Dan Mihailescu
Senior Architect, Product Strategy Organization, NAS

Monitoring SSL VPN Gateways - A Step-by-Step Guide

June 17, 2020 by Dan Mihailescu

Virtual private network (VPN) connectivity is one of the most critical services in today’s enterprise IT infrastructure. This is even more true now, with the global pandemic triggering a massive shift towards “work from home” practices.

Knowing that your VPN gateway is available, and that users can access resources when connected to the VPN, is very important. This is why we have introduced a service that monitors the VPN connectivity for you: FREE VPN CHECK

How Does the Free VPN Check Work?

We periodically initiate a new connection to your VPN Gateway and check that the connection is established and that data flows through the VPN tunnel. When we see that the check no longer works, we alert you by email. This way you know immediately whenever there is something wrong with your VPN and can quickly act on it to keep users happy.

How to Set Up Your Free VPN Check

These are the steps required to configure your vpncheck.io account to monitor your VPN infrastructure.

  1. Make sure your VPN uses SSL as the underlying transport protocol. VPNs can use either SSL or IPsec as the underlying transport protocol, and SSL VPN is the most widely adopted in enterprises today. Consumer VPN products like NordVPN, Private Internet Access VPN, ExpressVPN, and many others use the IPsec protocol and are not compatible with vpncheck.io.
  2. Check the VPN gateway type you have, as the SSL VPN protocols used by different vendors are proprietary. This is important because we support the three most widely used VPN Gateways: Cisco AnyConnect, Juniper Pulse Secure, and Palo Alto GlobalProtect.
  3. Log in. At this point, I am going to assume that you have created an account at https://vpncheck.io and are logged in. This is what you should see once you have created the account and are logged in:
    [Screenshot 1]
  4. Create test users and passwords on the VPN Gateway. You must now go to your VPN Gateway and create one or more test users and passwords that you will use for creating the vpncheck.io checks. We also advise that you create a dedicated Authentication Group Profile for these users, with limited privileges, set up specifically for the test. Please consult your VPN Gateway documentation on how to do that.
  5. Create the CSV configuration file. Once you have provisioned the test users, you are ready to create the CSV file you will use as a configuration. To get started, download the sample CSV file and open it. Below is a screenshot of how the configuration might look in a CSV viewer (note that the header row is not present in the configuration; it has been added for this example).
    [Screenshot 2]
    Each row in the configuration CSV file represents a check that will be done periodically. You can create up to 5 such checks in the CSV configuration. Each configuration row must contain all the columns, separated by commas, even if the values are empty. The following properties are configured for each row:
    a.    Username: the user used to authenticate to the VPN Gateway
    b.    Password: the corresponding password to the above user

    Note: We advise you to create limited-privilege users and dedicated test profiles, but we also take extra security measures to store the credentials safely. The credentials are not stored in plain text; they are saved encrypted on disk.

    c.    Auth Group (optional): The Authentication login selection.
    d.    VPN Gateway: The name of the VPN Gateway to which you want to connect.
    e.    Server Certificate (optional): This parameter is only needed if the VPN Gateway does not possess a valid signed SSL Certificate. When loading a configuration CSV, all the VPN Gateways are checked for connectivity and a valid server certificate. If your VPN Gateway does not have a valid server certificate, you will be presented with an error that suggests the server certificate sha256 to fill in this field. If you choose to connect to the VPN Gateway anyway, without a valid certificate, copy the suggested sha256 value into the server certificate parameter.

    f.    Protocol (optional): Once the test connects to the VPN gateway, we can verify that traffic is working by checking connectivity with a defined server. You can either leave this field empty, meaning that this check will only verify VPN connectivity, or choose an HTTP or ping (ICMP) test.
    g.    URL (optional): This parameter works in conjunction with the Protocol parameter previously defined. If choosing HTTP, you must enter an HTTP(S) URL to check connectivity once connected to the VPN. If choosing ICMP you must enter a server name or IP to ping.
    h.    Gateway Type: This can be one of the 3 gateway types that are supported: CISCO, JUNIPER, or PALO ALTO.
  6. Load the configuration. Now that you have configured your checks in the CSV file and saved it, press the Browse button to choose the file and load it.

    At this point, you should also choose the check frequency and the failure count alert settings, or leave the default configured values. The check frequency determines the interval, in minutes, at which we run each of the configured checks. The failure count alert determines how many consecutive failures of a check must occur before we notify you.

    After loading the CSV configuration file and setting the desired values for frequency and failure count alert, press the Save button. If everything is OK, you will see a message (see below) showing the number of checks that have been read from the CSV configuration file.
    [Screenshot 4]
  7. Monitor the results. Now that you have saved your configuration, you should soon start seeing results being populated.
    The 3 statistics on the first row provide a quick, high-level overview of the checks you have configured. They show the status for the past 24 hours at a glance: how many checks succeeded, how many failed, and the average connect time.

    The VPN Check graph provides a more detailed view of how many of the checks run over the past 24 hours were successful and how many failed. Each point on the graph shows the number of successful checks and the number of failed checks during the “check frequency” interval that you configured.

    The Connect Time graph shows the evolution of the VPN connect time over the past 24 hours for each of the distinct VPN Gateways you have configured.
    If you configured the Protocol parameter of some of the checks to be HTTP or ICMP, along with the target URL parameter, then the next 2 graphs on the page show the evolution of the latency for the ping (ICMP) or HTTP GET checks over the past 24 hours.
  8. Debugging failures. Sometimes things do not go smoothly, and the next 2 graphs are about this. The Failures graph shows which of the checks have failed over the past 24 hours, and the VPN Errors graph shows the error that was encountered when connecting to the VPN Gateway.
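
A pre-upload check for the CSV file described in step 5, as an added example that is not vpncheck.io's own code. It assumes the columns follow the order in which the properties are listed (a-h) and that the Protocol values are spelled HTTP and ICMP; the function name and the sample rows are constructed.

```python
import csv
import io
from urllib.parse import urlparse

# Assumption: columns appear in the order the properties are listed (a-h).
COLUMNS = ["username", "password", "auth_group", "gateway",
           "server_cert", "protocol", "url", "gateway_type"]
REQUIRED = ("username", "password", "gateway", "gateway_type")
GATEWAY_TYPES = {"CISCO", "JUNIPER", "PALO ALTO"}  # values named in step 5h
PROTOCOLS = {"", "HTTP", "ICMP"}  # assumed spellings; empty = VPN-only check
MAX_CHECKS = 5


def validate_config(text):
    """Return a list of problems found in the CSV text; empty if none."""
    problems = []
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if len(rows) > MAX_CHECKS:
        problems.append(f"file: {len(rows)} checks, maximum is {MAX_CHECKS}")
    for n, raw in enumerate(rows, start=1):
        if len(raw) != len(COLUMNS):
            problems.append(f"row {n}: {len(raw)} columns, expected {len(COLUMNS)}")
            continue
        row = dict(zip(COLUMNS, (v.strip() for v in raw)))
        if n == 1 and row["username"].lower() == "username":
            problems.append("row 1: header row must not be present")
            continue
        for field in REQUIRED:
            if not row[field]:
                problems.append(f"row {n}: {field} is empty")
        if row["gateway_type"] and row["gateway_type"] not in GATEWAY_TYPES:
            problems.append(f"row {n}: unsupported gateway type")
        proto, url = row["protocol"], row["url"]
        if proto not in PROTOCOLS:
            problems.append(f"row {n}: protocol must be empty, HTTP or ICMP")
        elif proto and not url:
            problems.append(f"row {n}: {proto} check needs a URL value")
        elif proto == "HTTP" and urlparse(url).scheme not in ("http", "https"):
            problems.append(f"row {n}: HTTP check needs an http(s) URL")
    return problems


# Constructed sample: row 1 is valid; row 2 has a bad type and no ping target.
SAMPLE = ("vpntest1,example-pw,Monitoring,vpn.example.com,,HTTP,https://intranet.example.com/,CISCO\n"
          "vpntest2,example-pw,,vpn2.example.com,,ICMP,,FORTINET\n")

if __name__ == "__main__":
    for problem in validate_config(SAMPLE):
        print(problem)
```

Because the file holds VPN credentials, run the check locally and delete the file once it has been loaded.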

Now, you are all set! Check your inbox daily for the Daily Report email showing you a quick status of what happened over the past 24 hours. Should any of the checks fail, you will receive an Alert email notifying you about it, so you can take quick action.

Keysight’s FREE VPN CHECK is an active monitoring service that checks the availability of your VPN Gateway to accept new connections.

Need Capacity and Performance Testing for your SSL VPN Gateways?

We also offer a turnkey assessment service to validate the capacity of VPN gateways. It proactively validates your VPN capacity and performance with a controlled, realistic performance test that pushes your VPN infrastructure to its limit. Learn more about this service here: SSL VPN GATEWAY ASSESSMENT SERVICE