Introduction to RAS
The Syneto Central Remote Access Service (RAS) is a turnkey solution for allowing secure VPN connections into the company network. It is a hybrid cloud service managed through Syneto Central and running on HYPERSeries software.
This document describes the system requirements, deployment process and administrative tasks involved in managing the lifecycle of the RAS service. The appliance on which we’ll deploy the Remote Access Service is called the RAS gateway.
To use the RAS service, the following requirements must be met:
- a HYPERSeries physical or virtual appliance running SynetoOS version 4.6.0 or later
- a valid Central account with rights granted for the Fleet Management service
- one location created for each site where the RAS service will be deployed
- Internet connectivity between the appliance and the Central cloud
Deploying the RAS service
Upgrade an existing machine to version 4.6.0 or deploy a new Syneto installation. If deploying a new machine, run the Quick Setup process and, during it, activate the machine with Central.
RAS needs the remote access tunnel to be active. If the support plan for the RAS gateway includes the Serenity service, and the service was not disabled, the access tunnel is established on every system boot. For support plans without the Serenity service, the tunnel needs to be manually established. To do so, on the HYPER web interface, go to the Help page and click [Enable remote access]. If the procedure is successful, you will see the following message.
On Central, if you don’t have one already, create a new location. Assign the machine designated as the RAS gateway to that location. At this point we are ready to start deploying the service. On the chosen location, click [Configure RAS].
Toggle the Remote Access Support setting to Enabled, then choose the gateway device. Configure networking (external network, internal network, access settings). Read the section below for details.
Wait for the deployment to finish. Hover with the mouse to see progress. At the end of the process, the service will be listed as active for the given location. Double-check on the source ESXi in the virtual machines list: you should see a new VM called SynetoRAS.
At this point the RAS deployment is done and we can start granting access to users.
Network configuration for the RAS service
The network configuration is split into three sections: external virtual network settings, internal virtual network settings and access settings.
The first thing we must determine is what type of deployment we’ll be using for RAS: a DMZ type deployment, or a private one. In the first case, the RAS gateway will be connected to two networks, a public network and a private network. In the second case the RAS gateway will be connected to a single network, which hosts the target LAN services.
The External virtual network name and Internal virtual network name refer to the names of ESXi virtual networks to which the RAS gateway will be connected.
The FQDN/Public IP is the public IP or hostname, plus port, that the VPN clients will connect to.
Finally, the FQDN field is used for configuring the hostname and domain name of the RAS gateway operating system.
Granting user access to the RAS service
For every person who needs access to the RAS service, we’ll need to create a user. They will have to install a two-factor authentication app on their mobile phone or desktop.
After the user creates an account, grant them RAS access from the Service Access tab. Select the locations where the user must have access.
Validate that access has been granted correctly to the RAS service.
This is it. The user now has access to the service.
Regular user access to the VPN
When a regular user is granted RAS access, they receive an email.
When they connect to Central, they will have a menu item called Remote Access.
For each location click [Download]. For security reasons, the UI will ask for the Central password and MFA PIN.
After downloading the VPN configuration, it can be installed in the preferred VPN client. We have included a brief guide for two of the most common clients (Viscosity and the OpenVPN standard client). Please let us know what your preferred client is and we’ll add instructions for it.
Revoking end user RAS access
Under the user management menu, locate the user, click their Service Access tab, [Edit] the Remote Access service and remove the locations where they should no longer have access by clicking on [x]. Alternatively, the entire service access for a user can be disabled. Then click [Update].
Granting end user RAS access to another location
Under the user management menu, locate the user, click its Service Access tab, [Edit] the Remote Access service and add the new locations, then click [Update].
Undeploying RAS service on one location
To undeploy the RAS service on one location, go to the Dashboard, find the location and click [Configure RAS]. Toggle the service to Disabled and then click [Save].