TechNote. Configuring SonicOS for MS Windows Azure

Similar documents
Configuring SonicOS for Microsoft Azure

TechNote. Configuring SonicOS for Amazon VPC

Configuration Procedure

Configuring IPsec VPN between a FortiGate and Microsoft Azure

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Title: Setting Up A Site to Site VPN Between Microsoft Azure and the Corporate Network

Route Based Virtual Private Network

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

Configuring Windows 2000/XP IPsec for Site-to-Site VPN

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc.

VMware vcloud Air Networking Guide

How To Industrial Networking

For more information refer: UTM - FAQ: What are the basics of SSLVPN setup on Gen5 UTM appliances running SonicOS Enhanced 5.2?

SonicOS Enhanced Release Notes

SSL-VPN 200 Getting Started Guide

Release Notes. Contents. Release Purpose. Pre-Installation Recommendations. Platform Compatibility. Dell SonicWALL Global VPN Client 4.

Supporting Multiple Firewalled Subnets on SonicOS Enhanced

Contents. Pre-Installation Recommendations. Platform Compatibility. G lobal VPN Client SonicWALL Global VPN Client for 64-Bit Clients

How To Establish IPSec VPN between Cyberoam and Microsoft Azure

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Microsoft Azure Configuration

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

AppLoader 7.7. Load Testing On Windows Azure

Using SonicWALL NetExtender to Access FTP Servers

How To Create A Virtual Private Cloud In A Lab On Ec2 (Vpn)

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

How To Create A Virtual Private Cloud On Amazon.Com

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Contents. Platform Compatibility. SonicOS

Virtual Data Centre. User Guide

VPN Configuration Guide SonicWALL with SonicWALL Simple Client Provisioning

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

Global VPN Client Getting Started Guide

SHAREPOINT 2013 IN INFRASTRUCTURE AS A SERVICE

SonicOS Enhanced Release Notes

Cisco QuickVPN Installation Tips for Windows Operating Systems

Scenario: IPsec Remote-Access VPN Configuration

Configuring WAN Failover & Load-Balancing

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

VPN Configuration Guide SonicWALL with SonicWALL Simple Client Provisioning

Connecting your Virtual Machine to the Internet. BT Cloud Compute. The power to build your own cloud solutions to serve your specific business needs

How To Configure Apple ipad for Cyberoam L2TP

DFL-210/260, DFL-800/860, DFL-1600/2500 How to setup IPSec VPN connection

SonicWALL Mobile Connect. Mobile Connect for OS X 3.0. User Guide

Release Notes. Pre-Installation Recommendations... 1 Platform Compatibility... 1 Known Issues... 2 Resolved Issues... 2 Troubleshooting...

SonicWALL strongly recommends you follow these steps before installing Global VPN Client (GVC) 4.0.0:

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

HOWTO: How to configure IPSEC gateway (office) to gateway

Scenario: Remote-Access VPN Configuration

Windows XP VPN Client Example

MATLAB Distributed Computing Server with HPC Cluster in Microsoft Azure

Configuring a VPN for Dynamic IP Address Connections

Initial Access and Basic IPv4 Internet Configuration

Platform Compatibility... 1 Key Features... 2 Known Issues... 4 Upgrading SonicOS Image Procedures... 6 Related Technical Documentation...

Using IPsec VPN to provide communication between offices

How to Setup PPTP VPN Between a Windows PPTP Client and the DIR-130.

Firewall Defaults and Some Basic Rules

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

VPN Configuration Guide. Dell SonicWALL

Gateway-to-Gateway VPN with Certificate

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Connecting an Android to a FortiGate with SSL VPN

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Fujitsu Global Cloud Platform Basic System Setup Windows VM

TechNote. Contents. Introduction. System Requirements. SRA Two-factor Authentication with Quest Defender. Secure Remote Access.

How to Open HTTP or HTTPS traffic to a webserver behind the NetVanta 2000 Series unit (Enhanced OS)

Chapter 9 Monitoring System Performance

The VPNaaS Plugin for Fuel Documentation

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050

Creating a Client-To-Site VPN. BT Cloud Compute. The power to build your own cloud solutions to serve your specific business needs.

