Configuring Network Access Resources

Name

A text string. Avoid using global reserved words in the name, such as all, delete, disable, enable, help, list, none, or show.

Name for the network access resource.

Partition / Path

Typically, Common.

Partition under which the network access resource is created. You cannot change this value.

Description

Text.

Text description of the network access resource.

Auto launch

Enable or Disable.

The network access resource starts automatically when the user reaches the full webtop, if this option is enabled. Note: When assigning network access resources to a full webtop, only one network access resource can have auto launch enabled.

Network Tunnel

Enable

When you enable a network tunnel, you configure the network access tunnel to provide network access. Clear the Enable option to hide all network settings and to disable the tunnel.

General Settings

Basic/Advanced

Select Advanced to show settings for Proxy ARP, SNAT Pool, and Session Update.

Supported IP Version

IPV4 or IPV4 & IPV6

Sets the Network Access tunnel to support either an IPv4 lease pool or both IPv4 and IPv6 lease pools. Important: Network access with IPv6 alone is not supported. An IPv6 tunnel requires a simultaneous IPv4 tunnel, which is automatically established when you assign IPv4 and IPv6 lease pools, and set the version to IPv4 & IPv6.

IPv4 Lease Pool

List selection of existing IPv4 lease pools

Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the + sign next to Lease Pool.

IPv6 Lease Pool

List selection of existing IPv6 lease pools

Assigns internal IP addresses to remote network access clients, using configured lease pools. Select a lease pool from the drop-down list. To create a lease pool within this screen, click the + sign next to Lease Pool.

Compression

No Compression/GZIP Compression

Select GZIP Compression to compress all traffic between the Network Access client and the Access Policy Manager, using the GZIP deflate method.

Proxy ARP

Enable

Proxy ARP allows remote clients to use IP addresses from the LAN IP subnet, and no configuration changes are required on other devices such as routers, hosts, or firewalls. IP address ranges on the LAN subnet are configured in a lease pool and assigned to network access tunnel clients. When this setting is enabled, a host on the LAN that sends an ARP query for a client address gets a response from Access Policy Manager with its own MAC address. Traffic is sent to the Access Policy Manager and forwarded to clients over network access tunnels.

SNAT Pool

List selection of None, Auto Map, or SNAT pool name

Specifies the name of a SNAT pool used for implementing selective and intelligent SNATs. The default is Auto Map. If you have defined a SNAT on the system, that SNAT is available as an option on this list. The following two options are always available. - None: specifies that the system uses no SNAT pool for this network resource.

• Auto Map: specifies that the system uses all of the self IP addresses as the translation addresses for the pool.

Note: To support CIFS/SMB and VoIP protocols, select None and configure routable IP addresses in the lease pool

Preserve Source Port Strict

Enable

Specifies that the system preserves the value configured for the source port. This setting applies on the last leg of the network access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the network access tunnel. This setting is disabled by default. - Enabled: select the check box to specify that the system preserves the value configured for the source port. To use this setting, you must select None for the SNAT Pool setting.

• Disabled: when the Enabled is cleared, specifies that the system does not preserve the value configured for the source port.

Session Update Threshold

Integer (bytes per second)

Defines the average byte rate that either ingress or egress tunnel traffic must exceed, for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout, which is defined in the Access Profile, to the session.

Session Update Window

Integer (seconds)

Defines the time value in seconds that the system uses to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic.

Client Settings

Basic/Advanced

Select Advanced to configure client proxy, DTLS, domain reconnect settings, and client certificate options.

Force all traffic through tunnel

Enable/disable

Specifies that all traffic (including traffic to or from the local subnet) is forced over the VPN tunnel.

Use split tunneling for traffic

Enable/disable

Specifies that only the traffic targeted to a specified address space is sent over the network access tunnel. With split tunneling, all other traffic bypasses the tunnel. By default, split tunneling is not enabled. When split tunneling is enabled, all traffic passing over the network access connection uses this setting. Note: If you add a large number of addresses for split tunneling, Edge Client cannot establish a tunnel connection. The limits for these addresses are:

• On Windows max limit is 20 KB (each Network Access property).
• macOS max limit is 64 KB (all Network Access properties).
• Linux max limit is 64 KB (all Network Access properties).
• Mobile clients (Android, iOS, Chrome) do not have a limit, but may vary based on what the platforms support.

