Assigning IP addresses to VPN clients connecting to IAG

Applies To: Intelligent Application Gateway (IAG)

When configuring Whale Communications Intelligent Application Gateway (IAG) 2007 Network Connector, you must define the IP pool from which remote virtual private network (VPN) clients connecting to Network Connector are assigned IP addresses for use in the internal network.

Configuring an IP address pool for network connector

Configure an IP address pool for remote VPN clients as follows:

To configure an IP address pool for remote VPN clients

  1. In the IAG Configuration console, on the Admin menu, click Network Connector Server.

  2. In Network Connector Server, select the IP Provisioning tab.

  3. In Pool Type, do one of the following:

    • Select Corporate IP Addresses to specify that IP addresses that belong to the IP address range configured on the Network Segment tab should be assigned to remote VPN clients. Ensure that you exclude the specified range from your internal Dynamic Host Configuration Protocol (DHCP) server. IAG cannot use a DHCP server in order to assign IP addresses to remote VPN clients.

    • Select Private IP Addresses to specify that IP addresses that do not belong to the IP address ranges specified on the Network Segment tab should be assigned to remote VPN clients. For example: if the corporate segment is configured to 192.168.0.0/255.255.248.0, an example of a "corporate pool" would be 192.168.6.2-192.168.6.200, and an example of a "private pool" would be 10.16.16.2-10.16.16.200.

  4. In Address Pool, define IP address ranges that can be assigned to remote clients. You can enter up to 10 ranges of IP addresses. All the defined addresses must use the same subnet mask. You cannot define both IP addresses that belong to the corporate network and private IP addresses. The subnet for the IP ranges you defined is displayed in Pool Subnet.

  5. At the bottom left corner of the Network Connector Server window, select the Activate Network Connector check box. Clearing this option disables an active Network Connector.

  6. Once you complete the configuration of the server, click OK in the Network Connector Server window in order to activate Network Connector.

  7. In the IAG Configuration console, click the Activate icon to save and activate the configuration, and then click Activate in the Activate Configuration window. The configuration settings you have defined are applied to the Network Connector server. The Network Connector Windows service (Whale Network Connector Server) is started and is set to automatic startup mode.

Notes

  • IAG assigns the first IP address from the defined pool.

  • Ensure that the defined IP address pool is sufficient for your needs and consists of enough IP addresses for remote VPN clients. Note that IP addresses ending with zero or 255 are not used for IP assignment. For example: if you define the pool 192.168.0.0-192.168.0.9, the network connector server will be able to support up to eight concurrent clients, since 192.168.0.0 will not be used, and 192.168.0.1 will be used by the server itself.

  • If you have selected Private IP addresses, configure the corporate gateway to route the private pool's subnet from the gateway's internal network adapter to the IP address of the network connector server. In addition, if your corporate firewall filters traffic on its internal interface, configure the firewall to allow bidirectional traffic between the private pool subnet and the corporate subnet defined in the Network Segment tab. In order to enable access to the wide area network (WAN) or Internet, configure the firewall to allow bidirectional traffic between the private pool subnet and the WAN, and define the private pool permissions. In addition, if you are using Network Address Translation (NAT) in order to enable access to the WAN or Internet, define the subnet of the private pool as an additional internal interface.

  • If the IP address pool is a corporate pool, make sure to exclude the IP address range you define here from your organization's DHCP server in order to avoid IP address conflict with network connector clients.

  • IP address conflicts between corporate computers and endpoint computers will result in idle sessions, in which remote clients launch the network connector application with no errors but have no access to the network connector server or to the resources that should be available to them via the server.

  • If the IP address pool consists of private addresses and the Internet access level, defined in the Access Control tab, is set to SplitTunneling or No Internet Access, you must add the corporate network as an additional network in order to enable access to the corporate network. If you do not add the corporate network, remote clients are granted access only to other clients and cannot access the corporate network. For instructions about defining additional networks, see Adding networks for VPN client access to IAG.

  • When a domain client logs in using an IP address allocated from the pool, an A record for the address is created on the internal network DNS server. A new address may be allocated each time the client connects, and this may lead to clients having multiple A records on the DNS server.
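
A planned pool can be checked against the rules above before it is entered in the console. The following Python sketch is an added example, not part of IAG or of the original documentation. It classifies a pool as corporate, private or mixed, counts client capacity using the rules in the notes (addresses ending in 0 or 255 are skipped, and the first usable address goes to the server), and flags overlap with a DHCP scope. The function names and the DHCP scope in the demo are assumptions, and the same-subnet-mask rule is not checked.

```python
import ipaddress

def ip_range(first, last):
    """Expand an inclusive first-last range into IPv4Address objects."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError(f"range {first}-{last} is reversed")
    return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]

def check_pool(ranges, corporate_segment, dhcp_scopes=()):
    """Classify a planned pool, count client capacity, list rule violations.
    ranges and dhcp_scopes are lists of (first, last) address tuples."""
    problems = []
    if len(ranges) > 10:
        problems.append("more than 10 ranges defined")
    corp = ipaddress.IPv4Network(corporate_segment)  # accepts net/mask form
    addrs = [a for first, last in ranges for a in ip_range(first, last)]
    inside = [a in corp for a in addrs]
    if all(inside):
        pool_type = "corporate"
    elif not any(inside):
        pool_type = "private"
    else:
        pool_type = "mixed"
        problems.append("pool mixes corporate and private addresses")
    # Addresses whose last octet is 0 or 255 are not used for assignment.
    usable = [a for a in addrs if int(a) & 0xFF not in (0, 255)]
    # The first usable address is taken by the Network Connector server.
    capacity = max(len(usable) - 1, 0)
    if pool_type == "corporate":
        # A corporate pool must be excluded from the internal DHCP server.
        leased = {a for f, l in dhcp_scopes for a in ip_range(f, l)}
        clash = sorted(leased.intersection(usable))
        if clash:
            problems.append(f"{len(clash)} pool addresses fall inside a "
                            f"DHCP scope (first: {clash[0]})")
    return {"type": pool_type, "capacity": capacity, "problems": problems}

if __name__ == "__main__":
    segment = "192.168.0.0/255.255.248.0"          # corporate segment from the page
    print(check_pool([("192.168.0.0", "192.168.0.9")], segment))
    print(check_pool([("10.16.16.2", "10.16.16.200")], segment))
    # Constructed DHCP scope that was not excluded from the corporate pool.
    print(check_pool([("192.168.6.2", "192.168.6.200")], segment,
                     dhcp_scopes=[("192.168.6.100", "192.168.6.150")]))
```

A non-empty problems list for a corporate pool points at the DHCP exclusion that is still missing, which is the condition that produces the idle sessions described in the notes.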