[Dr.WoW] [No.43] Network Extension-part 2 Highlighted

Latest reply: Jan 31, 2020 19:03:28

4 Configuring Network Extension

The configuration of the network extension service can be divided into the following steps:

1. Create a virtual gateway.

2. Under the virtual gateway, create and configure the authentication method for remote users and configure role authorization.

3. Configure the network extension service.

Figure 1-7 shows the detailed configuration page.

Figure 1-7 Configuring network extension


The network extension service only requires two IP address segments to be configured, so there are few settings and the configuration itself is very simple. Choosing these two IP address segments, however, takes some thought.

Parameter 1: The scope of assignment for the IP address pool

In the theoretical section above, I explained that after a remote user enables the network extension function, the virtual gateway assigns an IP address to the remote user's virtual network card. Where does this address come from? Clever readers have probably already guessed that it is randomly selected from the address pool we are about to configure.

This address pool is designated unilaterally by the network administrator. When designating it, pay attention to the relationship between the pool's network segment and the internal network's segment. If the pool is configured on the same subnet as the internal network segment, then once the remote user obtains an address from the virtual gateway it is as if the remote user and the internal server were connected by a Layer 2 switch: the remote user can access the server directly, and there are no routing issues. If the address pool and the internal server are not in the same network segment (in this example they are not), then a route whose destination is the address pool network segment and whose outbound interface is the public interface linked to the Internet must be configured on the firewall. This route is only used for determining the relationship between security zones (the firewall derives the security zone of the pool addresses from the route's outbound interface); it does not direct packet forwarding.

[FW] ip route-static GigabitEthernet0/0/2

Additionally, if a server that assigns IP addresses to users has already been set up inside the company (such as a DHCP server or a third-party authentication server), this is acceptable so long as the address pool used for network extension does not conflict with the address segments assigned by that server; each can then assign its own IP addresses without affecting the other.

Parameter 2: An accessible internal network segment list

I stated above that a remote user who enables network extension can access all IP resources on the company's internal network, but if that is true, why is there still an "accessible internal network segment" parameter? The answer is control: if this parameter is not configured, remote users can by default access every resource on the internal network; the parameter exists so that the administrator can flexibly restrict the remote users' scope of access.

Whether or not this parameter is configured not only affects the scope of the remote user's access to the company internal network, but also changes the remote user's other network behaviour.

• If an "accessible internal network segment" is configured for network extension, the virtual gateway sends the remote user's PC a specific route whose destination is that internal network segment and whose outbound interface is the virtual network card's address (the company internal network's private IP address obtained by the remote user):

C:\> route print

IPv4 Routing Table

Active Routes:

Network Destination            Netmask                      Gateway            Interface            Metric           10        On-Link       1      On-Link       257

• If the "accessible internal network segment" parameter is not configured for network extension, what does the remote user's routing table look like? In the output below we can see that the virtual gateway has sent the remote user a default route, and that its outbound interface is the virtual network card's address (the company internal network's private IP address obtained by the remote user):

C:\> route print

IPv4 Routing Table

Active Routes:

Network Destination       Netmask                    Gateway                Interface             Metric                On-Link       1

Don't underestimate the difference between the two kinds of routes shown above. When "the accessible internal network segment" is configured, the virtual gateway issues the remote user a route to only some of the company's internal network segments, and this route does not affect the PC's other routes. In other words, when the remote user wants to reach the company internal network, the traffic goes through the tunnel, and when the remote user wants to reach the Internet, it goes out as before; neither kind of access is affected, and the user can accomplish whatever needs to be accomplished.

If we choose not to configure this parameter, problems arise. Normally a remote user reaches the Internet through a default route, but now the virtual gateway pushes a second default route, and the default route pushed by the virtual gateway has the highest priority (its metric, the hop count shown above, is 1). This makes the remote user's original default route ineffective, so the remote user has no way to access the Internet. If the remote user must access the Internet, he/she can only temporarily disconnect the network extension connection and re-enable network extension when the internal network is needed again. Which network extension configuration method to choose therefore depends on the corporate user's needs.
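To make the difference between the two pushed routes concrete, here is an added Python model (not from the post or from Huawei's software) of the route selection a Windows PC performs on the tables shown above: longest prefix match first, then lowest metric. All addresses, interface names and metrics are constructed placeholders, since the page does not preserve the real ones.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    interface: str   # address of the NIC the route uses ("On-Link" style)
    metric: int


def select_route(table, dst):
    """Pick the route a host would use: most specific prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.dest]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.dest.prefixlen, r.metric))


# Constructed sample values (hypothetical; not the values from the original page).
PHYSICAL_NIC = "192.168.1.10"   # the PC's home LAN address
VPN_NIC = "10.10.10.5"          # address assigned from the virtual gateway's pool


def base_table():
    """The PC's routing table before network extension is enabled."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), PHYSICAL_NIC, 25),      # ISP default route
        Route(ipaddress.ip_network("192.168.1.0/24"), PHYSICAL_NIC, 281),  # home LAN
    ]


def pushed_routes(accessible_segments):
    """Routes the virtual gateway pushes (metric 1, as in the route print output):
    one specific route per configured accessible segment, or a default route if none."""
    if accessible_segments:
        return [Route(ipaddress.ip_network(seg), VPN_NIC, 1) for seg in accessible_segments]
    return [Route(ipaddress.ip_network("0.0.0.0/0"), VPN_NIC, 1)]


def egress_interface(accessible_segments, dst):
    """Which NIC carries traffic to dst once network extension is up."""
    route = select_route(base_table() + pushed_routes(accessible_segments), dst)
    return route.interface if route else None


if __name__ == "__main__":
    for segs in (["10.1.0.0/16"], []):
        print(segs or "no accessible segment",
              "intranet ->", egress_interface(segs, "10.1.2.3"),
              "internet ->", egress_interface(segs, "203.0.113.7"))
```

With an accessible segment configured, Internet traffic still leaves through the physical NIC; with none configured, the metric-1 default route pulls Internet traffic into the tunnel as well, which is exactly the loss of Internet access described above.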

Configuration of the network extension service is now complete. Below we look at how the remote user uses the network extension function to access internal network resources.

5 Login Process

The SSL VPN network extension function gives remote users two ways to access the internal network: one uses the IE browser, and the other uses an independent network extension client.

• IE browser

a. The remote user enters the virtual gateway's access address into the IE browser's address bar.

b. When the virtual gateway's login page appears, the user enters the user name and password.

c. After logging in successfully, the user sees the "network extension" tab on the virtual gateway's resource page and clicks "Enable" under it. As shown in Figure 1-8, the remote user obtains the company internal network IP address assigned by the virtual gateway and can then access the company's internal network resources directly.

Figure 1-8 Network extension: initiation


When introducing the principles of packet encapsulation, I mentioned that an SSL VPN tunnel can be established in two modes (reliable transport and fast transport). The default mode for a tunnel established between the IE browser and the virtual gateway is fast transport mode.

• Independent client

a. The remote user downloads and installs the independent network extension client.

After logging in to the virtual gateway successfully, the remote user clicks "user options" in the upper right corner of the interface, where the download link for the network extension client appears, as shown in Figure 1-9. Installation is very simple: just follow the prompts and click "Next."

Figure 1-9 Downloading the network extension client software


The advantage of the independent client is that it can start automatically when the device boots and can reconnect automatically when the connection is lost. With the IE browser method, by contrast, the user must log in to the virtual gateway each time, which is relatively cumbersome.

b. Log in to the virtual gateway.

Address: virtual gateway address

User name and password: the virtual gateway login user name and password assigned to the remote user by the administrator.

As shown in Figure 1-10, after clicking "login", the remote user can access internal network resources in the same way as an internal network user.

Figure 1-10 Logging in to the virtual gateway


When the independent client is used to establish the SSL VPN tunnel, the tunnel establishment mode can be configured. On the login interface, click "Options" and choose either reliable transport mode or fast transport mode under "Tunnel Mode." Tunnel Mode also offers a "Self-adapting Mode", in which the client automatically selects reliable or fast transport mode for establishing the SSL VPN tunnel according to network conditions.

Once the network extension function has been enabled, how can the remote user confirm that it is working? There are two methods. First, run the ipconfig command to check whether the remote user has obtained the private IP address assigned by the virtual gateway. In the example above, if, after network extension is enabled, you as a remote user obtain an IP address within the network segment, then congratulations! You have successfully connected to the enterprise's internal network.

The second method is for the remote user to test and see whether or not they can access the company internal network's resources.

We frequently encounter the following situation: a remote user has already obtained the IP address assigned by the virtual gateway but cannot access internal network resources. Why? There are generally two reasons:

• The first is that the remote user does not have service permissions for this internal network resource (for example, R&D staff not having permission to access the finance system).

• The second is that, when network extension was configured, the network segment containing the internal network resource(s) the remote user wants to access was not included in the "accessible internal network segment."

Both problems are easily resolved: either the remote user applies to the network administrator for service permissions, or the network administrator checks the firewall configuration to confirm that all the required internal network segments have been added.


Created Oct 21, 2015 10:15:20 Helpful(0) Helpful(0)

Thank you.

Created Dec 24, 2019 19:46:34 Helpful(0) Helpful(0)

@dr.wow good day.

Excellent contribution, I think this will help me to present my H12-721 HCIP-Security-CISN V3.0 certification exam.


Senior Cybersecurity Engineer
Created Jan 19, 2020 22:45:14 Helpful(0) Helpful(0)


Created Jan 30, 2020 23:35:47 Helpful(0) Helpful(0)

Came here for the rest. Thanks

Created Jan 31, 2020 17:12:11 Helpful(0) Helpful(0)

Thank you.

Created Jan 31, 2020 17:50:29 Helpful(0) Helpful(0)


Created Jan 31, 2020 17:50:38 Helpful(1) Helpful(1)


Created Jan 31, 2020 19:03:28 Helpful(1) Helpful(1)
