Microsoft Azure Resource Manager Setup

© 2016

Microsoft Azure Configuration: Azure Resource Manager Setup for VNS3 2016


Table of Contents


Requirements 3

Create a Resource Group 9

Create a Network 11

Create a Static IP 14

Create a Network Security Group 16

Create a Storage Account 21

Launch a VNS3 Controller VM 23

VNS3 Unencrypted VLAN Setup 31

VNS3 Configuration Document Links 37

Requirements

• You have an Azure account (for a Free Azure trial, visit http://azure.microsoft.com/en-us/pricing/free-trial).

• You have the ability to configure a client (whether desktop based or cloud based) to use the OpenVPN TLS VPN client software.

• You have a compliant IPsec firewall/router networking device:

Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

Best Effort: Any IPsec device that supports IKEv1 or IKEv2, AES256 or AES128 or 3DES, and SHA1 or MD5.

*Known Exclusions: Checkpoint R65+ requires native IPsec connections as Checkpoint does not conform to NAT-Traversal standards, and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.

Getting Help with VNS3

This guide covers a very generic VNS3 setup in the Azure cloud using the latest Resource Manager workflow. The classic Azure portal can be used, but there are some use-case restrictions given its limited controls.

If you need specific help with project planning, POCs, or audits, contact our professional services team via [email protected] for details.

Please review the VNS3 Support Plans and Support Site FAQ before opening a ticket.

Firewall Considerations

VNS3 Controller instances use the following TCP and UDP ports:

• UDP port 1194: for client VPN connections; must be accessible from all servers that will join the VNS3 topology as clients.

• UDP ports 1195-1203: for tunnels between Controller peers; must be accessible from all peers in a given topology. VNS3:vpn and VNS3:net Lite Edition do not require UDP ports 1195-1197 access as they are not licensed for Controller Peering.

• TCP port 8000: HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering. It also needs to be open to and from the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

• UDP port 500: used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.

• ESP Protocol 50 and possibly UDP port 4500: Protocol 50 is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500* is used for the phase 2 or ESP component of an IPsec VPN connection when using NAT-Traversal encapsulation.

*Azure allows Protocol 50 past its edge, but at the time of this document's publication, the network security group configuration requires all protocols to be open between a specific source IP and the VNS3 controller NIC/Subnet.

Address Considerations

VNS3 requires an Overlay Network subnet to be specified as part of the configuration process. Use of the Overlay Network is optional but provides improvements in security, address mobility, and performance.

Your VLAN CIDR and Subnets cannot overlap with the VNS3 Overlay Network Subnet.

The Azure cloud does allow virtual machine instances to act as network gateways for unencrypted VLAN traffic. Routing traffic from the unencrypted Azure VLAN instead of using the encrypted Overlay Network requires configuring the Azure Route Tables and enabling IP Forwarding. The Route Tables are configurable via PowerShell, Azure CLI, and the Azure UI. IP Forwarding is configurable via PowerShell only.

See the VLAN traffic section at the end of the document for more details.

Remote Support

Note that TCP 22 (ssh) is not required for normal operation.

Each VNS3 Controller is running a restricted SSH daemon, with access limited only to Cohesive for debugging purposes controlled by the user via the Remote Support toggle and key exchange generation.

In the event Cohesive needs to observe runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI.

Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed, you can disable remote support access and invalidate the access key.

Create a Resource Group

Microsoft Azure organizes the various components of a cloud application deployment (VMs, storage, virtual network, 3rd party appliances like VNS3, security controls, etc.) into groups via the Resource Manager. This guide shows how to utilize the Resource Group organization to launch your VNS3 secured and connected application in Azure.

See the Azure Resource Manager document for more information.

To begin, you need to create a Resource Group. This Resource Group will allow you to deploy, manage, and monitor all of the resources for your solution as a group, rather than handling these resources individually.

Click Resource Groups in the Left Column Menu and click Add.

In the resulting Resource Group window pane, enter a name and location for your Resource Group.

Click Create.

Create a Virtual Network

Virtual Network Addressing - Don't Overlap with VNS3 Overlay

Microsoft Virtual Networks provide an isolated address space within the Azure cloud where you run your VMs. Virtual Networks allow you to define address spaces, and associated Network Security Groups allow control of access control policies via the hypervisor firewall.

Cohesive Networks recommends creating a separate Virtual Network Subnet for the VNS3 Controllers that is different from the subnet or subnets defined for the application VMs.

NOTE: The Azure VLAN CIDR you configure CANNOT overlap with the VNS3 Overlay Network you create during configuration of your VNS3 Controller VM.

Cohesive Networks typically recommends configuring a small subnet at the top of the Virtual Network range for the VNS3 Controller(s). You can then logically segment the lower part of the subnet for your application VMs in a single subnet or multiple subnets per VM role (e.g. web server, app server, db, etc.).

The diagram on the original page (not reproduced here) shows how we segment our /24 (255 addresses) Azure Virtual Network 10.10.10.0/24 for this example deployment; it labels the top block as the VNS3 subnet and the lower blocks as application or open:

• 10.10.10.0/25

• 10.10.10.128/26

• 10.10.10.192/27

• 10.10.10.224/28

• 10.10.10.240/28 (VNS3 Controller subnet)
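As an added example that is not part of the Cohesive Networks guide, the following PowerShell checks this address plan against the guide's two rules (the Overlay Network must not overlap the Virtual Network CIDR or the remote IPsec network, and the subnets carved from the /24 must fit inside it without overlapping each other); the overlay network 172.31.1.0/24 and remote network 192.168.50.0/24 are constructed values, and the check works for any plan you substitute.

```powershell
# Added example (not from the Cohesive Networks guide): validates an Azure
# address plan against the non-overlap rules the guide states for the VNS3
# Overlay Network and the Virtual Network subnets. All addresses are constructed.

function Get-CidrRange ([string]$Cidr) {
    # Returns the first and last address of a CIDR block as unsigned integers.
    $ip, $len = $Cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()   # network byte order
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    $addr  = [BitConverter]::ToUInt32($bytes, 0)
    $size  = [math]::Pow(2, 32 - [int]$len)          # number of addresses in the block
    $first = [math]::Floor($addr / $size) * $size    # align down to the block boundary
    [pscustomobject]@{ Cidr = $Cidr; First = [uint64]$first; Last = [uint64]($first + $size - 1) }
}

function Test-CidrOverlap ($A, $B) { $A.First -le $B.Last -and $B.First -le $A.Last }

# Constructed plan: the guide's 10.10.10.0/24 example plus assumed overlay and remote networks.
$vnet    = Get-CidrRange '10.10.10.0/24'
$subnets = '10.10.10.0/25', '10.10.10.128/26', '10.10.10.192/27', '10.10.10.224/28', '10.10.10.240/28' |
           ForEach-Object { Get-CidrRange $_ }
$overlay = Get-CidrRange '172.31.1.0/24'     # VNS3 Overlay Network entered at initialization (assumed)
$remote  = Get-CidrRange '192.168.50.0/24'   # on-premises network behind the IPsec peer (assumed)

$problems = @()

# Rule 1: the overlay must not overlap the Azure VLAN CIDR or the remote IPsec network.
foreach ($other in $vnet, $remote) {
    if (Test-CidrOverlap $overlay $other) { $problems += "Overlay $($overlay.Cidr) overlaps $($other.Cidr)" }
}

# Rule 2: every subnet lies inside the Virtual Network and none overlap each other.
foreach ($s in $subnets) {
    if ($s.First -lt $vnet.First -or $s.Last -gt $vnet.Last) { $problems += "$($s.Cidr) is outside $($vnet.Cidr)" }
}
for ($i = 0; $i -lt $subnets.Count; $i++) {
    for ($j = $i + 1; $j -lt $subnets.Count; $j++) {
        if (Test-CidrOverlap $subnets[$i] $subnets[$j]) {
            $problems += "$($subnets[$i].Cidr) overlaps $($subnets[$j].Cidr)"
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Address plan is consistent' }
```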

Create a Virtual Network

Click Virtual networks in the Left Column Menu and click Add.

In the resulting Create virtual network window pane enter a name, address space (CIDR notation), subnet name, subnet address space, and select the resource group previously created.

Note you can add other subnets to the Virtual network after creation.

In this example we follow the addressing scheme presented on the previous page.

• Virtual network address space: 10.10.10.0/24

• Subnet address space: 10.10.10.240/28

Click Create.

Create a Static Public IP

Cohesive Networks recommends using a static public IP as the IP of the VNS3 controller. This provides failover options in the event the VNS3 VM needs to be replaced.

Click Public IP addresses in the Left Column Menu and click Add.

In the resulting create public IP addresses window pane, enter a name, select static, enter an optional DNS name label, and associate the IP with your Resource Group.

Click Create.

Create a Network Security Group

Azure network security groups allow you to build access control lists (ACLs) that are enforced at the Azure hypervisor firewall. These ACLs control access into and out of your Azure VMs. Network security groups can be associated with subnets or individual network interface cards (NICs) that are running on individual VMs.

In this example we associate a VNS3 controller network security group with the VNS3 controller subnet previously created. If you do not plan on segmenting out the VNS3 controllers into their own Azure network subnet, associate the network security group with the NIC running on the VNS3 controller during the launch steps covered later.

Click Network security groups in the Left Column Menu and click Add.

In the resulting Create network security group window pane, enter a name and associate with your Resource Group.

Click Create.

Network Security Group - Edit

Once the Network security group has been successfully deployed, click its name and then click All settings.

From the Settings window pane, you can add inbound and outbound rules, associate with a subnet, and associate with a NIC.

Network Security Group - Add Inbound Rules

Click Inbound security rules.

The Inbound security rules window pane lists no rules by default. Click Default on to see the hidden rules.

The network security rules are processed in priority order: the lower the number, the higher the priority. The default inbound rules include a rule that denies all traffic from anywhere to anywhere (essentially deny all) with the highest number (lowest priority). With that rule in place, you will need to add specific rules to allow inbound traffic for your use-case, as any traffic that does not match a specific Allow rule will be denied.

In order for the basic VNS3 functionality to work you will need to add the following inbound rules:

• TCP port 8000 from the IP you will be using to access the UI

• UDP 1194 from the devices you will be adding to the Overlay (likely the Virtual Network as the source)

• UDP 500 from the IPs of devices you will be connecting to via IPsec VPN

• UDP 4500 (NAT-Traversal) or Any Protocol (native IPsec) from the IPs of the devices you will be connecting to via IPsec VPN
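The same four inbound rules built with the Az PowerShell module instead of the portal, as an added example that is not part of the original guide. It assumes a logged-in Az session (Connect-AzAccount), an existing Virtual Network named vns3-vnet with a Controller subnet named vns3-controllers, and the admin workstation and IPsec peer addresses shown, all of which are constructed placeholders; the 2016-era AzureRM module offers the same cmdlets with AzureRm in place of Az.

```powershell
# Added example (not from the Cohesive Networks guide): the guide's minimum
# inbound rule set for a single VNS3 Controller, built with the Az module and
# attached to the Controller subnet. Names and addresses are constructed.
$rg         = 'vns3-rg'
$location   = 'eastus'
$adminIp    = '203.0.113.10'     # workstation that will use the HTTPS admin UI (constructed)
$ipsecPeer  = '198.51.100.20'    # public IP of the on-premises IPsec device (constructed)
$vnetCidr   = '10.10.10.0/24'    # Azure Virtual Network from the guide's example
$vns3Subnet = '10.10.10.240/28'  # Controller subnet from the guide's example

$rules = @(
    # TCP 8000: HTTPS admin UI, only from the administrator's address.
    New-AzNetworkSecurityRuleConfig -Name 'vns3-admin-ui' -Direction Inbound -Access Allow `
        -Priority 100 -Protocol Tcp -SourceAddressPrefix $adminIp -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 8000
    # UDP 1194: overlay clients; the source is the Virtual Network, as the guide suggests.
    New-AzNetworkSecurityRuleConfig -Name 'vns3-overlay-clients' -Direction Inbound -Access Allow `
        -Priority 110 -Protocol Udp -SourceAddressPrefix $vnetCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 1194
    # UDP 500: IKE (phase 1) from the IPsec peer only.
    New-AzNetworkSecurityRuleConfig -Name 'ipsec-ike' -Direction Inbound -Access Allow `
        -Priority 120 -Protocol Udp -SourceAddressPrefix $ipsecPeer -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 500
    # UDP 4500: NAT-Traversal (phase 2). For a native IPsec peer (ESP, protocol 50)
    # use -Protocol '*' -DestinationPortRange '*' instead, since the guide notes the
    # NSG cannot select protocol 50 on its own.
    New-AzNetworkSecurityRuleConfig -Name 'ipsec-nat-t' -Direction Inbound -Access Allow `
        -Priority 130 -Protocol Udp -SourceAddressPrefix $ipsecPeer -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 4500
    # UDP 1195-1203 (Controller peering) is only needed with more than one Controller.
)

# Anything not matched above falls through to the default DenyAllInBound rule.
$nsg = New-AzNetworkSecurityGroup -Name 'vns3-nsg' -ResourceGroupName $rg `
           -Location $location -SecurityRules $rules

# Attach the NSG to the Controller subnet, the placement the guide recommends.
$vnet = Get-AzVirtualNetwork -Name 'vns3-vnet' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'vns3-controllers' `
    -AddressPrefix $vns3Subnet -NetworkSecurityGroup $nsg | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
```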

Network Security Groups - Review Outbound Rules

Click Outbound security rules.

The Outbound security rules window pane lists no rules by default. Click Default on to see the hidden rules.

The default rules allow all outbound traffic. Cohesive Networks recommends leaving this setting in place during implementation. You can always revisit it to lock down the traffic for your use-case once the initial deployment is up and tested.

Create a Storage Account

Click Storage Accounts in the Left Column Menu and click Add.

In the resulting Create storage account window pane, enter a name and associate with your Resource Group.

Click Create.

This storage account will be associated with the VMs you launch later.

Launch VNS3 VM from Azure Marketplace

Launch VNS3 - Select VNS3 Image

VNS3 Free and Lite Edition virtual machine images are available in the Azure Marketplace:

VNS3:vpn Free Edition - https://azure.microsoft.com/en-us/marketplace/partners/cohesive/cohesiveft-vns3-for-azure/#cohesive-vns3-free

VNS3:net Lite Edition - https://azure.microsoft.com/en-us/marketplace/partners/cohesive/cohesiveft-vns3-for-azure/#cohesive-vns3-lite

Click Virtual Machines in the Left Column Menu and click Add.

In the resulting Compute window pane, enter VNS3 as the filter to see the two Azure Marketplace offerings. For access to a private unlicensed VNS3 VM, refer to the Azure Image Delivery document and contact our support team.

Click on the VNS3 Edition that works for your use-case.


On the resulting product description window pane, there is information about the VNS3 product line, benefits, and resources.

Make sure the Resource Manager is selected for the deployment model and click Create.

Launch VNS3 - 1 - Configure Basics

On the resulting Basics window pane, name your VNS3 VM. Spaces are not allowed, so use hyphens to separate the words of an instance name.

The Azure portal requires a username and an SSH key or password. Regardless of your entry - Cohesive Networks does not provide shell access to customers for VNS3 appliances. The entry is required, but will not be used.

Associate the VM with your Resource Group.

Click OK.

Launch VNS3 - 2 - Configure Size

On the resulting Size window pane, choose your tier of service and instance size.

VNS3 should have at least one core and 1.5GB of memory, so the “A1 Basic” instance type is a good place to start. Depending on need, VNS3 can be run as a very large instance to provide more throughput for the virtual network, site-to-site connections, firewall rules, or other network functions.

Click Select.

Launch VNS3 - 3 - Configure Settings

On the resulting Settings window pane, configure the settings for the VM.

Select Standard or Premium (SSD) storage.

Click Storage account and select the storage account previously created.

Click Public IP address and select the static public IP previously created.

Click Network Security Group and select the network security group previously created.

Click OK.

Launch VNS3 - 4 - Summary

Review the settings on the Summary window pane.

Click OK.

Launch VNS3 - 5 - Purchase

Review the Purchase price and details on the resulting Purchase window pane.

Click Buy.

VNS3 Unencrypted VLAN Setup

In the event you choose not to use the Overlay Network, there are some additional steps required to allow VNS3 to act as the gateway for the Azure Virtual Network subnet(s).

Remember that even if you decide not to use the Overlay Network, you still need to define an Overlay Network address space as part of the initialization. Be sure to choose an address space that DOES NOT overlap with the Azure Virtual Network CIDR or the remote network you plan on connecting to via IPsec VPN.

You will need to create an Azure Route Table and enable IP Forwarding for the VNS3 controller VM.

Create a Route Table

Click Route Tables in the Left Column Menu and click Add.

In the resulting Create route table window pane, enter a name and select the resource group previously created.

Click Create.

Add Route to the Route Table

Once the Route table has been successfully deployed, click its name and then click All settings.

Click on Routes.

On the resulting Routes window pane, click Add.

In the resulting Add route window pane, enter a Route Name and an Address prefix (the remote network you will connect to via the VNS3 IPsec tunnel), set Next hop type to Virtual appliance, and enter the VNS3 controller Azure private IP address as the Next hop address.

Click Save.

Associate the Route Table with a Subnet

Click on Subnets.

On the resulting Subnets window pane, click Add.

In the resulting Associate subnet window pane, choose a Virtual Network, then choose a Subnet inside that Virtual Network.

Click OK.

Enable IP Forwarding for the VNS3 VM

Enabling IP Forwarding allows the VNS3 controller VM to pass traffic where it is neither the source nor the destination of the packet; it allows VNS3 to act as a gateway.

At the time of this document's publication, IP Forwarding is only controllable via PowerShell. The Azure documentation for IP Forwarding is at https://azure.microsoft.com/en-us/documentation/articles/virtual-network-create-udr-arm-ps/#enable-ip-forwarding-on-fw1
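The three unencrypted VLAN steps (route table, subnet association, IP Forwarding) as one Az PowerShell script, added here as an example that is not part of the original guide. It assumes a logged-in Az session, the Virtual Network and application subnet from the example address plan, and a Controller NIC named vns3-controller-nic; the remote network and the Controller's private IP are constructed placeholders.

```powershell
# Added example (not from the Cohesive Networks guide): the guide's unencrypted
# VLAN setup done with the Az module. Names and addresses are constructed.
$rg            = 'vns3-rg'
$location      = 'eastus'
$remoteNet     = '192.168.50.0/24'  # on-premises network reached through the VNS3 IPsec tunnel (constructed)
$vns3PrivateIp = '10.10.10.244'     # Controller's Azure private IP inside 10.10.10.240/28 (constructed)
$appSubnet     = '10.10.10.0/25'    # application subnet from the guide's example plan

# 1. Route table with a user-defined route: the remote prefix's next hop is the
#    VNS3 VM, expressed as a virtual appliance at its private address.
$route = New-AzRouteConfig -Name 'to-onprem-via-vns3' -AddressPrefix $remoteNet `
             -NextHopType VirtualAppliance -NextHopIpAddress $vns3PrivateIp
$rt = New-AzRouteTable -Name 'vns3-rt' -ResourceGroupName $rg -Location $location -Route $route

# 2. Associate the route table with the application subnet, whose VMs should
#    reach the remote network through VNS3.
$vnet = Get-AzVirtualNetwork -Name 'vns3-vnet' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'application' `
    -AddressPrefix $appSubnet -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 3. Enable IP Forwarding on the Controller NIC so the Azure fabric delivers
#    packets whose destination is not the NIC's own address.
$nic = Get-AzNetworkInterface -Name 'vns3-controller-nic' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Verify: the NIC should report True and the route should show the VNS3 next hop.
(Get-AzNetworkInterface -Name 'vns3-controller-nic' -ResourceGroupName $rg).EnableIPForwarding
Get-AzRouteTable -Name 'vns3-rt' -ResourceGroupName $rg |
    Select-Object -ExpandProperty Routes |
    Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
```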

VNS3 Configuration Document Links

VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions: Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document: Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided about the VNS3 Firewall, all administration menu items, upgrade licenses, other routes, and SNMP traps.

VNS3 Docker Instructions: Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating, and exporting application containers.

VNS3 Troubleshooting: Troubleshooting document that provides explanations of issues that are most commonly experienced with VNS3.