How to Implement Client-to-Site VPN Using McAfee NGFW

Version 1



    This document demonstrates how to configure Client-to-Site VPN and details how a remote user authenticates to the McAfee VPN Gateway, which is located at the main site.



    You can also watch the steps described in this document by viewing the video below.


    I - Background Information


    The images below illustrate how the remote user securely connects to the main site. First, the user opens a VPN client on their machine and attempts to connect to the VPN gateway. The VPN gateway queries the authentication server to verify the user's credentials. Once authentication succeeds, a secure VPN tunnel is created between the user's machine and the main office network.

    ClientSiteVPN 1.png


    Once the user is logged in, the User/Application-Based Rules that we have already created apply strictly to these users. Suppose user “LMAJORS” logs into the main office from home. When this user wants to access a website such as "," the request follows the VPN hairpin route: it goes to the main office firewall, which already has a role for user “LMajors.” Based on sub-policy rule 15.5.1, the connection is discarded.

    ClientSiteVPN 2.png


    Below is the VPN configuration page. In this case we have two VPN gateways: "SantaClara Internal" is the main office VPN gateway, and "IPsec Client" is the remote user's endpoint.

    ClientSiteVPN 3.png

    ClientSiteVPN 4.png


    Drag-and-drop the "SantaClara Internal" gateway to the "Central Gateway" tab and drag-and-drop the "IPsec Client" to the "Satellite Gateways" tab. This will create a tunnel between the two gateways.

    ClientSiteVPN 5.png

    ClientSiteVPN 6.png


    If the gateways are configured correctly, the status of the tunnel turns green. The status of the firewall turns green when any user logs in via the VPN.

    ClientSiteVPN 7.png

    ClientSiteVPN 8.png


    II - Demo


    Let's do a simple test before we connect to the VPN gateway by trying to reach in a web browser. We can indeed successfully connect to and to other sites like.

    ClientSiteVPN 9.png

    ClientSiteVPN 10.png


    The user is allowed to visit and because the connection request is not yet going through the hairpin route; rather, it goes straight out to the Internet. Now let's connect to the VPN gateway. Below is an image of the VPN client installed on the user's machine.

    ClientSiteVPN 11.png

    ClientSiteVPN 12.png


    We can see that the connection has been established successfully and that “LMAJORS” is securely connected to the corporate main office.

    ClientSiteVPN 13.png


    Now let's go back and try to connect to again, but before that, let's start the logs.

    ClientSiteVPN 14.png

    We can see that the connection to was discarded. It was discarded based on sub-policy rule 15.5.1, which we configured earlier. This proves that the connection request is now using the hairpin route.

    ClientSiteVPN 15.png
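    The two behaviours shown in the background section and in this demo (direct Internet access before the tunnel is up, a discard by sub-policy rule 15.5.1 once the same user's traffic hairpins through the main office firewall) can be modelled in a few lines. The following is an added example, not McAfee's code or the appliance's actual rule engine or log format: the blocked hostname, the second user "JDOE", the "default" rule and the key=value log lines are constructed for the demo; only "LMAJORS" and rule id "15.5.1" come from the page.

```python
"""Toy model of the hairpin route and user-based rule evaluation described above.

Constructed example: the hostnames, the user JDOE, the "default" rule and the
log-line format are assumptions for this demo, not the product's real ones.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str                          # "allow" or "discard"
    users: frozenset = frozenset()       # empty = matches any user
    dst_hosts: frozenset = frozenset()   # empty = matches any destination

    def matches(self, user: str, dst_host: str) -> bool:
        # User names are compared case-insensitively (the page uses both
        # "LMAJORS" and "LMajors" for the same account).
        user_ok = not self.users or user.upper() in {u.upper() for u in self.users}
        dst_ok = not self.dst_hosts or dst_host.lower() in self.dst_hosts
        return user_ok and dst_ok


# Placeholder: the page elides the real hostname of the blocked site.
BLOCKED_SITE = "blocked.example"

# Constructed policy modelled on the page: sub-policy rule 15.5.1 discards
# LMAJORS's connections to the blocked site; a catch-all rule allows the rest.
POLICY: Tuple[Rule, ...] = (
    Rule("15.5.1", "discard", users=frozenset({"LMAJORS"}),
         dst_hosts=frozenset({BLOCKED_SITE})),
    Rule("default", "allow"),
)


@dataclass(frozen=True)
class Decision:
    path: str                 # "direct" (no tunnel) or "hairpin" (via main office firewall)
    action: str               # what happens to the flow
    rule_id: Optional[str]    # which main office rule decided it, if any


def decide(user: str, dst_host: str, vpn_connected: bool,
           policy: Tuple[Rule, ...] = POLICY) -> Decision:
    """Where does the user's flow go, and what does the main office firewall do with it?"""
    if not vpn_connected:
        # No tunnel: the client sends the request straight to the Internet, so the
        # main office firewall never sees it and its user-based rules cannot apply.
        return Decision("direct", "allow", None)
    # Tunnel up: every flow hairpins through the main office firewall, which
    # evaluates the user-based rules in order; the first match wins.
    for rule in policy:
        if rule.matches(user, dst_host):
            return Decision("hairpin", rule.action, rule.rule_id)
    return Decision("hairpin", "discard", None)   # nothing matched: treat as implicit deny


# Constructed log lines in a simple key=value shape (not the appliance's real format).
SAMPLE_LOGS = """\
ts=2024-01-01T10:00:01 user=LMAJORS dst=blocked.example action=Discard rule=15.5.1
ts=2024-01-01T10:00:02 user=LMAJORS dst=intranet.example action=Allow rule=default
ts=2024-01-01T10:00:03 user=JDOE dst=blocked.example action=Allow rule=default
"""


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one 'k=v k=v ...' line into a dict; values may contain '='."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def discards_by_rule(log_text: str) -> Dict[str, int]:
    """Count Discard events per rule id: the check the demo performs by eye in the log view."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("action", "").lower() == "discard":
            rule_id = rec.get("rule", "?")
            counts[rule_id] = counts.get(rule_id, 0) + 1
    return counts


if __name__ == "__main__":
    print("before VPN:", decide("LMAJORS", BLOCKED_SITE, vpn_connected=False))
    print("after VPN: ", decide("LMAJORS", BLOCKED_SITE, vpn_connected=True))
    print("discards per rule:", discards_by_rule(SAMPLE_LOGS))
```

    The point the model makes explicit is that the rule never changed between the two tests; what changed is the path. Only once the tunnel is up does the request reach the firewall that holds the user-based rules, which is why a discard logged against rule 15.5.1 is evidence that the hairpin route is in use.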


    We can right-click the log entry and view the rule. This takes us directly to the rule that is discarding the connection.

    ClientSiteVPN 16.png


    As you can see, sub-policy rule 15.5.1 is in effect, which is discarding the connection.

    ClientSiteVPN 17.png