
JumpCloud Managed Pritunl SSL VPN: Great Security, No Hardware

JCDavid
Rising Star II

Hello my friends (and you are my friends),

You may have noticed a recent post about integrating SSO and zero trust security with Fortinet. I loved my Fortis at my last job, but realize that some organizations operate within very different budgetary parameters. Pritunl is a great way to set up an SSL VPN, sans the expensive hardware (depending upon how you define expensive). You get a cloud-directory managed VPN box.

Why make you wait for the "how-to"? A full blog is in our queue, but here's the "meat". These steps focus on JumpCloud, but Pritunl has pre-built integrations for other authentication providers. The important thing is that you have good security.

JumpCloud Setup

The initial step is to create a custom SSO connector for Pritunl. JumpCloud provides hundreds of free connectors as part of your subscription, and is routinely adding more, so search for it before you move ahead with this project. Continue to the next section if one isn’t available.

Create a SAML Connector

Click the SSO button in the left frame of the administrative console and hit the “plus” sign to start a new SSO connection. Select “Custom SAML App” and begin by filling in the requisite information to label your connector and choose a color scheme and logo. More context is available in JumpCloud’s SAML how-to article should you have any additional requirements.

JCDavid_0-1652459110192.png

Then, navigate to the SSO tab and enter an Entity ID that’s unique to your organization’s environment. The settings on this screen are case-sensitive on both systems; any typo will result in errors and the integration will fail. Your Pritunl FQDNs and JumpCloud IDs may differ, but the fields should be formatted as outlined below:

JCDavid_1-1652459110245.png

Follow the URL/URI formats precisely

JCDavid_2-1652459110201.png

The redirect endpoint ensures that JumpCloud’s console will be used to log users into the VPN


JCDavid_3-1652459110195.png

Pritunl requires the “org” attribute for group memberships

Activate the JumpCloud SSO connector once you’re finished and download the certificate. You’ll be required to copy the key into Pritunl’s GUI in a later step.
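To show why the settings above must match exactly, here is an added example (not Pritunl's or JumpCloud's code) that checks a SAML Response the way a service provider would: the Destination must equal the redirect (ACS) URL, the Audience must equal the Entity ID byte-for-byte with no case folding, the assertion must be inside its validity window, and the "org" attribute must be present. The FQDN, Entity ID, ACS path, user and group values are constructed placeholders, and XML signature verification, which the real SP must still perform, is out of scope here.

```python
"""Offline check of a SAML Response against the values a Pritunl SP
integration expects.  Added example, not Pritunl's or JumpCloud's code; all
hostnames, paths and attribute values are constructed placeholders."""

import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-ins for the Entity ID and ACS URL typed into both consoles.
EXPECTED_ENTITY_ID = "https://vpn.example.com"
EXPECTED_ACS_URL = "https://vpn.example.com/sso/saml/callback"  # placeholder path
SAMPLE_NOW = datetime(2022, 5, 13, 16, 2, 0, tzinfo=timezone.utc)   # inside window
LATE_NOW = datetime(2022, 5, 13, 16, 30, 0, tzinfo=timezone.utc)    # after expiry

# Constructed SAML Response shaped like what an IdP POSTs to the SP's ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://vpn.example.com/sso/saml/callback">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2022-05-13T16:00:00Z" NotOnOrAfter="2022-05-13T16:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="org">
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, entity_id, acs_url, now):
    """Return a dict with ok, problems, subject and the org attribute values."""
    result = {"ok": False, "problems": [], "subject": None, "org": []}
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        result["problems"].append("Response carries no Assertion")
        return result

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    result["subject"] = name_id.text if name_id is not None else None

    # Exact string comparison: "https://VPN.example.com" is a different Entity ID.
    destination = root.get("Destination")
    if destination != acs_url:
        result["problems"].append(f"Destination {destination!r} != ACS URL {acs_url!r}")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        result["problems"].append(f"Audience {audiences} does not contain Entity ID {entity_id!r}")

    # Validity window: reject assertions that are replayed late or issued early.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_ts(not_before):
            result["problems"].append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now >= parse_ts(not_on_or_after):
            result["problems"].append("assertion expired (NotOnOrAfter)")

    # Pritunl needs the "org" attribute to place the user in a group.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "org":
            result["org"] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if not result["org"]:
        result["problems"].append('no "org" attribute: Pritunl cannot assign group membership')

    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    for label, eid in (("exact", EXPECTED_ENTITY_ID), ("typo", "https://VPN.example.com")):
        r = check_saml_response(SAMPLE_RESPONSE, eid, EXPECTED_ACS_URL, SAMPLE_NOW)
        print(label, r["ok"], r["problems"])
```

Running the script reports the exact Entity ID as ok and the capitalised one as a failed Audience check, which is the "typo" failure the post warns about.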

Set Up Groups and Permissions

Click on the User Groups tab and add the group(s) that should have access to the VPN service. The link below is a detailed guide for admins who are unfamiliar with using JumpCloud.

Getting Started: User Groups

JCDavid_4-1652459110202.png

Group membership grants access rights to the VPN

JCDavid_5-1652459110148.png

Pritunl VPN will be available within the JumpCloud User Console

Pritunl SSO Setup

Pritunl has JumpCloud listed as an authentication provider. Pull down the list, select JumpCloud, and select “add provider” to start the process of filling in Identity Provider settings.

JCDavid_6-1652459110149.png

The settings will be identical to what you entered into the JumpCloud admin console. Open the downloaded certificate in a text editor on your PC and paste its contents into the Pritunl form. This integration also requires a JumpCloud API key from your console, which is outlined in the next section. Both of these entries are confidential and should be kept private and carefully controlled.

JCDavid_7-1652459110786.png

Your JumpCloud API key may be reviewed by clicking on your user icon at the top right of your console. Note: Generating a new key revokes prior keys and could break existing integrations.

JCDavid_8-1652459110145.png

You’re now ready to test your configuration.

Add Zero Trust Security from JumpCloud

Strongly consider adding Zero Trust security controls with JumpCloud’s Conditional Access Policies. These policies extend security beyond strong passwords and MFA alone.

Policies are assigned to existing groups or you may create dedicated groups for your requirements. Different groups may have different policies (or no policies). Policies include:

  • Geofencing: JumpCloud permits you to whitelist selected countries to access your VPN. Any devices that attempt to log in from locations that aren’t specified will be denied access. For instance, this would stop an employee from reaching internal resources over unsecured hotel Wi-Fi while on vacation outside the permitted countries.
  • Managed devices: Limit access exclusively to JumpCloud managed devices. This ensures that IAM isn’t allowing rogue devices into your network.
  • Mandatory MFA: Users must prove who they say they are prior to accessing the VPN by entering a TOTP code or Push MFA through the JumpCloud Protect™ application. This extends MFA beyond initial device/session logins for additional assurance, which is advisable given the current threat landscape.
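To make the combination of these three controls concrete, here is an added example (not JumpCloud's policy engine) that evaluates a few constructed VPN sign-in attempts against per-group policies. The Policy and Attempt fields, the group names and the rule that any failed condition from any bound policy denies the login are assumptions made for this illustration.

```python
"""Toy evaluation of geofence, managed-device and mandatory-MFA conditions
over constructed VPN sign-in attempts.  Added example; the policy shape, group
names and combination rule are assumptions, not JumpCloud's implementation."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset = frozenset()  # empty means no geofence
    require_managed_device: bool = False
    require_mfa: bool = False


@dataclass(frozen=True)
class Attempt:
    user: str
    country: str          # country derived from the client IP
    device_managed: bool  # device is enrolled in JumpCloud
    mfa_passed: bool      # TOTP or Push completed for this VPN login
    groups: frozenset     # JumpCloud group memberships


# Constructed bindings: group name -> policy applied to its members.
POLICIES = {
    "vpn-users": Policy(allowed_countries=frozenset({"US", "CA"}), require_mfa=True),
    "vpn-admins": Policy(require_managed_device=True, require_mfa=True),
    "contractors": Policy(),  # bound, but imposes no extra conditions
}


def evaluate(attempt, policies=POLICIES):
    """Apply every policy bound to one of the user's groups.

    Returns {"allowed": bool, "denials": [...], "policies": [group names]}.
    A user in no policy-bound group is allowed by default, matching the
    "(or no policies)" case described in the post.
    """
    applicable = [(g, p) for g, p in policies.items() if g in attempt.groups]
    denials = []
    for group, p in applicable:
        if p.allowed_countries and attempt.country not in p.allowed_countries:
            denials.append(f"{group}: country {attempt.country} not in geofence allowlist")
        if p.require_managed_device and not attempt.device_managed:
            denials.append(f"{group}: device is not JumpCloud-managed")
        if p.require_mfa and not attempt.mfa_passed:
            denials.append(f"{group}: MFA not completed")
    return {"allowed": not denials, "denials": denials,
            "policies": [g for g, _ in applicable]}


# Constructed sign-in attempts covering each control.
SAMPLE_ATTEMPTS = [
    Attempt("alice", "US", True, True, frozenset({"vpn-users"})),
    Attempt("bob", "FR", True, True, frozenset({"vpn-users"})),        # hotel Wi-Fi abroad
    Attempt("carol", "US", False, False, frozenset({"vpn-users", "vpn-admins"})),
    Attempt("dave", "DE", False, False, frozenset({"contractors"})),   # no conditions bound
    Attempt("erin", "CA", False, True, frozenset({"vpn-users"})),      # unmanaged but allowed
]


def run_samples():
    """Evaluate every sample attempt; returns a dict keyed by user name."""
    return {a.user: evaluate(a) for a in SAMPLE_ATTEMPTS}


if __name__ == "__main__":
    for user, verdict in run_samples().items():
        status = "ALLOW" if verdict["allowed"] else "DENY "
        print(f"{status} {user:6} {'; '.join(verdict['denials']) or 'all checks passed'}")
```

The erin case is worth a look: vpn-users does not require a managed device, so an unmanaged laptop with MFA from an allowed country gets in, while carol is blocked twice because the stricter vpn-admins policy also applies to her. That is the point of assigning policies per group rather than assuming one setting covers everyone.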

Tip: Retest your connectivity prior to making changes that could adversely affect user access.

4 REPLIES

steven
Rising Star II

Hey, we're using Pritunl! After some hiccups in the beginning it's a pretty nice VPN so far. The only qualm I have with it is that after the user downloads their profile to the Pritunl client, the "Mandatory MFA" doesn't activate. It only forces MFA when you log into the web UI the first time. @JCDavid did you also run into this? Or am I misconfiguring something (very possible tbh)

Steven,

This should help:

To set up MFA:

  1. Log in to the Admin Portal: https://console.jumpcloud.com/login
  2. Go to SECURITY MANAGEMENT > MFA Policies.
  3. Enable the MFA factor you want to use in your organization. Read the JumpCloud MFA Factor Guide to figure out which type of MFA to set up. 

When you create a conditional access policy that requires MFA, users who are included in the policy but don’t have MFA set up are required to enroll in MFA the next time they log in to the User Portal. 


-d

That's what I have set up currently 😕 A conditional policy that is "Allow authentication & require MFA". It only requires MFA when visiting the UI, not connecting via the Pritunl client. May be time to submit a support ticket?

Sorry this is happening. Support would be a good start to resolving your issue. I'm probably missing something that's totally obvious...