This concept demonstration shows how enterprise administrators can enforce business policies to branch and roaming users through the use of the VMware SD-WAN Gateway.

The demonstration makes use of the following components to achieve this goal:

• VMware SD-WAN Gateway: SD-WAN gateway has cloud presence and provide book end solution to SD-WAN overlay tunnel from SD-WAN edge device. SD-WAN gateway also initiates a secure IPsec tunnel to Azure network (access globalretal1.labs.velocloud.org company site) and Menlo security for secure web isolation.
• VMware SD-WAN Orchestrator: To configure SD-WAN edge devices and gateway, manage and monitor WAN link status, application recognition, tunnel configuration and monitor tunnel status to Azure resources and Menlo security.
• VMware SD-WAN Edge: SD-WAN edge device installed at branch site to recognize application, giving IP Address to client and redirecting user traffic over SD-WAN over lay tunnel to VMware SD-WAN gateway.
• VMware UAG: Unified Access Gateway provides secure access to enterprise application and detects whether the client is connected to untrusted or trusted network.
• VMware UEM: Unified End point management help enterprises secure and control the entire IT environment and all its endpoints, including smartphones, tablets, laptops and desktops, plus their users, apps, content and data. UEM also helps to configure SSL tunnel configuration. This tunnel gets established when the end user device is external and on untrusted network. This SSL tunnel gets initiated from End user device to UAG. UAG is placed in the VMware pop location.
• Microsoft Azure vNet: Enterprise website ("Global Retail" enterprise) website is hosted.
• Menlo Security gateway is installed in the cloud and managed by Menlo orchestrator.
• Client device: For the purpose of the demo a Microsoft Windows 10 laptop is used, equipped with a VMware Airwatch agent.
• VMware Airwatch agent: Airwatch agent or intelligent hub along with tunnel software is gets installed and configured on user end device when the connection from end device is made to UAG. Also used to configure Tunnel configuration

Demo use cases covered are User in Trusted and Untrusted Network accessing private and Internet resources. In the demo,

• User accessing enterprise website hosted in Azure network. Web site running globalretail1.labs.velocloud.org
• User also accessing internet. All internet traffic is inspected by Menlo Security. Sites like sports category inspected and blocked by Menlo security.

<BRANCH CASE>

User in Trusted Network. showcase access to Private resources on Azure network and internet traffic getting redirected to Menlo Security in cloud for secure access.

Access to Private Resources from a branch

• Click to show the path the clients device will take from the branch site when accessing a enterprise private resources hosted on a Microsoft Azure vNet.
• SD-WAN overlay tunnel gets established securely from Edge device to VMware SD-WAN gateway.
• From SD-WAN gateway, traffic goes over the IPsec tunnel to Azure vNET.

• Click on the Wi-fi. End user device from branch site shows Wifi connected to enterprise network.
• Click and select the Enterprise network, in this case Globalretail-wifi
• Workspace1 tunnel software installed on the end user device also detects Trusted network and tunnel status as disconnected. Tunnel software installed at the end device communicates with the UAG and detects that the user is connected on trusted network.
• Click on the tunnel sofware from the task bar. End device tunnel UI shows Tunnel status as disconnected.
• From Client device browser > Click on Monitor Edges > Click the Global Retail Branch 01 > showcase the WAN connection, edge status, detected bandwidth and service provider
• click the + sign on the browser tab and access the private resource running on Azure vNET.
  • click on the shortcut on browser to access globalretail1. labs.velocloud.org.
• From the VMware SD-WAN Orchestrator (VCO) , show case the tunnel status (IPSec tunnel from VMware SD-WAN Gateway to Azure vNET)
  • Click on browser tab with VCO (VMware SD-WAN Orchestrator) > Monitor > Network Services >
  • Click on Network services to advance. 
  • Click on Azure Tunnel GR-Azure-SecureTunnel to show case the IPSec tunnel configuration.
• Click the close button on Network services.

Secure Internet Access through Menlo Security (Web Isolation) from a branch

• Slide showing internet traffic getting redirected to Menlo Security. 
  • Click on the slide to advance to Internet traffic 
• Access the FB app. Click on the shortcut to access facebook app. This is blocked because of the stateful firewall rule mentioned in the SD-WAN edge device.
• Click on the Orchestrator (VCO) tab to show the stateful firewall rule blocking FB.
  • Click Configure > Firewall Icon on the right > click on the Firewall shortcut > Stateful firewall shows blocked
• Now, lets show case web isolation through Menlo Security
• From the web browser (web browser connection is accessed from end user device connected to trusted network),
  • click on the shortcut to access website related to sports category in this case espn.com. This is blocked as per the configuration on Menlo security UI. Next step would be to show the configuration from Menlo Security UI
• Click on Menlo security UI browser tab > click on Web policy > Click on Categories > filter out sports category > UI shows Sports category Blocked action.
• Next showcase the secure IPSec tunnel from VMware SD-WAN gateway to Menlo secure IPsec Gateway.
  • click VCO > Monitor > Network services shows the tunnel status from SD-WAN gateway to Menlo.
  • Next is to check the business policy on the SD-WAN edge device for internet traffic redirection.
    • Click on Configure in VCO browser tab >
    • Click Business policy shows port 80 and 443 getting redirected to IPSec tunnel 

<MOBILE USER CASE> User in Untrusted Network.

Showcase access to Private resources on Azure network and internet traffic getting redirected to Menlo Security in cloud for secure access.

Access to Private Resources from a mobile client

• Slide shows traffic path with User connected to External Network (Untrusted network) accessing company private resources hosted on Azure vNet. Click on the user icon in the slide to advance 
• From End user device > click on WiFi connection to show Untrusted/External Network >
• Click on Wi-fi > Click on Connect VMwareGuest SSID.
• Click on Workspace 1 tunnel software from task bar. This will show the tunnel status as Connected.
  • Workspace1 tunnel software installed on the end user device detects UnTrusted network and tunnel status as connected. Tunnel gets established when the end user opens up the chrome browser and clicks on browser tab window and access company resources like VMware.com. Secure Tunnel gets established from End device on untrusted network to UAG in the VMware pop.
• From Client device browser > Click on UEM Tunnel to show case tunnel configuration. Click on Configuration or anywhere on the page to proceed. This will showcase tunnel hostname velouag.labs.velocloud.org. This is hostname of the UAG.
• Next check the device profile for trusted network detection configuration and domains.
  • click on devices
  • Click on profiles and resources > Click Profiles > Click RSAdemo-VPN-win-Laptop > Click VPN > config.
  • Open a new browser tab by clicking the + sign to access private resources hosted on Azure vNEt.
    • click the + sign on browser tab
  • End user clicks on the shortcut on browser to access globalretail1.labs.veocloud.org.
• From the SD-WAN orchestrator showcase the tunnel status to Azure vNET.
  • Monitor > Network services > clicking on Azure Tunnel GR-Azure-SecureTunnel to show case the IPSec tunnel configuration.
  • Click close
• Next execute the web isolation use case executed by Menlo security.
  • From the browser tab access stanford.edu > show case bottom right pop up button /bulb icon with web isolation getting executed by Menlo Security. Also show case the source page for Stanford.edu. This show case page getting redirected, inspected and generated by Menlo security.