The endpoint device registers with NGFW automatically after connecting to the VPN server whose data are entered on the first screen of the application GUI. UserGate Client's built-in VPN client uses the following settings to establish a VPN connection:
-
IKE mode (when IKEv1 is used): main
-
Dead Peer Detection (DPD): On idle mode.
-
Diffie-Hellman groups: Group 2 (Prime 1024), Group 14 (Prime 2048), Group 16 (Prime 4096)
-
Authentication and encryption algorithm pairs (phases 1 and 2): SHA1/AES128, SHA256/AES128, SHA384/AES128, SHA1/AES256, SHA256/AES256, SHA384/AES256, SHA1/3DES, SHA256/3DES, SHA384/3DES;
-
Key lifesize (phase 2): unlimited.
To connect the endpoint:
|
Name |
Description |
|---|---|
|
Step 1. Allow connection of endpoints in the zone. |
In the zone used for VPN connections, allow the Connecting endpoints service. |
|
Step 2. Specify information to establish an SSL connection between the endpoint and NGFW. |
In the UserGate ➜ Settings section, specify the certificate and profile to establish an SSL connection. When connecting, the endpoint will check the validity of the certificate. If you change the certificate on the NGFW and there are already connected endpoints, you must distribute the root certificate of the certification authority (Root CA). The certificate must be placed in the local computer store Trusted Root Certification Authorities. TCP port 4045 is used for interaction between the endpoint and NGFW. |
|
Step 3. Configure NGFW as a VPN server. |
Configure VPN on NGFW to which the enpoint will connect. Once the VPN connection is established, the endpoint will register automatically. Security policies configured on NGFW will also be applied to the endpoints. Important! To check compliance, the endpoint will send telemetry to NGFW every 1 minute. |
The endpoint will attempt to register each time it connects to a new VPN server.