Use the Private Networks screen on the SSL VPN-Plus tab in the vCloud Director tenant portal to configure the private networks. The private networks are the ones you want the VPN clients to have access to, when the remote users connect using their VPN clients and the SSL VPN tunnel. The enabled private networks will be installed in the routing table of the VPN client.
The private networks is a list of all reachable IP networks behind the edge gateway that you want to encrypt traffic for a VPN client, or exclude from encrypting. Each private network that requires access through an SSL VPN tunnel must be added as a separate entry. You can use route summarization techniques to limit the number of entries.
SSL VPN-Plus allows remote users to access private networks based on the top-down order the IP pools appear in the on-screen table. After you add the private networks to the on-screen table, you can adjust their positions in the table using the up and down arrows.
If you select to enable TCP optimization for a private network, some applications such as FTP in active mode might not work within that subnet. To add an FTP server configured in active mode, you must add another private network for that FTP server and disable TCP optimization for that private network. Also, the private network for that FTP server must be enabled and appear in the on-screen table above the TCP-optimized private network.
- On the SSL VPN-Plus tab in the tenant portal, click Private Networks.
- Click the Add () button.
- Configure the private network settings.
Type the private network IP address in a CIDR format, such as 192169.1.0/24.
(Optional) Type a description for the network.
Specify how you want the VPN client to send the private network and Internet traffic.
The VPN client sends the private network and Internet traffic over the SSL VPN-Plus enabled edge gateway.
The VPN client bypasses the edge gateway and sends the traffic directly to the private server.
Enable TCP Optimization
(Optional) To best optimize the Internet speed, when you select Over Tunnel for sending the traffic, you must also select Enable TCP Optimization
Selecting this option enhances the performance of TCP packets within the VPN tunnel but does not improve performance of UDP traffic.
Conventional full-access SSL VPNs tunnel sends TCP/IP data in a second TCP/IP stack for encryption over the Internet. This conventional method encapsulates application layer data in two separate TCP streams. When packet loss occurs, which can happen even under optimal Internet conditions, a performance degradation effect called TCP-over-TCP meltdown occurs. In TCP-over-TCP meltdown, two TCP instruments correct the same single packet of IP data, undermining network throughput and causing connection timeouts. Selecting Enable TCP Optimization eliminates the risk of this TCP-over-TCP problem occurring.Note:
When you enable TCP optimization:
You must enter the port numbers for which to optimize the Internet traffic.
The SSL VPN server opens the TCP connection on behalf of the VPN client. When the SSL VPN server opens the TCP connection, the first automatically generated edge firewall rule is applied, which allows all connections opened from the edge gateway to get passed. Traffic that is not optimized is evaluated by the regular edge firewall rules. The default generated TCP rule is to allow any connections.
When you select Over Tunnel, type a range of port numbers that you want opened for the remote user to access the internal servers, such as 20-21 for FTP traffic and 80-81 for HTTP traffic.
To give unrestricted access to users, leave the field blank.
Enable or disable the private network.
- Click Keep.
- Click Save changes to save the configuration to the system.
What to do next
Add an authentication server. See Configure an Authentication Service for SSL VPN-Plus on an Edge Gateway.
Add the corresponding firewall rules to allow network traffic to the private networks you have added in this screen. See Add an Edge Gateway Firewall Rule Using the Tenant Portal.