Define virtual IP addresses for VPN clients
You can use a Virtual Adapter to assign the VPN client an IP address in the VPN, independent of the address the VPN client computer uses in its local network.
Before you begin
- You must use an external DHCP server to assign the IP addresses.
- The users must use a VPN client that has a Virtual Adapter feature. The Forcepoint VPN Client always has this feature installed and active.
The virtual IP address is only used in communications through the VPN tunnels. The VPN gateway gets the IP address and network settings of the Forcepoint VPN Client from the an external DHCP server and forwards the information to the Forcepoint VPN Client. For one-way access without DNS resolving, the VPN gateway can alternatively be set up to apply NAT to translate the Forcepoint VPN Client connections. This method is meant for testing purposes.
The VPN gateway specifies the destination IP addresses for traffic that the Forcepoint VPN Client sends into the VPN tunnel. The IP addresses are configured as Site elements for each gateway in the Management Client. When the Sites contain specific internal networks, the Forcepoint VPN Client receives a configuration for split tunneling. Split tunneling means that only the specified portion of traffic uses the VPN tunnel, and other connections use the local network as usual.
Most DHCP servers allow a configuration in which a particular client computer is always assigned a particular IP address. For example, the DHCP server might assign the IP address based on the MAC address if VPN clients have fixed MAC addresses for their Virtual Adapters. By default, when the Forcepoint VPN Client virtual adapter requests an IP address, it uses the MAC address of the physical interface used in the VPN connection.
For more details about the product and how to configure features, click Help or press F1.
Steps
Engine Editor > VPN > VPN Client
Use this branch to change settings that are used when the Engine acts as a VPN Gateway in a mobile VPN.
Option | Definition |
---|---|
Gateway Display Name | If you want to show a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element. |
VPN Type | Defines the type of tunnels the mobile VPN supports.
|
SSL Port | (When VPN Type is SSL VPN) The port for SSL VPN tunnels. |
TLS Cryptography Suite Set | (When VPN Type is SSL VPN) The cryptographic suite for SSL VPN tunnels. Click Select to select an element.Note: Do not change the default setting unless you have a specific reason to do so.
|
Authentication Timeout | (When VPN Type is SSL VPN) The timeout for Forcepoint VPN Client user authentication. |
Option | Definition |
---|---|
Local Security Checks section (Forcepoint VPN Client for Windows only) | Defines whether the Forcepoint VPN Client for Windows checks for the presence of basic security software to stop connections from risky
computers.
|
Option | Definition |
---|---|
Virtual Address section | Options for configuring the Forcepoint VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN. |
DHCP Mode | Specifies how DHCP requests from VPN clients are sent.
Note: If
SSL VPN or
Both IPsec & SSL VPN is selected from the
VPN Type drop-down list, only the
Direct and
DHCP Relay are shown.
|
Interface | (When DHCP Mode is Direct) The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
Interface for DHCP Relay | (When DHCP Mode is Relay) The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
DHCP Server (Engine < 5.9) | (When DHCP Mode is Direct) The DHCP server that assigns IP addresses for the VPN clients.Note: This option is included for backward compatibility with legacy software versions.
|
DHCP Servers | (When DHCP Mode is Relay) The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element. |
Add Information
(Optional) |
Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
|
Restrict Virtual Address Ranges | When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right. |
Proxy ARP | When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right. |
Option | Definition |
---|---|
Secondary IPsec VPN Gateways section (Optional) |
(When VPN Type is IPsec VPN) Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down. |