Architecture
There are two Virtual Appliances: the first is an Application Delivery Controller (ADC) that performs load balancing and NAT Traversal (which we will call NATT) between the public network and the DMZ, while the other contains the VPN component (which we will call the VPN server) between the DMZ and the intranet, which allows access to corporate computer systems (see Figure 1).
Easy RSA has been installed on the latter and is used for creating and verifying certificates.
When a client wants to connect to the VPN, it first reaches NATT, which has a public listener on port 45483. All connections to this port are forwarded to the VPN server on port 1194.
At this point the certificate of the client that wants to connect to the VPN is checked and, if valid, the VPN server assigns the client a 10.8.0.X IP address.
As soon as the client receives the IP assignment, it can access the corporate intranet.
This architecture allows you to completely separate the public and intranet environments, using the DMZ as a security buffer zone.
To ensure that the VPN remains operational at all times, the VPN server can be duplicated and assigned a different IP address than the first one. Through the Oplon ADC balancer, if a VPN server stops working for any reason, even for maintenance, traffic is forwarded to the other VPN server, maintaining operational continuity (see Figure 2).
Compatibility Matrix and Freeware License Sizing
The VAPPs available for direct download are for the most popular virtual platforms on the market today; other virtual images can be requested from Oplon by email: customercare@oplon.net.
Images directly available from the site:
VMware Compatibility ESXi 5.1 and later (with basic OS "Powered by CentOS")
Virtual BOX all versions (with basic OS "Powered by CentOS")
Virtual appliances are licensed for these resources:
CPU: max 2
RAM: max 5120MB
If you assign more resources than these, the application delivery controller will not start.
Virtual Appliance import
The import of VAPP is facilitated by the tools of virtualization systems. Each virtualization system provides a console to do so.
Once the VAPP is imported, the system is ready to perform the first setup compatible with the datacenter environment.
We recommend that you import the Virtual Appliance with "thin" or similar HDD functionality so that you consume disk space only as much as the system needs to work.
Note: During import, it is important to take care to choose, in different virtualization systems, an import with regeneration of MAC addresses of virtual cards. This ensures that the virtual machines do not conflict.
Setting up network adapters before start
Once you have imported the VAPP into the virtualization system, you must put it in the operating context.
Both the VAPP that will run NATT and the VAPP that will run the VPN server will need to be equipped with two network interfaces.
The NATT VAPP must be set up with one network interface facing the Internet and the other facing the DMZ.
The VPN server VAPP must be set up with one interface facing the DMZ and the other facing the corporate intranet.
This configuration keeps the Internet side separate from the intranet world.
Setting the number of core CPUs
Once you have imported the VAPP and configured the network interfaces in the virtualization system, you must put it in the operating context by assigning resources.
VAPPs are preconfigured for disk space and memory. The only parameter to change is the number of CPUs that the factory sets to a minimum of 1.
If your virtual environment has multiple core CPUs, we recommend that you set 2 CPUs.
Once you have verified this parameter, you can run the start of the virtual machine.
Network Address Setup
At the start the system will require login and administrative password:
Login: administrator
Password: adminadmin
Once you arrive at the console prompt, prepare to run the commands from root:
sudo -i
Password: adminadmin
To set network addresses, the console tool nmtui is available, which makes it easy to set up networks.
ADC Management setting
After assigning IP addresses to the network adapters, set the LBL parameters and credentials.
With the command lblhelp you can request the list of available functions.
Running lblsetup, the system will require you to set the administrator password. The VAPP is pre-set with the password: adminadmin
The initial configuration system has been minimized in the console to allow a simple setup of the functions with which to then connect through Oplon Global Distributed Gateway where you can perform the extended configuration. By default, consoles bind to all available addresses:
Here is an explanation of the console's requests:
Management address (default 0.0.0.0): this is the address from which you can connect from the outside with the Oplon Management Console. It is strongly recommended to set an internal management address (DMZ). Do not use 0.0.0.0 or an address that is exposed on the Internet.
Management port (default 54443): the port from which you can connect from the outside with the Oplon Web Console (do not change unless strictly necessary).
Global Distributed Gateway def. port (default 4444): the port from which you can connect from the outside with OPLON Global Distributed Gateway. You can change this port through the Global Distributed Gateway process web console.
Type LBL root username and password: the root administrator login with which you can perform the full setup from the Oplon Web Console and set or delete other users.
Type primary system name and password for system delegation: set the primary delegate user login and password used to perform operations across multiple Oplon SAAI systems (it is recommended to set a login associated with a password that is known only to security personnel or otherwise unavailable to all personnel).
NOTE: the setup program exits automatically 3 minutes after start.
For security reasons, we recommend that you change the address, login, and password from the defaults.
Once you have set your login and password, you can exit with save.
Securing SSH access
From the prompt, as root user, set the SSH daemon to accept connections only from the DMZ network, thus excluding access to the operating system from the Internet:
vi /etc/ssh/sshd_config
Look for ListenAddress, which is set to 0.0.0.0 (that is, all addresses, including the address exposed on the Internet).
Change ListenAddress to the address of the DMZ network and uncomment the line (remove the leading #).
Once you have changed the listen address, restart the Daemon as follows:
systemctl restart sshd.service
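The ListenAddress change above, as an added shell example that is not part of the Oplon guide: it comments out every active ListenAddress line, appends the DMZ address, and reports what sshd would bind to, so the edit can be checked before the daemon is restarted. The file path and the DMZ address 10.20.30.5 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Oplon guide: repeatable, verifiable
# ListenAddress hardening for a stock OpenSSH sshd_config.

# set_sshd_listen_address FILE DMZ_ADDR
# Comments out every active ListenAddress line (0.0.0.0, ::, anything else),
# appends a single "ListenAddress DMZ_ADDR", and prints the number of active
# ListenAddress directives left in FILE (expected: 1). Safe to run twice.
set_sshd_listen_address() {
    file="$1"
    dmz_addr="$2"
    tmp="${file}.tmp.$$"
    # Disable existing active directives instead of deleting them, so the
    # previous value stays visible in the file for audit.
    sed -E 's|^([[:space:]]*)(ListenAddress[[:space:]].*)$|\1#\2|' "$file" > "$tmp"
    printf 'ListenAddress %s\n' "$dmz_addr" >> "$tmp"
    mv "$tmp" "$file"
    grep -Ec '^[[:space:]]*ListenAddress[[:space:]]' "$file"
}

# active_listen_addresses FILE
# Prints the addresses sshd would actually bind to, one per line.
active_listen_addresses() {
    grep -E '^[[:space:]]*ListenAddress[[:space:]]' "$1" | awk '{print $2}'
}

# Typical use on the VAPP as root (DMZ address is a constructed value);
# sshd -t validates the file and returns non-zero on a syntax error, so a
# bad edit never reaches the restart:
#   set_sshd_listen_address /etc/ssh/sshd_config 10.20.30.5
#   active_listen_addresses /etc/ssh/sshd_config
#   sshd -t && systemctl restart sshd.service
```

Run active_listen_addresses after the restart as well; if it still shows 0.0.0.0 or "::", an active IPv6 or duplicate directive elsewhere in the file is keeping the daemon reachable from the Internet side.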
Operating system Timezone Date and Time setting
It is important to set the date and time because the encryption systems check the system date and time and, if misaligned, may not work.
Therefore, for the following, we recommend that you set the system date and time with values as close as possible to the current date and time. Using NTP alignment is recommended.
To change the timezone, the lbltimezone command is available, which, depending on the base operating system used, will have its own setup interface or directions to make the change.
For Italy, set from root:
# timedatectl set-timezone Europe/Rome
Operating system Keyboard setting
To change the console keyboard, the lblkeyboard command is available, which, depending on the base operating system used, will have its own setup interface or directions to make the change.
First login from OPLON Global Distributed Gateway NATT
From the console you can verify the current configuration and the associated DHCP address through normal Linux commands (ip addr).
The Oplon Monitor and OPLON Global Distributed Gateway systems are by default set to accept connections from all networks.
Just check with the command ip addr for an available address and log in from the Oplon Management Console, LBL Web Console or OPLON Global Distributed Gateway to that address, e.g.:
To access OPLON Global Distributed Gateway services, type:
https://x.x.x.x:4444
(where x.x.x.x is any system address if you haven't changed the address 0.0.0.0, or the address you chose with lblsetup).
Type the login "root" with the password chosen with lblsetup.
Once logged in, the dashboard will appear that will allow you to set the NATT component.
Free VPN edition license setup
The Application Delivery Controller has already set up an unlimited free license if it is to be used for WEB applications.
If you also want to use the VPN Tunnel (NATT) component, you must enter the free license that you can download from the OPLON website www.oplon.net.
WARNING: The free license is valid for Virtual Appliance with a maximum of 2 vCPU and 5GB RAM. If you exceed these thresholds, the system does not start.
To set the license you just need to run after web login:
Modules -> ADC & GLB -> LBL ADC Platform Edition -> Edit
In the top right, select Actions -> Install license and then upload the license file license.xml
Stop the module
Once the module has stopped run Start Module
Public Network NATT Listener Setting
Set the address of the public network, that is, the network exposed on the Internet, on the Application Delivery Controller Listener that is ready to accept NAT Traversal connections. The Listener has already been preconfigured by the factory; you only need to set the address.
ADC Settings -> ADCs -> Edit module of A10_LBLGoPlatform
Expand the listener panel and change the address from 0.0.0.0 to the address of the Internet interface
NATT tunnel setting for forwarding traffic to the VPN server
Then search for the endpoint that will be set with the DMZ address of the VPN server.
Endpoints -> Search-type VPM-Edit of the endpoint A10_LBLGoPlatform
Change the address from 127.0.0.1 to the listen address of the VPN server
Save the configuration
Re-init to get the new configuration up and running