Installing IBM MaaS360 VPN and configuring the IBM MaaS360 VPN TAP Adapter on Windows Server 2016+

Install IBM® MaaS360® VPN, including the IBM MaaS360 VPN TAP Adapter, on Windows Server 2016+.

1. Log in to the IBM MaaS360 Portal, select Setup > Services, and confirm that the IBM MaaS360 VPN service is enabled.
   Note: Contact IBM Support if the IBM MaaS360 VPN feature is not enabled.
2. Download the Cloud Extender and obtain the license key.
3. Follow the steps in the installation wizard to install the Cloud Extender on your Windows Server 2016+.
   The IBM MaaS360 VPN module is automatically downloaded to the user agents.
4. From the Cloud Extender Configuration Tool, select VPN, and select Setup a new VPN cluster.
   Note: After you install the Cloud Extender, the IBM MaaS360 VPN module might take a few minutes to download. If the VPN option is not displayed in the Cloud Extender Configuration Tool window, close the Cloud Extender Configuration Tool, wait a few minutes, and then start the Cloud Extender Configuration Tool again.
5. Click Install Tap Adapter to install the IBM MaaS360 VPN TAP Adapter.
   Important: Install the IBM MaaS360 VPN TAP Adapter before you configure settings for IBM MaaS360 VPN.
6. Select Yes to any security prompt.
   The adapter takes a few minutes to install on your system.

   Note:

   • If Windows Server 2016+ updates are pending on your system, restart your system, and then apply those updates before you install the IBM MaaS360 VPN TAP Adapter.
   • If you receive an error message during installation of the IBM MaaS360 VPN TAP Adapter, follow the steps in Troubleshooting issues with IBM MaaS360 VPN to remove the TAP adapter from your system. Restart your system, and if necessary, apply any updates, and then try to install the TAP adapter again.
   After you install the IBM MaaS360 VPN TAP Adapter, the window displays a warning message that the Routing and Remote Access Service (RRAS) is not configured properly. Enable Network Address Translation (NAT) on the outgoing interface of the IBM MaaS360 VPN to configure the Routing and Remote Access Service (RRAS).
   Follow the steps to enable Network Address Translation (NAT) on the outgoing interface for the IBM MaaS360 VPN.
   1. From the Windows Start menu, select Routing and Remote Access.
      If Routing and Remote Access is not listed, make sure that you followed the steps to install this role from the procedure provided in Installing the routing and remote access role on Windows Server 2016+.
   2. Right-click on the name of the server, select Configure and Enable Routing and Remote Access, and click Next.
      The Routing and Remote Access Server Setup Wizard displays the Configuration window.
   3. Select Network address translation (NAT), and click Next.
      The Routing and Remote Access Server Setup Wizard displays the NAT Internet Connection window.
   4. Make sure that Use this public interface to connect to the Internet is enabled.
   5. From the Network Interfaces list, select the network adapter that uses NAT for all outgoing traffic from VPN users.
      • This adapter must be an adapter on the server that is connected to a subnet that can reach both internal and external resources that you want your VPN users to access over the IBM MaaS360 VPN.
      • Do not select the IBM MaaS360 VPN TAP Adapter. This adapter is listening for traffic only and translates all traffic to the Ethernet adapter.
      • If you do not have the option to select an adapter, or if MaaS360VPNTap is not listed, make sure that you used the Cloud Extender Configuration Tool to configure IBM MaaS360 VPN and installed the IBM MaaS360 VPN TAP Adapter from that tool. This option is available only if you have more than one adapter on the server (MaaS360 always installs a second virtual adapter for the VPN). In NAT mode, you can use one interface for all traffic that accesses any resources from connected VPN tunnels.
        • For one-arm mode setup, the server uses only one physical adapter that is used by all traffic.
        • If you have multiple physical adapters (multi-arm mode setup), the adapter that is selected for the NAT interface must have routes available to reach any network resources (internal or external) that need to be accessed over the VPN. This type of setup can cause issues with routing public internet traffic, since the default gateway is used for routing internet traffic (you should only use one default gateway in Windows).