IPV4 LAN Address Space

IPv4 IP address in CIDR notation

Provides a list of endpoint IP addresses or network addresses in a CIDR notation. This box only appears if you use split tunneling. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, enter the IP address or network address in the CIDR field and click Add. In CIDR notation, the IP address is written as a prefix, and the suffix indicates how many bits are in the address - for example, 192.0.1.0/24.

IPV6 LAN Address Space

IPv6 IP address in CIDR notation

Provides a list of endpoint IP addresses or network addresses in a CIDR notation. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add multiple address spaces to the list, one at a time. For each address space, enter the IP address or network address in the CIDR field and click Add. In CIDR notation, the IP address is written as a prefix, and the suffix indicates how many bits are in the address - for example, 192.0.1.0/32. This box only appears when you selectIPV4 & IPV6 in the Supported IP Version setting and use split tunneling.

DNS Address Space

Domain names, with or without wildcards

Provides a list of domain names describing the target LAN DNS addresses. This field only appears if you use split tunneling. You can add multiple address spaces to the list, one at a time. For each address space, type the domain name, in the form site.siterequest.com or *.siterequest.com, and click Add.

IPV4 Exclude Address Space / IPV6 Exclude Address Space

IP address in CIDR notation

Specifies address spaces whose traffic is not forced through the tunnel. For each address space that you want to exclude, enter the IP address or network address in the CIDR field and click Add.

DNS Exclude Address Space

Domain names, with or without wildcards

Specifies DNS address spaces for which traffic is not forced through the tunnel. For each address space, type the domain name, in the form site.siterequest.com or *.siterequest.com, and click Add.

Dynamic LAN Address Spaces

List selection of Selected /Available address spaces

Specifies the dynamic address spaces for which the traffic passes through the tunnel. Dynamic address spaces use auto-discovery URL for selecting IP addresses and DNS names. For each address space that you want to exclude, move the address space from the Available list to the Selected list by clicking the << button. Similarly, to deselect the address space, click the << button to move the address space from the Selected list to the Available list.

Dynamic Exclude Address Spaces

List selection of Selected /Available address spaces

Specifies the dynamic address spaces for which the traffic is not forced through the tunnel. Dynamic address spaces use auto-discovery URL for selecting IP addresses and DNS names. For each address space that you want to exclude, move the address space from the Available list to the Selected list by clicking the << button. Similarly, to deselect the address space, click the << button to move the address space from the Selected list to the Available list.

Allow Local Subnet

Enable/disable

Select this option to enable local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. When you enable this setting, the system does not support integrated IP filtering.

Client Side Security > Prohibit routing table changes during Network Access connection

Enable/disable

This option closes the network access session if the client’s IP routing table is modified during the session. The client, however, does permit routing table changes that do not affect the traffic routing decision.

Client Side Security > Integrated IP filtering engine

Enable/disable

Select this option to protect the resource from outside traffic (traffic generated by network devices on the client’s LAN), and to ensure that the resource is not leaking traffic to the client’s LAN.

Client Side Security > Allow access to local DHCP server

Enable/disable

This option appears when the Integrated IP filtering engine option is enabled. This option allows the client access to connect through the IP filtering engine, to use a DHCP server local to the client to renew the client DHCP lease locally. This option is not required or available when IP filtering is not enabled because clients can renew their leases locally. Important: This option does not renew the DHCP lease for the IP address assigned from the network access lease pool; this applies only to the local client IP address.

Client Traffic Classifier

List selection

Specifies a client traffic classifier to use with this network access tunnel, for Windows clients.

Client Options > Client for Microsoft Networks

Enable/disable

Select this option to allow the client PC to access remote resources over a VPN connection. This option is enabled by default. This allows the VPN to work as a traditional VPN, so a user can access files and printers from the remote Microsoft network.

Client Options > File and printer sharing for Microsoft networks

Enable/disable

Select this option to allow remote hosts to access shared resources on the client computer over the network access connection. This allows the VPN to work in reverse, and a VPN user to share file shares and printers with remote LAN users and other VPN users.

Provide client certificate on Network Access connection when requested

Enable/disable

If client certificates are required to establish an SSL connection, this option must always be enabled. However, you can disable this option if the client certificates are only requested in an SSL connection. In this case, the client is configured not to send client certificates.

Reconnect to Domain > Synchronize with Active Directory policies on connection establishment

Enable/disable

When enabled, this option emulates the Windows logon process for a client on an Active Directory domain. Network policies are synchronized when the connection is established, or at logoff. The following items are synchronized: - Logon scripts are started as specified in the user profile.

