Use the Private Networks screen on the vCloud Director tenant portal's SSL VPN-Plus tab to configure the private networks. The private networks are the ones you want the VPN clients to have access to, when the remote users connect using their VPN clients and the SSL VPN tunnel. The enabled private networks will be installed in the routing table of the VPN client.

About this task

The private networks is a list of all reachable IP networks behind the edge gateway that you want to encrypt traffic for a VPN client, or exclude from encrypting. Each private network that requires access through an SSL VPN tunnel must be added as a separate entry. You can use route summarization techniques to limit the number of entries.

Note:
  • SSL VPN-Plus allows remote users to access private networks based on the top-down order the IP pools appear in the on-screen table. After you add the private networks to the on-screen table, you can adjust their positions in the table using the up and down arrows.

  • If you select Enable TCP Optimization for a private network, some applications such as FTP in active mode may not work within that subnet. To add an FTP server configured in active mode, you must add another private network for that FTP server and disable TCP optimization for that private network. Also, the private network for that FTP server must be enabled and appear in the on-screen table above the TCP-optimized private network.

Prerequisites

Verify you have completed the steps described in Create an IP Pool for Use with SSL VPN-Plus on an Edge Gateway.

Open the tenant portal and browse to the SSL-VPN Plus screen as described in Navigate to the SSL-VPN Plus Screen in the Tenant Portal.

Procedure

  1. On the tenant portal's SSL VPN-Plus tab, click Private Networks.
  2. Click the + icon.
  3. In the window that opens, configure the following options for the private network.

    Options

    Description

    Network

    Type the private network IP address in CIDR format, such as 192169.1.0/24.

    Description

    (Optional) Type a description for the network.

    Send Traffic

    Specify whether you want the VPN client to send private network and Internet traffic over the SSL VPN-Plus enabled edge gateway (Over Tunnel) or bypass the edge gateway and send the traffic directly to the private server (Bypass Tunnel).

    Enable TCP Optimization

    (Optional) As a best practice, when you select Over Tunnel for sending the traffic, also select Enable TCP Optimization to best optimize the Internet speed. This option is enabled by default.

    Selecting this option enhances the performance of TCP packets within the VPN tunnel but does not improve performance of UDP traffic.

    Conventional full-access SSL VPNs tunnel sends TCP/IP data in a second TCP/IP stack for encryption over the Internet. This conventional method encapsulates application layer data in two separate TCP streams. When packet loss occurs, which can happen even under optimal Internet conditions, a performance degradation effect called TCP-over-TCP meltdown occurs. In TCP-over-TCP meltdown, two TCP instruments correct the same single packet of IP data, undermining network throughput and causing connection timeouts. Selecting Enable TCP Optimization eliminates the risk of this TCP-over-TCP problem occurring.

    Note:

    When TCP optimization is enabled:

    • You must use the Ports field and specify the port numbers for which traffic should be optimized.

    • The SSL VPN server opens the TCP connection on behalf of the VPN client. When the TCP connection is opened by the SSL VPN server, the first automatically generated edge firewall rule is applied, which allows all connections opened from the edge gateway to get passed. Traffic that is not optimized will be evaluated by the regular edge firewall rules. The default generated TCP rule is allow any any.

    Ports

    When Over Tunnel is selected, type a range of port numbers that you want opened for the remote user to access the internal servers, such as 20-21 for FTP traffic and 80-81 for HTTP traffic.

    To give unrestricted access to users, leave this field blank.

    Status

    Specify whether you want to enable or disable the private network.

  4. Click Keep to add the private network configuration to the on-screen table.
  5. Click Save changes to save the configuration to the system.

What to do next

Add an authentication server. See Configure an Authentication Service for SSL VPN-Plus on an Edge Gateway.

Important:

Add the corresponding firewall rules to allow network traffic to the private networks you have added in this screen. See Add an Edge Gateway Firewall Rule Using the Tenant Portal for information.