Define VPN client settings for Secure SD-WAN Engines

VPN client settings in the Engine Editor define the settings that are used when the Secure SD-WAN Engine acts as a VPN Gateway in a mobile VPN.

If you use Forcepoint VPN Client, configure the Virtual Adapter. The alternative NAT Pool method does not allow the Forcepoint VPN Client computers to use your organization’s internal DNS servers. Virtual IP addresses work with all Forcepoint VPN Client versions and with third-party VPN clients that support this feature.

If you use Forcepoint VPN Client, the policy-based VPN configuration defined in the Management Client is also used for creating the configuration for Forcepoint VPN Client. Forcepoint VPN Client downloads the settings from the VPN gateway the first time that the Forcepoint VPN Client connects to the VPN Gateway, and automatically whenever there are relevant changes. All IPsec and address management settings are included in the download. For example, the download includes information about which encryption methods are used, which VPN endpoints are available, and which internal networks clients can access through the gateway. The decision whether a VPN tunnel is used is based on the IP addresses you have defined for the Sites of the gateway.

For third-party VPN clients and external VPN gateways, you must duplicate the VPN Gateway settings in the configuration of the VPN client or gateway. You must also duplicate the VPN Gateway settings for engines under a different administrative Domain. The settings that you must duplicate include the following:
  • All IPsec-related settings, such as the authentication, encryption, and integrity checking options.
  • The encryption domain (the IP addresses that are allowed in the VPN as a source or destination IP address).

If a VPN Gateway that contains VPN Client settings is used in a route-based VPN, the VPN Client settings are ignored.

Note: The Virtual Adapter IP addresses must be assigned by a DHCP server. It is not possible to define the IP addresses in the VPN client or in the VPN gateway configuration. When you use a Single Engine's internal DHCP server, use the IP address of the interface on which the internal DHCP server is enabled as the IP address of the DHCP Server element.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Engine element, then select Edit <element type>.
  2. Browse to SD-WAN > VPN Client.
  3. Configure the settings.
    If you selected a VPN Mode that includes SSL VPN, configure the settings in the Virtual Address section.
  4. Click Save.

Engine Editor > SD-WAN > VPN Client

Use this branch to change settings that are used when the Secure SD-WAN Engine acts as a VPN Gateway in a mobile VPN.

Option Definition
Gateway Display Name If you want to show a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element.
SD-WAN Type Defines the type of tunnels the mobile VPN supports.
  • IPsec VPN — The mobile VPN only supports IPsec tunnels.
  • SSL VPN — The mobile VPN only supports SSL VPN tunnels.
  • Both IPsec & SSL VPN — The mobile VPN supports IPsec and SSL VPN tunnels.
SSL Port

(When SD-WAN Type is SSL VPN)

The port for SSL VPN tunnels.
TLS Cryptography Suite Set

(When SD-WAN Type is SSL VPN)

The cryptographic suite for SSL VPN tunnels. Click Select to select an element.
Note: Do not change the default setting unless you have a specific reason to do so.
Authentication Timeout

(When SD-WAN Type is SSL VPN)

The timeout for Forcepoint VPN Client user authentication.
Option Definition
Local Security Checks section (Forcepoint VPN Client for Windows only) Defines whether the Forcepoint VPN Client for Windows checks for the presence of basic security software to stop connections from risky computers.
  • Anti-Virus is enabled — Requires anti-virus software to be enabled on the computers of mobile VPN users.
  • Firewall is enabled — Requires firewall software to be enabled on the computers of mobile VPN users.
  • Windows Update is enabled — Requires the Windows Update service to be enabled on the computers of mobile VPN users.
Option Definition
Virtual Address section Options for configuring the Forcepoint VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN.
DHCP Mode Specifies how DHCP requests from VPN clients are sent.
  • Disabled (IPsec VPN type only) — DHCP is not enabled.
  • Direct — When selected, the engine sends a normal DHCP client broadcast message to a DHCP server located in a directly connected network.
    Note: This option is included for backward compatibility with legacy software versions.
  • Relay — When selected, the engine sends unicast DHCP relay messages for VPN clients’ DHCP requests.
Note: If SSL VPN or Both IPsec & SSL VPN is selected from the SD-WAN Type drop-down list, only the Direct and DHCP Relay are shown.
Interface

(When DHCP Mode is Direct)

The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
Interface for DHCP Relay

(When DHCP Mode is Relay)

The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
DHCP Server (Secure SD-WAN < 5.9)

(When DHCP Mode is Direct)

The DHCP server that assigns IP addresses for the VPN clients.
Note: This option is included for backward compatibility with legacy software versions.
DHCP Servers

(When DHCP Mode is Relay)

The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element.
Add Information

(Optional)

Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
  • Add User Information — When selected, VPN Client user information (in the form user@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
  • Add Group Information — When selected, VPN Client user information (in the form group@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
  • None — When selected, no user or user group information is added to the Remote ID option field in the DHCP Request packets.
Restrict Virtual Address Ranges When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right.
Proxy ARP When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right.
Option Definition
Secondary IPsec VPN Gateways section

(Optional)

(When SD-WAN Type is IPsec VPN)

Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down.