次の方法で共有


IAG Network Connector Configuration Prerequisites

Network connector configuration is pretty much documented in IAG user guides. I dont want to reinvent the wheel here but have noticed that it tends to take a lot of effort to make the NC work when split tuneling is configured. Apperently the network connector UI explains that what you need to do but at times it doesnt give the desired results. Non Split tunnel setup is straight forward as the traffic is routed through corp gateway but it gets tricky if traffic has to be routed through the client itself (split tunnel). The confusion is only due to lack of documentation for setting this up. I will share with you the steps that are prerequisites in case you are wondering why split tunnel setup is not working though you have followed all the steps as per TechNet documentation.

Infrastructure setup

On ISA the only change needed to make Network Connector work properly is to configure the “Internal” networks in ISA to include the Internal and Whale Network Connector adapters. In Windows, persistent routes need to be created for every internal network or external networks that need to be accessible to clients and or routed via the corporate network. Those persistent routes should have a gateway set to the IAG’s internal network’s gateway. Those changes need to be made manually as IAG doesnt set this up for you. Single NIC configuration of IAG is an unsupported scenario, and will break Network Connector.

There are two types of pools and each type of pool has unique configuration and details.

Corporate IP Address Pool

Corporate IP Address pool are IP addresses that belong to subnet that the network connector adapter binding is configured to (usually the internal network, NEVER the external interface).

For example: if the corporate segment is configured to 192.168.0.0/255.255.248.0, an example of a "corporate pool" would be 192.168.6.2-192.168.6.200. Ensure that you exclude the specified range of IPs from your internal Dynamic Host Configuration Protocol (DHCP) server. IAG cannot use a DHCP server in order to assign IP addresses to remote VPN clients. Persistent routes MUST be configured on IAG of the corporate networks that IAG will communicate with.

 

Private IP Address Pool

Private IP Address pools are IP addresses that do not belong to the subnet that the network connector adapter binding is configured to.

For example: If the corporate segment is configured to 192.168.0.0/255.255.248.0, "private pool" would be 10.16.16.2-10.16.16.200. Ensure that you exclude the specified range of IPs from your internal Dynamic Host Configuration Protocol (DHCP) server. IAG cannot use a DHCP server in order to assign IP addresses to remote VPN clients.

If the Internet access level, defined in the Access Control tab, is set to Split Tunneling or No Internet Access, in order to enable access to the corporate network, you must add the corporate network as an additional network on the Additional Networks tab. If you do not add the corporate network, remote clients are granted access only to other clients and cannot access the corporate network.

Some router on the corporate network MUST be configured to route the private pool's subnet to the IP address that the network connector adapter binding is configured to usually this is the internal network adapter’s IP. In addition, if your corporate firewall (not the ISA firewall on IAG) filters traffic on its internal interface, configure the firewall to allow bi-directional traffic between the private pool subnet and the corporate subnet defined in the Network Segment tab. In order to enable access to the wide area network (WAN) or Internet, configure the firewall to allow bidirectional traffic between the private pool subnet and the WAN, and define the private pool permissions. In addition, if you are using Network Address Translation (NAT) in order to enable access to the WAN or Internet, define the subnet of the private pool as an additional internal interface.

NOTE: IAG assigns the first IP address from the defined pool to the IAG NC interface, so ensure that the defined IP address pool is sufficient for your needs and consists of enough IP addresses for remote VPN clients. Additionally, IP addresses ending with zero or 255 are not used for IP assignment. For example: if you define the pool 192.168.0.0-192.168.0.9, the network connector server will be able to support up to eight concurrent clients, since 192.168.0.0 will not be used, and 192.168.0.1 will be used by the server itself.

so to recap what I said above , please ensure in order to setup Split tunneling you need to have some basic routing infrastructure ready before you do anyting on IAG interface and these steps are not documented in the guides.

 

1- ensure that all static routes are setup on IAG server so traffic could route to correct subnets.

2- Traceroute should work and show all the hops.

3- any hop that blocks the traffic including a router / Firewall should allow bi-directional traffic to static routes defined.

4- Once routing is setup correctly, then load ISA server console on IAG appliance.

5- On ISA console --> Configuration --> networks --> Internal --> double click --> Edit --> Addresses tab --> add Whale Internal Adapter to this network.

6- On IAG NC server , setup the IP pool that belongs to Corporate pool.

Select Split tunneling on Access Control Tab in IAG NC server since you want traffic to be routed through client.

Then verified IP range of the subnets in additional Networks.

Closed the NC config.

7- Finally load the IAG console , edit the NC application that is published --> select the Server Settings --> Argument option and change the IP as follows:

Change Frm for example :

-srv %localip%:%localport% -egap 192.168.66.22

 

To:

 

-srv %localip%:%localport% -egap NATed IP