Define virtual IP addresses for VPN clients

You can use a Virtual Adapter to assign the VPN client an IP address in the VPN, independent of the address the VPN client computer uses in its local network.

Before you begin

To use virtual IP addresses for VPN clients:
  • You must use an external DHCP server to assign the IP addresses.
  • The users must use a VPN client that has a Virtual Adapter feature. The Forcepoint VPN Client always has this feature installed and active.

The virtual IP address is only used in communications through the VPN tunnels. The VPN gateway gets the IP address and network settings of the Forcepoint VPN Client from an external DHCP server and forwards the information to the Forcepoint VPN Client. For one-way access without DNS resolution, the VPN gateway can alternatively be set up to apply NAT to translate the Forcepoint VPN Client connections. This method is meant for testing purposes.

The VPN gateway specifies the destination IP addresses for traffic that the Forcepoint VPN Client sends into the VPN tunnel. The IP addresses are configured as Site elements for each gateway in the Management Client. When the Sites contain specific internal networks, the Forcepoint VPN Client receives a configuration for split tunneling. Split tunneling means that only the specified portion of traffic uses the VPN tunnel, and other connections use the local network as usual.

Most DHCP servers allow a configuration in which a particular client computer is always assigned a particular IP address. For example, the DHCP server might assign the IP address based on the MAC address if VPN clients have fixed MAC addresses for their Virtual Adapters. By default, when the Forcepoint VPN Client virtual adapter requests an IP address, it uses the MAC address of the physical interface used in the VPN connection.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click the firewall, then select Edit <element type>.
  2. Browse to VPN > VPN Client.
  3. From the DHCP Mode drop-down list, select how DHCP requests from VPN clients are sent.
    Note: If SSL VPN or Both IPsec & SSL VPN is selected from the VPN Type drop-down list, only Direct and DHCP Relay are shown.
  4. From the Interface or Interface for DHCP Relay drop-down list, select the source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
  5. Click Add, then select the DHCP server element that assigns IP addresses for the VPN clients.
  6. (Optional) From the Add Information drop-down list, select what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
    • Add User information — VPN Client user information (in the form user@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
    • Add Group information — VPN Client user information (in the form group@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
    Your DHCP server must support the DHCP Relay Agent Information option to use this information. Depending on your DHCP server configuration, this information can be used as a basis for IP address selection.
  7. (Optional) Select Restrict Virtual Address Ranges, then enter the IP address range in the field on the right.
    With this option, you can restrict the VPN clients’ addresses to a set range, even if the DHCP server tries to assign another IP address. If an incorrect address is assigned, the user might not be able to access resources. These address ranges must not overlap with the NAT Pool.
    Note: If the NAT Pool is active, it is also used for translating connections from VPN clients that have a virtual IP address. It is not possible to exclude hosts with a virtual IP address from being subject to the NAT Pool address translation.
  8. (Optional) Configure the Firewall to act as a proxy for the VPN client’s ARP requests.
    1. Select Proxy ARP.
    2. In the field on the right, enter the IP address range for proxy ARP.
    Note: The Proxy ARP option might be required for a working VPN depending on your network configuration.
  9. Click Save and Refresh.
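The Remote ID handling in step 6 and the range restriction in step 7, as an added Python example that is not Forcepoint code: it encodes and parses DHCP option 82 (Relay Agent Information) with a Remote ID sub-option, picks an address pool from the domain part of the user@domain or group@domain string as a DHCP server policy could, and checks a restricted virtual address range against an offered lease and against the NAT Pool. The option codes are the standard ones (option 82, sub-option 2); the pool mapping and all address ranges are constructed sample values.

```python
import ipaddress
# DHCP option 82 (Relay Agent Information); the Remote ID is sub-option 2.
OPT_RELAY_AGENT_INFO = 82
SUBOPT_REMOTE_ID = 2

def build_relay_agent_info(remote_id: str) -> bytes:
    """Encode option 82 carrying one Remote ID sub-option (a TLV inside a TLV)."""
    rid = remote_id.encode("ascii")
    sub = bytes([SUBOPT_REMOTE_ID, len(rid)]) + rid
    return bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub

def parse_remote_id(option: bytes):
    """Return the Remote ID string from an encoded option 82, or None."""
    if len(option) < 2 or option[0] != OPT_RELAY_AGENT_INFO:
        return None
    body, i = option[2:2 + option[1]], 0
    while i + 2 <= len(body):
        code, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) != ln:       # truncated sub-option: treat as absent
            return None
        if code == SUBOPT_REMOTE_ID:
            return val.decode("ascii", errors="replace")
        i += 2 + ln
    return None

# Constructed policy: the domain part of user@domain / group@domain selects the pool.
POOLS = {"corp.example": ipaddress.ip_network("10.200.1.0/24"),
         "contractors.example": ipaddress.ip_network("10.200.2.0/24")}

def select_pool(option: bytes):
    """Pool for this request, or None when the Remote ID is missing or unknown."""
    rid = parse_remote_id(option)
    if rid is None or "@" not in rid:
        return None
    return POOLS.get(rid.rsplit("@", 1)[1])

def parse_range(text: str):
    """'start-end' as typed into the Restrict Virtual Address Ranges field."""
    return tuple(ipaddress.ip_address(p.strip()) for p in text.split("-", 1))

def ranges_overlap(a: str, b: str) -> bool:
    """True when two start-end ranges share an address (restricted range vs NAT Pool)."""
    (a_lo, a_hi), (b_lo, b_hi) = parse_range(a), parse_range(b)
    return a_lo <= b_hi and b_lo <= a_hi

def address_allowed(addr: str, restricted: str) -> bool:
    """Gateway-side rule: a lease outside the restricted range is not accepted."""
    lo, hi = parse_range(restricted)
    return lo <= ipaddress.ip_address(addr) <= hi
```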

Engine Editor > VPN > VPN Client

Use this branch to change settings that are used when the Engine acts as a VPN Gateway in a mobile VPN.

Option Definition

Gateway Display Name
  If you want to show a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element.
VPN Type
  Defines the type of tunnels the mobile VPN supports.
    • IPsec VPN — The mobile VPN only supports IPsec tunnels.
    • SSL VPN — The mobile VPN only supports SSL VPN tunnels.
    • Both IPsec & SSL VPN — The mobile VPN supports IPsec and SSL VPN tunnels.
SSL Port (When VPN Type is SSL VPN)
  The port for SSL VPN tunnels.
TLS Cryptography Suite Set (When VPN Type is SSL VPN)
  The cryptographic suite for SSL VPN tunnels. Click Select to select an element.
  Note: Do not change the default setting unless you have a specific reason to do so.
Authentication Timeout (When VPN Type is SSL VPN)
  The timeout for Forcepoint VPN Client user authentication.

Local Security Checks section (Forcepoint VPN Client for Windows only)
  Defines whether the Forcepoint VPN Client for Windows checks for the presence of basic security software to stop connections from risky computers.
    • Anti-Virus is enabled — Requires anti-virus software to be enabled on the computers of mobile VPN users.
    • Firewall is enabled — Requires firewall software to be enabled on the computers of mobile VPN users.
    • Windows Update is enabled — Requires the Windows Update service to be enabled on the computers of mobile VPN users.

Virtual Address section
  Options for configuring the Forcepoint VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN.
DHCP Mode
  Specifies how DHCP requests from VPN clients are sent.
    • Disabled (IPsec VPN type only) — DHCP is not enabled.
    • Direct — When selected, the engine sends a normal DHCP client broadcast message to a DHCP server located in a directly connected network.
      Note: This option is included for backward compatibility with legacy software versions.
    • Relay — When selected, the engine sends unicast DHCP relay messages for VPN clients’ DHCP requests.
  Note: If SSL VPN or Both IPsec & SSL VPN is selected from the VPN Type drop-down list, only Direct and DHCP Relay are shown.
Interface (When DHCP Mode is Direct)
  The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
Interface for DHCP Relay (When DHCP Mode is Relay)
  The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
DHCP Server (Engine < 5.9) (When DHCP Mode is Direct)
  The DHCP server that assigns IP addresses for the VPN clients.
  Note: This option is included for backward compatibility with legacy software versions.
DHCP Servers (When DHCP Mode is Relay)
  The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element.
Add Information (Optional)
  Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
    • Add User Information — When selected, VPN Client user information (in the form user@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
    • Add Group Information — When selected, VPN Client user information (in the form group@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
    • None — When selected, no user or user group information is added to the Remote ID option field in the DHCP Request packets.
Restrict Virtual Address Ranges
  When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right.
Proxy ARP
  When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right.

Secondary IPsec VPN Gateways section (Optional; When VPN Type is IPsec VPN)
  Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down.