Example: creating a policy-based VPN between three offices

An example of a policy-based VPN between two or more locations, here a central office and two remote offices.

Company A has a central office and two remote offices, each with its own Forcepoint NGFW Firewall/VPN device. The company needs secured communications links between the remote offices and the central office for access to various services, such as file servers, at the central office.

Figure: Company A’s networks
All shared servers are at the central office, and internal emails and other communications are also handled by the central servers. There is no need for secure connectivity between the remote offices.

All Firewalls have a public IP address toward the Internet. The internal networks at each site use private IP addresses. There is no need to translate the VPN traffic, since all offices use their own distinct address space.

The security policy of the company requires certificate-based authentication. The administrators decide to use the Management Server’s Internal RSA CA for Gateways for issuing the VPN certificates.

The administrators:
  1. Select each engine’s public IP address as the VPN endpoint, then activate automatic certificate management.
  2. Add Site elements for all gateways, then add the entire local internal network as the content for each Site.
  3. Create a VPN Profile, and select RSA Signatures as the authentication method. RSA certificates are automatically generated for each gateway.
  4. Create a Policy-Based VPN element called “Inter-Office VPN” that includes the central office gateway as a central gateway and the two remote site gateways as satellite gateways.
  5. Add the following types of Access rules in the policy of the central office firewall:
     Rule 1
       Source: Network elements for remote office 1 and remote office 2 internal IP addresses
       Destination: Network elements for central office’s internal networks
       Action: Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the “Inter-Office VPN” Policy-Based VPN element.
     Rule 2
       Source: Network elements for central office’s internal networks
       Destination: Network elements for remote office 1 and remote office 2 internal IP addresses
       Action: Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the “Inter-Office VPN” Policy-Based VPN element.
  6. Add the following types of Access rules in the policies of both remote office firewalls:
     Rule 1
       Source: Network element for the remote office’s own internal IP addresses
       Destination: Network elements for central office’s internal networks
       Action: Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the “Inter-Office VPN” Policy-Based VPN element.
     Rule 2
       Source: Network elements for central office’s internal networks
       Destination: Network element for the remote office’s own internal IP addresses
       Action: Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the “Inter-Office VPN” Policy-Based VPN element.
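As an added illustration, not part of the original Forcepoint documentation: the Python script below models the three-site address plan and the rule tables from steps 5 and 6, checks the two assumptions the example relies on (distinct address space at every site, so no NAT is needed inside the tunnel; a return-direction rule on every firewall), and evaluates sample flows to show that remote-to-remote traffic matches no rule on a remote firewall. The prefixes, site names and rule dictionaries are assumptions made for the demonstration; the engines themselves are configured in the Management Client, not by this script.

```python
import ipaddress
from itertools import combinations

# Constructed address plan for the three sites in the example.
# These prefixes are an assumption for illustration; the page gives none.
SITES = {
    "central": ["10.1.0.0/16"],
    "remote1": ["10.2.0.0/24"],
    "remote2": ["10.3.0.0/24"],
}
CENTRAL = "central"
VPN_NAME = "Inter-Office VPN"


def overlapping_sites(sites):
    """Return (site_a, net_a, site_b, net_b) for every pair of networks that
    overlap. The example skips NAT inside the tunnel only because the sites
    use distinct address space; any overlap here breaks that assumption and
    would require NAT or readdressing."""
    clashes = []
    for (a, nets_a), (b, nets_b) in combinations(sites.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                    clashes.append((a, na, b, nb))
    return clashes


def enforce_vpn_rule(src, dst, vpn_name):
    """One Access rule as the page describes it: Allow, with VPN Action set
    to Enforce VPN and the Policy-Based VPN element selected."""
    return {"source": src, "destination": dst, "action": "Allow",
            "vpn_action": "Enforce VPN", "vpn": vpn_name}


def access_rules(sites, central, vpn_name):
    """Build the per-firewall rule lists from steps 5 and 6: the central
    firewall carries both directions for every remote office; each remote
    firewall carries both directions for the central office only. No
    remote-to-remote rule is created, matching the hub-and-spoke need."""
    remotes = [s for s in sites if s != central]
    rules = {central: []}
    for r in remotes:
        rules[central].append(enforce_vpn_rule(r, central, vpn_name))
        rules[central].append(enforce_vpn_rule(central, r, vpn_name))
    for r in remotes:
        rules[r] = [enforce_vpn_rule(r, central, vpn_name),
                    enforce_vpn_rule(central, r, vpn_name)]
    return rules


def missing_reverse_rules(rules):
    """Return (firewall, source, destination) for every rule whose
    return-direction rule is absent on the same firewall. A missing
    reverse rule is a common cause of a tunnel that passes traffic one
    way only."""
    missing = []
    for fw, fw_rules in rules.items():
        pairs = {(r["source"], r["destination"]) for r in fw_rules}
        for src, dst in sorted(pairs):
            if (dst, src) not in pairs:
                missing.append((fw, src, dst))
    return missing


def _site_of(sites, ip):
    """Map an address to the site whose networks contain it, or None."""
    addr = ipaddress.ip_address(ip)
    for site, nets in sites.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return site
    return None


def match_rule(rules, sites, firewall, src_ip, dst_ip):
    """First-match evaluation of a flow against one firewall's rule list.
    Returns the matching rule, or None when none of the example's rules
    allows the flow."""
    src_site = _site_of(sites, src_ip)
    dst_site = _site_of(sites, dst_ip)
    for rule in rules[firewall]:
        if rule["source"] == src_site and rule["destination"] == dst_site:
            return rule
    return None


if __name__ == "__main__":
    assert not overlapping_sites(SITES), "sites overlap; NAT would be needed"
    table = access_rules(SITES, CENTRAL, VPN_NAME)
    assert not missing_reverse_rules(table), "one-way rule set"
    for fw, fw_rules in table.items():
        print(fw)
        for r in fw_rules:
            print(f"  {r['source']:>8} -> {r['destination']:<8} {r['action']}, "
                  f"{r['vpn_action']} ({r['vpn']})")
    # A remote-to-remote flow matches nothing on remote1: it is not tunnelled.
    print(match_rule(table, SITES, "remote1", "10.2.0.5", "10.3.0.7"))
```

Running the script prints the four rules on the central firewall and the two rules on each remote firewall, then `None` for the remote1-to-remote2 flow, which is the intended outcome given that the remote offices do not need secure connectivity with each other.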