Enabling Connections over WAN

If the Connector server will be accessed outside the domain, it must be configured for external access (this step is only required if you want to enable remote access to the workstations without requiring a VPN):

  • The server must have a public IP address. This can be done via bi-directional NAT mapping.
  • The --external-client-cidr flag takes priority over the --internal-client-cidr. The default for the --internal-client-cidr is 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16. Any source that does not match to a --internal-client-cidr will default to an external connection.

For example --external-client-cidr 0.0.0.0/0 will treat everything as an external connection, to reset to the default behaviour you would need to enter the following command and flag parameters:

./cloud-access-connector update --internal-client-cidr 10.0.0.0/8 --internal-client-cidr 172.16.0.0/12 --internal-client-cidr 192.168.0.0/16
When setting connections from a firewall or security gateway to be external, the internal CIDR will treat connections under a certain range as internal. For example the following example will treat connections originating from under the 10.11.12.0/24 CIDR except 10.11.12.1 as internal:

./cloud-access-connector update --internal-client-cidr 10.11.12.0/24 --external-client-cidr 10.11.12.1/32
- Port 443 TCP and 4172 UDP/TCP need to be open. Session set-up is done through port 443 and in-session traffic runs through port 4172. - The --external-pcoip-ip flag sets the IPv4 address for the Connector for external connections. If this value is not set, the external IPv4 address will be determined automatically. This is an optional setting that can be used when installing the Connector.

For information on the session establishment and session bandwidth limits when working with external connections, see here.

Reboot the server after NAT changes

If the NAT is configured after the Connector has been installed, reboot the Connector server.