VPN client settings and how they work
Forcepoint VPN Client settings are configured centrally in the SMC. The settings are automatically updated to the Forcepoint VPN Client from the engines when the clients connect.
The following settings are transferred from the gateway to the client:
- Routing information (VPN Site definitions). Generally, if an IP address that the client wants to contact is included in the Site definition, the traffic is routed into the VPN.
- Authentication settings
- Encryption settings
- Information about the gateway’s endpoints
- Settings for NAT traversal methods allowed
- Settings for local security checks on the client computer
- Secondary IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end
VPN client settings have the following limitations:
- When the Forcepoint VPN Client is first installed, it has no configuration. Either the user or the administrator must add the basic information about gateways, such as the IP address to use for connecting.
- There are version-specific dependencies between the Forcepoint VPN Client and Firewall/VPN software. See the Release Notes of the Forcepoint VPN Client version you intend to use for information about compatibility with your Firewall/VPN gateway’s software version.
- The SMC does not create configurations for third-party VPN clients. You must create the configuration through the controls and tools of the third-party VPN client product.
VPN Client - Properties dialog box
Use this dialog box to view the VPN Client settings that are configured in the Engine Editor.
| Option | Definition | 
|---|---|
| General tab | |
| Name | Specifies the unique name of the element. | 
| Gateway Profile | Shows the selected gateway profile. | 
| Select | Opens the Select Element dialog box. | 
| Comment | An optional comment for your own reference. | 
| Option | Definition | 
|---|---|
| Endpoints tab | |
| Search | Opens a search field for the selected element list. | 
| New | This option is not available in this dialog box. | 
| Tools | |
| Option | Definition | 
|---|---|
| Sites tab | |
| Search | Opens a search field for the selected element list. | 
| Up | Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy. | 
| New | This option is not available in this dialog box. | 
| Tools | |
| Option | Definition | 
|---|---|
| Trusted CAs tab | |
| Trust All | Shows the value of the Trust All option. | 
| Trust only selected | Shows the value of the Trust only selected option. | 
Engine Editor > VPN > VPN Client
Use this branch to change settings that are used when the NGFW Engine acts as a VPN Gateway in a mobile VPN.
| Option | Definition | 
|---|---|
| Gateway Display Name | If you want to show a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element. | 
| VPN Type | Defines the type of tunnels the mobile VPN supports. |
| SSL Port | (When VPN Type is SSL VPN) The port for SSL VPN tunnels. |
| TLS Cryptography Suite Set | (When VPN Type is SSL VPN) The cryptographic suite for SSL VPN tunnels. Click Select to select an element. Note: Do not change the default setting unless you have a specific reason to do so. |
| Authentication Timeout | (When VPN Type is SSL VPN) The timeout for Forcepoint VPN Client user authentication. |
| Option | Definition | 
|---|---|
| Local Security Checks section (Forcepoint VPN Client for Windows only) | Defines whether the Forcepoint VPN Client for Windows checks for the presence of basic security software to stop connections from risky computers. |
| Option | Definition | 
|---|---|
| Virtual Address section | Options for configuring the Forcepoint VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN. | 
| DHCP Mode | Specifies how DHCP requests from VPN clients are sent. Note: If SSL VPN or Both IPsec & SSL VPN is selected from the VPN Type drop-down list, only the Direct and DHCP Relay options are shown. |
| Interface | (When DHCP Mode is Direct) The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
| Interface for DHCP Relay | (When DHCP Mode is Relay) The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
| DHCP Server (NGFW < 5.9) | (When DHCP Mode is Direct) The DHCP server that assigns IP addresses for the VPN clients. Note: This option is included for backward compatibility with legacy NGFW software versions. |
| DHCP Servers | (When DHCP Mode is Relay) The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element. |
| Add Information (Optional) | Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets. |
| Restrict Virtual Address Ranges | When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right. | 
| Proxy ARP | When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right. | 
| Option | Definition | 
|---|---|
| Secondary IPsec VPN Gateways section (Optional) | (When VPN Type is IPsec VPN) Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down. |
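
A simplified model of two behaviours described on this page, the Site-definition routing decision and the Restrict Virtual Address Ranges option, useful when reviewing which destinations stay outside the tunnel and which DHCP leases fall outside the permitted range. This is an added example, not Forcepoint code; the networks, the address range and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not from any real deployment).
SITE_NETWORKS = ["10.10.0.0/16", "192.168.50.0/24"]   # networks in the VPN Site definition
VIRTUAL_RANGE = ("172.16.200.10", "172.16.200.100")   # Restrict Virtual Address Ranges value


def routed_into_vpn(destination, site_networks=SITE_NETWORKS):
    """True if the destination is inside any network of the Site definition."""
    addr = ipaddress.ip_address(destination)
    return any(addr in ipaddress.ip_network(net) for net in site_networks)


def lease_allowed(offered, allowed_range=VIRTUAL_RANGE):
    """True if a DHCP-offered virtual address lies inside the restricted range.

    The range is treated as inclusive at both ends.
    """
    low, high = (ipaddress.ip_address(a) for a in allowed_range)
    addr = ipaddress.ip_address(offered)
    if low.version != high.version or low > high:
        raise ValueError("invalid virtual address range")
    if addr.version != low.version:
        return False  # an IPv6 offer can never sit inside an IPv4 range
    return low <= addr <= high


def review(destinations, leases):
    """Return (destinations not routed into the VPN, leases outside the range)."""
    outside_tunnel = [d for d in destinations if not routed_into_vpn(d)]
    refused = [lease for lease in leases if not lease_allowed(lease)]
    return outside_tunnel, refused


if __name__ == "__main__":
    # Constructed inputs: one address just outside a Site network,
    # one lease exactly one past the end of the restricted range.
    dests = ["10.10.4.20", "192.168.51.7", "8.8.8.8"]
    leases = ["172.16.200.10", "172.16.200.101", "172.16.201.5"]
    print(review(dests, leases))
```
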
Engine Editor > VPN > Advanced
Use this branch to change advanced VPN settings.
| Option | Definition | 
|---|---|
| Gateway Settings | The Gateway Settings element that defines performance-related VPN options. | 
| Gateway Profile | The Gateway Profile in use. | 
| Translate IP Addresses Using NAT Pool | When selected, the specified IP address range and port range are used for translating IP addresses of incoming Forcepoint VPN Client connections to internal networks. Enter the ranges in the IP Address Range and Port Range fields. Note: This option is an alternative to using virtual IP addresses for VPN Clients. |