OutSystems

Set up a VPN using LifeTime 11.6.0 or earlier

    This topic describes the procedure to set up a site-to-site VPN (virtual private network) connection to your OutSystems Cloud when running LifeTime Management Console 11.6.0 or earlier.

    Before proceeding, read Set up a VPN to your OutSystems Cloud to understand the details of a VPN connection between OutSystems Cloud and your on-premises network, and the specifications for that VPN.

    Set up the first VPN to your OutSystems Cloud

    The procedure below applies only to OutSystems Cloud running LifeTime Management Console 11.6.0 or earlier. For LifeTime 11.6.1 or later, follow the procedure in Set up a VPN to your OutSystems Cloud.

    Before you begin

    Before you begin setting up your VPN, make sure you comply with the requirements and that you gather the necessary information to proceed:

    Check the VPN gateway requirements

    Your VPN gateway can be a physical or software device. Check the list provided by AWS to find out whether AWS has tested your VPN gateway with the site-to-site VPN. If your VPN gateway isn't in that list, it must meet the following requirements:

    • Maintains the same static public IP address.

    • Establishes IKE v1 or IKE v2 Security Association using pre-shared keys.

    • Establishes IPSec Security Associations in Tunnel mode.

    • Uses IPsec Dead Peer Detection (DPD).

    • Uses the AES 128-bit or AES 256-bit encryption function.

    • Uses the SHA-1 or SHA-256 hashing function.

    • Uses the Diffie-Hellman Perfect Forward Secrecy in groups 2 (1024 bit), 5 (1536 bit), 14-18 (2048 bit), 22, 23, or 24 (2048 bit).

    Gather the necessary information

    Before requesting a VPN connection, make sure you have the following information:

    • The public IP of your VPN gateway. If your VPN gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device.

    • The brand, model, and software version of your VPN gateway.

    • The internal IP range of the on-premises network that will access the VPN.

    • The type of routing that your VPN gateway supports: if the gateway supports Border Gateway Protocol (BGP), use dynamic routing, otherwise use static routing.

    Check your on-premises network

    The internal IP address range of your on-premises network must not overlap with the internal IP address range of your OutSystems Cloud. Check how to find out the internal IP address range of your OutSystems Cloud.

    Make sure you have the necessary permissions

    To request a VPN you must have the Administrator role in LifeTime.

    An Infrastructure Administrator must approve the VPN request in the Support Portal.

    Setup overview

    [Figure: VPN setup overview]

    Make sure you read the previous section before you continue.

    Step 1. Request the first VPN

    To request the first VPN to your OutSystems Cloud, follow these steps:

    1. Open LifeTime by accessing https://<lifetime_environment>/lifetime, where <lifetime_environment> is the address of your LifeTime environment.

    2. Select the ENVIRONMENTS tab, open Options and select Activate VPN.

    [Figure: Activate VPN in LifeTime]

    3. Fill in the form by entering the values for each field:

      • Your email address.

      • The email address of the Network Engineer. If you are the Network Engineer, enter your email.

      • The public IP of your VPN gateway. If your VPN gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device.

      • The internal IP range of the on-premises network that will access the VPN.

      • The brand, model, and software version of your VPN gateway.

      • The type of Routing that your VPN gateway supports. If your VPN gateway supports Border Gateway Protocol (BGP), select Dynamic routing, otherwise select Static routing.

    4. To send your request for a VPN, select Activate VPN Service. This creates a support ticket with the information you provided in the form.

    Step 2. OutSystems creates the VPN connection and contacts you

    After validating all the required information, OutSystems creates the VPN connection on your OutSystems Cloud. When the VPN connection is ready, OutSystems sends you the VPN Peer Address and the information needed to configure the VPN gateway on your on-premises network, including a configuration file created by AWS.

    The type of configuration file you receive depends on your VPN gateway:

    Step 3. Configure your VPN gateway

    This step must be performed by your Network Engineer.

    After receiving the required information to set up your VPN connection, complete the configuration of your VPN gateway by following the instructions in the communication sent by OutSystems Support and in the configuration file.

    During the VPN gateway configuration you should use the values provided in the configuration file.

    If you want to use your own configuration, make sure your VPN gateway configuration values respect the following AWS requirements:

    Phase 1 Parameters

    | Parameter | Value |
    |---|---|
    | Protocol | IKE v1 or IKE v2 |
    | Authentication Method | Pre-shared Key |
    | Protocol Communications | Encapsulated UDP port 500, NAT-T (UDP port 4500) |
    | Encryption Algorithm | AES-128, AES-256 |
    | Diffie-Hellman Group | 2 (1024 bit), 14-18 (2048 bit), 22, 23, and 24 (2048 bit) |
    | Perfect Forward Secrecy (PFS) | Yes |
    | Hashing Algorithm for Integrity | SHA-1, SHA-256 |
    | Re-negotiation time | 28800 seconds |
    | Mode | Main |

    Phase 2 Parameters

    | Parameter | Value |
    |---|---|
    | Protocol | IKE Phase II (IPSEC SA) |
    | IPSec Protocol | ESP; UDP port 500; NAT-T is supported on your side |
    | Encryption Algorithm | AES-128, AES-256 |
    | Encryption Mode | Tunnel |
    | Diffie-Hellman Group | 2 (1024 bit), 5 (1536 bit), 14-18 (2048 bit), 22, 23, and 24 (2048 bit) |
    | Hashing Algorithm for Integrity | SHA-1, SHA-256 |
    | Lifetime Measurement | Time |
    | Time Lifetime | 3600 seconds |
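
    One way to check a custom gateway proposal against the Phase 1 and Phase 2 values above before applying it. This is an added example, not OutSystems or AWS code; the field names, the `check_proposal` helper, and the sample proposal are assumptions made for illustration, and lifetimes are assumed to have to match the listed values exactly.

```python
# Allowed values transcribed from the Phase 1 / Phase 2 parameters on this page.
# Assumption: field names are illustrative; lifetimes must equal the listed values.
COMMON = {"encryption": {"AES-128", "AES-256"}, "integrity": {"SHA-1", "SHA-256"}}
ALLOWED = {
    "phase1": {
        **COMMON,
        "ike_version": {1, 2},
        "auth": {"PSK"},
        "mode": {"MAIN"},
        "dh_group": {2, *range(14, 19), 22, 23, 24},
        "lifetime_s": {28800},
    },
    "phase2": {
        **COMMON,
        "protocol": {"ESP"},
        "mode": {"TUNNEL"},
        # Group 5 is listed for Phase 2 only; a missing group means PFS is off.
        "dh_group": {2, 5, *range(14, 19), 22, 23, 24},
        "lifetime_s": {3600},
    },
}


def check_proposal(proposal):
    """Return findings as 'phase.field: reason'; an empty list means compliant."""
    findings = []
    for phase, fields in ALLOWED.items():
        settings = proposal.get(phase, {})
        for field, allowed in fields.items():
            value = settings.get(field)
            # Compare string settings case-insensitively; numbers are used as-is.
            normalized = value.strip().upper() if isinstance(value, str) else value
            if field not in settings:
                findings.append(f"{phase}.{field}: missing")
            elif normalized not in allowed:
                findings.append(f"{phase}.{field}: {value!r} not allowed")
    return sorted(findings)


# Constructed sample: a hand-written gateway proposal with three mistakes.
SAMPLE = {
    "phase1": {"ike_version": 2, "auth": "psk", "mode": "main", "encryption": "aes-256",
               "integrity": "sha-256", "dh_group": 5, "lifetime_s": 28800},
    "phase2": {"protocol": "esp", "mode": "tunnel", "encryption": "3DES",
               "integrity": "sha-1", "lifetime_s": 3600},
}

if __name__ == "__main__":
    print("\n".join(check_proposal(SAMPLE)))
```

    The sample fails on Diffie-Hellman group 5 in Phase 1 (the table lists it for Phase 2 only), on 3DES in Phase 2, and on the missing Phase 2 group, which would leave PFS disabled.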

    Step 4. Configure your firewall

    This step must be performed by your Network Engineer.

    If your on-premises network includes a firewall between the Internet and your VPN gateway, implement the following rules in the firewall:

    • Allow UDP traffic on port 500 between your VPN gateway and each of the VPN tunnels to the OutSystems Cloud to enable the transmission of IKE packets. There should be four rules: a pair of inbound and outbound rules for each VPN tunnel.

    • Allow Encapsulating Security Payload (ESP) traffic - IP protocol number 50 - between your VPN gateway and each of the VPN tunnels to the OutSystems Cloud to enable the transmission of IPSec packets containing the encrypted network traffic. There should be four rules: a pair of inbound and outbound rules for each VPN tunnel.

    • If your OutSystems Cloud needs to access systems on your on-premises network, add other inbound and outbound firewall rules. Make sure to create inbound and outbound rules for each of the VPN tunnels.
      For example, to access a SQL Server database, allow TCP traffic on port 1433, and to access an Oracle database, allow TCP traffic on port 1521.

    • If you are using NAT-T on your VPN gateway, allow UDP traffic on port 4500. Add outbound and inbound firewall rules.
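
    The IKE, ESP, and NAT-T rules above can be audited by building the required rule set per tunnel and diffing it against what the firewall actually has. This is an added example, not OutSystems code; the rule tuple layout, the helper names, the tunnel addresses (documentation ranges), and the exported rule set are all constructed for illustration.

```python
from itertools import product

DIRECTIONS = ("in", "out")


def required_rules(tunnel_peers, nat_t=False):
    """Rules from the firewall step as (direction, protocol, port, peer) tuples."""
    services = [("udp", 500), ("esp", None)]  # IKE, and ESP = IP protocol 50 (no port)
    if nat_t:
        services.append(("udp", 4500))  # NAT traversal
    return {(direction, proto, port, peer)
            for peer, (proto, port), direction in product(tunnel_peers, services, DIRECTIONS)}


def missing_rules(configured, tunnel_peers, nat_t=False):
    """Return the required rules that are absent from the configured rule set."""
    gaps = required_rules(tunnel_peers, nat_t) - set(configured)
    return sorted(gaps, key=repr)  # repr key: ports mix int and None


# Constructed sample: two tunnel endpoints and a rule set exported from a
# hypothetical firewall in front of the VPN gateway.
TUNNELS = ["203.0.113.10", "203.0.113.20"]
CONFIGURED = [
    ("in", "udp", 500, "203.0.113.10"), ("out", "udp", 500, "203.0.113.10"),
    ("in", "esp", None, "203.0.113.10"), ("out", "esp", None, "203.0.113.10"),
    ("in", "udp", 500, "203.0.113.20"), ("out", "udp", 500, "203.0.113.20"),
    ("in", "esp", None, "203.0.113.20"),
    ("out", "udp", 50, "203.0.113.20"),  # mistake: ESP is IP protocol 50, not UDP port 50
]

if __name__ == "__main__":
    for rule in missing_rules(CONFIGURED, TUNNELS, nat_t=True):
        print("missing:", rule)
```

    With two tunnels the required set holds four UDP 500 rules and four ESP rules, matching the counts stated above; the sample is reported as missing outbound ESP to the second tunnel because a UDP port 50 rule does not match ESP traffic.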

    Requesting additional VPN connections to your OutSystems Cloud

    If you need additional VPN connections, contact your Account Manager to obtain more information.