VPN Deployment Guide
vSpace Pro Enterprise Edition with RX300, LEAF OS, and vSpace Client
RX300 and Leaf OS are vSpace Pro endpoint devices that are optimized for VPN-secured WAN deployment. However, the success of the deployment depends on planning and implementation, especially of the network infrastructure.
Please note that the vSpace protocol (UXP 2.0) is designed and optimized for the WAN environment. RX-series devices, vSpace Pro Client and LEAF OS support vCAST streaming for videos. Video streaming uses more bandwidth, depending on the streaming content. We recommend a good broadband Internet connection for the home user device (e.g. a desktop session with a productivity application takes less than 256 Kb/s). On Wi-Fi connections shared with many other home devices, the vSpace session may experience significant delay or temporary screen freezes.
Also please keep in mind that once you pass the line of a common LAN or WAN, most troubleshooting and problem solving relies on your local staff, since configurations on hardware, logic, and security are implemented by your IT and beyond the typical scope of NComputing support.
As part of the overall implementation mentioned in the KB article above, there are four key components required to connect vSpace Pro over a VPN connection.
NComputing Virtualization Platform: vSpace Pro Enterprise Edition on Windows Platform
Standard hardware- or software-based VPN solution support.
Sufficient Internet bandwidth must be available at Datacenter and Home users.
On the Windows Server hosted at the data center/cloud, we recommend installing the vSpace Pro Enterprise Edition virtualization software. vSpace Pro Enterprise Edition comes with the new UXP 2.0 protocol, which helps reduce network traffic by 43% to provide a faster, more efficient desktop experience and performance for WAN users. It also now has wider peripheral support. (vSpace Pro Enterprise install video user guide: http://vimeo.com/370172631)
vSpace Pro Enterprise key Features and Benefits.
Note:
vSpace Pro LTS is not recommended for WAN deployment.
Server hosted at the data center / cloud (hardware sizing depends on the number of users and the application requirements of the planned deployment).
Any industry-standard hardware- or software-based VPN solution, such as OpenVPN, OpenConnect, or PPTP, is supported.
Why VPN?
A VPN uses the public Internet to create an economical, isolated, and secure private network. It reduces security risk by preventing unauthorized access to specific network resources. Encryption ensures privacy on untrusted Wi-Fi and other public access networks, and the VPN extends centralized unified threat management to remote networks.
In this article, we use an OpenVPN server for the VPN connection.
Below are links to the complete OpenVPN deployment documentation.
(Paid business version, simple and easy to deploy with OpenVPN support) https://openvpn.net/vpn-server-resources/
(Free OpenVPN community version; requires multiple pre-configuration steps and technically skilled IT admin professionals)
OpenVPN - Post configuration:
We assume you have successfully deployed the OpenVPN server.
Refer to: https://openvpn.net/community-resources/installing-openvpn/
2.a) The specific steps for enabling port forwarding and the VPN gateway (public IP) service configuration depend on the firewall you are using, so you will need to look up the instructions for your firewall. To route OpenVPN client requests arriving from the public Internet, forward the OpenVPN default port (1194) on your firewall IP address (your public IP) to the port and IP address of the OpenVPN server.
Example: VPN server (1194) Port forward config (FortiGate).
Example: VPN gateway service config (FortiGate)
2.b) At the VPN server, add a push route for the vSpace Server deployed on the local network and for the subnets that must be accessible via the VPN gateway. Refer to: https://openvpn.net/community-resources/setting-up-routing/
Below is a sample OpenVPN server configuration with a push route (/etc/openvpn/server.conf).
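A quick way to confirm that the routes pushed in step 2.b actually cover the vSpace server, shown as an added example (not NComputing or OpenVPN project code). The embedded server.conf and all addresses are constructed placeholders, and pushed_routes and is_reachable are hypothetical helper names.

```python
import ipaddress
import shlex

# Constructed sample of /etc/openvpn/server.conf; every address is a placeholder.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
# LAN that hosts the vSpace Pro server
push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.1"
"""

def pushed_routes(conf_text):
    """Return the networks announced to clients via push "route <net> <mask>"."""
    routes = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN accepts both comment markers
            continue
        tokens = shlex.split(line)           # keeps the quoted push argument together
        if tokens[0] != "push" or len(tokens) < 2:
            continue
        args = tokens[1].split()
        if len(args) >= 2 and args[0] == "route":
            # OpenVPN treats a route without a netmask as a single host.
            mask = args[2] if len(args) >= 3 else "255.255.255.255"
            # Raises ValueError if the network address has host bits set (a typo).
            routes.append(ipaddress.ip_network(f"{args[1]}/{mask}"))
    return routes

def is_reachable(conf_text, host_ip):
    """True if some pushed route covers host_ip (e.g. the vSpace Pro server)."""
    addr = ipaddress.ip_address(host_ip)
    return any(addr in net for net in pushed_routes(conf_text))

if __name__ == "__main__":
    for host in ("192.168.10.25", "192.168.20.25"):
        state = "routed via VPN" if is_reachable(SAMPLE_SERVER_CONF, host) else "NOT pushed"
        print(f"{host}: {state}")
```

The second address falls in the subnet whose push line is commented out, so clients would have no route to a vSpace server placed there.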
2.c) Generate the OpenVPN client configuration, an .ovpn file (authentication key). Make sure the required signed certificates are configured on the VPN server. Refer to: https://openvpn.net/community-resources/static-key-mini-howto/
The OpenVPN connection can be configured to let the home user provide the configuration file (an .ovpn file).
With the VPN port forward and gateway configured successfully, you will be able to connect to your organization's corporate network via the VPN server gateway using a valid OpenVPN client config file.
3. Internet bandwidth
Size the internet bandwidth at the data center based on the number of current user sessions and applications used.
3.a) Data Center (Bandwidth utilization estimates): Bandwidth utilization will vary with respect to user session resolution and application function (fast scrolling) or GUI with heavy graphics. We strongly recommend conducting POC prior to deployment. At the data center we recommend the following:
- For basic productivity application (e.g. for text-based applications like Word, Excel, PowerPoint), we recommend a minimum 256 – 512 Kbps per user session,
- For audio conferencing and screen sharing (e.g. Microsoft Teams, Skype, Zoom, GoToMeeting, WebEx conferencing applications), we recommend a minimum 1-2 Mbps per user session.
- Video conferencing involving two-way or multi-way video calls is not recommended, as the amount of traffic generated will be greater than 30-40 Mbps per user session.
- For graphics-based applications, the bandwidth requirement may vary based on the applications.
3.b) Home user bandwidth requirement (user end): the home user should have:
- For basic productivity application (e.g. for text-based applications like Word, Excel, PowerPoint), we recommend at least 1Mbps bandwidth to deliver virtual desktops,
- For audio conferencing plus screen sharing (e.g. Microsoft Teams, Skype, Zoom, GoToMeeting, WebEx conferencing applications), we recommend 2-3 Mbps per user session.
- Video conferencing involving two-way or multi-way video calls is not recommended, as the amount of traffic generated will be greater than 30-40 Mbps per user session, with a potentially degraded user experience (delay and/or interrupted audio).
- For multimedia applications and/or vCAST streaming, more home bandwidths may be required depending on the content to provide a good user experience.
4. NComputing Endpoint Solution
RX300 and Leaf OS are VPN-enabled for secured connections; they support OpenVPN, OpenConnect and PPTP VPN.
Please refer to RX300 & Leaf OS installation guide.
vSpace Pro Client:
To connect vSpace Pro Client over VPN, install the OpenVPN Windows client app on the PC/laptop where vSpace Pro Client is installed. First run the OpenVPN Windows client app to connect to the corporate VPN network (requires the OpenVPN client config), and then run vSpace Pro Client to connect to the respective vSpace Pro Server (IP or server name).
4.a) Configuring VPN connections in RX300 & Leaf OS:
To enable a VPN connection the Enable VPN connection checkbox must be selected. The desired VPN type must be selected in the combo-box. All VPN types can be configured in a way allowing the device to automatically establish the VPN connection (with the VPN credentials stored in device configuration) after booting up and connecting to Ethernet or Wi-Fi network. The devices can also be configured to establish the VPN connections with credentials provided by the user on the VPN logon screen. The OpenVPN connections can additionally be configured in a way allowing the user to provide the configuration file on a USB memory stick.
The following device settings must be configured to enable OpenVPN and allow the user to provide the OpenVPN configuration file (see the screenshot below).
4.b) Configuring OpenVPN connection with configuration file provided by the user
The OpenVPN connection can be configured to let the user provide the configuration file (an .ovpn file) on a USB memory stick. The provided configuration file must be located in the root directory of a FAT-, NTFS-, ext3- or ext4-formatted USB stick. If the configuration (.ovpn) file refers to any other files, like client certificates, Certification Authority certificates, or private keys, then all those files must be copied to the root directory of the USB memory stick too. All files must be available as separate files. Compressed archives (ZIP, RAR, 7z, etc.), containing all files, are not supported.
OpenVPN connections using the user-provided configuration files can use following authentication methods:
- username and password,
- client certificate password,
- private key password,
- and combinations of them.
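A pre-flight check for the USB stick rules in 4.b, shown as an added example (not NComputing code; check_stick and demo are hypothetical names). It assumes PEM key files, and the file names and contents in demo are constructed. It reports referenced files that are missing or not in the root directory, flags archives, and lists which credentials the configuration will prompt for.

```python
import shlex
import tempfile
from pathlib import Path

# OpenVPN directives whose first argument names a separate file.
FILE_DIRECTIVES = {"ca", "cert", "key", "pkcs12", "tls-auth", "tls-crypt"}
ARCHIVES = {".zip", ".rar", ".7z"}

def check_stick(root, ovpn_name):
    """Return (problems, prompts) for an .ovpn bundle in the stick's root directory."""
    problems, prompts, block = [], set(), None
    for line in map(str.strip, Path(root, ovpn_name).read_text().splitlines()):
        if block:                          # skip inline <ca>...</ca> style data
            block = None if line == f"</{block}>" else block
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            block = line[1:-1]
            continue
        tok = shlex.split(line)
        if tok == ["auth-user-pass"]:      # no credentials file given: user is prompted
            prompts.add("username and password")
        if tok[0] not in FILE_DIRECTIVES or len(tok) < 2:
            continue
        name, ref = tok[0], tok[1]
        if "/" in ref or "\\" in ref:
            problems.append(f"{name}: '{ref}' must be a bare file name in the stick root")
        elif not Path(root, ref).is_file():
            problems.append(f"{name}: '{ref}' is missing from the stick root")
        elif name == "key" and b"ENCRYPTED" in Path(root, ref).read_bytes():
            prompts.add("private key password")   # PEM marker of a protected key
    problems += [f"{e.name}: compressed archives are not supported"
                 for e in Path(root).iterdir() if e.suffix.lower() in ARCHIVES]
    return problems, sorted(prompts)

def demo():
    """Check a constructed stick layout built in a temporary directory."""
    files = {
        "home.ovpn": "client\nremote vpn.example.com 1194\nauth-user-pass\n"
                     "ca ca.crt\ncert certs/client.crt\nkey client.key\n",
        "ca.crt": "-----BEGIN CERTIFICATE-----\n(constructed)\n",
        "client.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n(constructed)\n",
        "certs.zip": "",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            Path(root, name).write_text(body)
        return check_stick(root, "home.ovpn")
```

Calling demo() reports the cert path that points into a subdirectory and the ZIP archive, and shows that this configuration combines a username/password prompt with a private key password.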
4.c) The following settings must be configured to enable OpenVPN and allow the user to provide the OpenVPN configuration file:
- Enable VPN Connection – this checkbox must be selected.
- VPN type – OpenVPN must be selected.
- Let user provide the .ovpn and certificate files – this checkbox must be selected.
- Cache the .ovpn and certificate files – when selected, the device will copy the user-provided .ovpn file and, if necessary, its associated certificate and/or key files from the USB memory stick to internal storage. This allows the VPN connection to be reestablished without providing the memory stick with the files again.
- Cache the client certificate password and/or user credentials – when selected, the device will store the credentials provided by the user on the VPN logon screen and will automatically establish the VPN connection after reboot, without asking the user for any credentials. This option can only be used when the Cache the .ovpn and certificate files option is selected too.
Note: Enabling the above options opens the VPN connection to anybody who has physical access to the device, so keeping them disabled increases the security of the VPN connection.
4.d) Main screen GUI when a VPN connection is enabled
The following VPN logon screen appears on a device with OpenVPN enabled and with the option letting the user provide the configuration file, but without any files cached on the device yet:
The user can always click the [Skip VPN] button to proceed immediately to the main screen appropriate for the selected device operation mode, without trying to establish the VPN connection. If the VPN connection is skipped, the device will only be able to communicate with servers accessible through the LAN or Wi-Fi connection.
4.e) To import the OpenVPN configuration file from a USB memory stick the user should click the [Import .ovpn] button. The GUI will show a list of connected USB storage devices on the left-hand side. On the right-hand side there will be the list of OpenVPN configuration files (files with .ovpn extension) found in the root directory of the USB memory stick selected on the left-hand side:
The [Refresh] button can be clicked to refresh the lists if a USB memory stick was connected after clicking the [Import .ovpn] button.
After selecting the appropriate OpenVPN configuration file, the user must click the [Add] button to copy the file(s) to the internal storage of the device.
4.f) Depending on the contents of the imported OpenVPN configuration file, a VPN logon screen containing the OpenVPN server address and the input fields appropriate for the determined authentication mode will be displayed. If a client certificate requiring a password has been cached on the device, then information about the certificate subject will appear too. For example:
The [Connect VPN] button initiates the VPN user authentication process and, in case of successful authentication, starts the VPN connection. The [Import .ovpn] button in this situation can be used to replace the currently cached OpenVPN configuration file with a new one.
4.g) With a successful VPN connection, the GUI shows the two VPN icons.
The VPN icon at the top of the screen indicates a successful VPN connection. Hovering the mouse pointer over this icon displays the current IP address of the VPN interface. The exit icon at the top of the screen allows disconnecting the VPN connection and returning to the VPN logon screen.
You can also check the VPN IP information under About device.
4.h) Now you are ready to connect to the hosted vSpace Server in the VPN network. Provide the vSpace Server IP address or name and click connect.