How to Implement Client-to-Site VPN Using McAfee NGFW

Version 1

    Introduction

    This document demonstrates how to configure Client-to-Site VPN and details how a remote user authenticates to the McAfee VPN Gateway, which is located at the main site.

    Video

    You can also watch the steps described in this document in the video below.

    Process

    I - Background Information

    The images below illustrate how the remote user securely connects to the main site. First, the user opens a VPN client on their machine and attempts to connect to the VPN gateway. The VPN gateway queries the authentication server to verify the user's credentials. Once authentication succeeds, a secure VPN tunnel is created between the user's machine and the main office network.

    ClientSiteVPN 1.png

    Once the user is logged in, the User/Application-Based Rules we have already created apply strictly to that user. Suppose user “LMAJORS” logs into the main office from home. When this user tries to access a website such as "Amazon.com," the request follows the VPN hairpin route: it goes to the main office firewall, which already has a rule for user “LMajors,” and based on sub-policy rule 15.5.1 the connection is discarded.

    ClientSiteVPN 2.png

    Below is the VPN configuration page. In this case we have two VPN gateways: "SantaClara Internal" is the main office VPN gateway, and "IPsec Client" is the remote user's endpoint.

    ClientSiteVPN 3.png

    ClientSiteVPN 4.png

    Drag and drop the "SantaClara Internal" gateway onto the "Central Gateway" tab and the "IPsec Client" onto the "Satellite Gateways" tab. This creates a tunnel between the two gateways.

    ClientSiteVPN 5.png

    ClientSiteVPN 6.png

    If the gateways are configured correctly, the tunnel status will be green. The firewall's status turns green when any user logs in via the VPN.

    ClientSiteVPN 7.png

    ClientSiteVPN 8.png
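    The following Python script is an added example and is not part of the McAfee document or the product. It models the hairpin behaviour described in this section: a longest-prefix route lookup on the remote machine decides whether a request leaves directly via the user's ISP link or enters the VPN tunnel, and only tunnelled requests are evaluated against the main-office policy, where a user-based rule for "LMAJORS" discards the connection. Sub-policy rule tag 15.5.1 and the user name come from the document; all addresses, interface names, the second rule, and the default action are constructed assumptions.

```python
"""Added example (not from the McAfee document): hairpin route decision
plus user-based rule evaluation for a Client-to-Site VPN user.
All addresses, interface names and rules other than tag 15.5.1 are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # "eth0" = the user's ISP link, "tun0" = the VPN tunnel (assumed names)


@dataclass
class Rule:
    tag: str                     # rule tag as shown in the firewall's log view
    user: Optional[str]          # None matches any user
    dst: ipaddress.IPv4Network
    action: str                  # "allow" or "discard"


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


# Constructed route table of the home machine before the client connects:
# everything not on the home LAN leaves through the ISP link.
ROUTES_BEFORE: List[Route] = [
    Route(net("192.168.1.0/24"), "eth0"),
    Route(net("0.0.0.0/0"), "eth0"),
]

# After a full-tunnel connect the client adds the corporate range and two /1
# routes that outrank the ISP default route (a common client pattern; assumed here).
ROUTES_AFTER: List[Route] = ROUTES_BEFORE + [
    Route(net("10.0.0.0/8"), "tun0"),
    Route(net("0.0.0.0/1"), "tun0"),
    Route(net("128.0.0.0/1"), "tun0"),
]

# Constructed main-office policy. Tag 15.5.1 is the sub-policy rule named in the
# document; its destination (a documentation range standing in for Amazon.com)
# and the second rule are assumptions.
RULES: List[Rule] = [
    Rule("15.5.1", "LMAJORS", net("203.0.113.0/24"), "discard"),
    Rule("15.5.2", None, net("10.0.0.0/8"), "allow"),
]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way a host route table chooses an interface."""
    ip = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def evaluate(rules: List[Rule], user: str, dst: str) -> Tuple[str, str]:
    """First-match policy evaluation; the final fallback is an assumed discard."""
    ip = ipaddress.IPv4Address(dst)
    for r in rules:
        if (r.user is None or r.user == user) and ip in r.dst:
            return r.tag, r.action
    return "default", "discard"


def request_outcome(routes: List[Route], rules: List[Rule], user: str, dst: str) -> str:
    """'direct' if the request bypasses the tunnel, otherwise the hairpinned verdict."""
    route = lookup(routes, dst)
    if route is None:
        return "unreachable"
    if route.interface != "tun0":
        return "direct"  # leaves via the ISP; the office policy never sees it
    tag, action = evaluate(rules, user, dst)
    return f"hairpin:{tag}:{action}"


if __name__ == "__main__":
    for label, routes in (("before VPN", ROUTES_BEFORE), ("after VPN", ROUTES_AFTER)):
        print(label, "->", request_outcome(routes, RULES, "LMAJORS", "203.0.113.10"))
```

    The point the model makes explicit is that the policy can only act on traffic that actually enters the tunnel: if the client were configured for split tunnelling (no /1 routes via tun0), the same request would be reported as "direct" and rule 15.5.1 would never be consulted.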

    II - Demo

    Let's run a simple test before connecting to the VPN gateway by trying to reach amazon.com in a web browser. We can indeed reach Amazon.com, and other sites such as Facebook.com.

    ClientSiteVPN 9.png

    ClientSiteVPN 10.png

    The user can reach Amazon.com and Facebook.com because the connection request is not yet going through the hairpin route; it goes straight out to the Internet. Now let's connect to the VPN gateway. Below is what the VPN client installed on the user's machine looks like.

    ClientSiteVPN 11.png

    ClientSiteVPN 12.png

    We can see that the connection has been established successfully and that “LMAJORS” is securely connected to the corporate main office.

    ClientSiteVPN 13.png

    Now let's go back and try to connect to Amazon.com, but before that, let's start the logs.

    ClientSiteVPN 14.png

    We can see that the connection to Amazon.com was discarded based on sub-policy rule 15.5.1, which we configured earlier. This shows that the connection request is now using the hairpin route.

    ClientSiteVPN 15.png

    We can right-click the log entry and view the rule; this takes us directly to the rule that is discarding the connection.

    ClientSiteVPN 16.png

    As you can see, sub-policy rule 15.5.1 is in effect and is discarding the connection.

    ClientSiteVPN 17.png
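    The log view above is checked by eye for one connection. The Python script below is an added example, not part of the McAfee document or the product, that performs the same check over an exported set of log rows: for one VPN user it counts external connections discarded by sub-policy rule 15.5.1 and internal connections allowed, and it reports any external connection that was allowed instead, which would mean the hairpinned traffic matched a more permissive rule earlier in the policy. The log rows, their column names, the VPN client address and the other rule tags are all constructed for the example; a real export uses the management console's own column names.

```python
"""Added example (not from the McAfee document): audit exported log rows to
confirm the hairpin behaviour shown in the demo. Log content and field names
are constructed; only user LMAJORS and rule tag 15.5.1 come from the document."""
import csv
import io
import ipaddress
from typing import Dict, List

# Constructed log export. The fourth LMAJORS row is deliberately an external
# connection that was allowed under another rule tag, the case the audit flags.
CONSTRUCTED_LOG = """\
timestamp,src_addr,dst_addr,dst_port,user,action,rule_tag
2014-05-01 10:00:01,10.200.1.15,203.0.113.10,443,LMAJORS,Discard,15.5.1
2014-05-01 10:00:05,10.200.1.15,198.51.100.22,443,LMAJORS,Discard,15.5.1
2014-05-01 10:00:09,10.200.1.15,10.0.5.20,445,LMAJORS,Allow,15.5.2
2014-05-01 10:00:12,10.200.1.15,192.0.2.77,80,LMAJORS,Allow,9.1
2014-05-01 10:00:20,10.0.7.3,203.0.113.10,443,JDOE,Allow,9.1
"""

# RFC 1918 ranges; anything else is treated as an Internet destination.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in PRIVATE_RANGES)


def audit_vpn_user(log_text: str, user: str, expected_tag: str = "15.5.1") -> Dict[str, object]:
    """Summarise what the firewall did with one VPN user's connections.

    Returns the number of external connections discarded by the expected rule,
    the number of internal connections allowed, and the rows where an external
    connection was allowed, which contradicts the hairpin behaviour in the demo.
    """
    discarded = 0
    internal_allowed = 0
    leaked: List[dict] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["user"] != user:
            continue
        external = not is_internal(row["dst_addr"])
        if external and row["action"] == "Discard" and row["rule_tag"] == expected_tag:
            discarded += 1
        elif not external and row["action"] == "Allow":
            internal_allowed += 1
        elif external and row["action"] == "Allow":
            leaked.append(row)
    return {"discarded_by_rule": discarded, "internal_allowed": internal_allowed, "leaked": leaked}


if __name__ == "__main__":
    result = audit_vpn_user(CONSTRUCTED_LOG, "LMAJORS")
    print("discarded by 15.5.1:", result["discarded_by_rule"])
    print("internal allowed:", result["internal_allowed"])
    for row in result["leaked"]:
        print("external connection allowed:", row["dst_addr"], "by rule", row["rule_tag"])
```

    A non-empty "leaked" list is the thing to act on: the user's traffic did reach the main-office firewall, but a rule listed before 15.5.1 (tag 9.1 in the constructed data) permitted it, so the rule order rather than the VPN configuration needs review.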