Quelle anzeigen

Description:

LANCOM Trusted Access (LTA) is the trusted network access security solution for enterprise networks. It enables secure and scalable network access for employees in the office, at home, or on the road, thus protecting modern hybrid working from anywhere at any time.

The LANCOM Trusted Access solution adapts to increasing security requirements in your organization. It supports not only classic full network access as a cloud-managed VPN client, but also the migration to a zero-trust security architecture with comprehensive network security. In the latter case, users receive granular access rights only to those applications that have been assigned to them (zero-trust principle). Existing systems for administering users and user groups (Active Directory) can be fully integrated into the LANCOM Management Cloud (LMC). For smaller networks, the LMC alternatively offers internal user administration.

This article describes how the LMC is used to configure the LTA client using internal user administration.

There are several default settings and profiles in VPN (e.g. encryption parameters). These are used to set up a VPN connection and allow for an easier configuration by means of prefabricated parameters.

When using IKEv2 the remote site DEFAULT in the Connection list has a special role, as the initial connection establishment is carried out via this remote site. When the VPN connection is recognized (e.g. on the basis of the identities), a switch to the actual VPN remote site occurs.

The default profiles must not be deleted or modified. Otherwise it is possible, that the VPN connection cannot be established anymore!

You can find scripts to restore the default VPN settings in the following Knowledge Base article:

Restoring default settings in VPN

Requirements:

Access to the LMC including your own project (subject to charge)
LANCOM router or LANCOM R&S®Unified Firewall as LTA gateway
- LCOS from version 10.80 REL (download current version)
- LCOS FX as of version 10.13 (download latest version)
LTA client (download current version)
Configured and functional local network including Internet connection
Any web browser for accessing the LMC
DynDNS provider for the e-mail domain with support of a “TXT Resource Record” (e.g. the DynDNS service integrated in the LMC)

Procedure:

1) Configuration steps in the LMC:

1.1) Activate the VPN function:

1.1.1) In the LMC, go to the Networks menu and click the network that the LTA client should log in to (in this example INTRANET).

An image displaying a dashboard of network settings showing various options such as SSID, Status, Name, IP range, VLAN, Internet, VPN, Hotspot, and Security amidst partially visible site and device information.

1.1.2) In the Overview, click Edit network.

Screenshot of a DY INTRANET configuration panel displaying options for WiFi switches, VLAN settings, VPN connections, and internet access configurations.

1.1.3) Modify the following parameters and then click Save:

Link devices via secure connection (VPN): Set a checkmark to enable the VPN function.
Central-site IP addresses or DNS names: Enter the public IP address or public DNS name of the router. This must be specified as soon as the VPN function is activated.

Image showing a network configuration interface with settings for DHCP, DNS, routing, subnet specifications, and options for secure VPN connections.

1.2) Activate LTA:

1.2.1) In the Security menu, go to the LANCOM Trusted Access tab and click the Activate LTA slider.

Screenshot of a LANCOM Trusted Access security dashboard showing the management of user access to services and applications based on user group associations and authorization profiles.

1.2.2) Click Activate.

This image displays a configuration menu for LANCOM Trusted Access, detailing options for testing the service with a starter license for 30 days and includes notes on license activation and deployment procedures.

1.3) Client configuration:

The Client configuration is used to store basic parameters such as the address of the LTA gateway. These settings apply globally and cannot be configured for individual users.

1.3.1) Go to the Client configuration tab and modify the following parameters:

Accessible network: From the drop-down menu, select the network edited in step 1.1 that the LTA client should log in to (in this example INTRANET).
Gateway IP or domain: Enter the public IP address or DNS name of the router where the LTA client can reach the router (in this example 81.81.81.81).
Trusted Access Client IP network: Enter the network address of a network in CIDR (Classless Inter Domain Routing) notation. The LTA client is assigned an IP address from this network (in this example 10.0.0.0/8). In most cases the Accessible network is used for this, but it is also possible to specify a different network.
Tunneled domains for DNS resolution: Enter Domains which should always be transmitted via the VPN tunnel (in this example *.intern).

The * wildcard can be used for the tunneled domains for DNS resolution. This represents any number of characters. Multiple entries can be separated by a comma.

When using the mode Full Tunnel (see step 1.3.3) the wildcard * has to be entered in the field Tunneled domains for DNS resolution so that all DNS requests are sent via the tunnel (as an alternative the field can also be left empty). Otherwise the DNS resolution is not possible!

Screenshot of an LTA client configuration interface on an intranet system.

1.3.2) Modify the following parameters if required:

Allow AVC mode in LTA client: If this option is enabled, the user can switch between the LTA client and the Advanced VPN client. This can be helpful, for example, if there are VPN connections to customers in addition to the LTA access to the company.
Enable LTA client self-sustaining continued operation: If standalone continued operation is enabled, the LTA client is able to establish a VPN connection for the specified period of time, even if the LMC cannot be reached.

An image of a technical configuration screen displaying options such as 'Allow AVC mode in LTA client', 'Enable LA clients self-sustaining continued operation', and showing the validity period of the LTA client certificate.

1.3.3) Under Split Tunnel, select the option Only network traffic to configured networks through tunnel (Split Tunnel) and click the “+” icon to specify the target networks.

If the option All network traffic (LANCOM Trusted Internet Access - Full Tunnel) is enabled, or if there is no target network configured for the option Only network traffic to configured networks through tunnel (Split Tunnel), then all data traffic is transmitted via the VPN tunnel. This means that local resources in the user's network cannot be reached while a VPN tunnel is established. It may also result in slower transmission of Internet data traffic, as this is all transmitted via the LTA gateway. In return the data traffic can be checked via Content Filter and Antivirus on the LTA gateway.

