Skip to content

VMware NSX SSL VPN Setup

SSL VPN is a brilliant under utilised feature of VMware NSX. Easy to setup, allowing users access to an environment, you can even do more advanced setups by coupling with the context-aware micro-segmentation features of NSX.

This tutorial will explain how to setup a NSX SSL VPN. NSX 6.4.5 was used for this tutorial, other NSX versions follow the same setup but you may notice some differences as you go along.

You can use an existing NSX ESG (edge services gateway) or create one specifically for the VPN. Open the ESG and navigate to Configure -> Certificates.

NSX SSL VPN Certificates Before

Click CSR ACTIONS -> Generate CSR, populate fields with required values before pressing OK.

NSX SSL VPN Certificates Generate CSR

Click on the generated CSR to see the details.

NSX SSL VPN Certificates View CSR

Copy the certificate request to a file and save as {cert}.csr ready for submitting to a CA.

Run the command: certreq -submit -attrib "CertificateTemplate:VMware" {cert}.csr {cert}.cer

Click CSR ACTIONS -> Import Certificate, paste the contents of {cert}.cer and press OK.

NSX SSL VPN Certificates Import

Click ADD -> CA Certificate, paste the CA certificate and press OK.

NSX SSL VPN Certificates CA

Certificates should now show the CA certificate and your generated signed certificate.

NSX SSL VPN Certificates After

Now to setup the SSL VPN you need to use the flash based web client as even with vCenter 6.7 & NSX 6.4.5 the feature is not available in the HTML5 UI.

Click Manage -> SSL VPN-Plus and select Server Settings.

NSX SSL VPN Server Settings Before

Add an additional IP address to the ESG if required before clicking “Change” to edit the server settings. Select the IP address you want to bind to the service along with the port and select the previously generated certificate before pressing OK.

NSX SSL VPN Change Server Settings

Server settings will now show the updated settings.

NSX SSL VPN Server Settings After

Select IP Pools.

NSX SSL VPN IP Pools Before

Click + to add a new pool, enter values for IP Range, Netmask, Gateway & DNS then press OK.

NSX SSL VPN Add IP Pool

The configured IP pool can now be seen.

NSX SSL VPN IP Pools After

Select Private Networks.

NSX SSL VPN Networks Before

Click + to add a new private network, enter CIDR value for Network, select to Send Traffic “Over Tunnel” and tick “Enable TCP Optimization” then press OK. Repeat for any additional required networks.

NSX SSL VPN Add Network

The configured private network(s) can now be seen.

NSX SSL VPN Networks After

Select Authentication.

NSX SSL VPN Authentication Before

Click + to add an authentication server. Select the required Authentication Server Type such as “AD”. If authenticating against AD then populate values for IP Address, port, Search base, Bind DN, Bind Password & Login Attribute Name. Optionally populate Search Filter (E.G. memberOf={Group DN}) to limit users. Once populated press OK.

You should really use LDAPS (port 636) instead of LDAP (port 389) by ticking the "Enable SSL" box. This encrypts the LDAP communication so AD information can't be inspected over the network.
There is however currently a VMware bug which means authentication will not work if you tick to "Enable SSL" so for now leave it unticked. Details to follow regarding the bug, it is an open case with VMware.
NSX SSL VPN Add Authentication Server

The configured authentication server can now be seen.

NSX SSL VPN Authentication After

Select Installation Package.

NSX SSL VPN Installation Package Before

Click + to add an installation package configuration, enter values for Profile Name, Gateway (which should be a DNS entry) & Port. Tick the required Installation Parameters then press OK.

NSX SSL VPN Add Installation Package

The configured installation package can now be seen.

NSX SSL VPN Installation Package After

Select Client Configuration and change options to your requirements.

NSX SSL VPN Client Configuration

Select General Settings and change options to your requirements.

NSX SSL VPN General Settings

Select Portal Customization and change branding options to your requirements.

NSX SSL VPN Branding

Select Dashboard. Make sure the SSL VPN is enabled.

Now you are ready to navigate to your configured gateway address and port, login and download the SSL VPN Client. Once downloaded, install and then reboot your machine. After the reboot you will see the SSL VPN client in your taskbar, open it to connect and login to the VPN.

NSX SSL VPN Client
NSX SSL VPN Client Login
Published inNSX

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.