Configuring TheGreenBow VPN Client with a TP-LINK VPN Router

Using Public IP Settings

Configuring a FortiGate unit as an L2TP/IPsec server

Installing Intercloud Fabric Firewall

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

Device LinkUP + Desktop LP Guide RDP

How to Configure a High Availability Cluster in Azure via Web Portal and ASM

Configuring SSH Sentinel VPN client and D-Link DFL-500 Firewall

Configuring Internet Authentication Service on Microsoft Windows 2003 Server

KeyControl Installation on Amazon Web Services

Windows Server 2008 R2 Initial Configuration Tasks

Setting up D-Link VPN Client to VPN Routers

Lab - Configure a Windows Vista Firewall

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

How To Setup Cyberoam VPN Client to connect a Cyberoam for remote access using preshared key

In this lab you will explore the Windows XP Firewall and configure some advanced settings.

MacroLan Azure cloud tutorial.

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

Configuring PA Firewalls for a Layer 3 Deployment

VPN Wizard Default Settings and General Information

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

Transcription:

Network Security SonicOS Contents Overview...1 Deployment Considerations...2 Supported Platforms...2 Configuring a Policy-Based VPN...2 Configuring a Route-Based VPN...17 Overview This TechNote details how to configure a policy-based or route-based VPN between Windows Azure and a Dell SonicWALL Firewall running SonicOS. Windows Azure is a cloud computing platform and infrastructure created by Microsoft. It is used for building, deploying, and managing applications and services through a global network of Microsoft managed datacenters. For SonicOS platforms, Windows Azure provides site-to-site Virtual Private Network (VPN) connectivity between a Dell SonicWALL Next-Generation (NG) Firewall and virtual networks hosted in the Windows Azure cloud.

Deployment Considerations TechNote Please consider the following before deploying Windows Azure: The Windows Azure Management Portal uses different terminology for VPNs than the SonicOS Management Interface, see the following for comparison: Windows Azure Dynamic Routing Static Routing SonicOS Route-Based Policy-Based Windows Azure supports Dynamic Routing (route-based) and Static Routing (policy-based) site-to-site VPNs. For authentication, only Pre-Shared Key (PSK) is currently supported, certificate based site-to-site VPNs are not yet supported. Supported Platforms Windows Azure is supported with the following Dell SonicWALL appliances: SuperMassive E10000 Series SuperMassive 9000 Series E-Class NSA Series NSA 2600 / 3600 / 4600 / 5600 / 6600 NSA 220 / 220W / 240 / 250M / 250MW / 2400 / 2400MX / 3500 / 4500 / 5000 TZ 100 / 100W / 105 / 105W / 200 / 200W / 205 / 250W / 210 / 210W / 215 / 215W Configuring a Policy-Based VPN To configure a policy-based VPN between the Dell SonicWALL Firewall and Windows Azure, perform the following tasks on each side of the deployment (Windows Azure and SonicOS), then test the connectivity between them: Windows Azure Configuration Tasks 1. Creating a Virtual Network 2. Define the SonicWALL Network 3. Configure a Virtual Network Address 4. Create a Virtual Network Gateway SonicWALL Configuration Tasks 1. Create an Address Object for the Virtual Network 2. Create a Policy-Based VPN Test the Connectivity 2

Windows Azure Configuration Tasks Perform the following tasks in the Windows Azure Management Portal. Creating a Virtual Network 1. Log into the Windows Azure Management Portal. 2. In the left-hand navigation menu, click Networks. 3. In the bottom left-hand corner of the screen, click New. The NEW menu displays: 4. Click Networks > Virtual Network > Custom Create. 3

The Create A Virtual Network wizard displays: 5. On the Virtual Network Details page, enter the following information: Name Name your virtual network. Affinity Group Select an affinity group from the dropdown if you already created one, or create a new one. Region Select a region. This option only appears if you create a new affinity group. Affinity Group Name Name the new affinity group. This option only appears if you create a new affinity group. 6. Click the Right Arrow button to continue to the next page. 4

Define the SonicWALL Network The DNS Servers and VPN Connectivity page displays: 7. Click the Configure site-to-site VPN checkbox. For the purpose of this TechNote we skip entering the DNS server name or the IP address. For more information about the settings on this page, refer to this MSN article on DNS Servers and VPN Connectivity. 8. Click the LOCAL NETWORK drop-down menu and either select a network (if it has been created already) or select Specify a New Local Network. The Local network here would be the network behind the Dell SonicWALL Firewall. 9. Click on the Right Arrow button to proceed to the next page. 5

