How do I set up an IPSEC VPN to access my Vista database directly?

Author: Eric Vasbinder

IMPORTANT

Our new TLS Database Endpoint technology can often be simpler to set up and more compatible with your environment than an IPSEC VPN.

IPSEC VPNs are now only necessary for integrations that push automated imports to the Vista pickup directory (e.g. CSV or PDF imports); all other integrations can use the TLS Database Endpoint.

Please review this link to learn more about it: TLS Database Endpoint

CRITICAL NOTE: The TLS Database Endpoint (TLS VPN) is ONLY available for customers who are hosted in our Trimble Construction One (TC1), Viewpoint One (VP1), Vista SaaS, or Viewpoint Enterprise Cloud (VEC - RDP).

Viewpoint For Cloud (VFC) customers cannot use the TLS Database Endpoint (TLS VPN)

VPN Technical Specifications

When Vista is hosted with Viewpoint, we use Microsoft Azure's VPN Gateway.

Security Standards:

The specific standard we support are IPSEC Site to Site VPNs using IKEv2 for key exchange and AES256 for encryption.

Connection / Bandwidth Standards:

Standard VPN Gateway: 2500 persistent connections, and 2.22-Mbps throughput

IMPORTANT - Direct Connectivity to the Internet (NO PROXIES OR ZSCALER TYPE SOLUTIONS) IS REQUIRED

Proxy servers and zScaler type solutions are designed to add an additional layer of security onto network traffic. As part of their standard operations, however, they modify the flow and addressing of network packets. While this can be acceptable for HTTPS traffic, for more advanced connectivity, such as ODBC over a VPN, problems can ensue. We have seen multiple occasions where the way these solutions operate causes issues with our security mechanisms used for the TLS Database Endpoint (TLS VPN) and the IPSEC VPN, including IP address pre-approvals ("whitelisting").

As such, we require that ALL TRAFFIC intended for our cloud VPNs (DOES NOT APPLY TO VISTA CLIENT or HFF/TEAM/ANALYTICS/KEYSTYLE) be forced to be routed directly to the Internet, through a single network interface on your gateway device that is assigned a static, public IP address, with NO PROXY or zSCALER style solutions in between.

This applies to each site that you would like to use the IPSEC VPN or TLS Database Endpoint (TLS VPN) to connect to Vista in our cloud. For example, if you have a site in Chicago and a site in Phoenix that you would like to have direct access to the Vista database, you'll need to ensure that both Chicago and Phoeix have a static, public IP address for their Internet gateway and that traffic intended for our cloud is forced to be direct routed to the Internet, avoiding all proxies and / or zScaler type solutions.

By routing your traffic in this way, you can avoid these networking incompatibilities entirely and dramatically improve the reliability of the connection.

Fortunately, due to the high trust nature of the traffic coming from the Trimble Viewpoint cloud and the defined characteristics of connections to our cloud, there are few negative aspects to exempting our traffic from zScaler or proxy solutions.

Pre-Requisites

To connect an IPSEC VPN between your environment and our Azure hosting, you need to ensure a few pre-requisites are address first:

- You will need to have purchased our VPN add-on - contact your account rep for more details.
  - NOTE: This might already be on your contract and included as part of your VP 1 bundle.
- Your VPN device needs to be supported by Azure: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
  - NOTE: We have seen problems in the past with Meraki devices. As such, for Cisco devices, we recommend true Cisco IOS devices such as the ASA firewall appliance. Please reach out to your networking expert (e.g. CCNP / CCIE) for more details.
- Your VPN device needs to support IKEv2

Steps to Obtain VPN Connection

Please submit a cloud support request to have a VPN stood up between your environment and ours. You will need to supply the following information:
- Make and model of your VPN device
- Version of the firmware on the VPN device
- Your external, public IP address
- Your local, internal network IP address range and subnet information (e.g. 192.168.1.0/24)
Viewpoint will then set up our end of the Azure IPSEC VPN Gateway
Viewpoint will send you the information you need to set up your side of the VPN tunnel
- Your VPN needs to be configured to allow the appropriate connectivity for the VPN. Please use the configuration guides in the Microsoft article linked to above for more information on how to configure your VPN to connect to our VPN.
Configure your firewall to allow for the IPSEC VPN to communicate; you don't want the firewall to block it. At the very minimum, you (or an appropriate networking export) needs to configure your firewall to allow the following traffic to and from our network:

- - Protocol: UDP, port 500 (for IKE, to manage encryption keys)
  - Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode)
  - Protocol: ESP, value 50 (for IPSEC)
  - Protocol: AH, value 51 (for IPSEC)
  - NOTE: you may also need to allow outgoing port 1701 traffic

NOTE: The above information on firewall configuration is only a best practices guide.

SPECIFIC FIREWALL CONFIGURATION SETTINGS MAY BE DIFFERENT IN YOUR ENVIRONMENT.

We strongly recommend that you enlist the help of a networking or security expert who can assist with your specific situation.

changelog

Tuesday, 16 April 2024 at 03:19PM:

Added bandwidth and connection standards.

Friday, 24 June 2022 at 10:15AM

Added note about proxy and zScaler solutions breaking IPSEC VPNs and our requirement for a direct connection

Saturday, 07 May 2022 at 03:23PM

Added caveat about TLS Database Endpoint (TLS VPN) not being available for VFC customers.

Update: Wednesday, 05 May 2021 at 09:24AM