I’m going to walk through how to set up a remote access VPN on Sophos UTM. This post is intended for a minimum deployment and might not scale well, but the baseline is as follows:
Clientless – no client software to install on the PC
Secure – multi-factor authentication
Affordable – no extra service or device required
As the demand for remote access grows, IT needs to set up the environment quickly while keeping it cost effective.
Sophos UTM is one of the least expensive UTMs on the market that is ready for enterprise use.
In summary, the settings follow the steps below:
(optional) configure the user portal
configure HTML5 VPN
First, you need to create users. This username is what remote users log in to the portal with.
We use a TOTP-based token this time for multi-factor authentication (MFA). You just need to enable it.
We need to create an HTML5 VPN portal entry for every user in this case. First, add a network definition for the user's PC at the office; I'm using an IP address here, but you can use a DNS name instead. Second, add the remote user you created at step 1 (and only that user, not a group) to “Allowed users”, so that each user can reach only their own PC. That's all for the Sophos UTM setup.
Ask users to access the portal URL “https://”, and log in with the remote username and password you created at step 1.
Once a user has logged in to the portal, it prompts them to register an OTP. Users can use any TOTP-based application. In my case I used Google Authenticator, which is available for free on the Play Store/App Store. Scan the QR code, and the app will start showing the PIN.
Once done, users need to log in again, but this time the password is the password you created at step 1 immediately followed by the PIN from the TOTP app (e.g. secretpassword123456). Users should now see the user portal.
Click “HTML5 VPN Portal”, and then click the name of the PC to connect to.
It pops up another window showing the PC desktop. Ask users not to shut down the PC; they should simply log off or close the window.
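Here is what the portal's TOTP step does underneath, as an added example that is not part of the original post and not Sophos code: a standard-library implementation of RFC 4226/6238 HOTP/TOTP, the otpauth:// URI that the enrolment QR code carries, and the server-side check of the combined “password + PIN” field described above. EXAMPLE_SEED is the RFC test-vector seed so the outputs can be checked; EXAMPLE_PASSWORD and the issuer/account names are constructed values, not anything from the post.

```python
"""Password + TOTP PIN login, as described for the Sophos user portal.

Added example (not Sophos code): RFC 4226 HOTP / RFC 6238 TOTP with the
standard library, the otpauth:// URI behind the enrolment QR code, and a
verifier for the combined '<password><PIN>' field. EXAMPLE_SEED is the
RFC test-vector seed; EXAMPLE_PASSWORD is a constructed value.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

EXAMPLE_SEED = b"12345678901234567890"   # RFC 4226/6238 test-vector seed
EXAMPLE_PASSWORD = "secretpassword"      # the "password from step 1" (constructed)


def new_seed() -> bytes:
    """Fresh 160-bit seed generated at enrolment (what the QR code carries)."""
    return secrets.token_bytes(20)


def otpauth_uri(issuer: str, account: str, seed: bytes,
                digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI in the format Google Authenticator scans from a QR code."""
    secret = base64.b32encode(seed).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(seed, now // step, digits)


class TotpVerifier:
    """Server side of the combined login field.

    window=1 tolerates one time step of clock drift either way; the highest
    counter already accepted is remembered so that a code captured from one
    login cannot be replayed within that window.
    """

    def __init__(self, seed: bytes, password: str, step: int = 30,
                 digits: int = 6, window: int = 1):
        self.seed = seed
        self.password = password        # a real system stores a password hash
        self.step, self.digits, self.window = step, digits, window
        self._last_counter = -1

    def verify(self, submitted: str, now: int) -> bool:
        if len(submitted) <= self.digits:
            return False
        # The PIN is always the trailing `digits` characters, so a password
        # that itself ends in digits still splits correctly.
        password, pin = submitted[:-self.digits], submitted[-self.digits:]
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self._last_counter:
                continue                          # already consumed: replay
            if hmac.compare_digest(hotp(self.seed, c, self.digits).encode(), pin.encode()):
                self._last_counter = c
                return True
        return False


def demo_login_sequence() -> tuple:
    """Three logins against one verifier: first use, replay of the same
    code a few seconds later, then the next code one time step later."""
    v = TotpVerifier(EXAMPLE_SEED, EXAMPLE_PASSWORD)
    first = v.verify(EXAMPLE_PASSWORD + totp(EXAMPLE_SEED, 59), now=59)
    replay = v.verify(EXAMPLE_PASSWORD + totp(EXAMPLE_SEED, 59), now=65)
    next_code = v.verify(EXAMPLE_PASSWORD + totp(EXAMPLE_SEED, 65), now=70)
    return first, replay, next_code


if __name__ == "__main__":
    print(otpauth_uri("Sophos UTM", "john.smith", EXAMPLE_SEED))
    print("current code:", totp(EXAMPLE_SEED, int(time.time())))
    print("login sequence (ok, replay, next):", demo_login_sequence())
```

Two details matter in practice: the verifier accepts one 30-second step of drift either way but records the last counter it accepted, so a code sniffed from one login is useless for the rest of that window, and both factors are compared with hmac.compare_digest. Splitting the combined field from the right is what keeps a password that ends in digits working.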
Some UTMs require a separate subscription for clientless VPN (e.g. Palo Alto), while Sophos UTM ships with most of this functionality built in.
Please drop me a message if you encounter any problem. Thanks for reading!
In the VPN settings, there are two main parts you need to consider first:
Authentication … AWS Client VPN supports two types:
Active Directory authentication
Mutual (certificate) authentication
Network-based authorization (works together with Active Directory authentication)
In my opinion, Active Directory authentication is more flexible and intuitive than mutual authentication. It does not support MFA yet (at the time of writing), but it provides username/password authentication and lets you restrict SSL VPN access to specific AD groups, which is a requirement of most clients.
The setup procedure is as follows:
Generate certs and keys using easy-rsa, and register them in ACM
Provision Simple AD
Create users and groups in Simple AD
Provision the Client VPN endpoint
(Optional) Configure a web server for a connection test
Configure the OpenVPN client
By the end of this guide, the test environment looks like this:
1. Generate Certificate and Keys
You need to generate the server certificate and key first so the endpoint can terminate client VPN sessions. You can follow the official steps here. It is not necessary to generate a client certificate/key, because we use Active Directory authentication.
If the import command returns an ARN, the certificate/key have been registered in ACM successfully.
2. Provision Simple AD
Simple AD is not available in all regions yet. You can check the availability here.
First, select “Simple AD”, then select the VPC and subnets you want this service in.
Once created, wait a few minutes until the directory service is ready. Note the DNS addresses listed in the directory details; you need them later to join the management server to this domain.
3. Create Users and Groups for VPN access
In order to manage this AD, I provisioned another Windows server (management server) in a public subnet.
For DNS configuration, you can either change the DHCP options set of your VPC (which applies to every subnet in it) or set the DNS servers statically on the server.
After the restart, reconnect to the server, this time with the domain administrator account; the password is the one you set during Simple AD setup. Then install RSAT.
Launch “Active Directory Users and Computers”. If you logged in with the domain administrator account, you should see your domain listed. I created two users, “shogo.kobayashi” and “john.smith”, and only “shogo.kobayashi” is a member of the “SSLVPN_USERS” group.
4. Provision Client VPN Endpoint
In the Create Client VPN Endpoint wizard, you need to specify a client IPv4 CIDR that does not overlap with your existing VPC.
Server certificate ARN … select the ARN you received in step 1.
Authentication Options … select “Use Active Directory authentication”
Directory ID … select the directory ID you created in step 2.
DNS Server 1/2 IP Address … use the DNS IP addresses of your Simple AD
Next, associate this endpoint with a subnet in order to use it. Note that you are charged as soon as you associate the endpoint with a subnet. I used a private subnet for this.
VPC … the VPC you want to use this VPN endpoint in
Subnet … the subnet you want to use this VPN endpoint in
Finally, add an authorization rule. This authorizes which network is reachable for each group of users. In this lab, I created only one rule, which allows VPN clients to reach anything in the network as long as the authenticated user is in the “SSLVPN_USERS” AD security group.
Destination network to enable … the network this group of users can access
Grant access to … allow access to users in a specific Active Directory group
Active Directory Group ID … the SID of the SSLVPN_USERS group in AD
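The same step expressed as an API call plan, as an added example that is not from the original post: it checks the CIDR constraints the wizard enforces (the client CIDR must not overlap the VPC and its prefix must be between /12 and /22), requires the authorized destination to lie inside the VPC so the rule can be narrowed to the subnet that actually hosts the application, and assembles the parameters for the three boto3 EC2 calls (create the endpoint, associate the subnet, authorize ingress for one AD group). The ARN, directory ID, subnet ID, DNS addresses and group SID in the demo are placeholders; apply_plan() needs boto3 and AWS credentials, which the planning part does not.

```python
"""Step 4 (Client VPN endpoint with AD authentication) as an API call plan.

Added example, not from the original post. The planning part only needs the
standard library; apply_plan() expects a boto3 EC2 client and credentials.
All IDs, ARNs and addresses in demo_plan() are placeholders.
"""
import ipaddress
import json
import re

# Domain group SIDs from Simple AD look like S-1-5-21-<a>-<b>-<c>-<rid>.
GROUP_SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")


def cidr_problems(vpc_cidr: str, client_cidr: str, target_cidr: str) -> list:
    """Reasons the CIDR layout would be rejected (empty list if it is fine).

    AWS constraints: the client CIDR must not overlap the VPC, and its prefix
    length must be between /12 and /22. Our own least-privilege check: the
    authorized destination must sit inside the VPC rather than be wider.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    client = ipaddress.ip_network(client_cidr)
    target = ipaddress.ip_network(target_cidr)
    problems = []
    if client.overlaps(vpc):
        problems.append(f"client CIDR {client} overlaps VPC CIDR {vpc}")
    if not 12 <= client.prefixlen <= 22:
        problems.append(f"client CIDR {client} must be between /12 and /22")
    if not target.subnet_of(vpc):
        problems.append(f"target {target} is not inside VPC CIDR {vpc}")
    return problems


def plan_client_vpn(*, vpc_cidr, client_cidr, target_cidr, subnet_id,
                    server_cert_arn, directory_id, dns_servers, group_sid,
                    description="SSLVPN_USERS via Simple AD") -> dict:
    """Validate the inputs and return the parameters for the three EC2 calls."""
    problems = cidr_problems(vpc_cidr, client_cidr, target_cidr)
    if not GROUP_SID_RE.match(group_sid):
        problems.append(f"{group_sid!r} does not look like a domain group SID")
    if not 1 <= len(dns_servers) <= 2:
        problems.append("the wizard takes one or two DNS server addresses")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "create_client_vpn_endpoint": {
            "ClientCidrBlock": client_cidr,
            "ServerCertificateArn": server_cert_arn,
            "AuthenticationOptions": [{
                "Type": "directory-service-authentication",
                "ActiveDirectory": {"DirectoryId": directory_id},
            }],
            "ConnectionLogOptions": {"Enabled": False},
            "DnsServers": list(dns_servers),
            "TransportProtocol": "udp",
            "Description": description,
        },
        # Billing for the endpoint starts with this association.
        "associate_client_vpn_target_network": {"SubnetId": subnet_id},
        # Only members of this one AD group get a route to target_cidr.
        "authorize_client_vpn_ingress": {
            "TargetNetworkCidr": target_cidr,
            "AccessGroupId": group_sid,
            "Description": description,
        },
    }


def apply_plan(ec2, plan: dict) -> str:
    """Run the plan with a boto3 EC2 client (boto3.client('ec2')); returns the endpoint ID."""
    created = ec2.create_client_vpn_endpoint(**plan["create_client_vpn_endpoint"])
    endpoint_id = created["ClientVpnEndpointId"]
    ec2.associate_client_vpn_target_network(
        ClientVpnEndpointId=endpoint_id, **plan["associate_client_vpn_target_network"])
    ec2.authorize_client_vpn_ingress(
        ClientVpnEndpointId=endpoint_id, **plan["authorize_client_vpn_ingress"])
    return endpoint_id


def demo_plan() -> dict:
    """The lab layout from the post with placeholder identifiers."""
    return plan_client_vpn(
        vpc_cidr="10.0.0.0/16",
        client_cidr="172.16.0.0/22",          # outside the VPC; /22 is the smallest allowed
        target_cidr="10.0.1.0/24",            # the private subnet holding the web server
        subnet_id="subnet-0123456789abcdef0",
        server_cert_arn="arn:aws:acm:ap-northeast-1:123456789012:certificate/EXAMPLE",
        directory_id="d-0123456789",
        dns_servers=["10.0.0.10", "10.0.1.10"],
        group_sid="S-1-5-21-1111111111-2222222222-3333333333-1105",
    )


if __name__ == "__main__":
    print(json.dumps(demo_plan(), indent=2))
```

The post's single rule authorizes the whole VPC; passing the VPC CIDR as target_cidr reproduces that, while passing the application subnet instead is the least-privilege version of the same rule. Leaving AccessGroupId set (rather than AuthorizeAllGroups) is what ties the route to membership of SSLVPN_USERS.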
5. (Optional) Set Up a Web Server for the Connection Test
We are going to set up a web server for a connection test. We use a VPC endpoint to retrieve the httpd packages, because we want this server in a private subnet with no direct internet connectivity.
And here is the minimum setup to bootstrap the web server.
6. Configure the OpenVPN Client
You can download the client configuration file from the AWS console.
Launch the OpenVPN client of your choice and use the configuration file you just downloaded. Note that you need the root CA certificate you generated in step 1 in the same folder as your configuration file.
Now you should:
be able to access the web server when you log in as a user who is a member of “SSLVPN_USERS”, and
not be able to access the web server when you log in as a user who is NOT a member of “SSLVPN_USERS”.
There are lots of network automation tools around, but do you know how they differ from each other? I’m going to introduce what you can achieve with each tool.
First of all, I want to classify network automation into three categories:
Network Operation Automation … in the old days you had to log in to each device via SSH/telnet to change its configuration. Tools in this category aim to automate these processes.
Configuration Management … this includes not only version management (e.g. RANCID, Oxidized), but also host grouping (e.g. by AS number).
Service Management … in the previous categories, each device's configuration is stored separately. In this category, configuration is split by service (e.g. SNMP community, NTP server settings) rather than by device, so you can control all devices per service.
In the previous post, I demonstrated how to get the FortiGate configuration using Ansible with the fortios module. In this post, I will show you how to get a backup of the config using Ansible with the REST API via the uri module.
In NSO, a service is defined in a YANG model. Once the YANG model is defined and compiled, the service input is mapped to XML device configuration. There are a few variations of this mapping, such as “template only” and “Python and template”. As the name suggests, template is the most basic pattern and directly maps the YANG model to XML, while with Python arbitrary processing can be done on the YANG model input before the values are passed to the XML template.
Late last year, Cisco posted “Get NSO for Free!”, and since then NSO has been available for lab/PoC use by developers. This post introduces how to install NSO on Ubuntu 16.04, with a brief introduction to what it can do.
Basically you don't need a license to access the APIs on the network devices directly, because they are included in the base license.
However, if you search for “Cisco API” online, or follow Cisco DevNet content, it is confusing because a lot of the content is built around ACI/APIC/DNA. A DNA subscription is now mandatory for some devices (e.g. Catalyst 9k), and this sometimes misleads customers into thinking a DNA subscription is required to use any kind of API on Cisco boxes.