The Site-to-Site Connectivity page displays: TechNote 10. Enter the following information: Name The name you want to call your local network site. This is the network behind the Dell SonicWALL Firewall. VPN Device IP Address This is the WAN IPv4 address of the Dell SonicWALL Firewall. Note: The firewall cannot be located behind a NAT device. The Address Space (including Starting IP and CIDR) is the internal network behind the Dell SonicWALL Firewall. You can add additional networks behind the Dell SonicWALL Firewall by clicking the add address space button. For more information about the settings on this page, see Site-To-Site Connectivity. 11. Click on the Right Arrow button to proceed to the next page. 6

Configure a Virtual Network Address The Virtual Network Address Spaces page displays: 12. Enter the virtual network name in the cloud. Note: Address space must be a private address range, specified in CIDR notation. For Example, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 (as specified by RFC 1918). For more information about the settings on this page, see Virtual Network Address Spaces page in About Configuring a Virtual Network using the Management Portal. 13. Click the STARTING IP drop-down menu, and then enter the network ID (private address range). 14. Click the CIDR drop-down menu, and then select the desired subnet bit. The add gateway subnet will be automatically populated based on the address space entered above. Microsoft runs a gateway service to enable cross-premises connectivity. To this end, they require 2 IP addresses from the virtual network to enable routing between the physical premises and the cloud. At least a /29 subnet must be specified from which they can pick IP addresses for setting up routes. 15. Click the Checkmark button to create your network. 7

After your virtual network is created, the Management Portal > Networks page displays the Status as Created : At this point in the configuration, a virtual network is created in the cloud and a remote network is specified (the Dell SonicWALL network). To view the configuration details, click on the name of the virtual network (in this case MyCloud) in the NAME column. A dashboard displays, click CONFIGURE to view the details: 8

Create a Virtual Network Gateway 16. Click DASHBOARD. TechNote 17. Click the CREATE GATEWAY button, and then select Static Routing. 18. When prompted to confirm the gateway creation, click YES. Depending on your connection, it may take about 15 minutes for the gateway to be created. 9

The updated DASHBOARD page displays: TechNote The public facing IPv4 address will not be generated until the gateway has been created. Once the gateway is created, you will be able to see the public facing IPv4 address of your virtual network under GATEWAY IP ADDRESS. This IP address must be entered under IPsec Primary Gateway Name or Address in the SonicWALL. Note: The gateway IP address may change if the gateway is deleted and recreated. 10

SonicOS Configuration Tasks Perform the following in the SonicOS Management Interface of your Dell SonicWALL appliance: Create an Address Object for the Virtual Network 1. Navigate to the Network > Address Objects page. 2. Click the Add button to create a new Address Object. The Add Address Object window displays: Note: The information displayed in this screenshot is for example only, and may vary depending on your network. 3. Enter the address object information in the text-fields. This needs to be the same information that was previously entered/configured in the Windows Azure Management Portal. 4. Click the OK button. 11

Create a Policy-Based VPN 5. Login to the SonicOS Management Interface as an administrator. 6. Navigate to the VPN > Settings page. 7. Click the Add button. The VPN Policy pop-up window displays: 8. Enter the following information: Policy Type Select Site to Site from the drop-down menu. Authentication Method select the desired method. Name Enter a name for the policy (we are using Azure in this example). IPsec Primary Gateway Name or Address Enter the GATEWAY IP ADDRESS displayed on the Virtual Network page of the Windows Azure Management Portal. Shared Secret This is auto-generated by Windows Azure. Copy it from the Windows Azure Virtual Network dashboard, under Manage Key, and then enter it into this text-field. 12

9. Click the Network tab. TechNote 10. Click the Choose local network from list radio button, and then select the desired local network (this may vary depending on your network, we are using the X0 Subnet in this as an example). Note: This needs to be the same local network that was previously entered in the Azure Management Portal under the Starting IP text-field. Please refer to step 13 in the Windows Azure Configuration Tasks section to obtain this IP address. 11. Click the Choose destination network from list radio button, and then select Azure Network from the drop-down menu. 12. Click the Proposals tab. 13

13. Click the Exchange drop-down menu, and then select Main Mode. Windows Azure supports only Main Mode for static-routing site to site VPN. For more information about the Proposals supported in Windows Azure, see About VPN Devices for Virtual Network. 14. Click the Advanced tab. 15. Click the VPN Policy bound to: drop-down menu, and then select the appropriate interface (the WAN interface on the SonicWALL Security Appliance). For example: Interface X1. 16. Click the OK button. 14