An image displaying a user interface for configuring LANCOM Trusted Internet Access with options for all network traffic and tunneled networks in full tunnel mode.

1.3.4) Enter the tunneled networks in CIDR notation and click Save.

Image displaying a configuration menu for LANCOM network traffic tunnel settings, including options for Trusted Internet Access Full Tunnel and Split Tunnel.

1.4) Endpoint Security (optional):

Endpoint Security can optionally be activated. The LTA client then checks whether the specified parameters are met and only then will the VPN connection be established. These settings apply globally and cannot be configured for individual users.

1.4.1) Go to the Endpoint Security tab, adjust the following parameters and click Save:

Enable endpoint verification: Enable the option with the slider.
Allowed OS: If required, select the permitted operating systems as well as the minimum and maximum build versions (in this example, Windows 10 or Windows 11 is assumed).
Anti-Virus: If necessary, enable the anti-virus function check on the user's computer (in this example the option used is enabled and up-to-date).
Firewall: If necessary, enable the firewall function check on the user's computer (in this example the option used is enabled, which checks whether a firewall is active).

Screenshot of a security configuration interface showing settings for endpoint verification, operating system compatibility, antivirus requirements, and firewall status.

1.5) User administration:

The User administration is where you enter your own domain. Users can be connected to an Active Directory, if available, or they can be configured in the LMC.

1.5.1) Go to the User administration tab and enable the option LMC-managed. Then click Copy text next to the TXT resource record field. Enter this as the TXT resource record in the account of your DynDNS provider for the domain.

When using the DynDNS service integrated in the LMC it is sufficient to enter the selected Dynamic DNS subdomain .

An image of a technical interface showing options for authorization profiles, connection targets, endpoint security, and client configuration settings.

1.5.2) Use the Domain field to enter the domain you are using (in this example mydomain.com ) and click Save.

Image displaying a technical user interface with options for IdP-managed, LMC-managed, Copy text, and Discard.

1.5.3) Click Add user.

Diagram highlighting user configuration settings in a technical interface.

1.5.4) Modify the following parameters and then click Save:

Name: Enter a descriptive name for the user (in this example Admin).
E-mail: Enter the user name of user’s e-mail address in lower case letters. The domain is already stored.
Password: Set a password that the user enters when connecting with the LTA client for the first time (the user will then be asked to set their own password).
Confirm password: Confirm the password.

Make absolutely sure, that only lower case letters are used for the E-mail. Otherwise, this will prevent the LTA login from working!

Image of a technical configuration screen with commands for adding a user and copying a password.

1.6) Connection targets:

The Connection targets menu is used to create resources that can be assigned to the users (see step 1.7).

1.6.1) Go to the Connection targets tab and click Add connection target.

Image showing a blurry or partially obscured screenshot of a technical user interface related to network connections or settings.

1.6.2) Modify the following parameters and then click Save:

Name: Enter a descriptive name for the connection target (in this example Web-Server).
Hostname / IPv4 address / CIDR notation: Enter a DNS name or the IP address of the connection target (in this example 10.0.0.250). Alternatively, you can provide access to an entire network by entering the network address in CIDR notation (e.g. 10.0.0.0/8).
Protocol: Select the communications protocol(in this example TCP).
- The following protocols are available:
  - TCP
  - UDP
  - ICMP
  - AH
  - ESP
  - GRE
  - TCP+UDP
  - All protocols
Port: Enter the ports for the communications (in this example 80 and 443). Multiple ports can be separated by a comma (e.g. 80,443). Port ranges can be entered with a hyphen (e.g. 5060-5061).

A screenshot showing the option to 'Create New Connection Target' in a software interface.

1.7) Authorization profiles:

The Authorization profiles are used to link users to the connection targets. Different users can be assigned to individual connection targets. The LMC uses these settings as a basis to automatically create firewall rules that allow communication to the connection targets.

1.7.1) Go to the Authorization profiles tab and click Add authorization profile.

LANCOM Support Knowledge Base EN > Using the LMC to configure the LTA client with internal user administration > 17.png

1.7.2) Modify the following parameters:

Profile name: Enter a descriptive name for the profile (in this example Admin).
Users / Groups: From the drop-down menu, select the user created in step 1.5.4 (in this case Admin). You can optionally select multiple users and assign them the same permissions.

An LTA license is required for every active user.

Screenshot of an authorization profile configuration menu, showing options to define access for user groups to various services and applications, with areas to manage connection targets and activate profiles.

1.7.3) Under Status enable the necessary connection targets for the user (see step 1.6.2) and click Create.

LANCOM Support Knowledge Base EN > Using the LMC to configure the LTA client with internal user administration > 19.png (Screenshot of a configuration interface for setting up an authorization profile, displaying fields for profile name, users groups, and connection targets with options for status, name, hostname/IP address, protocol, and port.)

2) Configuration steps in the LTA client:

2.1) In the LTA client, click Settings and select the option LMC Domain.

Screenshot of the BLANCoMTrusteaAccessClient user interface on a technical configuration screen.

2.2) Change the following parameters:

URL: Enter the URL lancom.de .
Domain: Enter the e-mail domain that you stored in the LMC in step 1.5.1 (in this example mydomain.com ).

Screenshot of a technical user interface displaying options for configuring 'URL Domain'.

Thank you for your feedback! You can also send us constructive suggestions for improving our knowledge base or ideas for new articles by email to knowledgebase@lancom.de.