDP ports:
• UDP port 1194: For client VPN connections; must be accessible from all servers that will join the VNS3 topology as clients.
• UDP ports 1195-1203: For tunnels between Controller peers; must be accessible from all peers in a given topology. VNS3:vpn and VNS3:net Lite Edition do not require UDP ports 1195-1197 access, as they are not licensed for Controller Peering.
• TCP port 8000: HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering. It also needs to be open to and from the Controllers, at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.
• UDP port 500: Used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.
• ESP Protocol 50 and possibly UDP port 4500: Protocol 50 is used for the phase 2 or ESP (Encapsulating Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500* is used for the phase 2 or ESP component of an IPsec VPN connection when using NAT-Traversal encapsulation.
*Azure allows Protocol 50 past its edge, but at the time of this document's publication, the network security group configuration requires all protocols to be open between a specific source IP and the VNS3 controller NIC/subnet.
Address Considerations
VNS3 requires an Overlay Network subnet to be specified as part of the configuration process. Use of the Overlay Network is optional but provides improvements in security, address mobility, and performance.
Your VLAN CIDR and subnets cannot overlap with the VNS3 Overlay Network subnet.
The Azure cloud does allow virtual machine instances to act as network gateways for unencrypted VLAN traffic. Routing traffic from the unencrypted Azure VLAN instead of using the encrypted Overlay Network requires configuring the Azure Route Tables and enabling IP Forwarding. The Route Tables are configurable via PowerShell, Azure CLI, and the Azure UI. IP Forwarding is configurable via PowerShell only.
See the VLAN traffic section at the end of the document for more details.
Remote Support
Note that TCP 22 (ssh) is not required for normal operation.
Each VNS3 Controller runs a restricted SSH daemon, with access limited to Cohesive for debugging purposes and controlled by the user via the Remote Support toggle and key-exchange generation.
In the event Cohesive needs to observe the runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and enable Remote Support via the Web UI.
Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed, you can disable remote support access and invalidate the access key.
Create a Virtual Network
Virtual Network Addressing - Don't Overlap with VNS3 Overlay
Microsoft Virtual Networks provide an isolated address space within the Azure cloud where you run your VMs. Virtual Networks allow you to define address spaces, and associated Network Security Groups allow control of access control policies via the hypervisor firewall.
Cohesive Networks recommends creating a separate Virtual Network subnet for the VNS3 Controllers that is different from the subnet or subnets defined for the application VMs.
NOTE: The Azure VLAN CIDR you configure CANNOT overlap with the VNS3 Overlay Network you create during configuration of your VNS3 Controller VM.
Cohesive Networks typically recommends configuring a small subnet at the top of the Virtual Network range for the VNS3 Controller(s). You can then logically segment the lower part of the subnet for your application VMs in a single subnet or multiple subnets per VM role (e.g. web server, app server, db, etc.)
The diagram at the right shows how we will segment our /24 (255 addresses) Azure Virtual Network for this example deployment.
Diagram: Azure Virtual Network 10.10.10.0/24, segmented into:
10.10.10.0/25
10.10.10.128/26
10.10.10.192/27
10.10.10.224/28
10.10.10.240/28 (VNS3 Controller subnet)
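An added PowerShell helper (not from the Cohesive Networks guide) that checks the rule stated above: no Azure Virtual Network subnet, and no remote network you later reach over IPsec, may overlap the VNS3 Overlay Network subnet. The Overlay CIDR 172.16.0.0/24, the remote network 192.168.1.0/24 and the deliberately overlapping 172.16.0.128/25 are constructed sample values; the 10.10.10.x blocks are the guide's own scheme.

```powershell
# Added example, not part of the Cohesive Networks guide.
# Pure PowerShell (no Az module needed): converts CIDR blocks to integer
# ranges and reports any block that overlaps the planned Overlay subnet.

function ConvertTo-IPv4Integer ([string]$Address) {
    # Dotted quad -> integer; [long] keeps 32-bit values positive
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Get-IPv4Range ([string]$Cidr) {
    # First and last address covered by a CIDR block, as integers
    $address, $prefix = $Cidr.Split('/')
    $size  = [long][math]::Pow(2, 32 - [int]$prefix)
    $first = [long]([math]::Floor((ConvertTo-IPv4Integer $address) / $size) * $size)
    return [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1 }
}

function Test-CidrOverlap ([string]$CidrA, [string]$CidrB) {
    # Two ranges overlap when each starts no later than the other ends
    $a = Get-IPv4Range $CidrA
    $b = Get-IPv4Range $CidrB
    return ($a.First -le $b.Last) -and ($b.First -le $a.Last)
}

# Constructed sample values: the Overlay you plan to enter at VNS3 initialisation,
# plus every Azure subnet and remote network that must stay clear of it.
$overlay = '172.16.0.0/24'
$others  = @(
    '10.10.10.0/24',     # Azure Virtual Network (guide's scheme)
    '10.10.10.240/28',   # VNS3 Controller subnet (guide's scheme)
    '192.168.1.0/24',    # remote office reached via IPsec (constructed)
    '172.16.0.128/25'    # constructed bad value: sits inside the Overlay
)

foreach ($cidr in $others) {
    if (Test-CidrOverlap $overlay $cidr) {
        Write-Warning "Overlay $overlay overlaps $cidr - pick a different Overlay subnet"
    } else {
        Write-Output "OK: $overlay does not overlap $cidr"
    }
}
```

The first three blocks print OK; the fourth produces the warning, which is the condition the guide tells you to avoid before launching the Controller. Adding every remote network you intend to connect over IPsec to the list catches the overlap early rather than during tunnel troubleshooting.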
Create a Virtual Network
Click Virtual networks in the Left Column Menu and click Add.
In the resulting window pane, enter a name, address space (CIDR notation), subnet name, and subnet address space.
Note: you can add other subnets to the Virtual Network after creation.
In this example we follow the addressing scheme presented on the previous page.
• Virtual network address space: 10.10.10.0/24
• Subnet address space: 10.10.10.240/28
You can select or create a Resource Group for your deployment. We recommend a new Resource Group to better organize and launch your VNS3 applications in Azure.
Select a Location (region).
Click Create.
Create a Static Public IP
Cohesive Networks recommends using a static public IP as the IP of the VNS3 controller. This provides failover options in the event the VNS3 VM needs to be replaced.
Click Public IP addresses in the Left Column Menu and click Add.
In the resulting window pane, enter a name, select Static, enter an optional DNS name label, and select your Resource Group and Location.
Click Create.
Create a Network Security Group
Azure network security groups allow you to build access control lists (ACLs) that are enforced at the Azure hypervisor firewall. These ACLs control access into and out of your Azure VMs. Network security groups can be associated with subnets or individual network interface cards (NICs) that are running on individual VMs.
In this example we associate a VNS3 controller network security group with the VNS3 controller subnet previously created. If you do not plan on segmenting out the VNS3 controllers into their own Azure network subnet, associate the network security group with the NIC running on the VNS3 controller during the launch steps covered later.
Click Network security groups in the Left Column Menu and click Add.
In the resulting Create network security group window pane, enter a name and select your Resource Group.
Click Create.
Network Security Group - Edit
Once the Network security group has been successfully deployed, you can view all settings from the Overview.
Further down, under Settings, you can add inbound and outbound security rules, associate with a subnet, and associate with a NIC.
Network Security Group - Add Inbound Rules
Click Inbound security rules.
The Inbound security rules window pane lists no rules by default. Click Default on to see the hidden rules.
The network security rules are processed in priority order: the lower the number, the higher the priority. Default inbound rules include a Deny-all-traffic rule from anywhere to anywhere with the highest number (lowest priority). With that rule in place, you will need to include specific rules to allow inbound traffic per your use-case, as any traffic that does not match a specific Allow rule will be denied.
In order for the basic VNS3 functionality to work you will need to add the following inbound rules:
• TCP port 8000 from the IP you will be using to access the UI
• UDP 1194 from the devices you will be adding to the Overlay (likely the Virtual Network as the source)
• UDP 500 from the IPs of the devices you will be connecting to via IPsec VPN
• UDP 4500 (NAT-Traversal) or Any Protocol (native IPsec) from the IPs of the devices you will be connecting to via IPsec VPN
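The four inbound rules above, expressed as an added Az PowerShell example (this code is not from the Cohesive Networks guide). The resource group, NSG, VNet and subnet names, the admin workstation IP 203.0.113.10 and the IPsec peer IP 198.51.100.25 are assumed placeholders; the CIDRs follow the guide's 10.10.10.0/24 scheme. The same rule set covers the ports listed under Firewall Considerations for a single-Controller deployment.

```powershell
# Added example, not part of the Cohesive Networks guide. Requires the Az.Network
# module and a prior Connect-AzAccount. All names and public IPs are placeholders.

$rg       = 'vns3-rg'
$location = 'eastus'
$adminIp  = '203.0.113.10'    # workstation that will open the VNS3 web UI (placeholder)
$peerIp   = '198.51.100.25'   # remote IPsec endpoint (placeholder)
$vnetCidr = '10.10.10.0/24'   # VMs that will join the Overlay as clients

# Priorities are evaluated lowest-number-first, so these sit well above the
# default deny-all rule and match before it.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'allow-vns3-ui' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $adminIp -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 8000
    New-AzNetworkSecurityRuleConfig -Name 'allow-overlay-clients' -Priority 110 -Direction Inbound -Access Allow `
        -Protocol Udp -SourceAddressPrefix $vnetCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 1194
    New-AzNetworkSecurityRuleConfig -Name 'allow-ike' -Priority 120 -Direction Inbound -Access Allow `
        -Protocol Udp -SourceAddressPrefix $peerIp -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 500
    # NAT-Traversal peer: UDP 4500. For a native IPsec peer (ESP, protocol 50)
    # the guide says to open Any protocol from that peer instead, i.e. -Protocol '*'.
    New-AzNetworkSecurityRuleConfig -Name 'allow-ipsec-nat-t' -Priority 130 -Direction Inbound -Access Allow `
        -Protocol Udp -SourceAddressPrefix $peerIp -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 4500
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'vns3-nsg' -SecurityRules $rules

# Associate the NSG with the dedicated VNS3 Controller subnet (10.10.10.240/28
# in the guide). If the Controllers share a subnet with application VMs,
# attach it to the Controller NIC at launch time instead.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vns3-vnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'vns3-controllers' `
    -AddressPrefix '10.10.10.240/28' -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review what was created
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'vns3-nsg').SecurityRules |
    Select-Object Name, Priority, Protocol, SourceAddressPrefix, DestinationPortRange
```

The source prefixes are the point of this rule set: TCP 8000 and the IPsec ports are restricted to single IPs rather than opened to the Internet, and UDP 1194 is limited to the Virtual Network. Outbound rules are left at their permissive default, as the next page recommends during initial deployment.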
Network Security Groups - Review Outbound Rules
Click Outbound security rules.
The Outbound security rules window pane lists no rules by default. Click Default on to see the hidden rules.
The default rules allow all outbound traffic. Cohesive Networks recommends leaving this setting in place during implementation. You can always revisit it to lock down the traffic per your use-case once the initial deployment is up and tested.
Launch VNS3 VM from Azure Marketplace
Launch VNS3 - Select VNS3 Image
VNS3 Free and Lite Edition virtual machine images are available in the Azure Marketplace. There are 2 options to launch:
1. Marketplace page:
VNS3 3.5 LTS - https://azure.microsoft.com/en-us/marketplace/partners/cohesive/cohesiveft-vns3-for-azure/#cohesive-vns3-free
VNS3 4.x current version: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cohesive.vns3_4x
Click Get it Now. From the popup, select the VNS3 Edition and click Continue. You’ll be redirected to the Azure Portal. Click Create.
2. From the Azure Portal:
Click Add. Type VNS3 to see all VNS3 Marketplace offerings. Click on the VNS3 Edition and click Create.
For access to a private unlicensed VNS3 VM, contact our support team.
Launch VNS3 - Select VNS3 Image (continued)
On the resulting product description window pane, there is information about the VNS3 product line, benefits, and resources.
Make sure the Resource Manager is selected for the deployment model (new Azure accounts will not have this option).
Click Create.
Launch VNS3 - 1 - Configure Basics
On the resulting Basics window pane, name your VNS3 VM. Spaces are not allowed, so use hyphens to separate the words of an instance name.
Choose Standard (HDD) or Premium (SSD) disk type. This impacts your size and storage costs on Azure. We recommend HDD.
The Azure portal requires a username and an SSH key or password. Regardless of your entry, Cohesive Networks does not provide shell access to customers for VNS3 appliances. These entries are required, but will not be used.
Add the VM to your existing Resource Group.
Click OK.
Launch VNS3 - 2 - Configure Size
On the resulting Size window pane, choose your disk type (HDD or SSD) and disk size.
VNS3 should have at least one core and 1.5GB of memory, so the "A2 Basic" instance type is a good place to start. Depending on need, VNS3 can be run as a very large instance to provide more throughput for the virtual network, site-to-site connections, firewall rules, or other network functions.
Click Select.
Launch VNS3 - 3 - Configure Settings
On the resulting Settings window pane, configure the settings for the VM.
Under Storage, choose whether to use managed disks. Choose No to manage storage yourself and either select existing storage or create a new storage account.
Under Network, select the Virtual Network, Subnet, Public IP address, and Network Security Group you previously created. Default settings will create new resources.
Under Extensions and High Availability you can add more options. This may increase your Azure costs.
Click OK.
Launch VNS3 - 4 - Summary
Review the settings on the Summary window pane.
Click OK.
Launch VNS3 - 5 - Buy
Review the Purchase price and details on the resulting Purchase window pane.
Click Buy.
VNS3 Unencrypted VLAN Setup
In the event you choose not to use the Overlay Network, there are some additional steps required to allow VNS3 to act as the gateway for the Azure Virtual Network subnet(s).
Remember that even if you decide not to use the Overlay Network, you still need to define an Overlay Network address space as part of the initialization. Be sure to choose an address space that DOES NOT overlap with the Azure Virtual Network CIDR or the remote network you plan on connecting to via IPsec VPN.
You will need to create an Azure Route Table and enable IP Forwarding for the VNS3 controller VM.
Create a Route Table
Click Route Tables in the Left Column Menu and click Add.
In the resulting Create route table window pane, enter a name and select the resource group previously created. Click Create.
Once created, click on the Route Table, then All Settings. Click on Routes.
On the resulting Routes window pane, click Add.
In the resulting Add route window pane, enter a Route Name and Address prefix (the remote network you will connect to via the VNS3 IPsec tunnel), set Next hop type to Virtual appliance, and enter the VNS3 controller's Azure private IP address as the Next hop address.
Click Save.
Enable IP Forwarding for the VNS3 VM
Enabling IP Forwarding allows the VNS3 controller VM to pass traffic for which it is neither the source nor the destination of the packet. It allows VNS3 to act as a gateway.
At the time of this document's publication, IP Forwarding is only controllable via PowerShell. The link to the Azure documentation for IP Forwarding is below.
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-udr-how-to/#How-to-manage-routes
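The Route Table and IP Forwarding steps of the two pages above, as an added Az PowerShell example (not from the Cohesive Networks guide). The resource names, the remote network 192.168.1.0/24, the application subnet and the controller private IP 10.10.10.244 are assumed placeholders; the subnet CIDRs follow the guide's scheme. It uses the current Az cmdlet names, whose AzureRM-era equivalents differ only by the AzureRm prefix.

```powershell
# Added example, not part of the Cohesive Networks guide. Requires the Az.Network
# module and a prior Connect-AzAccount. All names and addresses are placeholders.

$rg        = 'vns3-rg'
$location  = 'eastus'
$remoteNet = '192.168.1.0/24'   # network reached through the VNS3 IPsec tunnel (placeholder)
$vns3Ip    = '10.10.10.244'     # VNS3 controller's Azure private IP = next hop (placeholder)
$nicName   = 'vns3-controller-nic'

# 1. Route table with a user-defined route: remote network -> VNS3 virtual appliance
$route = New-AzRouteConfig -Name 'to-remote-via-vns3' -AddressPrefix $remoteNet `
    -NextHopType VirtualAppliance -NextHopIpAddress $vns3Ip
$rt = New-AzRouteTable -ResourceGroupName $rg -Location $location -Name 'vns3-routes' -Route $route

# 2. Attach the table to the application subnet whose VMs should use VNS3 as gateway.
#    (Not to the Controller subnet itself, or the Controller's own replies would loop.)
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vns3-vnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app-servers' `
    -AddressPrefix '10.10.10.0/25' -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Enable IP Forwarding on the Controller NIC so the fabric delivers packets
#    that are addressed to neither the NIC's IP nor sent from it.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 4. Verify both settings took effect
$check = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
"IP Forwarding on $($check.Name): $($check.EnableIPForwarding)"
Get-AzRouteTable -ResourceGroupName $rg -Name 'vns3-routes' |
    Select-Object -ExpandProperty Routes |
    Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
```

Without step 3 the route alone is not enough: Azure drops forwarded packets at the Controller NIC, which shows up as application VMs whose traffic to the remote network silently disappears even though the tunnel is up. The verification output at the end is the first thing to check when that symptom appears.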
VNS3 Configuration Document Links
VNS3 Product Resources - Documentation | Add-ons
VNS3 Configuration Instructions (Free & Lite Editions | BYOL): Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.
VNS3 Administration Document: Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.
VNS3 Troubleshooting: Troubleshooting document that provides explanations of the issues most commonly experienced with VNS3.