Use the Private Networks screen on the SSL VPN-Plus tab to configure the private networks in the VMware Cloud Director Service Provider Admin Portal. The private networks are the networks that remote users can reach when they connect through the SSL VPN tunnel with their VPN clients. The activated private networks are installed in the routing table of the VPN client.

The private networks list contains all reachable IP networks behind the edge gateway for which you want traffic from a VPN client to be encrypted, or excluded from encryption. Each private network that requires access through an SSL VPN tunnel must be added as a separate entry. You can use route summarization techniques to limit the number of entries.
  • SSL VPN-Plus allows remote users to access private networks based on the top-down order in which the entries appear in the on-screen table. After you add the private networks to the on-screen table, you can adjust their positions in the table using the up and down arrows.
  • If you activate TCP optimization for a private network, some applications such as FTP in active mode might not work within that subnet. To add an FTP server configured in active mode, you must add another private network for that FTP server and deactivate TCP optimization for that private network. Also, the private network for that FTP server must be activated and must appear in the on-screen table above the TCP-optimized private network.

Prerequisites

Procedure

  1. On the SSL VPN-Plus tab, click Private Networks.
  2. Click the Add button.
  3. Configure the private network settings.
     Network: Type the private network IP address in CIDR format, such as 192.169.1.0/24.
     Description: (Optional) Type a description for the network.
     Send Traffic: Specify how you want the VPN client to send the private network and Internet traffic.
       • Over Tunnel: The VPN client sends the private network and Internet traffic over the SSL VPN-Plus activated edge gateway.
       • Bypass Tunnel: The VPN client bypasses the edge gateway and sends the traffic directly to the private server.
     Enable TCP Optimization: (Optional) To best optimize the Internet speed, when you select Over Tunnel for sending the traffic, you must also select Enable TCP Optimization.
       Selecting this option enhances the performance of TCP packets within the VPN tunnel but does not improve the performance of UDP traffic.
       Conventional full-access SSL VPN tunnels send TCP/IP data inside a second TCP/IP stack for encryption over the Internet. This conventional method encapsulates application-layer data in two separate TCP streams. When packet loss occurs, which can happen even under optimal Internet conditions, a performance degradation effect called TCP-over-TCP meltdown occurs: two TCP instances try to correct the same packet of IP data, undermining network throughput and causing connection timeouts. Selecting Enable TCP Optimization eliminates the risk of this TCP-over-TCP problem.
       Note: When you activate TCP optimization:
       • You must enter the port numbers for which to optimize the Internet traffic.
       • The SSL VPN server opens the TCP connection on behalf of the VPN client. When the SSL VPN server opens the TCP connection, the first automatically generated edge firewall rule is applied, which allows all connections opened from the edge gateway to pass. Traffic that is not optimized is evaluated by the regular edge firewall rules. The default generated TCP rule allows any connection.
     Ports: When you select Over Tunnel, type the range of port numbers that you want opened for the remote user to access the internal servers, such as 20-21 for FTP traffic and 80-81 for HTTP traffic. To give unrestricted access to users, leave the field blank.
     Status: Activate or deactivate the private network.
  4. Click Keep.
  5. Click Save changes to save the configuration to the system.
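As an added example (not VMware's code), the following Python models the Private Networks table as an ordered list and checks the rules described above: the lookup is top-down and the first match wins, so an entry fully covered by an earlier enabled entry (for instance the non-optimized FTP host placed below its TCP-optimized subnet) is never reached; it also expands the Ports field and applies route summarization to shorten the table. The table model, function names and sample addresses are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, collapse_addresses


@dataclass
class PrivateNetwork:
    """One row of the Private Networks table (constructed model, not VMware's API)."""
    cidr: str
    send_traffic: str = "Over Tunnel"   # or "Bypass Tunnel"
    tcp_optimization: bool = False
    ports: str = ""                     # e.g. "20-21,80-81"; blank = unrestricted
    enabled: bool = True


def parse_ports(spec):
    """Expand a Ports field such as '20-21,80-81' into a set; blank means all ports."""
    if not spec.strip():
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def match(table, dst_ip):
    """First enabled entry whose network contains dst_ip (top-down, first match wins)."""
    addr = ip_address(dst_ip)
    for entry in table:
        if entry.enabled and addr in ip_network(entry.cidr):
            return entry
    return None


def shadowed_entries(table):
    """(index, entry) pairs fully covered by an earlier enabled entry, so the top-down
    lookup never reaches them; a non-optimized FTP host below its subnet is this case."""
    shadowed = []
    for i, entry in enumerate(table):
        net = ip_network(entry.cidr)
        if any(e.enabled and net.subnet_of(ip_network(e.cidr)) for e in table[:i]):
            shadowed.append((i, entry))
    return shadowed


def summarize(cidrs):
    """Route summarization: collapse adjacent or overlapping networks into the fewest entries."""
    return [str(n) for n in collapse_addresses(ip_network(c) for c in cidrs)]
```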

What to do next

Add an authentication server. See Configure an Authentication Service for SSL VPN-Plus on an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Important: Add the corresponding firewall rules to allow network traffic to the private networks you have added on this screen. See Add an NSX Data Center for vSphere Edge Gateway Firewall Rule in the VMware Cloud Director Service Provider Admin Portal.