VAPP NATT setup

Architecture

There are two Virtual Appliances. The first is an Application Delivery Controller (ADC) that performs load balancing and NAT traversal (which we will call NATT) between the public network and the DMZ; the second contains the VPN component (which we will call the VPN server) between the DMZ and the intranet and gives access to the corporate computer systems (see Figure 1). Easy-RSA is installed on the latter and is used to create and verify certificates. When a client wants to connect to the VPN, it first reaches NATT, which has a public listener on port 45483. All connections to this port are forwarded to the VPN server on port 1194. At this point the certificate of the client that wants to connect to the VPN is checked and, if it is valid, the VPN server assigns the client a 10.8.0.X IP address. As soon as the client receives the IP assignment, it can access the corporate intranet. This architecture lets you completely separate the public and intranet environments, using the DMZ as a security band.

Figure 1: VPN

To ensure that the VPN remains operational at all times, the VPN server can be duplicated and assigned a different IP address from the first one. Through the Oplon ADC balancer, if a VPN server stops working for any reason, even for maintenance, traffic is forwarded to the other VPN server, maintaining operational continuity (see Figure 2).

Figure 2: VPN balanced

Compatibility Matrix and Freeware License Sizing

The VAPPs distributed and directly available for download target the most popular virtual platforms on the market today; other virtual images can be requested from Oplon by email: customercare@oplon.net.

Images directly available from the site:

  • VMware: compatible with ESXi 5.1 and later (base OS "Powered by CentOS")

  • VirtualBox: all versions (base OS "Powered by CentOS")

Virtual appliances are licensed for these resources:

  • CPU: max 2

  • RAM: max 5120MB

If you assign more resources than these, the Application Delivery Controller will not start.

Virtual Appliance import

The import of VAPP is facilitated by the tools of virtualization systems. Each virtualization system provides a console to do so.

Once the VAPP is imported, the system is ready to perform the first setup compatible with the datacenter environment.

We recommend that you import the Virtual Appliance with "thin" (or equivalent) disk provisioning so that disk space is consumed only as the system needs it.

Note: during import, take care to choose, in the various virtualization systems, an import that regenerates the MAC addresses of the virtual network cards. This ensures that the virtual machines do not conflict.

Setting up network adapters before start

Once you have imported the VAPP into the virtualization system, you must put it in the operating context.

Both the VAPP that will run NATT and the VAPP that will run the VPN server will need to be equipped with two network interfaces.

The NATT VAPP must be set up with one network interface facing the Internet and the other facing the DMZ.


The VAPP VPN server will be set with one interface to the DMZ and the other to the corporate intranet.


This configuration allows you to keep the Internet mode separate from the intranet world.

Setting the number of core CPUs

Once you have imported the VAPP and configured the network interfaces in the virtualization system, you must put it in the operating context by assigning resources.

VAPPs are preconfigured for disk space and memory. The only parameter to change is the number of CPUs, which the factory sets to a minimum of 1.

If your virtual environment has multiple CPU cores, we recommend setting 2 CPUs.

Once you have verified this parameter, you can start the virtual machine.

Network Address Setup

At startup the system asks for the login and administrative password:

  • Login: administrator

  • Password: adminadmin

Once you reach the console prompt, switch to root to run the commands:

  • sudo -i

  • Password: adminadmin

To set the network addresses, the nmtui console tool is available, which makes it easy to configure the interfaces.


ADC Management setting

After assigning IP addresses to the network adapters, set the LBL parameters and credentials.


With the lblhelp command you can request the list of available functions.


When you run lblsetup, the system asks you to set the administrator password. The VAPP is pre-set with the password: adminadmin

The initial configuration has been reduced to a minimal console setup, enough to configure the functions needed to then connect through Oplon Global Distributed Gateway, where the extended configuration is performed. By default, the consoles bind to all available addresses.


Here is an explanation of the console's requests:

Management address: (default 0.0.0.0)

  • This is the address from which you can connect from the outside with the Oplon Management Console. It is absolutely recommended to set an internal management address (DMZ). It is strongly discouraged to use 0.0.0.0 or an address that is exposed on the Internet.

Management port: (default 54443)

  • This is the port from which you can connect from the outside with the Oplon Web Console (default 54443; do not change it unless strictly necessary).

  • Global Distributed Gateway def. port (default 4444): this is the port from which you can connect from the outside with OPLON Global Distributed Gateway. You can change this port later through the Global Distributed Gateway process web console.

  • Type LBL root username and password: this is the root administrator login with which you can perform the full setup from the Oplon Web Console and create or delete other users.

  • Type primary system name and password for system delegation: set the primary delegate user login and password, used to perform operations across multiple Oplon SAAI systems (it is recommended to use a login and password known only to security personnel, or otherwise not available to all personnel).

NOTE: the setup program exits automatically 3 minutes after it starts.

For security reasons, we recommend that you change the address, login, and password from the defaults.


Once you have set your login and password, you can exit with save.

Securing SSH access

From the prompt, as root, set the SSH daemon to accept connections only from the DMZ network, thereby excluding access to the operating system from the Internet:

vi /etc/ssh/sshd_config

Look for ListenAddress, which is set to 0.0.0.0 (that is, all addresses, including the one exposed on the Internet).


Change ListenAddress to the address of the DMZ network and uncomment the line (remove the leading #).


Once you have changed the listen address, restart the daemon as follows:

systemctl restart sshd.service
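The edit above is easy to get subtly wrong: a second, uncommented `ListenAddress ::` line would still leave sshd reachable on every IPv6 address, and a typo in the file would make the restart fail and lock you out. The script below is an added example, not part of the Oplon VAPP or its documentation; it applies the change to a copy of sshd_config, verifies that the DMZ address is the only active listener, and on the real appliance validates the file with `sshd -t` before restarting. The DMZ address 10.10.20.5 and the sample configuration are constructed.

```shell
#!/bin/sh
# Added example: bind sshd to a single DMZ address, verify, then restart.
# The DMZ address and the sample sshd_config below are constructed.
set -eu

# Accept only a dotted-quad IPv4 address with octets in 0-255.
ip4_valid() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(printf '%s\n' "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Print the addresses sshd will actually bind: active (uncommented)
# ListenAddress lines only. Commented lines are ignored, as sshd does.
active_listen_addresses() {
  awk '$1 == "ListenAddress" { print $2 }' "$1"
}

# Comment out every active ListenAddress (0.0.0.0, :: or any other) and
# append exactly one line binding sshd to the DMZ address.
set_ssh_listen_address() {
  cfg="$1"; addr="$2"
  ip4_valid "$addr" || { echo "refusing invalid IPv4 address: $addr" >&2; return 1; }
  tmp="$cfg.tmp.$$"
  sed -e 's/^[[:space:]]*ListenAddress[[:space:]]/#&/' "$cfg" > "$tmp"
  printf 'ListenAddress %s\n' "$addr" >> "$tmp"
  mv "$tmp" "$cfg"
}

# True only if the DMZ address is the sole active listener; an extra
# "ListenAddress ::" line would fail this check.
check_ssh_listen_address() {
  [ "$(active_listen_addresses "$1")" = "$2" ]
}

# On the real VAPP, run as root. sshd -t validates the file first so a
# broken configuration cannot leave you locked out after the restart.
apply_on_host() {
  set_ssh_listen_address /etc/ssh/sshd_config "$1"
  check_ssh_listen_address /etc/ssh/sshd_config "$1"
  sshd -t
  systemctl restart sshd.service
  ss -tln | grep ':22 '     # confirm the bound address after the restart
}

# Offline demo on a constructed copy of sshd_config (no service is touched).
demo() {
  f=$(mktemp)
  printf '#ListenAddress 0.0.0.0\nListenAddress ::\nPort 22\nPermitRootLogin no\n' > "$f"
  set_ssh_listen_address "$f" 10.10.20.5
  check_ssh_listen_address "$f" 10.10.20.5 && echo "sshd bound only to 10.10.20.5"
  cat "$f"
  rm -f "$f"
}
```

Run `demo` to see the rewritten file; on the appliance, `apply_on_host <dmz-address>` performs the edit, the syntax check and the restart in that order. Keep the console session open until `ss -tln` shows sshd on the DMZ address only.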

Operating system Timezone Date and Time setting

It is important to set the date and time, because the cryptographic components check the system date and time and, if the clock is misaligned, they may not work.

Therefore, for what follows, we recommend that you set the system date and time to values as close as possible to the current date and time. Using NTP alignment is recommended.

To change the timezone, the lbltimezone command is available; depending on the base operating system used, it has its own setup interface or gives directions to make the change.

For Italy, set from root (for other locations use the corresponding zone name, e.g. America/New_York; timedatectl list-timezones prints the available names):

# timedatectl set-timezone Europe/Rome

Operating system Keyboard setting

To change the console keyboard layout, the lblkeyboard command is available; depending on the base operating system used, it has its own setup interface or gives directions to make the change.


First login from OPLON Global Distributed Gateway NATT

From the console you can verify the current configuration and the DHCP-assigned address with the normal Linux commands (ip addr).

The Oplon Monitor and OPLON Global Distributed Gateway systems are by default set to accept connections from all networks.


Use ip addr to find an available address, then log in from the Oplon Management Console, LBL Web Console or OPLON Global Distributed Gateway to that address.


To access the OPLON Global Distributed Gateway services, type: https://x.x.x.x:4444 (where x.x.x.x is any system address if you have not changed the 0.0.0.0 default, or the address you chose with lblsetup).

Log in as "root" with the password chosen during lblsetup:


Once logged in, the dashboard appears, from which you can set up the NATT component.


Free VPN edition license setup

The Application Delivery Controller ships with an unlimited free license for use with web applications.

If you also want to use the VPN Tunnel (NATT) component, you must enter the free license that you can download from the OPLON website www.oplon.net.

WARNING: The free license is valid for Virtual Appliance with a maximum of 2 vCPU and 5GB RAM. If you exceed these thresholds, the system does not start.

To set the license, after the web login go to:

Modules -> ADC & GLB -> LBL ADC Platform Edition -> Edit


In the top right, select Actions -> Install license and then upload the license file license.xml.


Stop the module


Once the module has stopped, run Start Module.


Public Network NATT Listener Setting

Set the address of the public network, that is, the network exposed on the Internet, on the Application Delivery Controller listener that accepts the NAT traversal connections. The listener has already been preconfigured by the factory; you only need to set the address.


ADC Settings -> ADCs -> Edit module of A10_LBLGoPlatform


Expand the listener panel and change the address from 0.0.0.0 to the address of the Internet interface.
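After the management address (lblsetup section above) and the public listener have been set, it is worth checking from the console that every service is bound where this guide says it should be: only the NATT listener on 45483 facing the Internet, and SSH (22), the management console (54443) and the Global Distributed Gateway (4444) on the DMZ address only. The script below is an added example and not part of the Oplon product; it reads `ss -tlnH` output and reports each socket against that placement. The public address 203.0.113.10, the DMZ address 10.10.20.5 and the sample socket list are constructed.

```shell
#!/bin/sh
# Added example: audit the addresses the VAPP's services are bound to,
# against the placement this guide prescribes. Input is "ss -tlnH" output
# (one LISTEN socket per line); the sample below is constructed.
set -eu

# audit_listeners PUBLIC_IP DMZ_IP  < ss-output
# Policy derived from the guide:
#   45483 (NATT public listener) must be bound to the Internet interface only;
#   22 (SSH), 54443 (management console) and 4444 (Global Distributed Gateway)
#   must be bound to the DMZ address only;
#   anything else bound to 0.0.0.0/:: or the public address is reported.
# Prints one verdict per socket and exits 1 if any FINDING was produced.
audit_listeners() {
  awk -v pub="$1" -v dmz="$2" '
    $1 != "LISTEN" { next }
    {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") scope = "all"
      else if (addr == pub) scope = "public"
      else if (addr == dmz) scope = "dmz"
      else scope = "other"
      want = ""
      if (port == "45483") want = "public"
      else if (port == "22" || port == "54443" || port == "4444") want = "dmz"
      verdict = "OK"
      if (want != "" && scope != want) verdict = "FINDING"
      if (want == "" && (scope == "all" || scope == "public")) verdict = "FINDING"
      printf "%s port %s bound to %s (%s)\n", verdict, port, addr, scope
      if (verdict == "FINDING") bad++
    }
    END { exit (bad > 0) }'
}

# Constructed sample: public interface 203.0.113.10, DMZ interface 10.10.20.5.
# SSH and the management console are still on all addresses; 45483 and 4444
# are already placed correctly.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 128 203.0.113.10:45483 0.0.0.0:* users:(("lbl",pid=1100,fd=12))
LISTEN 0 128 0.0.0.0:54443 0.0.0.0:* users:(("lbl",pid=1100,fd=20))
LISTEN 0 128 10.10.20.5:4444 0.0.0.0:* users:(("lbl",pid=1100,fd=21))'

# On the real appliance:  ss -tlnH | audit_listeners <public-ip> <dmz-ip>
demo() {
  printf '%s\n' "$SAMPLE_SS" | audit_listeners 203.0.113.10 10.10.20.5
}
```

On the constructed sample `demo` reports three findings (SSH on 0.0.0.0 and on [::], the management console on 0.0.0.0) and two OK sockets, and exits non-zero, which makes it usable as a post-setup check or a periodic drift check from a cron job.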


NATT tunnel setting for forwarding traffic to the VPN server


Then search for the endpoint, which must be set to the DMZ address of the VPN server.

Endpoints -> Search (type VPM) -> Edit the A10_LBLGoPlatform endpoint


Change the address from 127.0.0.1 to the listen address of the VPN server.

Save the configuration.


Re-init to get the new configuration up and running.