• Drives are mapped as specified in the user profile.
• Group policies are synchronized as specified in the user profile. Group Policy logon scripts are started when the connection is established, and Group Policy logoff scripts are run when the network access connection is stopped.

Reconnect to Domain > Run logoff scripts on connection termination

Enable/disable

This option appears when Synchronize with Active Directory policies on connection establishment is enabled. Enable this option if you want the system to run logoff scripts, as configured on the Active Directory domain, when the connection is stopped.

Client Interface Speed

Integer, bits per second

Specifies the maximum speed of the client interface connection, in bits per second.

Display connection tray icon

Enable/disable

When enabled, balloon notifications for the network access tray icon (for example, when a connection is made) are displayed. Disable this option to prevent balloon notifications.

Client Power Management

Ignore, Prevent, or Terminate

Specifies how network access handles client power management settings, for example, when the user puts the system in standby or closes the lid on a laptop. - Ignore - ignores client settings for power management.

• Prevent - prevents power management events from occurring when the client is enabled.
• Terminate - terminates the client when a power management event occurs.

DTLS

Enable/disable

When enabled, specifies that the network access connection uses Datagram Transport Level Security (DTLS). DTLS uses UDP instead of TCP, to provides better throughput for high-demand applications like VoIP or streaming video, especially with lossy connections.

DTLS Port

Port number

Specifies the port number that the network access resource uses for secure UDP traffic with DTLS. The default is 4433.

Client Proxy Settings

Enable/disable

Enables several additional settings that specify client proxy connections for this network resource. Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.

Use Local Proxy Settings

Enable/disable

Select this option to continue to use the proxy settings, as configured on the client, after establishing a network access connection.

Client Proxy Uses HTTP for Proxy Autoconfig Script

Enable/disable

Some applications, like Citrix MetaFrame, can not use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it. Select this option to specify that the browser uses http:// to locate the proxy autoconfig file, instead of file://.

Client Proxy Autoconfig Script

URL

The URL for a proxy auto-configuration script, if one is used with this connection.

Client Proxy Address

IP address

The IP address for the client proxy server that network access clients use to connect to the Internet.

Client Proxy Port

Port number

The port number of the proxy server that network access clients use to connect to the Internet.

Bypass Proxy For Local Addresses

Enable/disable

Select this option if you want to allow local intranet addresses to bypass the proxy server.

Client Proxy Exclusion List

IP addresses, domain names, with wildcards

Specifies the web addresses that do not need to be accessed through your proxy server. You can use wildcards to match domain and host names, or addresses. For example, www.*.com, 128.*, 240.8, 8., mygroup.*, *.*.

Primary Name Server

IP address

Type the IP address of the DNS server that network access conveys to the remote access point.

Secondary Name Server

IP address

Type a second IP address for the DNS server that network access conveys to the remote access point.

Primary WINS Server

IP address

Type the IP address of the WINS server in order to communicate to the remote access point. This address is needed for Microsoft Networking to function properly.

Secondary WINS Server

IP address

Type the IP address of the WINS server to be conveyed to the remote access point. This address is needed for Microsoft Networking to function properly.

DNS Default Domain Suffix

domain suffix

Type a DNS suffix to send to the client. If this field is left blank, the controller will send its own DNS suffix. For example, siterequest.com. Tip: You can specify multiple default domain suffixes separated with commas.

Register this connection’s addresses in DNS

check box

If your DNS server has dynamic update enabled, select this check box to register the address of this connection in the DNS server. This check box is cleared by default.

Use this connection’s DNS suffix in DNS registration

check box

If your DNS server has dynamic update enabled, select this check box to register the default domain suffix when you register the connection in the DNS server. This check box is cleared by default.

Enforce DNS search order

check box

When this setting is enabled, Access Policy Manager (APM) continuously checks the DNS order on the network interface and sets the network access-supplied entries first in the list if they change during a session. To use your local DNS settings as primary and the network access-supplied DNS settings as secondary, clear this setting. This might be useful when split tunneling is in use and a client connects remotely. This check box is selected by default.

Static Hosts

host name/IP address pairs

To add host and IP addresses manually to a connection-specific hosts file, type the Host Name and the IP Address for that host, and click Add. APM supports static hosts for Windows, Mac, and Linux clients for network access. Rights requirements: Windows (with DNS Relay Proxy installed): admin rights not required. Windows (without DNS Relay proxy): admin rights required. Mac: admin rights required. Linux: admin/root privilege required.