Define Mobile VPNs
In a mobile VPN, a VPN client on a user's device connects to a VPN gateway.
You can use both SSL VPN and IPsec tunnels together in the mobile VPN configuration in the same policy-based VPN.
For more details about the product and how to configure features, click Help or press F1.
Steps
-
Configure VPN Client settings in the Engine Editor.
- Right-click a Firewall element, then select Edit <element type>.
- Browse to .
- Configure the settings.
- (Optional) Configure the settings on the Advanced branch.
- Click Save and Refresh to save the changes to the configuration and refresh the policy on the engine.
- Create a policy-based VPN or edit an existing policy-based VPN.
- On the Mobile VPN tab of the policy-based VPN, specify which VPN Gateways provide mobile VPN access.
- Click Save.
Engine Editor > VPN > VPN Client
Use this branch to change settings that are used when the NGFW Engine acts as a VPN Gateway in a mobile VPN.
Option | Definition |
---|---|
Gateway Display Name | If you want to show a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element. |
VPN Type | Defines the type of tunnels the mobile VPN supports.
|
SSL Port | (When VPN Type is SSL VPN) The port for SSL VPN tunnels. |
TLS Cryptography Suite Set | (When VPN Type is SSL VPN) The cryptographic suite for SSL VPN tunnels. Click Select to select an element.Note: Do not change the default setting unless you have a specific reason to do so.
|
Authentication Timeout | (When VPN Type is SSL VPN) The timeout for Forcepoint VPN Client user authentication. |
Option | Definition |
---|---|
Local Security Checks section (Forcepoint VPN Client for Windows only) | Defines whether the Forcepoint VPN Client for Windows checks for the presence of basic security software to stop connections from risky
computers.
|
Option | Definition |
---|---|
Virtual Address section | Options for configuring the Forcepoint VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN. |
DHCP Mode | Specifies how DHCP requests from VPN clients are sent.
Note: If
SSL VPN or
Both IPsec & SSL VPN is selected from the
VPN Type drop-down list, only the
Direct and
DHCP Relay are shown.
|
Interface | (When DHCP Mode is Direct) The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
Interface for DHCP Relay | (When DHCP Mode is Relay) The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
DHCP Server (NGFW < 5.9) | (When DHCP Mode is Direct) The DHCP server that assigns IP addresses for the VPN clients.Note: This option is included for backward compatibility with legacy NGFW software versions.
|
DHCP Servers | (When DHCP Mode is Relay) The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element. |
Add Information
(Optional) |
Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
|
Restrict Virtual Address Ranges | When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right. |
Proxy ARP | When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right. |
Option | Definition |
---|---|
Secondary IPsec VPN Gateways section (Optional) |
(When VPN Type is IPsec VPN) Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down. |
Policy-Based VPN editing view
Use this view to create and modify policy-based virtual private networks (VPN).
Option | Definition |
---|---|
Resources | Use this pane to create and add elements to a VPN. |
Search | Opens a search field for the selected element list. |
Up (Backspace) | Returns to the previous folder. |
New | Opens the associated dialog box to create an element. |
Tools |
|
Option | Definition |
---|---|
Editor toolbar | |
Save | Saves the changes. |
Tools menu | |
Properties | Opens the VPN Properties dialog box. |
Sign VPN Client Certificate | Opens the Sign VPN Client Certificate dialog box. |
Filter by Gateway | Shows only tunnels where the selected gateway is used. Only available on the Tunnels tab. |
Filter by Firewall | Shows only tunnels where the selected firewall is used. Only available on the Tunnels tab. |
No Filtering | Disables filtering. |
Option | Definition |
---|---|
Site-to-Site VPN tab | |
Central Gateways list | Specifies which VPN gateways are central gateways in the VPN. Central gateways can establish a VPN with any other gateway in the VPN. |
Satellite Gateways list | Specifies which VPN gateways are satellite gateways in the VPN. Satellite gateways can establish a VPN only with central gateways in the VPN. |
Option | Definition |
---|---|
Mobile VPN tab | |
Select engines that provide Mobile VPN Access | Specifies the gateways that can be selected for mobile VPN access.
|
Option | Definition |
---|---|
Tunnels tab | |
Gateway A or Gateway B | VPN Gateway elements are used for Gateway A; for Gateway B, they can be VPN Gateway or External VPN Gateway elements.
Right-clicking this type of cell opens these menu items:
|
VPN Profile |
To override the default VPN profile for this VPN, select a VPN Profile element for the tunnel. Right-clicking this type of cell opens these menu items:
|
Key | Verifies if the required pre-shared key is properly set. If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or
export the keys that have been automatically generated for your partner to use. To view, change, or export the pre-shared key, double-click . Right-clicking this type of cell opens these menu items:
|
Validity | Verifies if the tunnel is valid. If a tunnel has a warning icon in the Validity cell, right-click the tunnel and select View
issues. You must resolve all problems indicated in the messages shown. Right-clicking this type of cell opens these menu items:
|
Forwarding Gateways | Right-clicking this type of cell opens these menu items:
|
Endpoint A or Endpoint B |
Select the endpoint IP addresses. You cannot use the same endpoint in a route-based VPN tunnel and a policy-based VPN tunnel. If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address. Right-clicking this type of cell opens these menu items:
|
IPsec Profile | Right-clicking this type of cell opens these menu items:
|
Mode | Determines how the tunnel is used in a Multi-Link VPN. Right-clicking this type of cell opens these menu items:
|
Validity | Verifies if the tunnel is valid. Right-clicking this type of cell opens these menu items:
|
Option | Definition |
---|---|
Panes in the Policy-Based VPN editing view | |
Info pane | Shows information about the selected element. |
Issues pane | Shows issues in the VPN configuration, such as incompatible settings. |
Link Summary pane | Shows a summary of the policy-based VPN configuration. |