
How to Configure Mobile VPN for Forcepoint NGFW
TECHNICAL DOCUMENT
Table of Contents
TABLE OF CONTENTS 1

BACKGROUND 2

WINDOWS SERVER CONFIGURATION STEPS 2

CONFIGURING USER AUTHENTICATION 3

ACTIVE DIRECTORY SERVER 3

LDAP DOMAIN 4

DEFINING THE FIREWALL VPN SETTINGS 6

END-POINTS 6

VPN SITES 7

DHCP SERVER 7

VPN CLIENT SETTINGS 8

CONFIGURING THE VPN 10

VPN PROFILE 10

VPN ELEMENT 12

ENABLE VPN SITE FOR MOBILE VPN 14

ADDING ACCESS RULES TO ALLOW MOBILE VPN USERS’ CONNECTIONS 15

ACCESS RULE 15

CHECKING THE CONFIGURATION 15

Technical Document 1
Background
This document provides a Forcepoint NGFW mobile VPN configuration example. In this example we use
Windows Server 2012 R2 for user authentication: Active Directory (AD) is used as the directory service,
and Network Policy Server (NPS) as the authentication service. The Windows Server 2012 R2 DHCP Server
is used to assign IP addresses to the VPN client virtual adapters.

AD, NPS and the DHCP server are included as part of Windows Server 2012 R2. An introduction to these
features is outside the scope of this document; consult Microsoft's documentation for further instructions.

The following versions (and respective IP addresses) were used when writing this document:
• Security Management Center (SMC) 6.2.0 – 192.168.1.10
• Next Generation Firewall (NGFW) 6.2.0 – 192.168.1.1 (internal interface), 192.168.254.10 (external interface)
• VPN client for Windows 6.1.0 – 192.168.254.121
• Windows Server 2012 R2 – 192.168.1.40

Windows Server Configuration Steps

• Enable the NPS in Windows Server 2012 R2;
• Register the NPS in your AD;
• Add the Forcepoint NGFW engine as a RADIUS client in the NPS;
• Create a Connection Request Policy;
• Enable dial-in for the end users;
• Add a user account for the SMC components to allow bind access to the AD. In this scenario we use the Administrator credentials.

For a more detailed reference: the Network Policy Server was configured beforehand following the
instructions in this KB article: https://support.forcepoint.com/KBArticle?id=How-to-configure-Active-Directory-NPS-authentication-for-Next-Generation-Firewall

In this setup it is also required to configure the DHCP server in Windows Server. A new scope must be
created, as shown in the figure below.

Configuring User Authentication
In this section we go through how to set up user authentication using NPS authentication on Windows
Server 2012 R2. On the SMC we need to configure an Active Directory Server element and an LDAP Domain
for AD.

ACTIVE DIRECTORY SERVER


To define external authentication we first need to configure the Active Directory Server element.

1. Configuration > User Authentication > Servers > New > Active Directory Server
2. In the General tab we define the IP address, port and LDAP settings for the Active Directory Server.
Object Classes and Attributes are kept at their default values.

3. On the Authentication tab the RADIUS settings used with the Network Policy Server are defined. The
Shared Secret is the same one used in NPS when defining the NGFW engine as a RADIUS client.

LDAP DOMAIN
Next we configure the LDAP Domain for the Active Directory Server.

1. Configuration > User Authentication > Users > New > New External LDAP Domain
2. The Active Directory Server element created in the previous step is added to Bound Servers. We
also enable the Default LDAP Domain setting so that users can log in with just their username.
Without this option users would need to use the <username>@<ldapdomain> syntax in the username
field. It is possible to configure more domains; in that case users need to append <ldapdomain> to
select the domain they want to authenticate to.

3. Since the built-in Network Policy Server authentication method is used, we set it as the Authentication
Method on the Default Authentication tab.

4. Configuration > User Authentication > Users > Configured Domain. You should now be able to
browse the Windows Server 2012 R2 directory from the SMC GUI.
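As an added illustration (not SMC code, and not part of this document) of the login syntax described in step 2, the function below maps what a user types in the username field to a configured External LDAP Domain. The domain table and its Default LDAP Domain flag are an assumption of the example, as is the rule that at most one domain may be the default.

```python
from typing import Dict, Tuple

# Constructed stand-in for the External LDAP Domain elements:
# domain name -> whether "Default LDAP Domain" is enabled for it (assumption).
DOMAINS: Dict[str, bool] = {"corp.example": True, "lab.example": False}


def resolve_login(login: str, domains: Dict[str, bool]) -> Tuple[str, str]:
    """Map the username field to (username, LDAP domain).

    'user@domain' selects that configured domain explicitly; a bare 'user' is
    accepted only when exactly one domain is flagged as Default LDAP Domain.
    Raises ValueError when the login cannot be mapped to a configured domain.
    """
    login = login.strip()
    if not login:
        raise ValueError("empty username")
    if "@" in login:
        user, _, domain = login.rpartition("@")
        if not user:
            raise ValueError("username missing before '@'")
        if domain not in domains:
            raise ValueError(f"unknown LDAP domain {domain!r}")
        return user, domain
    defaults = [name for name, is_default in domains.items() if is_default]
    if len(defaults) != 1:
        # No default (or an ambiguous configuration): the user must use user@domain syntax
        raise ValueError("no single Default LDAP Domain; use <username>@<ldapdomain>")
    return login, defaults[0]


def login_accepted(login: str, domains: Dict[str, bool]) -> bool:
    """Convenience wrapper: True if the login maps to a configured domain."""
    try:
        resolve_login(login, domains)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for attempt in ("user1", "user1@lab.example", "user1@other.example", "@corp.example"):
        print(attempt, "->", login_accepted(attempt, DOMAINS))
```

With Default LDAP Domain disabled on every domain, the bare `user1` login is rejected, which is the situation the step above avoids by enabling the option.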

Defining the firewall VPN settings
In this section we define the VPN settings in the firewall properties. This includes VPN end-points, sites,
and VPN client settings.

END-POINTS
VPN end-points define the IP address that VPN clients connect to when they establish a VPN tunnel.

1. Open firewall Properties > VPN > End-Points
2. In this setup we have only one external end-point, so we enable that one.
3. In this example all VPN types are enabled, so that users can connect with the Forcepoint VPN
client using either IPsec or SSL VPN tunnelling, or with a browser (SSL VPN Portal).

VPN SITES
VPN Site elements define the traffic selectors, i.e. the IP addresses that can be reached through the
VPN when the tunnel between the VPN client and the NGFW engine is up and operational.

1. Open firewall Properties > VPN > Sites
2. The VPN site configuration has an Add and update IP addresses based on routing option, with which
the SMC creates an automatic site based on the routing configuration. The automatic site includes all
the networks behind interfaces that do not have a default route configured. In this setup we do not use
the automatic site option but instead define the site manually for the internal network 192.168.1.0/24.

DHCP SERVER

To assign IP addresses to remote clients, an external DHCP Server on Windows Server 2012 R2 is used.
The DHCP Server defined here is referenced later in the VPN Client Settings.
Open Configuration > Network Elements > Servers (right-click > New > DHCP Server) and define a
Name and IP Address for the DHCP Server.

VPN CLIENT SETTINGS
In the VPN Client settings the VPN types, client device checks and VPN client IP address related settings
are defined. The IP address related settings define which IP addresses VPN clients use in the internal
network. The recommendation is to use virtual IP addressing, where the VPN client virtual adapters receive
an IP address from the company's DHCP server. The other option is to use a NAT pool to translate source IP
addresses before sending packets to the network, but this option does not allow the VPN client to provide
internal DNS server IP addresses to the operating system, so a user connected to the mobile VPN cannot
get the company's internal DNS names resolved unless they manually change the DNS server settings on
the OS side.

Under the Virtual Address settings, there are three options for DHCP Mode:
• Disabled – This option disables the use of the virtual adapter, and you need to configure a NAT pool in
the firewall Advanced VPN settings to dynamically translate the source IP addresses of the
connections through the VPN client tunnels.

NOTE! This option is available only when VPN Type is set to IPsec VPN, i.e. when the firewall supports
VPN client connections only from IPsec clients. Allowing SSL VPN clients to connect requires the use of
virtual IP addressing and a DHCP server to assign IP addresses to the VPN client virtual adapters.

• Direct – This mode can be used when the DHCP server is in a network directly connected to the
firewall. In this mode the firewall acts like a DHCP client, broadcasting the DHCP requests to the local
network segment through the interface defined with the Interface setting. If there is more than one
DHCP server in the local network, the first DHCP offer is used.

• Relay – When this mode is selected, the firewall sends the DHCP requests as unicasts to the defined
DHCP server(s) through the local relay agent. The Interface for DHCP Relay setting allows defining
the source interface for these unicast DHCP requests. This setting does not affect the routing of the
DHCP requests, but it allows the requests to be sent from a specific interface IP address, which the
DHCP server can then use as a criterion for selecting a specific DHCP pool. Relay mode also allows
adding user or group information to the DHCP requests, which the DHCP server can use to select a
specific DHCP pool or IP address to assign to the VPN client.

When virtual addressing is enabled, the Restrict Virtual Address Ranges and Proxy ARP settings can be
enabled:
• Restrict Virtual Address Ranges – This option allows defining the IP address range(s) that the firewall
accepts for VPN client virtual adapters. Note that this option does not mean that the firewall "tells" the
DHCP server which address range to assign from. Instead, the firewall rejects an offered IP address
that is not part of the ranges defined with Restrict Virtual Address Ranges, and the VPN negotiation
fails. Thus the range(s) defined should match the DHCP pool that the DHCP server uses to assign IP
addresses to VPN client virtual adapters.

• Proxy ARP – When this option is enabled, the firewall does proxy ARP for the address range(s)
defined. The proxy ARP is done dynamically, so the firewall only replies to ARP requests for IP
addresses that are currently in use by VPN clients. The Proxy ARP range(s) should also be configured
to match the DHCP pool that the DHCP server uses for VPN clients.
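The following Python script is an added example, not part of this document or of Forcepoint's software. It models the two behaviours described above: an offered address outside Restrict Virtual Address Ranges is rejected and the negotiation fails, and Proxy ARP only covers the configured ranges. The DHCP scope and range values are constructed, and the range syntax (first-last or CIDR) is an assumption of the example, not the SMC's input format.

```python
import ipaddress
from typing import Dict, Iterable, Iterator, List, Tuple

# Added example modelling the documented behaviour of Restrict Virtual Address Ranges
# and Proxy ARP so that a DHCP scope can be checked against them before deployment.
AddrRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_ranges(ranges: Iterable[str]) -> List[AddrRange]:
    """Parse 'first-last' or CIDR strings into inclusive (first, last) tuples (assumed syntax)."""
    parsed: List[AddrRange] = []
    for text in ranges:
        if "-" in text:
            lo_s, hi_s = text.split("-", 1)
            lo, hi = ipaddress.IPv4Address(lo_s.strip()), ipaddress.IPv4Address(hi_s.strip())
        else:
            net = ipaddress.IPv4Network(text.strip(), strict=False)
            lo, hi = net[0], net[-1]
        if hi < lo:
            raise ValueError(f"range {text!r} ends before it starts")
        parsed.append((lo, hi))
    return parsed


def in_ranges(addr: str, ranges: List[AddrRange]) -> bool:
    a = ipaddress.IPv4Address(addr)
    return any(lo <= a <= hi for lo, hi in ranges)


def expand(ranges: List[AddrRange]) -> Iterator[ipaddress.IPv4Address]:
    """Yield every address of every range (pools are small, so enumeration is fine)."""
    for lo, hi in ranges:
        a = lo
        while a <= hi:
            yield a
            a += 1


def offer_accepted(offered: str, restrict_ranges: Iterable[str]) -> bool:
    """True if the firewall keeps the DHCP offer. False models the documented failure:
    an offer outside Restrict Virtual Address Ranges is rejected and the VPN negotiation fails."""
    return in_ranges(offered, parse_ranges(restrict_ranges))


def audit(dhcp_pool: str, restrict_ranges: Iterable[str],
          proxy_arp_ranges: Iterable[str]) -> Dict[str, List[str]]:
    """Compare the DHCP pool with the firewall settings and list pool addresses that would
    be rejected (negotiation failure) or not proxy-ARPed (client unreachable from the LAN)."""
    pool = parse_ranges([dhcp_pool])
    restrict = parse_ranges(restrict_ranges)
    proxy = parse_ranges(proxy_arp_ranges)
    return {
        "rejected_by_restrict": [str(a) for a in expand(pool) if not in_ranges(str(a), restrict)],
        "no_proxy_arp": [str(a) for a in expand(pool) if not in_ranges(str(a), proxy)],
    }


if __name__ == "__main__":
    # Constructed values: a DHCP scope of 20 addresses, but the firewall only accepts the first 10
    report = audit("192.168.1.180-192.168.1.199",
                   restrict_ranges=["192.168.1.180-192.168.1.189"],
                   proxy_arp_ranges=["192.168.1.180-192.168.1.199"])
    print(report)
    print(offer_accepted("192.168.1.190", ["192.168.1.180-192.168.1.189"]))
```

Running audit() with the scope and the two firewall ranges before committing the policy shows exactly which pool addresses would make a client's negotiation fail or leave a client unreachable from the LAN, which is the consistency check the two settings above ask you to make by hand.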

In this example configuration we used the firewall's internal DHCP server, which can be used with single-node
firewall installations. With cluster installations an external DHCP server has to be used.
1. Open firewall Properties > VPN > VPN Client
2. In the VPN Client settings we enable the gateway to support connections from IPsec. In DHCP Server
we include the DHCP Server already configured on Windows Server 2012. We also configure
Restrict Virtual Address Ranges and Proxy ARP to match the DHCP pool that the internal DHCP
server uses.

Configuring the VPN
Now that we have defined the VPN settings in the firewall properties we can create the VPN profile and
VPN elements.

VPN PROFILE
The VPN Profile contains the settings related to authentication, integrity checking, and encryption of the IPsec
VPN tunnel. In this example configuration we used a customized version of the built-in iOS Suite profile.
1. Configuration > VPN > Other Elements > Profiles > VPN Profiles > right-click the iOS Suite profile
element > New > Duplicate
2. For the IKE SA settings we used the settings shown in the picture below.

3. For the IPsec SA the settings below were used.

4. On the IPsec Client tab the following settings were used to allow hybrid authentication, where the firewall
authenticates to the VPN client using an RSA certificate, and the user (VPN client) authenticates to the
firewall using an AD username and password.

VPN ELEMENT
Next we create the VPN element that is used in the access rule that allows mobile VPN connections.
1. Configuration > VPN > Policy-Based VPNs > New > Policy-Based VPN
2. In the Policy-Based VPN Properties we define the name for the VPN element and select the VPN
profile that we created above.

3. On the Site-to-Site tab we add our VPN gateway under Central Gateways.

4. On the Mobile VPN tab we can use the Only Central Gateways from overall topology setting.

5. On the Tunnels tab check that the validity is marked green.

ENABLE VPN SITE FOR MOBILE VPN
Now that the VPN element is created, we need to make sure that the VPN site we created earlier is enabled
for the newly created mobile VPN.
1. Open firewall Properties > VPN > Sites
2. In the VPN site element properties, on the VPN References tab (on the right, right-click the site >
Properties > VPN References tab), verify that the site is enabled for the mobile VPN just created and
that it is set to Normal mode.

Adding access rules to allow mobile VPN users’ connections
The last step is to define the access rules that allow connections through the mobile VPN tunnels. When
creating an access rule for mobile VPN traffic, keep in mind that the Users and Authentication Methods tab
definitions in the Authentication cell are used as additional matching criteria. However, other rules that
match connections based on the source and destination IP address and the service can also match
connections coming through the mobile VPN tunnel, possibly allowing or discarding traffic incorrectly. If
you have rules for internal network host traffic that also match the VPN client connections based on IP
address and service information, you can use the Source VPN cell to prevent these rules from matching
connections from VPN clients: enable the Match traffic based on source VPN setting and select the
Rule does not match traffic from any VPN option.

ACCESS RULE
In our example setup we allow all traffic from mobile VPN clients to the Internal Zone (the internal network
on the NGFW Engine) when the user has been authenticated using the Network Policy Server authentication
method and belongs to the Mobile VPN Users Active Directory group.
1. Configuration > NGFW > Policies > Firewall Policies > open the firewall policy for editing
2. The following access rule was added to allow mobile VPN users to access the internal network when the
connection comes through the Mobile_VPN_01 tunnel, the user is part of the VPN_Users AD group, and
the user was authenticated using the Network Policy Server authentication method.
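The rule-matching behaviour described in the two sections above, as an added Python model that is not part of this document or of the SMC: first-match evaluation, with the Source VPN cell and the Authentication cell (Users, Authentication Methods) acting as extra criteria. The rule and connection fields, the NO_VPN marker standing for Rule does not match traffic from any VPN, and the sample connections are constructed assumptions; the tunnel name Mobile_VPN_01, the VPN_Users group and the Network Policy Server method are taken from the example rule above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added example modelling the page's description of access rule matching; not SMC code.
NO_VPN = "NO_VPN"   # stands for "Rule does not match traffic from any VPN"


@dataclass
class Connection:
    src: str
    dst: str
    service: str
    source_vpn: Optional[str] = None          # tunnel name, None for plain (non-VPN) traffic
    user: Optional[str] = None
    groups: Set[str] = field(default_factory=set)
    auth_method: Optional[str] = None


@dataclass
class Rule:
    name: str
    src: str                                  # CIDR, "0.0.0.0/0" for ANY
    dst: str
    services: Set[str]                        # {"ANY"} matches every service
    action: str                               # "Allow" or "Discard"
    source_vpn: Optional[str] = None          # None: cell not used; NO_VPN; or a tunnel name
    required_group: Optional[str] = None      # Authentication cell: Users
    required_auth: Optional[str] = None       # Authentication cell: Authentication Methods

    def matches(self, c: Connection) -> bool:
        if ipaddress.ip_address(c.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(c.dst) not in ipaddress.ip_network(self.dst):
            return False
        if "ANY" not in self.services and c.service not in self.services:
            return False
        # Source VPN cell: the criterion that separates VPN client traffic from LAN traffic
        if self.source_vpn == NO_VPN and c.source_vpn is not None:
            return False
        if self.source_vpn not in (None, NO_VPN) and c.source_vpn != self.source_vpn:
            return False
        # Authentication cell definitions are additional matching criteria
        if self.required_group is not None and self.required_group not in c.groups:
            return False
        if self.required_auth is not None and c.auth_method != self.required_auth:
            return False
        return True


def evaluate(policy: List[Rule], c: Connection) -> Tuple[str, str]:
    """First matching rule wins; an unmatched connection is discarded by the default rule."""
    for rule in policy:
        if rule.matches(c):
            return rule.name, rule.action
    return "default", "Discard"


INTERNAL_HOSTS_RULE = Rule(
    name="Internal hosts: no RDP to server",
    src="192.168.1.0/24", dst="192.168.1.40/32", services={"RDP"}, action="Discard",
    source_vpn=NO_VPN,   # keeps this LAN rule from matching VPN client connections
)
MOBILE_VPN_RULE = Rule(
    name="Mobile VPN users to Internal Zone",
    src="0.0.0.0/0", dst="192.168.1.0/24", services={"ANY"}, action="Allow",
    source_vpn="Mobile_VPN_01", required_group="VPN_Users",
    required_auth="Network Policy Server",
)
POLICY = [INTERNAL_HOSTS_RULE, MOBILE_VPN_RULE]

# The same LAN rule without the Source VPN restriction, to show the incorrect match
POLICY_WITHOUT_SOURCE_VPN = [
    Rule(name=INTERNAL_HOSTS_RULE.name, src=INTERNAL_HOSTS_RULE.src, dst=INTERNAL_HOSTS_RULE.dst,
         services=INTERNAL_HOSTS_RULE.services, action="Discard"),
    MOBILE_VPN_RULE,
]

# Constructed connections: a VPN client whose virtual adapter received 192.168.1.190 from the
# DHCP pool, an internal host, and a VPN user who is not a member of VPN_Users.
VPN_CLIENT = Connection("192.168.1.190", "192.168.1.40", "RDP", source_vpn="Mobile_VPN_01",
                        user="user1", groups={"VPN_Users"}, auth_method="Network Policy Server")
LAN_HOST = Connection("192.168.1.50", "192.168.1.40", "RDP")
UNAUTHORIZED_VPN_USER = Connection("192.168.1.191", "192.168.1.40", "RDP", source_vpn="Mobile_VPN_01",
                                   user="user2", groups=set(), auth_method="Network Policy Server")

if __name__ == "__main__":
    print("with Source VPN cell:   ", evaluate(POLICY, VPN_CLIENT))
    print("without Source VPN cell:", evaluate(POLICY_WITHOUT_SOURCE_VPN, VPN_CLIENT))
    print("LAN host:               ", evaluate(POLICY, LAN_HOST))
    print("user not in VPN_Users:  ", evaluate(POLICY, UNAUTHORIZED_VPN_USER))
```

Because the virtual adapter addresses come from the internal 192.168.1.0/24 pool, the LAN rule matches the VPN client on IP address and service alone; only the Source VPN cell set to Rule does not match traffic from any VPN lets the connection fall through to the mobile VPN rule, where the group and authentication method checks are applied.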

Checking the Configuration


We assume the VPN Client is already installed on the host from which we test the connection. On the
client in the external network, launch the VPN Client and make sure a gateway is configured: the external
interface of the NGFW Engine.

Click the Connection button and enter the credentials (username and password) of a user already
configured in the Windows Server 2012 R2 AD.

The connection steps should complete successfully, as in the following screen.

By clicking Details it is possible to see the parameters and information related to the Virtual Interface (IP
address assigned by the internal DHCP server, etc.) as well as the IPsec SA related parameters.

In the SMC it is possible to monitor the IPsec SAs by right-clicking the NGFW engine and selecting
Monitoring > VPN SAs.

By checking the content of /proc/Stonegate/auth/usertable on the NGFW engine it is possible to see the
logged-in users.

Here the user account is user1, which is part of the VPN_Users group in AD, using IP address
192.168.1.190.

