Example: creating a policy-based VPN for mobile users

An example of a policy-based VPN that allows mobile users to authenticate and connect to internal networks.

Company A has service technicians and salespeople who must be able to connect to their office networks to access information when they are on customer visits. The administrators need to add VPN client access to the existing VPN infrastructure. The administrators decide to use Forcepoint VPN Client. As the authentication method, the administrators decide to use passwords stored in the Management Server’s internal database.

The administrators also want to provide only one point of access so that the users do not have to select which gateway to connect to. The central office has site-to-site VPN tunnels to both remote offices that can be used for forwarding traffic to those sites as needed. The existing DHCP server at the central office can be used for assigning IP addresses to the VPN clients’ Virtual Adapter. A Virtual Adapter is required for this type of forwarding.

The administrators:

Edit the central office firewall element, then activate the Virtual Adapter method for VPN client address management.
Edit the VPN Profile to use Hybrid Authentication for authenticating the VPN client users.
Create a Policy-Based VPN element called “Remote User VPN” that includes the central office gateway as a Central Gateway.
Select the Only central Gateways from overall topology option on the Mobile VPN tab.
Create a “Forward Addresses” Site element under the central office gateway.
Populate the site with the remote office networks to route those IP addresses through the “Remote User VPN”.
Disable the “Forward Addresses” Site in the existing “Inter-Office VPN” between the central office and the remote offices. Sites are global for all policy-based VPNs, so this Site must be disabled to avoid a misconfiguration in the Inter-Office VPN.
Create User Group and User elements to define the user names and passwords for the VPN client users.

Add the following Access rules in the policy of the central office firewall:

Source	Destination	Action	Authentication	Source VPN
ANY	Central office internal networks	Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the “Remote User VPN” Policy-Based VPN element.	Users tab: “VPN Client Users” User Group Authentication Methods tab: “User Password” Authentication Service
VPN Client DHCP addresses	Remote offices’ internal IP addresses	Select Allow, then open the Action options. Set VPN Action to Forward, then select the “Inter-office VPN” Policy-Based VPN element.		Rule matches traffic from any VPN client

Source

Destination

Action

Authentication

Source VPN

ANY

Central office internal networks

Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the “Remote User VPN” Policy-Based VPN element.

Users tab: “VPN Client Users” User Group

Authentication Methods tab: “User Password” Authentication Service

VPN Client DHCP addresses

Remote offices’ internal IP addresses

Select Allow, then open the Action options. Set VPN Action to Forward, then select the “Inter-office VPN” Policy-Based VPN element.

Rule matches traffic from any VPN client

Create a customized Forcepoint VPN Client installation package for Windows. A customized installation package allows users of Forcepoint VPN Client for Windows to install using a silent installation package that does not require their input. The administrators include the gateway contact information in the package so that the users do not need to enter it manually even when they use the Forcepoint VPN Client for the first time.