Configure VPN for virtual offices

Written By Tami Sutcliffe (Super Administrator)

Updated at September 5th, 2023

Connect to the VPN 

When the VPN has been configured, the Virtual Office will generate a link that allows you to connect to the VPN. This link can be copied and sent to the desired recipients. 

1. Navigate to the appropriate Virtual Office page.

You can do this in two ways:

Through the Dashboard tab:

  • Click on the Dashboard tab in the lefthand navigation of RMC.
  • Open the Activities of Interest accordion.
  • Open the Cloud Virtualizations accordion.
  • Hover over the righthand side of the table under the appropriate Client.
  • Click on the Manage Office text that appears.

or 

Through the Clients tab:

  • Click on the Clients tab in the lefthand navigation of RMC.
  • Open the Activities of Interest accordion.
  • Open the Cloud Virtualizations accordion.
  • Hover over the righthand side of the table.
  • Click on the Manage Office text that appears.

2. On the Virtual Office page, click the Configure Office button.

 

3. On the Configure Virtual Office page, click the Login to VPN button in the VPN section.

4. On the VPN Access page, enter login credentials. These are the same credentials created in the User Authentication field on the VPN screen.

Click Sign in to continue.

 


NOTE: The Pulse Connect Secure client must be installed

If you have not already done so, you will be prompted to download and install the Pulse Secure Connect client. 

Once the client is installed, click Open Pulse Secure Application Launcher when prompted.

MOBILE USERS: Pulse Secure Connect is available on Apple iOS and Android

5. Click Start to launch the VPN client and connect to the Virtual Office VPN network.

6. You can monitor your VPN connection from the Ivanti client icon in the system tray.


Edit VPN settings

To configure or edit VPN settings: 

1. Go to the Clients tab in the navigation.

Choose Test Virtual Office in the Account at a Glance section.

 


2. On the Virtual Office (Test) page, click on the Configure Office button on the top right.


3. On the Configure Virtual Office page, click the Edit button in the VPN section.

4. In the VPN section of the screen, enter a value for one or more of the following fields:

  • Enable the VPN setting to turn on VPN.
  • Enable the Split Tunneling setting to route the VPN user’s Internet access through their device. Alternatively, disable to route all Internet traffic through the Virtual Office.
  • In the VLAN IP field, enter the IP address that gets assigned to the virtual network interface inside the failover network. This address must be an unused IP address.
  • In the Client IP Range field, enter the range of available IP addresses that are assigned to connecting VPN users. This range must not conflict with any devices in the Virtual Office.
  • Optional fields:
    • Primary DNS IP and Secondary DNS IP are used for resolving hostnames to IP addresses.
    • DNS Domain can be used to resolve hostnames that are not fully qualified.
  • In the User Authentication section of the screen, select the preferred method of VPN authentication.
    • Click the Active Directory radio button to integrate with Active Directory, which enables users to connect through VPN using their known Active Directory credentials. If you select this option, you will be prompted to configure the following fields:
      • In the Active Directory server field, enter the IP address of the Active Directory server.
      • In the Active Directory Domain field, enter the domain name of the Active Directory server.
      • In the Domain Administrator Username field, enter the username of the Active Directory administrative user.
      • In the Domain Administrator Password field, enter the password of the Active Directory administrative user.
      • In the Connection Type field, use the radio buttons to select your preferred connection type, including: Unencrypted, LDAPS, or Start TLS.
      • Please note that if you select the LDAPS or the Start TLS method, you must also configure the Active Directory Certificate Services role on the domain controller. For more information, please reference the Configuring Active Directory Certificate Services Settings section below.
    • Alternatively, in the User Authentication section of the screen, click the Direct radio button to manually create login credentials for users to connect through VPN. If you select this option, you will be required to configure the following fields:
      • In the Username field, enter a username needed for users to connect through VPN.
      • In the Password field, enter a password needed for users to connect through VPN.


5. Click the Save button when you are finished. 


Configure Active Directory Certificate Services settings

When configuring VPN connection settings, you can optionally integrate with Active Directory for authentication purposes. This option requires that you select a connection type, including Unencrypted, LDAPS (LDAP over SSL/TLS), or Start TLS. LDAPS and Start TLS connection types both require that you set up the Active Directory Certificate Services role on the domain controller.

Please note that LDAPS (LDAP over SSL/TLS) is automatically enabled when you install an Enterprise Root CA on a domain controller.

 Set up the Active Directory Certificate Services settings

1. On the domain controller, start the Server Manager and select Add Roles and Features.

The Add Roles and Features Wizard displays.


2. In the wizard, click the series of Next buttons until you reach the Select server roles screen. On the Select server roles screen, click the Active Directory Certificate Services checkbox.

Click the Next button to continue.


3. Continue through the wizard until you reach the Select role services screen. On the Select role services screen, click the Certification Authority checkbox. Click the Next button to continue.


4. On the Setup Type screen, click the Enterprise CA radio button. Click the Next button to continue.


5. On the CA Type screen, click the Root CA radio button. Click the Next button to continue.


6. On the Private Key screen, click the Create a new private key radio button. Click the Next button to continue.

 

7. On the Cryptography for CA screen, configure the following settings:

  1. In the Select a cryptographic provider drop-down menu, select RSA #Microsoft Software Key Storage Provider.
  2. In the Key length drop-down menu, select 2048.
  3. In the Select the hash algorithm scroll-down menu, select SHA1.

Click the Next button to continue.


8. On the CA Name screen, configure settings for the certificate authority (CA). Click the Next button to continue.

Continue through the wizard until you successfully configure the Active Directory Certificate Services role, and then click the Close button when you are finished.

 


Note: For alternative instructions, please reference the LDAP over SSL (LDAPS) Certification Microsoft TechNet article.


Site-to-Site Open VPN settings

Site-to-Site Open VPN allows you to create a single VPN endpoint for a local network through which any local user can connect to the Virtual Office. 

When the Site to Site Open VPN endpoint has been configured, a virtual image is generated, which must then be downloaded and run on any VMware virtual machine software.

Warning: Using Site-to-Site Open VPN is not recommended in a test environment.

However, during a disaster, it can provide valuable services in the following situations:

  • When a disaster occurs in an organization with two (or more) sites linked together in a corporate network. A Site‑to‑Site VPN connection can be configured that recreates the corporate network for the unavailable physical site.
  • When a site is being rebuilt after a disaster and users can physically use the site itself, but not the servers. A Site‑to‑Site VPN connection can be configured as a replacement while the servers are being rebuilt.

For the Site-to-Site Open VPN feature to work, Port Forwarding must be enabled. 

When it is enabled, you can continue to configure the Site-to-Site Open VPN.

 How to configure the Site-to-Site Open VPN

1. Enable the Port Forwarding feature according to the instructions listed in the Port Forwarding section of the Manage Virtual Offices article.

2. After Port Forwarding has been enabled, stay on the Configure Virtual Office page and click the Edit button in the Site-to-Site VPN section.

3. In the Site to Site Open VPN section, update the following fields:

  1. Enable the Site-to-Site Open VPN option.
  2. Optionally, in the Whitelisted IPs field, add an IP address that can access the Virtual Office. Only IP addresses from this list can access the Virtual Office. Click Add Another to whitelist additional IP addresses.
  3. Configure the Endpoint, including:
    1. In the Endpoint Name field, enter the desired name for the Endpoint.
    2. Optionally, in the Key Password field, set a password for the SSL RSA key. If configured, this password will be required to log in to the VPN.
    3. In the Configured Using section, use the radio buttons to select whether to configure using a Static IP address or DHCP.
    4. In the Gateway field, enter the gateway IP address.
    5. In the Netmask field, enter the netmask value.
    6. In the IP of Endpoint field, enter the IP address of the Endpoint (static IP address only). This address should be on a different subnet than that of the Virtual Office. For example, if the Virtual Office IP address is 192.168.99.2, configure the endpoint address to 172.168.22.2.
    7. In the DNS (Static IP Only) field, enter the IP address of the DNS server.
    8. Once configured correctly, click the Add Endpoint button, or click the Done button. 

4. When Site-to-Site VPN settings are configured, click the Download Client link to download the virtual image. This image should be deployed at the desired location using any VMware virtual machine software.

When the virtual machine is deployed, all local devices must have their gateway changed to the IP address of the endpoint. 

NOTE: When the VM endpoint is powered on, a console window will print out a message acknowledging the Open VPN connection.

The message will be formatted as follows:
“Open VPN Connect *** ESTABLISHED ***”

A message will also appear with network instructions to reconfigure the host machine on which the VM endpoint is being deployed. If you do not see these console windows, please contact Axcient Support.

Please add <Virtual Office Subnet> netmask <Host Machine Netmask> gw <Host Machine Gateway> to your subnet router.
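
The address rules from the VPN section (an unused VLAN IP, a Client IP Range that does not conflict with any device) and from the endpoint settings (a different subnet than the Virtual Office) can be checked before the values are entered. The Python below is an added example, not Axcient code; the function name, the "first-last" range format, the /24 masks and the sample devices are assumptions. It also reports that the example endpoint address 172.168.22.2 lies outside the RFC 1918 private range 172.16.0.0/12.

```python
import ipaddress

# RFC 1918 private ranges; an address outside them is publicly routable space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(office_subnet, device_ips, vlan_ip, client_range, endpoint_ip, endpoint_netmask):
    """Return findings for a Virtual Office VPN address plan (empty list = OK)."""
    office = ipaddress.ip_network(office_subnet)
    devices = {ipaddress.ip_address(d) for d in device_ips}
    vlan = ipaddress.ip_address(vlan_ip)
    # Assumed input format for the Client IP Range field: "first-last".
    first, last = (ipaddress.ip_address(p.strip()) for p in client_range.split("-"))
    endpoint = ipaddress.ip_interface(f"{endpoint_ip}/{endpoint_netmask}")
    findings = []
    if first > last:
        findings.append("Client IP Range: first address is above last")
    # VLAN IP must be an unused address.
    if vlan in devices:
        findings.append(f"VLAN IP {vlan} is already used by a device")
    # Assumption: an address handed out to VPN clients does not count as unused.
    if first <= vlan <= last:
        findings.append(f"VLAN IP {vlan} is inside the Client IP Range")
    # Client IP Range must not conflict with any device in the Virtual Office.
    for dev in sorted(devices):
        if first <= dev <= last:
            findings.append(f"Client IP Range contains device {dev}")
    # The Site-to-Site endpoint should be on a different subnet than the office.
    if endpoint.network.overlaps(office):
        findings.append(f"Endpoint subnet {endpoint.network} overlaps {office}")
    if not any(endpoint.ip in net for net in RFC1918):
        findings.append(f"Endpoint IP {endpoint.ip} is outside RFC 1918 space")
    return findings


# Constructed sample plan: only 192.168.99.2 and 172.168.22.2 come from the page.
SAMPLE = dict(
    office_subnet="192.168.99.0/24",
    device_ips=["192.168.99.2", "192.168.99.10", "192.168.99.120"],
    vlan_ip="192.168.99.10",
    client_range="192.168.99.100-192.168.99.150",
    endpoint_ip="172.168.22.2",
    endpoint_netmask="255.255.255.0",
)

if __name__ == "__main__":
    for finding in check_plan(**SAMPLE):
        print("FINDING:", finding)
```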


 


Configure IPSec site-to-site VPN settings

The Internet Protocol Security (IPSec) Site-to-Site VPN feature allows you to establish IPSec VPN tunnels from the Virtual Office in the Axcient Cloud to any standard compliant IKEv2 IPSec VPN gateway on your local network. Specifically, you can use this feature during a site disaster to:

  • Recreate the network in an organization with two or more sites linked together in a corporate network
  • Temporarily replace a connection while a machine room is rebuilt after a disaster

Warning: IPSec Site-to-Site VPN is not recommended in a test environment.

To set up an IPSec Site-to-Site VPN connection, you must turn on the feature in your Virtual Office and also configure settings on your gateway.

How to set up an IPSec site-to-site VPN connection

1. Enable the Port Forwarding feature according to the instructions listed in the Port Forwarding section of the Manage Virtual Offices article.

 

 

2. After Port Forwarding settings have been configured, scroll down to the Site-to-Site IPSec VPN section of the Configure Virtual Office page and click the Edit button. 

You can configure the following options:

  • Enable the Site to site IPSec VPN option.
  • In the Site Public IP field, enter either the public IP address of the remote machine/hardware with IPSec software or a distinguishing name (FQDN, user FQDN, or any unique string), such as "Cisco ASA".
  • In the Remote Sites section, enter the site name, public IP, and remote subnets for sharing with the Virtual Office subnets.
    • Please note that these subnets do not need to intersect with the Virtual Office subnets.

Click Save when you are finished.

Gateway settings

You can connect with any standard compliant IKEv2 IPSec VPN gateway.