          If the default gateway is not set on the interface that is selected for NAT, and if there is not an explicit route defined for the resource that is requested, then users cannot access that resource over the VPN. See IBM MaaS360 VPN deployment scenarios for options on how to configure routing and interfaces.

      • If your Windows Server 2016+ uses more than two adapters, select the adapter that NAT uses. Select MaaS360VPNTap, and then click Next.
   6. Click Next, and then click Finish to complete NAT enablement on the IBM MaaS360 VPN server.
7. After you configure the Routing and Remote Access Service (RRAS), click Refresh.
   If the configuration is successful, a green checkmark is displayed next to the list of adapters and you can continue with the installation.
8. Enter the following network settings for the IBM MaaS360 VPN.

   Setting	Description
   Cluster Name	The name of the IBM MaaS360 VPN cluster that is available to the MaaS360 policies.
   VPN External Hostname	The external DNS name or the IP address, and the port that is used to configure external user connections to connect to the IBM MaaS360 VPN. The public IP address is assigned directly to an interface on the Windows Server or translated to the private address of the Windows Server by using a router, firewall, load balancer, or reverse proxy (highly recommended).
   VPN Port	The default port is 1194. You can change this port. IBM MaaS360 VPN currently uses the UDP protocol, which you cannot change. Make sure that the port that you entered is open to the server that is provisioning IBM MaaS360 VPN. Block other ports for security reasons.
   VPN Internal URL/IP	The private IP address or URL of the IBM MaaS360 VPN server host.
   Server Port	Any available open port on the IBM MaaS360 VPN server host.
   Virtual IP Address and Virtual Subnet Mask	One or more valid subnets (IP address and netmask) that are used to assign IP addresses to inbound user connections for the VPN tunnel. Use subnets in a private range that include enough IP addresses to handle all users that connect to each IBM MaaS360 VPN server. One subnet is needed for each IBM MaaS360 VPN server. The subnet must include enough IP addresses to handle the maximum number of users that can connect to the server at a single instance. Since Network Address Translation (NAT) is used on outgoing traffic from the server, you can use the same subnet for each IBM MaaS360 VPN server. However, this setup might impede troubleshooting efforts. Use unique subnets in the network that do not create overlap or confusion with the network routing.
   DNS Servers	One or more DNS servers that are used by user agents. The DNS server must be accessible from the network interface that the IBM MaaS360 VPN is installed on. The DNS server must resolve public and private addresses, even if split tunneling is used (or add a second public DNS to the list).
   Enable Split Tunneling	Enable this option if you configured at least one network destination for the VPN client to tunnel traffic to the IBM MaaS360 VPN servers. Note: Make sure that you disable the Enable Split Tunneling checkbox if you are routing all traffic through the VPN.
   Networks	A list of subnets (IP address and netmask) that are used to route through the IBM MaaS360 VPN (if you are using split tunneling). Note: If you are not using split tunneling, all traffic (private and public) is routed through the tunnel, which might increase the load on the server with non-corporate traffic.

9. Click Next. When the IBM MaaS360 VPN is configured, a certificate (p12 format) is generated for you to use if you are planning to set up multiple servers in a load-balancing scenario. Click Download VPN Certificate and store the certificate file for future use. Follow the steps in Setting up a cluster for IBM MaaS360 VPN.
10. Perform a ping test or an HTTP web request to validate VPN activity.
11. From the IBM MaaS360 Portal home page, select Setup > Cloud Extender, and then select the Cloud Extender where you installed the IBM MaaS360 VPN service. The Cloud Extender configuration settings are displayed in the Summary section.
12. From the drop-down list, select IBM MaaS360 VPN. The IBM MaaS360 VPN configuration settings and the latest statistics (a snapshot of the connected clients and statistics of those connections) are displayed.