TABLE OF CONTENTS
- Introduction to RAS
- Deploy RAS
- Remote Access Service Settings
- Grant User Access to the RAS Service
- End Users - RAS Access
- Revoke End User RAS Access
- Remove the RAS Service
Introduction to RAS
The Syneto Central Remote Access Service (RAS) is a turnkey solution for allowing secure VPN connections into the company network. It’s a hybrid cloud service being managed through Syneto Central and running on HYPERSeries appliances.
This document describes the system requirements, deployment process and administrative tasks involved in managing the lifecycle of the RAS service. The appliance on which we’ll deploy the Remote Access Service is called the RAS gateway.
To use the RAS service, the following requirements must be met:
- a HYPERSeries physical or virtual appliance running SynetoOS version 4.6.0 or later
- a Central account for the company
- a RAS Service license activated for the company
- Internet connectivity between the appliance and the Central cloud
Please contact your local Syneto reseller or account manager to purchase and enable the service.
In order to deploy the RAS service, you need:
- SynetoOS version 4.6.0+
- The Hyperseries appliance activated with the Central company account
- a Central user account assigned to the company with rights granted [link] for the Fleet Management service
- Remote support access enabled
When deploying a new machine, execute the Quick Setup process and during it activate the machine with Central.
Remote support access enabled: If the support plan for the RAS gateway includes the Serenity service, and the service was not disabled, the access tunnel is established on every system boot. For support plans without the Serenity service, the tunnel needs to be manually established. To do so, on the HYPER web interface, go to the Help page and click [Enable remote access]. If the procedure is successful, you will see the following message.
Prepare the deployment: Login to Central. Create a new location, if you don’t have one already. Assign the Syneto appliance (which is called a machine) designed as RAS gateway to that location. At this point we are ready to start deploying the service. On the chosen location, click Remote Access Service.
Select the location where you want to deploy RAS.
On the next screen you will configure the settings for the service.
Remote Access Service Settings
RAS Gateway Device. This is the Syneto appliance on which the RAS VM will be installed.
Hostname: Input a FQDN name to be used for naming the RAS VM: eg: vpn.mydomain.com. This name is used only on the RAS virtual machine, to name the guest OS.
Configure the networking settings corresponding to your local environment. Read the section below for details.
The first step is to determine the type of deployment to be used for RAS:
- Behind NAT: The RAS virtual machine will be connected to a single network, which hosts the target LAN services. See example.
- Using DMZ: The RAS virtual machine will be connected to two networks, a public network and a private network. See example.
The network configuration is split into three sections, depending on your network architecture: external virtual network settings, internal virtual network settings and access settings.
Connect to (Internal) Virtual Network: Input the name of the port-group from the ESXi hypervisor to which the RAS VM will be connected. It is usually VM Network.
Connect to External virtual network name: If you have chosen a DMZ type of deployment, input the name of the internet facing (DMZ) port-group from the ESXi hypervisor to which the RAS VM will be connected.
IP / Netmask: The internal IP address and subnet mask which will be assigned to the RAS gateway virtual machine during deployment.
DNS: The DNS to use on the RAS VM. Must be able to resolve internet DNS entries
Gateway: The default gateway for the RAS VM.
Public Endpoint: This is the public IP or hostname + port to which the VPN clients will be connecting to. Eg: vpn.mydomain.com:1194 or 22.214.171.124:21194. Important: You must configure NAT on your company router to allow connections from the public endpoint to the RAS VM on the same port.
Route via VPN tunnel: Choose how data from connected clients is routed through the VPN connection. You can route all traffic or just the Specific Destinations you choose.
Wait for deployment to finish. At the end of the process, the service will be listed as active for the given location. Double-check on the source ESXi in the virtual machines list: you should see a new virtual machine called SynetoRAS.
Grant User Access to the RAS Service
- A Central account for each user that will use VPN
- A two-factor authentication app installed on the user's mobile phone or desktop
User access and download of the VPN configuration file is managed using Central.
For every person who needs access to the RAS service, a Central account manager (with User Management rights) need to create a user. Users will have to install a two-factor authentication app on their mobile phone or desktop. (for example Google Authenticator)
After the user creates an account, grant them RAS access from the ACL tab. Go to the Remote Access page, select the RAS location and click on the ACL tab. Click on Grant Access to select the users.
Select one or more users. Choose to allow unrestricted access to your internal network or to restrict access just to some destinations.
End Users - RAS Access
After a regular user is granted RAS access, they receive an email.
When they connect to Central, they will have a menu item called Remote Access.
For each location click [Download]. For security reasons, the UI will ask for the Central password and MFA PIN.
After downloading the VPN configuration, it can be installed in the preferred VPN client. We have included a brief guide for two of the most common clients (Viscosity and the OpenVPN standard client). Please let us know what your preferred client is and we’ll add instructions for it.
Revoke End User RAS Access
Under the Remote Access menu, select the RAS location, click on the ACL tab and locate the user. Click Edit. Click on Revoke Access to remove that user's access to the service.
Remove the RAS service
Under the Remote Access menu, select the RAS location, click on the Settings tab. Click Edit. At the bottom of the page, click on Undeploy.