Example: creating a policy-based VPN for mobile users

An example of a policy-based VPN that allows mobile users to authenticate and connect to internal networks.

Company A has service technicians and salespeople who must be able to connect to their office networks to access information when they are on customer visits. The administrators need to add VPN client access to the existing VPN infrastructure. The administrators decide to use Forcepoint VPN Client. As the authentication method, the administrators decide to use passwords stored in the Management Server’s internal database.

The administrators also want to provide only one point of access so that the users do not have to select which gateway to connect to. The central office has site-to-site VPN tunnels to both remote offices that can be used for forwarding traffic to those sites as needed. The existing DHCP server at the central office can be used for assigning IP addresses to the VPN clients’ Virtual Adapter. A Virtual Adapter is required for this type of forwarding.

The administrators:
  1. Edit the central office engine element, then activate the Virtual Adapter method for VPN client address management.
  2. Edit the VPN Profile to use Hybrid Authentication for authenticating the VPN client users.
  3. Create a Policy-Based SD-WAN element called “Remote User SD-WAN” that includes the central office gateway as a Central Gateway.
  4. Select the Only central Gateways from overall topology option on the Mobile VPN tab.
  5. Create a “Forward Addresses” Site element under the central office gateway.
  6. Populate the site with the remote office networks to route those IP addresses through the “Remote User SD-WAN”.
  7. Disable the “Forward Addresses” Site in the existing “Inter-Office VPN” between the central office and the remote offices. Sites are global for all policy-based VPNs, so this Site must be disabled to avoid a misconfiguration in the Inter-Office VPN.
  8. Create User Group and User elements to define the user names and passwords for the VPN client users.
  9. Add the following Access rules in the policy of the central office engine (the columns of each rule are Source, Destination, Action, Authentication, and Source SD-WAN):
    Rule 1:
      Source: ANY
      Destination: Central office internal networks
      Action: Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the “Remote User SD-WAN” Policy-Based SD-WAN element.
      Authentication: Users tab: “VPN Client Users” User Group. Authentication Methods tab: “User Password” Authentication Service.
      Source SD-WAN: (empty)
    Rule 2:
      Source: VPN Client DHCP addresses
      Destination: Remote offices’ internal IP addresses
      Action: Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select the “Inter-office VPN” Policy-Based SD-WAN element.
      Authentication: (empty)
      Source SD-WAN: Rule matches traffic from any VPN client
  10. Create a customized Forcepoint VPN Client installation package for Windows. A customized installation package lets users install Forcepoint VPN Client for Windows silently, without any input from them. The administrators include the gateway contact information in the package so that the users do not need to enter it manually, even when they use the Forcepoint VPN Client for the first time.
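The caveat in step 7 (Sites are global across policy-based VPNs, so the “Forward Addresses” Site would also be advertised by the central gateway inside the “Inter-Office VPN”) can be checked with a small model. The following Python is an added example, not Forcepoint code or the SMC API; the gateway names, Site names and network addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Minimal model of the SMC objects used in this example (not the SMC API).
@dataclass
class Site:
    name: str
    networks: list          # CIDR strings protected behind the gateway

@dataclass
class Gateway:
    name: str
    sites: list             # Site elements; global across all policy-based VPNs

@dataclass
class PolicyVPN:
    name: str
    gateways: list          # central and satellite gateways in this VPN's topology
    disabled_sites: set = field(default_factory=set)  # Site names disabled in this VPN only

def protected_networks(vpn, gw):
    """Networks gw advertises as protected in vpn: all its Sites except those disabled for vpn."""
    return [(s.name, ip_network(n)) for s in gw.sites
            if s.name not in vpn.disabled_sites for n in s.networks]

def find_conflicts(vpn):
    """Return (gw, site, net, gw, site, net) tuples where two gateways in the same VPN
    claim overlapping protected networks, which makes tunnel selection ambiguous."""
    conflicts = []
    for i, g1 in enumerate(vpn.gateways):
        for g2 in vpn.gateways[i + 1:]:
            for s1, n1 in protected_networks(vpn, g1):
                for s2, n2 in protected_networks(vpn, g2):
                    if n1.overlaps(n2):
                        conflicts.append((g1.name, s1, str(n1), g2.name, s2, str(n2)))
    return conflicts

# Constructed addresses; the page does not give the real ones.
forward = Site("Forward Addresses", ["10.20.0.0/16", "10.30.0.0/16"])
central = Gateway("Central Office", [Site("Central Office Site", ["10.10.0.0/16"]), forward])
remote_a = Gateway("Remote Office A", [Site("Remote A Site", ["10.20.0.0/16"])])
remote_b = Gateway("Remote Office B", [Site("Remote B Site", ["10.30.0.0/16"])])
remote_user = PolicyVPN("Remote User SD-WAN", [central])   # only the central gateway

def inter_office_conflicts(forward_site_disabled):
    """Conflicts in the Inter-Office VPN with the Forward Addresses Site enabled or disabled (step 7)."""
    vpn = PolicyVPN("Inter-Office VPN", [central, remote_a, remote_b],
                    {"Forward Addresses"} if forward_site_disabled else set())
    return find_conflicts(vpn)

if __name__ == "__main__":
    print("before step 7:", inter_office_conflicts(False))
    print("after step 7:", inter_office_conflicts(True))
    print("remote-user tunnel carries:", [str(n) for _, n in protected_networks(remote_user, central)])
```

With the Site enabled, both remote office networks are claimed by two gateways in the Inter-Office VPN; disabling it there removes the overlap while the Remote User SD-WAN still carries them through the central gateway.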