Description:

If the Unified Firewall is to inspect the Internet traffic of a mobile worker, all of that traffic has to be routed via the firewall.

This article describes how the Internet traffic of a mobile worker who establishes a dial-in VPN connection to the company can be scanned by the HTTP Proxy of the Unified Firewall. 


Requirements:


Scenario:

  • A mobile worker establishes an IKEv2 connection with the Advanced VPN Client to the company.
  • So that the Internet traffic of the mobile worker is encrypted, it is routed via the VPN connection to the Unified Firewall.
  • The Internet traffic of the mobile worker is to be scanned by the HTTP Proxy of the Unified Firewall.


Procedure:

1) Configuring the Advanced VPN Client connection:

1.1) Open the configuration of the Unified Firewall in a browser and set up an IKEv2 connection for the Advanced VPN Client.

1.2) In step 1.5, under Local Networks enter the address 0.0.0.0/0 instead of the local network. This address stands for any network and therefore allows the entire data traffic of the client to be routed via the VPN connection.

No network may be entered in the "Split Tunneling" tab of the Advanced VPN Client profile! Otherwise only the traffic destined for that network is routed via the VPN connection, and the remaining Internet traffic bypasses the Unified Firewall.

[Screenshot: IKEv2 AVC connection settings in the Unified Firewall (security profile, authentication, local and remote networks, IP pool)]

1.3) The configuration of the Advanced VPN Client connection is now complete.



2) Manual configuration steps:

2.1) Go to the menu VPN → IPSec → Virtual IP Pools and edit the IP Pool used for the VPN connection (in this example Default Virtual-IP pool).

[Screenshot: menu VPN → IPSec → Virtual IP Pools]

2.2) For Preferred DNS Server enter the IP address of a DNS server and click Save. This server is assigned to the VPN client during the dial-in process and enables resolving DNS names via the VPN connection.

[Screenshot: settings of the Default Virtual IP pool with fields for DNS and WINS servers; changes take effect only after the affected connections are restarted]

2.3) On the desktop click on the VPN host created in step 1 (in this example AVC-IKEv2), select the Connection Tool and click on the Internet object to set up firewall rules. 


2.4) Add the protocols HTTP, HTTPS and DNS.

[Screenshot: protocol selection in the Connection Tool]

2.5) For the protocols HTTP and HTTPS, click on NAT under Options, one after the other.

[Screenshot: Connection Tool with the NAT option for HTTP and HTTPS]

2.6) For HTTP and HTTPS activate the option Enable proxy for this service and click OK.

[Screenshot: NAT dialog with NAT masquerading, DMZ port forwarding, external and destination IP addresses and ports, and the option Enable proxy for this service]

2.7) Click Save for the firewall rules to be created.

[Screenshot: firewall rules for HTTP, HTTPS and DNS with proxy NAT enabled, before saving]

2.8) Click Activate in order for the changes to be implemented by the Unified Firewall.

[Screenshot: Unified Firewall desktop with the Activate button]



3) Importing the HTTP proxy certificate into the computer with the Advanced VPN Client:

Export the HTTP proxy certificate and import it into the computer with the Advanced VPN Client. Without this certificate the client browser will show certificate warnings for every HTTPS site, because the proxy re-signs the server certificates. The procedure is explained in step 3 in this Knowledge Base article.



4) Configuring additional UTM functions (optional):

Additional UTM functions that require the HTTP proxy can now be configured.
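To verify from the mobile worker's computer that HTTPS traffic really passes through the HTTP proxy after steps 2 and 3, the following added check (not part of the original article or of any LANCOM software) opens a TLS session through the tunnel and inspects which CA issued the presented certificate. It assumes the proxy CA has been imported into the OS trust store (step 3); the CA name in PROXY_CA_SUBJECT and the probe host are placeholders.

```python
import socket
import ssl

# Subject of the Unified Firewall's HTTP proxy CA as imported in step 3.
# PLACEHOLDER: replace the commonName with the one of your exported certificate.
PROXY_CA_SUBJECT = ((("commonName", "Unified Firewall HTTP Proxy CA"),),)


def issuer_of(peercert: dict) -> dict:
    """Flatten the issuer RDN sequence returned by ssl.getpeercert() into a dict."""
    return {k: v for rdn in peercert.get("issuer", ()) for k, v in rdn}


def is_scanned_by_proxy(peercert: dict, proxy_ca_subject=PROXY_CA_SUBJECT) -> bool:
    """True when the leaf certificate was issued by the HTTP proxy CA, i.e. the
    HTTPS session is being intercepted and scanned by the Unified Firewall."""
    expected = {k: v for rdn in proxy_ca_subject for k, v in rdn}
    issuer_cn = issuer_of(peercert).get("commonName")
    return issuer_cn is not None and issuer_cn == expected.get("commonName")


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS session to host (through the VPN tunnel) and return
    the peer certificate. Verification uses the OS trust store, so it only
    succeeds if the proxy CA from step 3 has been imported."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # PLACEHOLDER host; any public HTTPS site reachable through the tunnel works.
    try:
        cert = probe("example.com")
    except ssl.SSLCertVerificationError as exc:
        print("TLS verification failed; proxy CA probably not imported (step 3):", exc)
    else:
        if is_scanned_by_proxy(cert):
            print("HTTPS traffic is scanned by the Unified Firewall HTTP proxy.")
        else:
            print("Certificate issued by", issuer_of(cert).get("commonName"),
                  "- traffic bypasses the proxy (check split tunneling and step 2.6).")
```

If the issuer is the original public CA rather than the proxy CA, the client is most likely split-tunneling (step 1.2) or the proxy option of step 2.6 was not enabled for HTTPS.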