Rescale VPN Setup Workflow

Connect Rescale with your on-premise resources

This document will guide you through the preparation work and the steps to establish a VPN connection to the customer’s on-premise network.

Contents

Introduction

Establishing a VPN connection enables Rescale servers to communicate with customer corporate networks. Communication with customer corporate networks is common to connect Rescale to a customer license server, to provide access to a Remote Desktop in the Rescale cloud for remote visualization, or for additional access security to a company’s Rescale accounts. Please reach out to support@rescale.com for getting more information about the associated cost for VPN setup

vpn-image

The process for establishing a VPN connection requires access to the VPN Gateway and company firewall administration settings. Rescale recommends that prior to starting the VPN setup, customer IT/Network does the following:

  1. Establish a Company Administrator account. To do this, if the administrator already has a Rescale account, simply connect with support via chat or send an email to support@rescale.com to request Company Administrator rights. To establish a new account, navigate to www.rescale.com, select “Log In” and then select “Sign Up.” Once the account is established, either connect with support via chat or send an email to support@rescale.com to request Company Administrator rights.
  2. Gather the VPN gateway IP address and the private IP address(es) of the license server(s). These will be used in Step 2 of Setup Workflow.

Supported Devices and Exceptions

Given the number of make/model/software version combinations that are prevalent, it is important to be aware of the devices that are typically supported by VNS3 for the the VPN setup.

VNS3 supports most IPsec data center solutions, these solutions include but are not limited to:

  • Most models from Cisco Systems*
  • Juniper
  • Watchguard
  • Dell SONICWALL
  • Netgear
  • Fortinet
  • Barracuda Networks
  • Check Point*
  • Zyxel USA
  • McAfee Retail
  • Citrix Systems
  • Hewlett Packard
  • D-Link
  • WatchGuard
  • Palo Alto Networks
  • OpenSwan
  • pfSense
  • Vyatta/VyOS

Recommended IPsec Devices:

Any IPsec device that supports:

  • IKE1 or IKE2
  • AES256 or AES128 or 3DES
  • SHA1 or MD5
  • NAT-Traversal standards.

Notable Exceptions to Supported Devices:

Checkpoint R65+ requires native IPSec connections. This is due to the fact that Checkpoint does not conform to NAT-Traversal Standards, Cisco ASA 8.4(2)-8.4(any) and Cisco ASA-X 9.2(any)-9.6.1. There are complications present that prevent a stable connection from being maintained.

Setup Workflow

1) Customer primary POC establishes connection with Rescale support

The primary point of contact on the customer side should initiate the VPN setup process by establishing a person-to-person link with a Rescale support engineer that will assist with the setup. The customer primary contact can reach Rescale support via support chat on the Rescale platform or at support@rescale.com.

2) Rescale proposes a IP subnet range of customer’s Dedicated Company Private Network

The Rescale support engineer will propose a tentative IP subnet range for the customer’s dedicated company private network to the customer IT/Network contact. The customer IT/Network contact should ensure that this subnet range should not overlap with the on-premise infrastructure. If the proposed subnet range overlaps with the customer’s on-premise infrastructure, Rescale support and the customer IT/Network team will work together to negotiate the IP subnet range and come up with a range that works for both sides

3) Customer provides VPN Gateway IP address and License Server’s private IP address, cloud provider and Endpoint information

After appropriate negotiations and agreement on the proper IP range, the customer IT/Network team will provide: 1) Their VPN gateway IP address for the VPN connection and 2) The private IP address(es) of the license server(s) 3) What license softwares and services they are using along with the port information 4) What cloud provider are they using for the VPN tunnel setup 5) How many endpoints are they willing to have and send the above information to the dedicated Rescale support engineer contact or to support@rescale.com.

Note : We support various deployment options like, Single cloud single region, Single cloud multi region, Multi-cloud single region and Multi-cloud multi region along with high availability (HA) options.

4) Rescale provisions the customer resources

Rescale support will provision the VPN related resources stack after receiving the information above.

5) Rescale sends out the VPN checklist to customer IT/Network team

Next, a Rescale HPC Engineer will reach out to the customer Network/IT contact in the company and share a VPN checklist, which should be completed by the customer IT/Network team.

6) Customer configures the VPN connection

Next, the customer IT/Network team will use the configuration script/file and pre-shared keys provided by Rescale’s HPC Engineer to configure the VPN tunnels in the VPN gateway device. With the VPN configuration file and pre-shared keys retrieved, the customer will configure the VPN tunnels and establish the connection in the VPN gateway device.

7) Customer configures on-premises firewall

In order for the nodes launched in the dedicated company private network and to checkout licenses from the on-premise license server through the VPN connection, license and vendor ports (aka vendor daemon port) need to be allowed for inbound on customer-side firewall. The customer IT/Network team should update firewall rules to enable this action.

Please note that if the license server is using floating licenses, the floating vendor port needs to be fixed in the license file (instructions to fix the vendor port are here). Upon completion of these actions, please send an email to the Rescale support engineer.

8) Rescale tests VPN connectivity and license checkout

After the VPN connection is established, Rescale will launch a test node in dedicated company private network to test the connectivity to customer’s on-premise license server. If the license server status can be successfully queried from the test node, the VPN connection is established successfully.

Please Note: Rescale support engineer should have permissions to create a test account in the company for testing. This should be confirmed before the testing is initiated and to avoid any delay in the setup completion

Advantages of the VPN Setup

1) Improved monitoring and visibility – Rescale can provide Ipsec logs (of up to 14 week) history to the connecting party on-demand

There are also different alert mechanisms that are supported and available, like connection alerts (tunnel connect or disconnect event), which could be sent to connecting party via webhook (AWS SNS, OpsGenie, PagerDuty,Slack,Webex Teams), Application alerts, Ping Host, Ipsec Tunnel Monitoring, Network Sniffer.

2) Better Interoperability – We can connect to any device that supports the following:

  • Policy-based VPN
  • Route-based VPN
  • Encapsulating Security Packet (ESP) wire level protocol
  • Tunnel Mode
  • Internet Key Exchange (IKE)
  • Main Mode
  • Preshared Key (PSK)

3) Fast and easy troubleshooting

  • Live 24/7 troubleshooting in case of priority level 1 interruptions
  • Independent troubleshooting
  • Application and Network control and proactive troubleshooting

4) Follow latest industry best practices

  • Support latest Ipsec parameters including AES with larger key sizes like 512 bit, AES-GCM,SHA-2 hash and many more
  • IKEv1 or IKEv2 depending on remote hardware device support
  • Native Ipsec or NAT-Traversal (depending on remote hardware device support) some do not support
  • VTI Route-based, Policy-based, or GRE Route-based Ipsec tunnels
  • BGP over Ipsec – for highly available active-active Ipsec solutions

5) Additional NAT capability

In order to avoid private IP address overlap (RFC1918) when creating IPsec connection between two organizations, Rescale supports the option of using a non-routable Public IP for the Rescale HPC encryption domain. Using public IPs as the remote encryption domains ensures no address overlap between internal and other remote connections

Links to Platform Integrations Pages

Should you require a region specific Integration page, the following table of links will take you to the desired Platform.

Platform RegionIntegrations link
United StatesUS Integrations
European UnionEU Integrations
JapanJP Integrations
South KoreaKR Integrations