Lab VPN Access
About Lab VPN Access
You can enable Lab VPN access in XPRESSO to connect to networks and equipment deployed in labs located in a DMZ. You only need to enable the VPN connections for testbeds or topologies that require a VPN to access them or for any other application where a VPN connection is required.
The VPN Service configuration is provided by the host facility's Lab Admin so that XPRESSO can configure the ASA for user access through the VPN. The Lab Admin is responsible for maintaining a firewall between the DMZ lab(s) and the Internet using a (virtual) ASA.
NOTE:
XPRESSO does not validate the VPN Service configuration in any way (no pings or checks are made); data is passed blindly. The onus is on the facility Lab Admin to ensure that any servers/devices interfacing with XPRESSO have ASA configured correctly, so that the VPN Service configuration is validated.
VPN configuration of a DMZ lab can be enabled/disabled at a Group level to ensure privacy/security.
By enabling a VPN Service, you have the option to select the Lab VPN Access plugin as part of a testbed reservation. The Lab VPN Access plugin provides the means to enter the default settings used by XPRESSO to connect to the ASA firewall, and create/establish the User VPN credentials.
When the Reservation is in an "Active" state, a VPN session and a VNC session are created; you will receive both an email and a message with the VPN credential details. You can then use the credentials to access the reserved devices in the DMZ'ed labs. When the reservation terminates, the VPN session is revoked.
You can also optionally create a VNC session to remotely control the network device; the settings are based on a standard Linux environment and set the default settings associated with a Linux-supported web browser based on Ubuntu.
How to Enable Lab VPN Access?
Enabling Lab VPN Access for a reservation is a two-step process in XPRESSO:
Configure the Lab VPN Access settings associated with your Group; see the "Viewing or Configuring Lab VPN Access Settings" procedure below for details. This is a one-time requirement but adjustments to the VPN connection settings can be made at any time.
When you create a reservation, you set the option to use the Lab VPN connection details when setting the Reservation Option details associated with the reservation. See the "To Use a Lab VPN with your Reservations" procedure below for details. This is an ongoing requirement each time you create a reservation that requires a VPN connection.
Viewing or Configuring Lab VPN Access Settings
This action is performed by the Group Administrator.
From the Main Navigation Bar, choose Settings, Contacts & Help→Group Management to open the Group Membership page.
Click the My Groups menu if required. The My Group page displays all the Groups you currently belong to.
Click on the Group of interest that you want to view or set the Lab VPN Access Settings for. The Group Details page opens displaying the Group Overview details.
Click the Guest→Lab VPN Access menu from the Left menu bar. Both the VPN Configuration and VNC Session sub-menus appear.
In the VPN Configuration sub-menu, click the Enable Lab VPN Service Plugin parameter checkbox to initiate Lab VPN services for Reservations. All related parameters appear.
Configure the following parameters:
- VPN Hostname: Enter the VPN hostname that appears in the CLI prompt.
- VPN Connection: Enter the VPN connection string required to telnet or SSH to the remote device.
- VPN Username: Enter the VPN username used to login.
- VPN Line Password: Enter the VPN Line credentials (password) to allow XPRESSO to add users for VPN access/ASA.
- VPN Enable Password: Enter the VPN console/management credentials (password) to allow XPRESSO to add users for VPN access/ASA.
- VPN Address: Enter the external-facing VPN access address (IP/hostname) that users are required to enter into the AnyConnect host field to connect.
Click the Save button. Proceed to the next step if you want to set the default settings associated with a Linux-supported web browser for a VNC session; otherwise no other steps are required.
In the VNC Session sub-menu, click the Create a VNC to a standard Linux environment parameter checkbox to initiate the VNC session configuration. All related parameters appear.
Configure the following parameters:
- Linux Hostname: Enter the Linux VPN hostname that appears in the CLI prompt.
- Linux Connection: Enter the Linux VPN connection string required to telnet or SSH to the remote device.
- Linux Username: Enter the Linux VPN username used to login.
- Linux Password: Enter the Linux VPN password used to login.
- VNC Server: Enter the hostname or IP address of the device/interface where VNC will be run.
To back out of any changes made, you can revert to the last saved Lab VPN settings by clicking the Reset button (this button appears when a change is made).
Click the Save button.
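Because XPRESSO passes these values to the ASA without any checks (see the NOTE above), a Lab Admin may want to check the VPN Configuration parameters before clicking Save. The following Python check is an added example, not XPRESSO code; the connection-string form "<ssh|telnet> <host> [port]", the TCP 443 probe of the VPN Address, and all sample values are assumptions.

```python
import socket

REQUIRED = ("VPN Hostname", "VPN Connection", "VPN Username",
            "VPN Line Password", "VPN Enable Password", "VPN Address")
DEFAULT_PORTS = {"ssh": 22, "telnet": 23}
# Constructed sample values, not taken from any real lab.
SAMPLE = {"VPN Hostname": "lab-asa", "VPN Connection": "telnet asa-mgmt.lab.example",
          "VPN Username": "xpresso-svc", "VPN Line Password": "constructed-1",
          "VPN Enable Password": "constructed-2", "VPN Address": "vpn.lab.example"}


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_vpn_settings(settings, probe=tcp_probe):
    """Return (severity, message) findings; an empty list means no issue found."""
    missing = [f for f in REQUIRED if not str(settings.get(f, "")).strip()]
    if missing:
        return [("error", f"{f} is empty") for f in missing]
    # Assumed connection-string form: "<ssh|telnet> <host> [port]".
    proto, *rest = settings["VPN Connection"].split()
    proto = proto.lower()
    if (proto not in DEFAULT_PORTS or len(rest) not in (1, 2)
            or (len(rest) == 2 and not rest[1].isdecimal())):
        return [("error", "VPN Connection is not '<ssh|telnet> <host> [port]'")]
    host = rest[0]
    port = int(rest[1]) if len(rest) == 2 else DEFAULT_PORTS[proto]
    findings = []
    if proto == "telnet":
        findings.append(("warning", "telnet sends the line and enable "
                         "passwords in cleartext; prefer ssh"))
    if not probe(host, port):
        findings.append(("error", f"management endpoint {host}:{port} unreachable"))
    # TCP 443 is the AnyConnect default; adjust if the ASA listens elsewhere.
    if not probe(settings["VPN Address"].strip(), 443):
        findings.append(("error", "VPN Address does not accept TCP 443"))
    return findings


if __name__ == "__main__":
    # Stubbed probe keeps the demo offline: only the management port answers.
    up = {("asa-mgmt.lab.example", 23)}
    for severity, message in check_vpn_settings(SAMPLE, lambda h, p: (h, p) in up):
        print(f"{severity}: {message}")
```

Run the management-endpoint probe from the host where XPRESSO runs and the VPN Address probe from outside the DMZ, since those are the two vantage points that actually use each value.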
Using a Lab VPN Connection with your Reservations
You only need to enable a Lab VPN connection for topology/testbed reservations that require a VPN connection. For all other connections, XPRESSO handles them automatically.
To Use a Lab VPN with your Reservations:
NOTE:
This procedure is a precis of a much larger procedure that outlines how to configure testbed and topology reservations. The focus of this procedure is to only highlight how to use a Lab VPN with your Reservations. See "Reserving a Testbed" for all other details associated with creating a reservation for a testbed and topology.
Choose one of the following to initiate a new reservation on a testbed:
- From the Main Navigation Bar, choose Main Menu→EVENTS→Reservations to open the Reservations page and click the Reserve Testbeds button. This provides a quick link to the Registered Testbeds page.
- From the Main Navigation Bar, choose Main Menu→RESOURCES→Testbeds to open the Registered Testbeds page.
Locate and highlight the testbed that you want to create the reservation for and click the Reserve floating action button located to the right of the highlighted testbed. The New reservation on Name-of-Selected-Testbed wizard opens.
In the Reservation Options wizard step, configure the following Lab VPN Access parameters as required:
- VPN Configuration: Toggle the checkbox to allow/disallow a VPN Connection to be initiated in an active state and disconnected in a terminal state.
- VNC Session: Toggle the checkbox to allow/disallow a VNC Session to be initiated in an active state and disconnected in a terminal state.
NOTE:
You can see both the VPN Connection and VNC Session details by clicking the Show Details button next to the parameter.
If the Lab VPN settings are properly configured for the group, the system will do the following as your reservation becomes active:
- Generate VPN credentials and create a VPN session and a VNC session.
- Create an on-demand Linux container for remote-desktop access.
- Email the above information to the requesting user.