Test the Connectivity Now that we have completed the configuration on both sides, it is time to initiate the VPN connection. 1. In the Windows Azure Management Portal, navigate to Networks, and then click on your virtual network to go to its Dashboard page. 2. At the bottom of this page, click on CONNECT. 3. Log into the SonicOS management interface, and navigate to the VPN > Settings Page. In the VPN Policies table, the VPN will show as connected: 15

It may take a while for the VPN tunnel to show as connected in the Windows Azure Management Portal. Once the tunnel is established, the portal will look like this: 4. To test traffic flow from the Dell SonicWALL side to the Azure cloud, perform either of the following: Try to establish an RDP connection to a VM in the cloud on port 3389 from a host behind the Dell SonicWALL Firewall. Try to ping a VM in the cloud from a host behind the Dell SonicWALL Firewall. Note: By default a Virtual Machine (VM) in the Azure cloud will have inbound ICMP blocked by Windows Firewall and needs to be enabled using this command: netsh advfirewall firewall add rule name="all ICMP V4" protocol=icmpv4:any,any dir=in action=allow 16

Configuring a Route-Based VPN TechNote To configure a route-based VPN between the Dell SonicWALL Firewall and Windows Azure, perform the following tasks on each side of the deployment (Windows Azure and SonicWALL), then test the connectivity between them. Windows Azure Configuration Tasks 1. Creating a Virtual Network 2. Define the SonicWALL Network 3. Configure a Virtual Network Address 4. Create a Virtual Network Gateway SonicWALL Configuration Tasks 1. Create a Route-Based VPN 2. Create an Address Object for the Virtual Network 3. Create a Static Route Policy Note: While SonicOS supports dynamic routing protocols over VPN tunnels, Windows Azure dynamic routing VPN is currently in preview mode and does not support dynamic routing protocols. Until this is supported, routing must be configured manually using static routes. Test the Connectivity Windows Azure Configuration Tasks Perform the following tasks in the Windows Azure Management Portal. Creating a Virtual Network 1. Log into the Windows Azure Management Portal. 2. In the left-hand navigation menu, click Networks. 3. In the bottom left-hand corner of the screen, click New. 17

The NEW menu displays: 4. Click Networks > Virtual Network > Custom Create. The Create A Virtual Network wizard displays: 5. On the Virtual Network Details page, enter the following information: Name Name your virtual network. Affinity Group Select an affinity group from the dropdown if you already created one, or create a new one. Region Select a region. This option only appears if you create a new affinity group. Affinity Group Name Name the new affinity group. This option only appears if you create a new affinity group. 6. Click the Right Arrow button to continue to the next page. 18

Define the SonicWALL Network The DNS Servers and VPN Connectivity page displays: 7. Click the Configure site-to-site VPN checkbox. For the purpose of this article we skip entering the DNS server name or the IP address. For more information about the settings on this page, refer to this MSN article on DNS Servers and VPN Connectivity. 8. Click the LOCAL NETWORK drop-down menu and either select a network (if it has been created already) or select Specify a New Local Network. The Local network here would be the network behind the Dell SonicWALL Firewall. 9. Click on the Right Arrow button to proceed to the next page. 19

The Site-to-Site Connectivity page displays: TechNote 10. Enter the following information: Name The name you want to call your local network site. This is the network behind the Dell SonicWALL Firewall. VPN Device IP Address This is the WAN IPv4 address of the Dell SonicWALL Firewall. Note: The firewall cannot be located behind a NAT device. The Address Space (including Starting IP and CIDR) is the internal network behind the Dell SonicWALL Firewall. You can add additional networks behind the Dell SonicWALL Firewall by clicking the add address space button. For more information about the settings on this page, see Site-To-Site Connectivity. 11. Click on the Right Arrow button to proceed to the next page. 20

Configure a Virtual Network Address The Virtual Network Address Spaces page displays: 12. Enter the virtual network name in the cloud. Note: Address space must be a private address range, specified in CIDR notation 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 (as specified by RFC 1918). For more information about the settings on this page, see Virtual Network Address Spaces page in About Configuring a Virtual Network using the Management Portal. 13. Click the STARTING IP drop-down menu, and then enter the network ID (private address range). 14. Click the CIDR drop-down menu, and then select the desired subnet bit. The add gateway subnet will be automatically populated based on the address space entered above. Microsoft runs a gateway service to enable cross-premises connectivity. To this end, they require 2 IP addresses from the virtual network to enable routing between the physical premises and the cloud. At least a /29 subnet must be specified from which they can pick IP addresses for setting up routes. 15. Click the Checkmark button to create your network. 21

