How VIA Works
VIA Initial setup and working details.
It is important to understand how VIA works before you begin deployment and configuration. The following steps explain how a VIA connects to a controller and establishes a secure connection back to the corporate network.
1. VIA can be preinstalled on the laptop by the network administrators, or the users can download and install VIA.
NOTE: You can download the VIA setup file from https://<public ip of the controller>/VIA. Log in using the authentication credentials to get the file.
2. After the VIA client is installed, it prompts for the IP address or fully qualified domain name (FQDN) of the remote server and the username and password.
3. After successful authentication, VIA downloads the VPN client configuration that belongs to the user and initiates a secure IPsec 4500 or SSL 443 (if IPsec fails) connection back to the controller in the DMZ. If the VIA auto upgrade feature is enabled, the VIA image on the user device is upgraded to match the image on the controller or the external hosting server after the IPsec connection is established.
NOTE: First, the VIA client must be installed on the user device. After the VIA client has been installed on the user machine, the VIA bootstrap process occurs. The VIA bootstrap process consists of these steps:
a. The VIA client prompts the user for the controller IP address or FQDN and user credentials.
b. The VIA client retrieves the VIA web authentication list and allows the user to select the VIA authentication profile, which will be used to authenticate the user credentials for the configuration download.
c. The VIA client makes an HTTPS POST request to the controller to authenticate the users.
d. If the user is successfully authenticated, the VIA client makes a request to download the VIA configuration. The VIA configuration is tied to the role that is assigned to the user as a part of the authentication process in step c.
e. If certificates are provisioned in the downloaded VIA configuration, the VIA client requests and checks the CA cert.
f. IKE is performed using the IKE settings received in VIA configuration and an IPsec connection is established using the IPsec settings in the VIA configuration.
g. If the VIA auto upgrade feature is enabled, the VIA client checks for a new VIA image or the external image hosting server. If a new image is available, the VIA client downloads the new image and notifies the user about the pending upgrade. The VIA client upgrades after the user disconnects the current VIA session.
4. After this initial process, whenever a user connects to an untrusted network, VIA automatically detects the untrusted network connection and establishes a secure connection to the corporate network without any user intervention.
NOTE: Remember, the VIA client automatically detects whether the user is connected to a trusted or untrusted network by sending a HTTPS HEAD request to the internal IP of the controller <https:// <controller’s internal ip>/via >. If the VIA client receives a HTTPS response with the expected X-VIA header, the user is considered to be on a trusted network. An IPsec connection is established only if the user is connected to an untrusted network.
5. Sometimes, VIA might be unable to establish a secure connection due to changes in IKE preshared key, username and password, or IPsec crypto map parameters. If the user credentials have changed, VIA prompts for the new credentials and establishes the connection. However, if the IKE pre-shared key or the IPsec crypto map parameters of the VIA client configuration have changed, the VIA client configuration must be cleared and downloaded again.