Enabling Connections over WAN

If the Cloud Access Connector server will be accessed outside the domain, it must be configured for external access (this step is only required if you want to enable remote access to the workstations without requiring a VPN):

  • The server must have a public IP address. This can be done via bi-directional NAT mapping.
  • The --external-client-cidr flag takes priority over the --internal-client-cidr. The default for the --internal-client-cidr is,, Any source that does not match to a --internal-client-cidr will default to an external connection.

For example --external-client-cidr will treat everything as an external connection, to reset to the default behaviour you would need to enter the following command and flag parameters:

./cloud-access-connector update --internal-client-cidr --internal-client-cidr --internal-client-cidr
When setting connections from a firewall or security gateway to be external, the internal CIDR will treat connections under a certain range as internal. For example the following example will treat connections originating from under the CIDR except as internal:

./cloud-access-connector update --internal-client-cidr --external-client-cidr
- Port 443 TCP and 4172 UDP/TCP need to be open. Session set-up is done through port 443 and in-session traffic runs through port 4172. - The --external-pcoip-ip flag sets the IPv4 address for the Cloud Access Connector for external connections. If this value is not set, the external IPv4 address will be determined automatically. This is an optional setting that can be used when installing the Cloud Access Connector.

For information on the session establishment and session bandwidth limits when working with external connections, see here.

Reboot the server after NAT changes

If the NAT is configured after the Cloud Access Connector has been installed, reboot the Cloud Access Connector server.