After your virtual network is created, the Management Portal > Networks page displays the Status as Created : At this point in the configuration, a virtual network is created in the cloud and a remote network is specified (the Dell SonicWALL network). To view the configuration details, click on the name of the virtual network (in this case MyCloud) in the NAME column. A dashboard displays, click CONFIGURE to view the details: 22

Create a Virtual Network Gateway 16. Click DASHBOARD. TechNote 17. Click the CREATE GATEWAY button, and then select Dynamic Routing. 18. When prompted to confirm the gateway creation, click YES. Depending on your connection, it may take about 15 minutes for the gateway to be created. 23

The updated DASHBOARD page displays: TechNote Once the gateway has been created, you will be able to see the public facing IPv4 address of your virtual network under GATEWAY IP ADDRESS. This IP address must be entered under IPsec Primary Gateway Name or Address in the SonicOS management interface. 24

SonicOS Configuration Tasks Perform the following in the SonicOS management interface of the Dell SonicWALL appliance: Create a Tunnel Interface VPN 1. Login to the SonicOS management interface as an administrator. 2. Navigate to the VPN > Settings page. 3. Click the Add button. The VPN Policy pop-up window displays: 4. Enter the following information: Policy Type Select Tunnel Interface from the drop-down menu. Authentication Method select the desired method. Name Enter a name for the policy (we are using Azure in this example). IPsec Primary Gateway Name or Address Enter the GATEWAY IP ADDRESS displayed on the Virtual Network page of the Windows Azure Management Portal. Shared Secret This is auto-generated by Windows Azure. Copy it from the Windows Azure Virtual Network dashboard, and then enter it in this text-field. 25

5. Click the Proposals tab. TechNote 6. Click the Exchange drop-down menu, and then select IKEv2 Mode. Windows Azure supports only IKEv2 Mode for route-based site to site VPN. For more information about the Proposals supported in Windows Azure, see About VPN Devices for Virtual Network. 7. Click the Advanced tab. 8. Click the VPN Policy bound to: drop-down menu, and then select Interface X1. 9. Click the OK button. 26

Create an Address Object for the Virtual Network 10. Navigate to the Network > Address Objects page. 11. Click the Add button to create a new Address Object. The Add Address Object window displays: 12. Enter the following information: Name Enter a name for the Address Object (we are using Azure Network in this example) Zone Assignment Click the drop-down, and then select VPN. Type Click the drop-down, and then select Network. Network Enter the network IP address. Netmask/Prefix Length Enter the netmask. 13. Click the OK button. 27

Create a Static Route Policy 14. Navigate to the Network > Routing page. TechNote 15. Click the Add button to create a new Route Policy. The Add Route Policy pop-up window displays: Note: The information displayed in this screenshot is for example only, and may vary depending on your network. 16. Enter the route policy information in the text-fields. This needs to be the same information that was previously entered/configured in the Windows Azure Management Portal. 17. Click the Disable route when the interface is disconnected checkbox. 18. Click the Auto-add Access Rules checkbox. 19. Click the OK button. 28

Test the Connectivity Now that we have completed the configuration on both sides, it is time to initiate the VPN connection. 1. In the Windows Azure Management Portal, navigate to Networks, and then click on your virtual network to go to its Dashboard page. 2. At the bottom of this page, click on CONNECT. 3. Log into the SonicOS Management Interface, and navigate to the VPN > Settings Page. In the VPN Policies table, the VPN will show as connected: 29

It may take a while for the VPN tunnel to show as connected in the Windows Azure Management Portal. Once the tunnel is established, the portal will look like this: 4. To test traffic flow from the SonicOS side to the Azure cloud, perform either of the following: Try to establish an RDP connection to a Virtual Machine (VM) in the cloud on port 3389 from a host behind the Dell SonicWALL Firewall. Try to ping a VM in the cloud from a host behind the Dell SonicWALL Firewall. Note: By default a VM in the Azure cloud will have inbound ICMP blocked by Windows Firewall and needs to be enabled in Windows using this command: netsh advfirewall firewall add rule name="all ICMP V4" protocol=icmpv4:any,any dir=in action=allow Last updated: 10/4/2013 30

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information