Can the management centre send a Radius “AVP” to the Radius server?


Hi;

Can the management centre send a Radius attribute (“AVP”) to the Radius server? I mean in the Radius Authentication Request. Ideally, I would like the Management Centre to send the IP address of the user device supplying the username and password on the Management Centre’s login page, which in turn will be sent to the Radius server.

So ideally, the MC should send the following to the Radius server: “username + password + the IP address of the device of the user trying to authenticate”.

Kindly

Wasfi


Related:

Configure SSL VPN for Android Devices using OpenVPN Connect

Configure SSL VPN for Android Devices using OpenVPN Connect

Overview

OpenVPN Connect is the official full-featured Android client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish an SSL VPN connection between any Android device and Sophos.

The following sections are covered:

Applies to the following Sophos product: Sophos XG Firewall

Scenario:

Configure SSL VPN for an Android device using OpenVPN Connect.

Sophos Configuration:

Configure SSL VPN from the Cyberoam Web Admin Console. Configuration requires read-write permission for the relevant features.

To learn how to configure SSL VPN in Sophos, refer to the article:

Sophos XG Firewall: How to configure SSL VPN remote access: https://community.sophos.com/kb/en-us/122769

Android Configuration:

Step 1: Download and Install OpenVPN Connect

Download OpenVPN Connect and install it on your Android device.

Step 2: Downloading the SSL VPN client configuration

From a browser, log on to the user portal using the Sophos Firewall’s public IP address and the user portal HTTPS port.

In this example, the user portal is accessible at https://183.83.216.23:8443

Note: You can find the user portal HTTPS port configured in Sophos Firewall by going to Administration > Admin Settings, under the Port Settings for Admin Console section.

Step 3: Once logged into the portal, download the SSL VPN client/configuration for the required endpoint accordingly.

In this article, we will download the configuration for Android / iOS; a file in .ovpn format is downloaded.

Save the file to a specific location on your Android phone.

Step 4: Import SSL VPN Configuration to OpenVPN Connect in Android Device

Launch OpenVPN Connect and select the third option, “OVPN Profile”.

Step 5: Click on Import and select the .ovpn configuration from the saved location on your phone. It will show you the public IP plus the username with which you will try to connect.

Step 6: Click on the option to connect; a virtual IP is leased to the phone and the status shows “Connected”.

The above configuration establishes an SSL VPN connection between Cyberoam and the Android device using OpenVPN Connect.
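As an added check (example code, not part of the Sophos article): before importing the downloaded .ovpn profile into OpenVPN Connect, confirm that it points at your own firewall and carries the inline CA and the auth-user-pass directive the connection relies on. The sample profile is constructed; the firewall address is the one quoted above, while the port and the certificate body are placeholders.

```python
import re

# Constructed sample shaped like a downloaded Sophos SSL VPN profile. The firewall
# address is the one quoted in the article; port and certificate body are placeholders.
SAMPLE_OVPN = """\
client
remote 183.83.216.23 8443
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

def parse_ovpn(text):
    """Split a profile into plain directives (token lists) and inline <tag> blocks."""
    directives, blocks, current, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag and not tag.group(1):           # opening tag such as <ca>
            current, body = tag.group(2), []
        elif tag and current == tag.group(2):  # matching closing tag
            blocks[current], current = "\n".join(body), None
        elif current is not None:
            body.append(line)
        else:
            directives.append(line.split())
    return directives, blocks

def check_profile(text, expected_host):
    """Return the findings to resolve before importing the profile (empty = clean)."""
    directives, blocks = parse_ovpn(text)
    findings = []
    remotes = [d for d in directives if d[0] == "remote"]
    if not remotes:
        findings.append("no remote directive")
    for d in remotes:
        host = d[1] if len(d) > 1 else ""
        if host != expected_host:
            findings.append(f"remote {host} is not the expected firewall {expected_host}")
    if "ca" not in blocks:
        findings.append("no inline <ca>: the firewall certificate cannot be verified")
    if not any(d[0] == "auth-user-pass" for d in directives):
        findings.append("no auth-user-pass: the user will not be prompted for credentials")
    return findings
```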

Related information

  • Sophos XG Firewall: How to configure SSL VPN remote access


Related:

SEP 14.2 doesn’t recognize ethernet adapter


Environment:  Windows 7 Professional 64-bit, SEP 14.2 MP1 on UNMANAGED client(s)

Issue: It appears that SEP 14.2 incorrectly identifies our hardware ethernet connection as a VPN connection. We see traffic flowing through the Allow VPN firewall rule even though there is no VPN on the UNMANAGED client(s). These clients have no access to the SEPM.

Any ideas?


Related:

NOC Engineer


Hi everyone

I’m beginning to discover the benefits of using Symantec VIP in our infrastructure and I’m very pleased up to now.
We have AD groups and an LDAP user store that authenticates the users by username + password + TOKEN (VIP Access).
Everything works very well.
But now the client has sent me a new goal.
We have some users who do not belong to the company, and sometimes we need to create an AD user with a username and password for these users.
If I create a user in VIP Gateway (public service) and configure a PIN, can I use these users in the VPN authentication, without an AD username?
We have the firewall pointing to our VIP server in the local network, which is also connected to one DC by LDAP.
The issue is how I can create a new user store that only checks the local users I create in the cloud VIP Gateway; when I try to create a new one, only LDAP is permitted.

Is this possible: create users in VIP with a PIN and credentials and make the VIP server authenticate these users?

Thanks in advance!


Related:

OpenVPN (OPNSense) and DNSMASQ (Pi-Hole) DSM

I have created 2 new DSMs (OpenVPN and DNSMASQ (Pi-Hole)) that are available on GitHub with instructions on how to utilize them with QRadar. They are currently running in my home lab environment without issues and I wanted to share them in case anybody else is running similar applications/services and wants to utilize them with QRadar. I utilize both OPNSense (OpenVPN Server) and Pi-Hole (DNSMASQ Server), which send the logs to QRadar.

**Note:** They are a WIP project, but I believe I have mapped all the events that they send to QRadar.

**DNSMASQ (Pi-Hole):**
https://github.com/Xboarder56/DNSMASQ-DSM

**OpenVPN (OPNSense):**
https://github.com/Xboarder56/OpenVPN-DSM

If you have any additional questions let me know below or you can create an issue on the GitHub repositories and I will review them as I get free time. As always thanks for the IBM team and all that they do to support QRadar!

Related:

Configure an MDM managed VPN profile for Citrix SSO

Device level VPN Profiles

Device level VPN profiles are used to set up a system-wide VPN. Traffic from all Apps and services will be tunneled to NetScaler Gateway based on the VPN policies (such as Full-tunnel, Split-tunnel, Reverse Split-tunnel etc.) defined in NetScaler. Follow these steps to configure a device level VPN on Citrix XenMobile:

  1. On the XenMobile MDM console, navigate to Configure > Device Policies > Add New Policy.

  2. Select iOS and Mac OS on the left Policy Platform pane. Select VPN Policy on the right pane.

  3. On the Policy Info page, type a valid Policy Name and Description and click Next.

  4. On the Policy detail page for iOS, type a valid Connection Name and choose “Custom SSL” from the Connection Type dropdown control.

    Note: In the MDM VPN payload, Connection Name corresponds to the “UserDefinedName” key and “VPN Type” Key must be set to value “VPN”.

  5. In the Custom SSL identifier (reverse DNS format) text field, type “com.citrix.NetScalerGateway.ios.app”. This is the bundle identifier for the Citrix SSO App on iOS.

    Note: In the MDM VPN payload, Custom SSL identifier corresponds to the “VPNSubType” key.

  6. In the Provider bundle identifier text field, type “com.citrix.NetScalerGateway.ios.app.vpnplugin”. This is the bundle identifier of the Network Extension contained in the Citrix SSO iOS App binary.

    Note: In the MDM VPN payload, Provider bundle identifier corresponds to the “ProviderBundleIdentifier” key.

  7. In the Server name or IP address text field, type the IP address or FQDN of the NetScaler associated with this XenMobile instance.

  8. The remaining fields in the configuration page are optional. Configurations for these fields can be found in XenMobile documentation. The completed page should resemble the screenshot in the original article. Click Next. You may go straight to step 13 from here if you do not need to configure a VPN policy for MacOS. Proceed to the next step otherwise.

  9. On the Policy detail page for MacOS, type a valid Connection Name and choose “Custom SSL” from the Connection Type dropdown control.

  10. In the Custom SSL identifier (reverse DNS format) text field, type “com.citrix.NetScalerGateway.macos.app”. This is the bundle identifier for the Citrix SSO App on Mac OS.

  11. In the Server name or IP address text field, type the IP address or FQDN of the NetScaler associated with this XenMobile instance.

  12. The remaining fields in the configuration page are optional. Configurations for these fields can be found in XenMobile documentation. The completed page should resemble the screenshot in the original article.

  13. Click Next and choose a delivery group for this VPN profile. Click Save.

Per-App VPN Profiles

Per-App VPN profiles are used to set up VPN for a specific Application. Traffic from only the specific App is tunneled to NetScaler Gateway. The Per-App VPN payload supports all of the keys for Device-wide VPN plus a few additional keys. To configure a Per-App VPN on Citrix XenMobile:

  1. Follow steps 1 to 7 as described in the Device level VPN Profiles section above.

  2. Turn the Enable Per-App VPN switch ON in the Per-App VPN section.

  3. Turn the On-Demand Match App Enabled switch ON if Citrix SSO should be started automatically when the Match App is launched. This is recommended for most Per-App cases.

    Note: In the MDM VPN payload, this field corresponds to the key “OnDemandMatchAppEnabled”.

  4. Select “Packet Tunnel” in the Provider Type dropdown menu.

    Note: In the MDM VPN payload, this field corresponds to the key “ProviderType”.

  5. Safari Domain configuration is optional. Configuring this will start Citrix SSO automatically when users launch Safari and navigate to a URL that matches the one in Domain field. This is not recommended if you want to restrict VPN for a specific App.

    Note: In the MDM VPN payload, this field corresponds to the key “SafariDomains”.

  6. The remaining fields in the configuration page are optional. Configurations for these fields can be found in XenMobile documentation. The completed page should resemble the screenshot in the original article. Click Next. You may go straight to step 13 from here if you do not need to configure the VPN policy for Mac OS. Proceed to the next step otherwise.

  7. On the Policy detail page for MacOS, type a valid Connection Name and choose “Custom SSL” from the Connection Type dropdown control.

  8. In the Custom SSL identifier (reverse DNS format) text field, type “com.citrix.NetScalerGateway.macos.app”. This is the bundle identifier for the Citrix SSO App on Mac OS.

  9. In the Server name or IP address text field, type the IP address or FQDN of the NetScaler associated with this XenMobile instance.

  10. Turn the Enable Per-App VPN switch ON in the Per-App VPN section.

  11. Turn the On-Demand Match App Enabled switch ON if Citrix SSO should be started automatically when the Match App is launched. This is recommended for most Per-App cases.

  12. Safari Domain configuration is optional. Configuring this will start Citrix SSO automatically when users launch Safari and navigate to a URL that matches the one in the Domain field. This is not recommended if you want to restrict VPN to a specific App. The completed page should resemble the screenshot in the original article.

  13. Click Next and choose a delivery group for this VPN profile. Click Save.

  14. Additionally, to associate this VPN profile to a specific App on the device, you will need to create an App Inventory policy and a Credentials Provider policy by following this guide – https://www.citrix.com/blogs/2016/04/19/per-app-vpn-with-xenmobile-and-citrix-vpn/.
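The two procedures above map console fields onto MDM VPN payload keys (UserDefinedName, VPNType, VPNSubType, ProviderBundleIdentifier, and for Per-App profiles OnDemandMatchAppEnabled, ProviderType and SafariDomains). The following added example, not Citrix's or XenMobile's own code, assembles that payload for the Device level and Per-App cases and reviews it for the consistency points the steps call out. It assumes the PayloadType, the VPN.RemoteAddress key and the "packet-tunnel" literal from Apple's configuration profile reference; the gateway names are constructed.

```python
import plistlib

# Bundle identifiers exactly as the article gives them for iOS
IOS_APP = "com.citrix.NetScalerGateway.ios.app"
IOS_PLUGIN = "com.citrix.NetScalerGateway.ios.app.vpnplugin"

def build_vpn_payload(name, gateway, per_app=False, safari_domains=()):
    """Assemble the payload keys the article maps the XenMobile form fields to.
    PayloadType, VPN.RemoteAddress and the 'packet-tunnel' literal follow Apple's
    configuration profile reference and are assumptions, not taken from the article."""
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "UserDefinedName": name,                   # Connection Name
        "VPNType": "VPN",                          # required for Custom SSL
        "VPNSubType": IOS_APP,                     # Custom SSL identifier
        "ProviderBundleIdentifier": IOS_PLUGIN,    # Network Extension in the app
        "VPN": {"RemoteAddress": gateway},         # Server name or IP address
    }
    if per_app:
        payload["OnDemandMatchAppEnabled"] = True  # start SSO with the matched app
        payload["ProviderType"] = "packet-tunnel"  # "Packet Tunnel" in the console
        if safari_domains:
            payload["SafariDomains"] = list(safari_domains)
    return payload

def review_vpn_payload(payload):
    """Return the findings a reviewer would raise; an empty list means consistent."""
    findings = []
    for key in ("UserDefinedName", "VPNType", "VPNSubType", "ProviderBundleIdentifier"):
        if key not in payload:
            findings.append(f"missing {key}")
    if payload.get("VPNType") != "VPN":
        findings.append("VPNType must be 'VPN' for a Custom SSL connection")
    app, ext = payload.get("VPNSubType", ""), payload.get("ProviderBundleIdentifier", "")
    if ext and not ext.startswith(app + "."):
        findings.append("ProviderBundleIdentifier is not an extension inside the VPNSubType app")
    if not payload.get("VPN", {}).get("RemoteAddress"):
        findings.append("no gateway address")
    if payload.get("OnDemandMatchAppEnabled") and payload.get("ProviderType") != "packet-tunnel":
        findings.append("per-app VPN needs ProviderType 'packet-tunnel'")
    if payload.get("SafariDomains") and payload.get("OnDemandMatchAppEnabled"):
        findings.append("SafariDomains also starts the VPN from Safari, not only from the matched app")
    return findings

def to_plist(payload):
    """Serialise the payload as the XML plist an MDM would push to the device."""
    return plistlib.dumps(payload)
```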

Related:

Secure Web: Configure User connections

Secure Web supports the following configurations for user connections:

  • Secure browse. Connections that tunnel to the internal network can use a variation of a clientless VPN, referred to as secure browse. This is the default configuration specified for the Preferred VPN mode policy. Secure browse is recommended for connections that require single sign-on (SSO).
  • Full VPN tunnel. Connections that tunnel to the internal network can use a full VPN tunnel, configured by the Preferred VPN mode policy. Full VPN tunnel is recommended for connections that use client certificates or end-to-end SSL to a resource in the internal network. Full VPN tunnel handles any protocol over TCP and can be used with Windows and Mac computers as well as iOS and Android devices.

The Permit VPN mode switching policy allows automatic switching between the full VPN tunnel and secure browse modes as needed. By default, this policy is off. When this policy is on, a network request that fails due to an authentication request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For example, server challenges for client certificates can be accommodated by the full VPN tunnel mode, but not secure browse mode. Similarly, HTTP authentication challenges are more likely to be serviced with SSO when using secure browse mode.

  • Full VPN tunnel with PAC. You can use a Proxy Automatic Configuration (PAC) file with a full VPN tunnel deployment for iOS and Android devices. A PAC file contains rules that define how web browsers select a proxy to access a given URL. PAC file rules can specify handling for both internal and external sites. Secure Web parses the PAC file rules and sends the proxy server information to NetScaler Gateway. Full VPN tunneling performance when a PAC file is used is comparable to secure browse mode. For details about PAC configuration, see Full VPN Tunneling with PAC.
