VPN client settings in the Management Client

Several settings for Forcepoint VPN Client are available in the Management Client.

Table 1. Forcepoint VPN Client settings in the Management Client
Location: Engine Editor > VPN > Advanced

TCP Tunneling Port: This option is included for backward compatibility with legacy NGFW software versions.
Translate IP Addresses Using NAT Pool:
  • Address range for translating IP addresses of incoming Forcepoint VPN Client connections for internal networks.
  • Alternative to using the Virtual Adapter (next setting in this table).

Location: Engine Editor > VPN > VPN Client

VPN Type: Defines the type of tunnels the mobile VPN supports.
  • IPsec VPN — The mobile VPN only supports IPsec tunnels.
  • SSL VPN — The mobile VPN only supports SSL VPN tunnels.
  • Both IPsec & SSL VPN — The mobile VPN supports IPsec and SSL VPN tunnels.
SSL Port (SSL VPN types only): The port for SSL VPN tunnels.
TLS Cryptography Suite Set (SSL VPN types only): The cryptographic suite for SSL VPN tunnels.
Authentication Timeout (SSL VPN types only): The timeout for Forcepoint VPN Client user authentication.
Local Security Checks: Defines whether Forcepoint VPN Client checks for the presence of basic security software to stop connections from risky computers.
Virtual IP address (Using Virtual Adapter):
  • Options for configuring Forcepoint VPN Client with a second, virtual network adapter with a DHCP-assigned IP address for connections inside the VPN.
  • Alternative to using the NAT Pool (previous setting in this table).
Secondary IPsec VPN Gateways: IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact).

Location: VPN Profile element properties > IKE SA tab

Versions: IKE versions used in IKE SA negotiations.
Cipher Algorithms, Message Digest Algorithms: The supported algorithms for the current version of Forcepoint VPN Client.
Diffie-Hellman Groups: Diffie-Hellman groups used in IKE SA negotiations.
Authentication Method: This setting has no effect on Forcepoint VPN Client connections. See the IPsec Client tab instead.
SA Lifetime in Minutes: The time limit after which IKE SA negotiations are done again in a continuously used VPN. This setting also defines the authentication timeout for the Forcepoint VPN Client.
IKEv1 Negotiation Mode: This setting has no effect on Forcepoint VPN Client connections.

Location: VPN Profile element properties > IPsec SA tab

IPsec Type: Only ESP is supported.
Cipher Algorithms, Message Digest Algorithms: The supported algorithms for the current version of Forcepoint VPN Client.
Compression Algorithm: Deflate.
Use PFS with Diffie-Hellman Group: Diffie-Hellman group used in IKE SA negotiations when PFS can be used.

Location: VPN Profile element properties > IPsec Client tab

Authentication Method: The selected authentication method used with Forcepoint VPN Client.
Allow Hybrid/EAP Authentication: Forcepoint VPN Client users authenticate by user name and password (or other type of passcode), and the gateway authenticates itself to the client with a certificate.
Allow CN authentication: Allows authentication using the common name in the certificate as the user name. The CN is checked against a value entered in the User elements.
Allow Pre-Shared Key Authentication with IKEv1: This setting has no effect on Forcepoint VPN Client connections, as pre-shared key authentication is not supported.
IPsec Security Association Granularity: Defines whether SAs are negotiated per network or per connecting IP address. Forcepoint VPN Client only supports the SA Per Net setting.

Location: Policy-Based VPN element > Tunnels tab

Pre-shared Key fields: This setting has no effect on Forcepoint VPN Client connections. Pre-shared keys for Forcepoint VPN Client connections are defined per user account in the User elements.

VPN Client - Properties dialog box

Use this dialog box to view the VPN Client settings that are configured in the Engine Editor.

General tab
Name: Specifies the unique name of the element.
Gateway Profile: Shows the selected gateway profile.
Select: Opens the Select Element dialog box.
Comment: An optional comment for your own reference.

Endpoints tab
Search: Opens a search field for the selected element list.
New: This option is not available in this dialog box.
Tools:
  • Expand All — Expands all elements.
  • Collapse All — Collapses all elements.
  • Refresh View — Refreshes the list of elements.

Sites tab
Search: Opens a search field for the selected element list.
Up: Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
New: This option is not available in this dialog box.
Tools:
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the view.

Trusted CAs tab
Trust All: Shows the value of the Trust All option.
Trust only selected: Shows the value of the Trust only selected option.

Engine Editor > VPN > VPN Client

Use this branch to change settings that are used when the NGFW Engine acts as a VPN Gateway in a mobile VPN.

Gateway Display Name: If you want to show a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element.
VPN Type: Defines the type of tunnels the mobile VPN supports.
  • IPsec VPN — The mobile VPN only supports IPsec tunnels.
  • SSL VPN — The mobile VPN only supports SSL VPN tunnels.
  • Both IPsec & SSL VPN — The mobile VPN supports IPsec and SSL VPN tunnels.
SSL Port (When VPN Type is SSL VPN): The port for SSL VPN tunnels.
TLS Cryptography Suite Set (When VPN Type is SSL VPN): The cryptographic suite for SSL VPN tunnels. Click Select to select an element.
  Note: Do not change the default setting unless you have a specific reason to do so.
Authentication Timeout (When VPN Type is SSL VPN): The timeout for Forcepoint VPN Client user authentication.

Local Security Checks section
Defines whether the Forcepoint VPN Client checks for the presence of basic security software to stop connections from risky computers.
  • Anti-Virus is enabled — Requires anti-virus software to be enabled on the computers of mobile VPN users.
  • Firewall is enabled — Requires firewall software to be enabled on the computers of mobile VPN users.
  • Windows Update is enabled — Requires the Windows Update service to be enabled on the computers of mobile VPN users.

Virtual Address section
Options for configuring the Forcepoint VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN.
DHCP Mode: Specifies how DHCP requests from VPN clients are sent.
  • Disabled (IPsec VPN type only) — DHCP is not enabled.
  • Direct — When selected, the engine sends a normal DHCP client broadcast message to a DHCP server located in a directly connected network.
    Note: This option is included for backward compatibility with legacy NGFW software versions.
  • Relay — When selected, the engine sends unicast DHCP relay messages for VPN clients’ DHCP requests.
  Note: If SSL VPN or Both IPsec & SSL VPN is selected from the VPN Type drop-down list, only the Direct and DHCP Relay options are shown.
Interface (When DHCP Mode is Direct): The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
Interface for DHCP Relay (When DHCP Mode is Relay): The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
DHCP Server (NGFW < 5.9) (When DHCP Mode is Direct): The DHCP server that assigns IP addresses for the VPN clients.
  Note: This option is included for backward compatibility with legacy NGFW software versions.
DHCP Servers (When DHCP Mode is Relay): The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element.
Add Information (Optional): Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
  • Add User Information — When selected, VPN Client user information (in the form user@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
  • Add Group Information — When selected, VPN Client user group information (in the form group@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
  • None — When selected, no user or user group information is added to the Remote ID option field in the DHCP Request packets.
Restrict Virtual Address Ranges: When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right.
Proxy ARP: When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right.
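As an added example (not Forcepoint's code and not taken from this page), the following Python shows what the Add Information and Restrict Virtual Address Ranges settings described above correspond to on the wire and in a policy check: it encodes and parses the identity that a relay places in the Remote ID field, and it accepts or rejects a DHCP-offered address against a configured range. It assumes that the Remote ID field is the Remote ID sub-option (code 2) of the DHCP Relay Agent Information option (option 82, RFC 3046) and that the identity is carried as plain ASCII text; the page does not state the encoding. All user names, domains and address ranges below are constructed sample values.

```python
"""Added example: Remote ID encoding and virtual-address range check.

Assumptions not stated on the page:
- The "Remote ID option field" is the Remote ID sub-option (code 2) of the
  DHCP Relay Agent Information option (option 82, RFC 3046).
- The identity is carried as plain ASCII "user@domain" or "group@domain".
"""
import ipaddress

OPTION_RELAY_AGENT_INFO = 82  # DHCP option 82 (RFC 3046)
SUBOPT_REMOTE_ID = 2          # Remote ID sub-option code (RFC 3046)


def remote_id_identity(mode, user=None, group=None, domain=None):
    """Map the Add Information setting to the text placed in Remote ID.

    mode is 'user' (Add User Information), 'group' (Add Group Information)
    or 'none'. Returns None when nothing is added.
    """
    if mode == "none":
        return None
    if mode == "user" and user and domain:
        return f"{user}@{domain}"
    if mode == "group" and group and domain:
        return f"{group}@{domain}"
    raise ValueError(f"invalid Add Information mode or missing identity: {mode!r}")


def build_relay_agent_option(remote_id):
    """Encode option 82 carrying one Remote ID sub-option as raw bytes:
    option code, option length, sub-option code, sub-option length, value."""
    value = remote_id.encode("ascii")
    if len(value) > 255:
        raise ValueError("Remote ID value exceeds the 255-byte sub-option limit")
    sub = bytes([SUBOPT_REMOTE_ID, len(value)]) + value
    return bytes([OPTION_RELAY_AGENT_INFO, len(sub)]) + sub


def parse_relay_agent_option(data):
    """Decode option 82 bytes into {sub-option code: value bytes}.

    Every declared length is checked against the bytes actually present, so a
    DHCP server or log parser never reads past a truncated or padded option.
    """
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a Relay Agent Information option")
    length = data[1]
    body = data[2:2 + length]
    if len(body) != length or len(data) != 2 + length:
        raise ValueError("option length does not match the data present")
    subs = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sublen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        pos += 2 + sublen
    return subs


def is_well_formed(data):
    """True when parse_relay_agent_option accepts the bytes, False otherwise."""
    try:
        parse_relay_agent_option(data)
        return True
    except ValueError:
        return False


def offered_address_allowed(offered_ip, allowed_range):
    """Restrict Virtual Address Ranges check: accept a DHCP-offered address
    only when it lies inside the configured 'first-last' range (inclusive)."""
    first, last = (ipaddress.ip_address(p.strip()) for p in allowed_range.split("-"))
    return first <= ipaddress.ip_address(offered_ip) <= last


if __name__ == "__main__":
    # Constructed sample values, not from the page.
    identity = remote_id_identity("user", user="alice", domain="example.com")
    option = build_relay_agent_option(identity)
    print(option.hex())
    print(parse_relay_agent_option(option)[SUBOPT_REMOTE_ID].decode("ascii"))
    print(offered_address_allowed("10.8.0.25", "10.8.0.10-10.8.0.100"))
    print(offered_address_allowed("10.8.1.5", "10.8.0.10-10.8.0.100"))
```

The parser deliberately rejects both truncated and over-long encodings rather than silently trusting the declared lengths; the range check is the gateway-side rule the setting describes, applied to whatever the DHCP server offers.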
Secondary IPsec VPN Gateways section (Optional; when VPN Type is IPsec VPN)
Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down.

Engine Editor > VPN > Advanced

Use this branch to change advanced VPN settings.

Gateway Settings: The Gateway Settings element that defines performance-related VPN options.
Gateway Profile: The Gateway Profile in use.
Translate IP Addresses Using NAT Pool: When selected, the specified IP address range and port range are used for translating IP addresses of incoming Forcepoint VPN Client connections to internal networks. Enter the ranges in the IP Address Range and Port Range fields.