Karim Elatov

Deploying an RSA SecurID Access IDR in vCloud Air

Blog Post created by Karim Elatov Employee on Oct 13, 2015

We were testing out deploying an IDR in vCloud Air to ensure the setup and configuration worked without any issues. Here is the process we ran through to successfully deploy an IDR in vCloud Air.


Import IDR OVA into vCloud Air Catalog


After you log in to your vCloud Air Private Cloud you can create a VM within your VDC (Virtual Data Center). Click on the Virtual Machines tab and you will see the following:

vca-inside-vcd.png

Click on Create your first virtual machine and you will see the new VM wizard:

vca-new-vm-wiz.png

If you click on My Catalog it might be empty:

vca-my-cat-empty.png

At this point you can click on Create My Virtual Machine from Scratch and it will take you to your vCloud instance:

vca-vcloud-instance.png

From here you can upload the OVA into the default catalog (inside vCloud Director under Catalogs -> default_catalog -> Upload) so you can use it as a template for multiple deployments:

vca-idr-in-catalog.png

Create a SNAT in vCloud Air

By default most traffic is blocked and no NAT is configured, so the VMs can't reach the external network. To fix this, first let's get a public IP. In vCloud Air go to Gateways -> GATEWAY ON VDC1 -> Public IPs; initially it will look like this:

vca-no-pub-ips.png

Then click on Add IP Address; it will warn you about being charged and then allocate the IP. Now let's create the SNAT so any machine can reach the internet. Go to Gateways -> GATEWAY ON VDC1 -> NAT Rules -> Add a NAT Rule and fill out the following (make sure it matches your environment):

vca-add-nat-rule.png

The firewall is pretty restrictive as well, so go to Gateways -> GATEWAY ON VDC1 -> Firewall Rules and add the following basic rules:

vca-basic-firewall-rules.png

Adding a second Organization Network

vCloud Director offers many different networking options, most of which are covered in vApp Design Considerations. By default a Direct – External Organization Virtual Datacenter Network (Routed) network is created; from the same page:

5.4.1.5. Direct – External Organization Virtual Datacenter Network (Routed)
If the same example vApp with three virtual machines is connected to an organization virtual datacenter network that has a routed connection to an external network, the vApp is connected to an organization virtual datacenter network and is deployed there with the organization virtual datacenter network’s IP addressing. The Edge Gateway device then provides a routed connection between the organization virtual datacenter network and the external network. This scenario is shown in the following figure.

Figure 11. Direct Connection to a Routed External Organization Virtual Datacenter Network

vca-routed-network.png

And it looks like this in vCloud Director (Navigate to Administration -> Virtual Datacenters -> VCD1 -> Org VDC Networks):

vca-def-routed-net.png

So let's add another routed network, which will be our mgmt network (the IDR comes with two network interfaces, portal and mgmt). Click the green + to start the wizard and choose the routed option:

vca-add-routed-net.png

I then added the following network details on the next page:

vca-new-routed-net.png

And after that you will have two networks:

vca-2-routed-networks.png

I will use 192.168.109.0/24 to be the portal/DMZ (defaulted-routed-network) network and 10.10.10.0/24 as the mgmt/internal (routed-network-2) network.

DNAT for the Portal Interface

Since we want the portal to be reachable externally, let's add a DNAT (a port forward) from the Public IP port 443 to the internal portal IP port 443. So in vCloud Air navigate to Gateways -> GATEWAY ON VDC1 -> NAT Rules -> Add a NAT Rule and add the following DNAT:

vca-dnat-rule.png

On the next page if you are really organized you can also add a similar rule for 80:

vca-2-dnat-rules.png

Also don't forget to allow ports 80 and 443 through the firewall to the public IP and to the internal network. I ended up creating the following rules to allow that traffic:

vca-firewall-allow-external-access.png

vca-firewall-internal-access.png

Firewall and NAT Rules prior to Registration

As a sanity check here is a table of my NAT Rules:

Type | Original IP      | Original Port | Translated IP  | Translated Port | Protocol
-----|------------------|---------------|----------------|-----------------|---------
DNAT | 107.189.120.76   | 443           | 192.168.109.2  | 443             | TCP
DNAT | 107.189.120.76   | 80            | 192.168.109.2  | 80              | TCP
SNAT | 192.168.109.0/24 | Any           | 107.189.120.76 | Any             | Any
SNAT | 10.10.10.0/24    | Any           | 107.189.120.76 | Any             | Any
DNAT | 107.189.120.76   | 8443          | 10.10.10.2     | 443             | TCP


The bottom one (DNAT from 8443 to MGMT_IP 443) is to allow access to the setup.jsp page and can be removed after registration. And the Firewall rules look like this:

Name                        | Source            | Destination            | Protocol
----------------------------|-------------------|------------------------|---------
ALLOW_INTERNAL_ICMP_OUT     | Internal:Any      | Any:Any                | ICMP
ALLOW_INTERNAL_DNS_OUT      | Internal:Any      | Any:53                 | UDP
ALLOW_INTERNAL_HTTP_OUT     | Internal:Any      | Any:80                 | TCP
ALLOW_INTERNAL_HTTPS_OUT    | Internal:Any      | Any:443                | TCP
ALLOW_INTERNAL_UDP_1194_OUT | 10.10.10.0/24:Any | Any:1194               | UDP
ALLOW_EXTERNAL_HTTP_IN      | Any:Any           | 107.189.120.76/32:80   | TCP
ALLOW_EXTERNAL_HTTPS_IN     | Any:Any           | 107.189.120.76/32:443  | TCP
ALLOW_INTERNAL_HTTP_IN      | Any:Any           | 192.168.109.0/24:80    | TCP
ALLOW_INTERNAL_HTTPS_IN     | Any:Any           | Internal:443           | TCP
ALLOW_EXTERNAL_TCP_8443_IN  | Any:Any           | 107.189.120.76/32:8443 | TCP

The ALLOW_INTERNAL_HTTPS_IN rule can be changed after registration to only allow 443 to the portal interface network (192.168.109.0/24) rather than to any internal IP. The bottom rule (ALLOW_EXTERNAL_TCP_8443_IN) can also be removed once setup.jsp access is no longer required, since it only exists to allow the port forward from 8443 to the MGMT_IP on 443.

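To sanity-check the NAT and firewall tables above the way a reviewer would, here is an added Python example (not from the post): it encodes the post's DNAT rows and inbound firewall rows, reports which firewall rule admits the public side and the translated side of each forward (an empty list is a gap), and lists the rules aimed at the whole Internal object. The rule values are the post's; treating the UI's "Internal" object as the two Org VDC networks is an assumption.

```python
from ipaddress import ip_address, ip_network

PUBLIC_IP = "107.189.120.76"
# Assumption: the vCloud UI's "Internal" object expands to both Org VDC networks.
INTERNAL = ["192.168.109.0/24", "10.10.10.0/24"]

# DNAT rows from the post's NAT table: (orig ip, orig port, translated ip, translated port, proto)
DNAT_RULES = [
    (PUBLIC_IP, 443, "192.168.109.2", 443, "TCP"),
    (PUBLIC_IP, 80, "192.168.109.2", 80, "TCP"),
    (PUBLIC_IP, 8443, "10.10.10.2", 443, "TCP"),
]
# Inbound rows from the post's firewall table: (name, source, destination, proto)
FW_RULES = [
    ("ALLOW_EXTERNAL_HTTP_IN", "Any:Any", "107.189.120.76/32:80", "TCP"),
    ("ALLOW_EXTERNAL_HTTPS_IN", "Any:Any", "107.189.120.76/32:443", "TCP"),
    ("ALLOW_INTERNAL_HTTP_IN", "Any:Any", "192.168.109.0/24:80", "TCP"),
    ("ALLOW_INTERNAL_HTTPS_IN", "Any:Any", "Internal:443", "TCP"),
    ("ALLOW_EXTERNAL_TCP_8443_IN", "Any:Any", "107.189.120.76/32:8443", "TCP"),
]

def host_matches(spec, ip):
    """Does a rule's host field (Any, Internal, or a CIDR) cover this IP?"""
    if spec == "Any":
        return True
    nets = INTERNAL if spec == "Internal" else [spec]
    return any(ip_address(ip) in ip_network(n, strict=False) for n in nets)

def allowed(ip, port, proto="TCP"):
    """Names of the inbound firewall rules that admit traffic to ip:port."""
    hits = []
    for name, _src, dst, rproto in FW_RULES:
        dhost, dport = dst.rsplit(":", 1)
        if rproto in ("Any", proto) and host_matches(dhost, ip) \
                and dport in ("Any", str(port)):
            hits.append(name)
    return hits

def check_dnat():
    """The post allows both the public side and the translated side of each
    DNAT, so report the rule(s) admitting each; an empty list is a gap."""
    return {(oip, oport): {"public": allowed(oip, oport, proto),
                           "internal": allowed(tip, tport, proto)}
            for oip, oport, tip, tport, proto in DNAT_RULES}

def broad_destinations():
    """Rules aimed at the whole Internal object; the post narrows
    ALLOW_INTERNAL_HTTPS_IN to 192.168.109.0/24 after registration."""
    return [n for n, _s, d, _p in FW_RULES if d.startswith("Internal:")]
```

Re-run check_dnat() after removing the 8443 rules post-registration and the 8443 entry should drop out entirely rather than show an empty list.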
Configure IPs on the IDR

First let's assign the vNics of the VM to the appropriate networks (management to default-routed-network and portal to routed-network-2). Click on the VM and then go to Networks:

vca-vm-networks.png

Then click Add a Network and assign the NICs accordingly:

vca-vnic-assign.png

Then go back to the main VM screen and power on the IDR VM:

vca-poweron-vm.png

Then click on the VM and it will take you to the properties page of the VM, where you can click on Open Virtual Machine Console:

vca-vm-props.png

vca-sharva-console.png

After applying the network settings I was able to reach port 8443 without problems:

vca-8443-access-setup-jsp.png

Establishing the IPSec Tunnel To Local Environment

There is a pretty good KB on the process from VMware, Configuring IPsec VPN within VMware vCloud Air to a remote network, and it has a good diagram of all the networks involved:

vca-vpn-diag.png

My local network is the mgmt network, 10.10.10.0/24, and my peer network is 10.210.0.0/16, which allows access to the AD in my internal network. So to start this configuration from vCloud Air go to Gateways -> GATEWAY ON VDC1, then click on Manage in vCloud Director:

vca-gw-config-in-vcloud.png

Once in vCloud Director, go to Administration -> Virtual Datacenters -> VCD1 -> Edge Gateways, right click on the default GW and choose Edge Gateway Services:

vca-vcloud-edit-services.png

Then go to the VPN tab and click Enable VPN and then Add:

vcd-enable-vpn.png

After clicking Add, the wizard will start and you can configure your VPN settings. The settings depend on your environment, but here are the options broken down:

Option              | Value                        | Description
--------------------|------------------------------|------------
Local Network       | 10.10.10.0/24                | This is the vCloud network (Mgmt Network) we want the remote site to have access to
Peer Networks       | 10.210.0.0/16                | This is the network we want to access at the remote site
Local Endpoint      | 107.189.120.76 (drop down)   | This is the Public IP of the Local End Point
Local ID            | 107.189.120.76               | This can be anything, but it helps to set it to the IP to keep track of the configuration
Peer ID             | 10.210.0.248                 | This can be anything as well, but they recommend setting it to either the Public IP or the Private IP of the Remote End Point
Peer IP             | X.X.X.X                      | This is the Public IP of the Remote End Point
Encryption Protocol | AES                          | You can use AES 256, 3DES, or AES
Shared Key          | Left it as the generated one | The same key must be used on the remote VPN side so the two end points can authenticate each other and establish the VPN Tunnel
MTU                 | 1500                         | Left the Default

Firewall Configuration in vCloud for VPN Connections

I ended up adding the following rules to ensure the VPN connection is established and to allow traffic from and to the internal networks across the VPN tunnel:

Name                     | Source            | Destination           | Protocol | Notes
-------------------------|-------------------|-----------------------|----------|------
ALLOW_IP_SEC_ESP_AH_UDP  | X.X.X.X/32:Any    | 107.189.120.76/32:Any | ANY      | This is so we can establish the IPSec Tunnel between the two endpoints (see the note below)
ALLOW_VPN_TRAFFIC_L_TO_R | 10.210.0.0/16:Any | 10.10.10.0/24:Any     | ANY      | This might be overkill, but I am allowing anything from the Internal network to the vCloud MGMT network.
ALLOW_VPN_TRAFFIC_R_TO_L | 10.10.10.0/24:Any | 10.210.0.0/16:80      | ANY      | This might be overkill, but I am allowing anything from the vCloud MGMT network to the Remote Internal network. For my test I could've just allowed 389 for the AD connection, but if you are planning to connect to internal webapps then 80 and 443 should be added here.

For ALLOW_IP_SEC_ESP_AH_UDP the following is necessary:
  • IP Protocol ID 50 (ESP)
  • IP Protocol ID 51 (AH)
  • UDP Port 500 (IKE)
  • UDP Port 4500

Since the only IP protocol allowed in the vCloud UI is ICMP, I decided to use Any to make sure I cover all of the above.

 
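As an added example (not from the post), here is a small check of the point made in the ALLOW_IP_SEC_ESP_AH_UDP note: the protocol choices the firewall UI exposes cannot express ESP or AH, so UDP port rules on their own leave the tunnel's data plane blocked, which is why the rule ends up as ANY. The list of prerequisites is the post's; the UI protocol set and the constructed rule tuples are assumptions.

```python
# What the post lists as necessary for the IPsec tunnel: (protocol, port)
IPSEC_NEEDS = {
    "ESP": ("50", None),     # IP protocol 50, no port
    "AH": ("51", None),      # IP protocol 51, no port
    "IKE": ("UDP", 500),
    "NAT-T": ("UDP", 4500),  # UDP 4500 is IKE/ESP NAT traversal
}
# Assumption: the protocols the vCloud Air firewall UI lets you pick
UI_PROTOCOLS = {"TCP", "UDP", "ICMP", "ANY"}

def not_expressible(rules):
    """Rules whose protocol cannot be selected in the UI at all."""
    return [name for name, proto, _port in rules if proto.upper() not in UI_PROTOCOLS]

def covers(rule, proto, port):
    """Does one (name, proto, port) rule admit this protocol/port?"""
    _name, rproto, rport = rule
    if rproto.upper() == "ANY":
        return True
    return rproto.upper() == proto and rport in ("Any", port)

def uncovered(rules):
    """IPsec components that no rule in the set admits, sorted by name."""
    return sorted(k for k, (p, port) in IPSEC_NEEDS.items()
                  if not any(covers(r, p, port) for r in rules))

# Constructed rule sets (source/destination are assumed to be the two endpoints):
PORT_ONLY = [("ALLOW_IKE", "UDP", 500), ("ALLOW_NAT_T", "UDP", 4500)]
ESP_BY_NUMBER = PORT_ONLY + [("ALLOW_ESP", "50", "Any"), ("ALLOW_AH", "51", "Any")]
POST_RULE = [("ALLOW_IP_SEC_ESP_AH_UDP", "ANY", "Any")]
```

ESP_BY_NUMBER would cover everything in principle, but not_expressible() shows its two rules cannot be entered in the UI, leaving ANY as the only option.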

After all the above is done, if you go back to vCloud Director you will see the VPN connection is good:

vcd-vpn-established (1).png

After all the above settings, we were able to connect to the AD server and log in to the web portal without issues.
