Description:
LANCOM Trusted Access (LTA) is the trusted network access security solution for enterprise networks. It enables secure and scalable network access for employees in the office, at home, or on the road, thus protecting modern hybrid working from anywhere at any time.
The LANCOM Trusted Access solution adapts to increasing security requirements in your organization. It supports not only classic full network access as a cloud-managed VPN client, but also the migration to a zero-trust security architecture with comprehensive network security. In the latter case, users receive granular access rights only to those applications that have been assigned to them (zero-trust principle). Existing systems for administering users and user groups (Active Directory) can be fully integrated into the LANCOM Management Cloud (LMC). For smaller networks, the LMC alternatively offers internal user administration.
This article describes how the LMC is used to configure the LTA client using internal user administration.
Requirements:
- Access to the LMC including your own project (subject to charge)
- LANCOM router or LANCOM R&S®Unified Firewall as LTA gateway
- LCOS from version 10.80 REL (download current version)
- LCOS FX as of version 10.13 (download latest version)
- LTA client
- Configured and functional local network including Internet connection
- Any web browser for accessing the LMC
- DynDNS provider for the e-mail domain with support of a “TXT Resource Record”
The DynDNS service integrated in the LMC unfortunately does not support a “TXT Resource Record” and therefore cannot be used.
Procedure:
1) Configuration steps in the LMC:
1.1) Activate the VPN function:
1.1.1) In the LMC, go to the Networks menu and click the network that the LTA client should log in to (in this example INTRANET).
1.1.2) In the Overview, click Edit network.
1.1.3) Modify the following parameters and then click Save:
- Link devices via secure connection (VPN): Set a checkmark to enable the VPN function.
- Central-site IP addresses or DNS names: Enter the public IP address or public DNS name of the router. This must be specified as soon as the VPN function is activated.
1.2) Activate LTA:
1.2.1) In the Security menu, go to the LANCOM Trusted Access tab and click the Activate LTA slider.
1.2.2) Click Activate.
1.3) Client configuration:
The Client configuration is used to store basic parameters such as the address of the LTA gateway. These settings apply globally and cannot be configured for individual users.
1.3.1) Go to the Client configuration tab and modify the following parameters:
- Accessible network: From the drop-down menu, select the network edited in step 1.1 that the LTA client should log in to (in this example INTRANET).
- Gateway IP or domain: Enter the public IP address or DNS name under which the LTA client can reach the router (in this example 81.81.81.81).
- Trusted Access Client IP network: Enter the network address of a network in CIDR (Classless Inter Domain Routing) notation. The LTA client is assigned an IP address from this network (in this example 10.0.0.0/8). In most cases the Accessible network is used for this, but it is also possible to specify a different network.
- Tunneled domains for DNS resolution: Enter the domains that should always be resolved via the VPN tunnel (in this example *.intern).
The * wildcard can be used for the tunneled domains for DNS resolution. This represents any number of characters. Multiple entries can be separated by a comma.
1.3.2) Modify the following parameters if required:
- Allow AVC mode in LTA client: If this option is enabled, the user can switch between the LTA client and the Advanced VPN client. This can be helpful, for example, if there are VPN connections to customers in addition to the LTA access to the company.
- Enable LTA client self-sustaining continued operation: If this option is enabled, the LTA client can still establish a VPN connection for the specified period of time even if the LMC cannot be reached.
1.3.3) Under Split Tunnel, select the option Only network traffic to configured networks through tunnel (Split Tunnel) and click the “+” icon to specify the target networks.
If the option All network traffic through tunnel is enabled, or if there is no target network configured for the option Only network traffic to configured networks through tunnel (Split Tunnel), then all data traffic is transmitted via the VPN tunnel. This means that local resources in the user's network cannot be reached while a VPN tunnel is established. It may also result in slower transmission of Internet data traffic, as this is all transmitted via the LTA gateway.
1.3.4) Enter the tunneled networks in CIDR notation and click Save.
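The split-tunnel and tunneled-domain rules from steps 1.3.1 to 1.3.4, modelled as an added example (this is illustrative code written for this article, not LANCOM's own client logic; the CLIENT_CONFIG values are constructed and the behaviour of the "*" wildcard and the "no target networks configured" case follow the article's description):

```python
import ipaddress
import re

# Constructed sample mirroring the LMC "Client configuration" fields (steps 1.3.1 to 1.3.4).
# Illustrative model written for this article, not LANCOM's own code.
CLIENT_CONFIG = {
    "split_tunnel": True,            # "Only network traffic to configured networks through tunnel"
    "tunneled_networks": "10.0.0.0/8, 172.16.0.0/12",      # CIDR entries, comma-separated
    "tunneled_domains": "*.intern, intranet.mydomain.com",  # '*' = any number of characters
}

def parse_csv(field):
    """Split a comma-separated LMC field into trimmed, non-empty entries."""
    return [e.strip() for e in field.split(",") if e.strip()]

def routed_via_tunnel(config, ip):
    """True if traffic to the IPv4 address `ip` is sent through the VPN tunnel."""
    networks = [ipaddress.ip_network(n, strict=False) for n in parse_csv(config["tunneled_networks"])]
    # Edge case from the article: "All network traffic through tunnel", or split tunnel
    # with no target network configured, sends all traffic through the tunnel.
    if not config["split_tunnel"] or not networks:
        return True
    return any(ipaddress.ip_address(ip) in net for net in networks)

def domain_matches(pattern, name):
    """Match one "Tunneled domains" entry, treating '*' as any number of characters."""
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(regex, name.lower().rstrip(".")) is not None

def dns_resolved_via_tunnel(config, name):
    """True if DNS resolution for `name` goes through the VPN tunnel."""
    return any(domain_matches(p, name) for p in parse_csv(config["tunneled_domains"]))

if __name__ == "__main__":
    for ip in ("10.0.0.250", "192.168.178.20"):
        print(ip, "-> tunnel" if routed_via_tunnel(CLIENT_CONFIG, ip) else "-> local")
    for host in ("fileserver.intern", "www.example.com"):
        print(host, "-> tunnel DNS" if dns_resolved_via_tunnel(CLIENT_CONFIG, host) else "-> local DNS")
```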
1.4) Endpoint Security (optional):
Endpoint Security can optionally be activated. The LTA client then checks whether the specified parameters are met and only then will the VPN connection be established. These settings apply globally and cannot be configured for individual users.
1.4.1) Go to the Endpoint Security tab, adjust the following parameters and click Save:
- Enable endpoint verification: Enable the option with the slider.
- Allowed OS: If required, select the permitted operating systems as well as the minimum and maximum build versions (in this example, Windows 10 or Windows 11 is assumed).
- Anti-Virus: If necessary, enable the check for an anti-virus function on the user's computer (in this example the option Enabled and up-to-date is used).
- Firewall: If necessary, enable the check for a firewall function on the user's computer (in this example the option Enabled is used, which checks whether a firewall is active).
1.5) User administration:
The User administration is where you enter your own domain. Users can be connected to an Active Directory, if available, or they can be configured in the LMC.
1.5.1) Go to the User administration tab and enable the option LMC-managed. Then click Copy text next to the TXT resource record field. Enter this as the TXT resource record in the account of your DynDNS provider for the domain.
1.5.2) Use the Domain field to enter the domain you are using (in this example mydomain.com) and click Save.
1.5.3) Click Add user.
1.5.4) Modify the following parameters and then click Save:
- Name: Enter a descriptive name for the user (in this example Admin).
- E-mail: Enter the user-name part of the user's e-mail address. The domain is already stored.
- Password: Set a password that the user enters when connecting with the LTA client for the first time (the user will then be asked to set their own password).
- Confirm password: Confirm the password.
1.6) Connection targets:
The Connection targets menu is used to create resources that can be assigned to the users (see step 1.7).
1.6.1) Go to the Connection targets tab and click Add connection target.
1.6.2) Modify the following parameters and then click Save:
- Name: Enter a descriptive name for the connection target (in this example Web-Server).
- Hostname / IPv4 address / CIDR notation: Enter a DNS name or the IP address of the connection target (in this example 10.0.0.250). Alternatively, you can provide access to an entire network by entering the network address in CIDR notation (e.g. 10.0.0.0/8).
- Protocol: Select the communications protocol (in this example TCP).
- The following protocols are available:
- TCP
- UDP
- ICMP
- AH
- ESP
- GRE
- TCP+UDP
- All protocols
- Port: Enter the ports for the communications (in this example 80 and 443). Multiple ports can be separated by a comma (e.g. 80,443). Port ranges can be entered with a hyphen (e.g. 5060-5061).
1.7) Authorization profiles:
The Authorization profiles are used to link users to the connection targets. Different users can be assigned to individual connection targets. The LMC uses these settings as a basis to automatically create firewall rules that allow communication to the connection targets.
1.7.1) Go to the Authorization profiles tab and click Add authorization profile.
1.7.2) Modify the following parameters:
- Profile name: Enter a descriptive name for the profile (in this example Admin).
- Users / Groups: From the drop-down menu, select the user created in step 1.5.4 (in this case Admin). You can optionally select multiple users and assign them the same permissions.
An LTA license is required for every active user.
1.7.3) Under Status enable the necessary connection targets for the user (see step 1.6.2) and click Create.
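To make the relationship between connection targets (step 1.6) and authorization profiles (step 1.7) concrete, here is an added example that models the LMC's port, protocol and address fields and answers "may this user reach this destination?" with default deny. This is illustrative code written for this article, not the LMC's real rule generator; the TARGETS and PROFILES data are constructed from the article's example values.

```python
import ipaddress

# Protocol choices offered by the LMC (step 1.6.2); "TCP+UDP" and "All protocols" expand to sets.
PROTOCOL_SETS = {"TCP+UDP": {"TCP", "UDP"},
                 "All protocols": {"TCP", "UDP", "ICMP", "AH", "ESP", "GRE"}}

def parse_ports(field):
    """Parse the Port field: comma-separated ports and hyphen ranges, e.g. '80,443' or '5060-5061'."""
    ranges = []
    for item in (p.strip() for p in field.split(",") if p.strip()):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port entry: {item!r}")
        ranges.append((lo, hi))
    return ranges

def make_target(address, protocol, ports=""):
    """Model one connection target: host name, single IPv4 address (becomes /32) or CIDR network."""
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        net = None                       # a DNS host name rather than an address
    return {"host": address, "net": net,
            "protocols": PROTOCOL_SETS.get(protocol, {protocol}), "ports": parse_ports(ports)}

def target_allows(target, dst, protocol, port=None):
    """Does the target cover destination `dst` (IPv4 or host name) for this protocol and port?"""
    if target["net"] is not None:
        try:
            dest_ok = ipaddress.ip_address(dst) in target["net"]
        except ValueError:
            dest_ok = False              # a host name never matches an address/CIDR target
    else:
        dest_ok = dst.lower() == target["host"].lower()
    ports_apply = protocol in ("TCP", "UDP") and target["ports"]   # empty Port field = any port
    port_ok = not ports_apply or (port is not None and any(lo <= port <= hi for lo, hi in target["ports"]))
    return dest_ok and protocol in target["protocols"] and port_ok

def is_permitted(profiles, targets, user, dst, protocol, port=None):
    """Default deny: a user reaches only targets enabled in an authorization profile that lists them."""
    return any(target_allows(targets[t], dst, protocol, port)
               for prof in profiles if user in prof["users"] for t in prof["targets"])

# Constructed sample using the article's example values; not exported from a real LMC project.
TARGETS = {"Web-Server": make_target("10.0.0.250", "TCP", "80,443"),
           "VoIP": make_target("10.0.0.0/8", "UDP", "5060-5061"),
           "Ping": make_target("10.0.0.0/8", "ICMP")}
PROFILES = [{"name": "Admin", "users": {"admin@mydomain.com"}, "targets": ["Web-Server", "VoIP", "Ping"]},
            {"name": "Web", "users": {"alice@mydomain.com"}, "targets": ["Web-Server"]}]
```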
2) Configuration steps in the LTA client:
2.1) In the LTA client, click Settings and select the option LMC Domain.
2.2) Change the following parameters:
- URL: Enter the URL lancom.de.
- Domain: Enter the e-mail domain that you stored in the LMC in step 1.5.1 (in this example mydomain.com).