You can designate a Windows client or client group as the VPN router. The designated client can be the CommServe computer, a MediaAgent, or any client computer in your CommCell environment.
If you need to provide access to distinct local area networks (LANs), repeat the steps of this procedure to configure a VPN router for each LAN.
Note: When you set a client or client group as the VPN router, all the connections from the client or client group are encrypted using the HTTPS protocol.
Before You Begin
- To perform VPN configurations, you must be part of a security association that includes a role with the VPN Management permission. For information about security associations, see Security Association Overview.
- Add the nTRACK_CS additional setting on the client or client group that you want to designate as the VPN router. This configuration does not apply to the CommServe computer.
  Remember: The client that you set as the VPN Router must be able to reach the private resources that you plan to access.
  For instructions on adding additional settings from the CommCell Console, see Add or Modify an Additional Setting.

  | Property | Value |
  | --- | --- |
  | Name | nTRACK_CS |
  | Category | Firewall |
  | Type | STRING |
  | Value | 1 |

Procedure
1. From the CommCell Browser, access the properties of the client or client group that you want to designate as the VPN router.
   - For a client, expand the Client Computers node, right-click the Client and click Properties.
   - To designate a client group, expand the Client Computer Groups node, right-click the Client_Group and click Properties.
2. In the properties dialog box, click Network.
3. In the Network Properties dialog box, click the VPN Config tab, and on the VPN Router subtab, select the This computer works as VPN Router check box.
4. Configure the Allow list with users and clients that should have access to the resources in your private network.
   In the Allow section, click Add. Then, in the VPN Router Access Control Entry dialog box, complete the following steps:
   a. In the Users and Groups section, select the users that you want to grant access to private resources.
      Perform the configurations that meet your VPN requirements.

      Configuration: Allow all users to access private resources (Default configuration)
      Steps: No action is required.

      Configuration: Add one or more users to access private resources
      Steps:
      - Click Add > Add User.
      - In the Add User dialog box, select the users. To select multiple users, press and hold the Ctrl key.
        You can find a user by typing the user name in the Search box.
      - Click OK.

      Configuration: Add one or more user groups to access private resources
      Steps:
      - Click Add > Add User Group.
      - In the Add User Groups dialog box, select the user groups. To make multiple selections, press and hold the Ctrl key.
        You can find a user by typing the user name in the Search box.
      - Click OK.

      Configuration: Add external groups from a list of available external groups
      Steps:
      - Click Add > Add External Group.
      - In the Add New User Group dialog box, select the name of the external group and click OK.

   b. In the Clients and Client Groups section, select the clients that you want to grant access to private resources. These are the computers that you plan to set as VPN clients. The users that you selected in step 4a must be able to access the clients that you want to add to the list.
      Perform the configurations that apply to your VPN requirements.

      Configuration: Allow access to private resources from all client computers (Default configuration)
      Steps: No action is required.

      Configuration: Add one or more clients to access private resources
      Steps:
      - Click Add > Add Client.
      - In the Add Client dialog box, select the clients. To select multiple clients, press and hold the Ctrl key.
        You can find a client by typing the client name in the Search box.
      - Click OK.

      Configuration: Add one or more client groups to access private resources
      Steps:
      - Click Add > Add Client Group.
      - In the Add Client Group dialog box, select the client groups. To make multiple selections, press and hold the Ctrl key.
        You can find a user by typing the user name in the Search box.
      - Click OK.

   c. In the Destinations section, select one of the following options:
      - To allow connection requests to all private resources that are in the same local area network (LAN) as the VPN router, click All Hosts in LAN.
      - To allow connection requests to specific private resources, click Hosts and enter the host names of the private resources. Make sure that the host names are separated with a comma (,).
        Note: Entering a single asterisk (*) is equivalent to selecting All Hosts in LAN.
      - To restrict connections to a single IP address, click IPs and enter the IP address details. If you specify the IP of a subnet, make sure to include a CIDR value after the slash (/).
   d. In the Destination Ports section, enter the ports that VPN clients selected in step 4b are allowed to access on the private resource. Consider the following requirements:
      - The port numbers must be separated with a comma (,).
      - If you want to specify port ranges, use hyphens. For example, 40-50.
      Tip: To review common ports that you might want to configure, see Common Well-Known Ports Used by VPN Clients.
   e. Click OK.
5. Optional: Configure the Deny list with users and clients that should not have access to private resources. For instructions, see steps 4 and 5 in Configuring the Deny List for the VPN Router.
6. In the Network Properties dialog box, click OK. Then, from the client or client group properties dialog box, click OK.
7. On the client (or clients) that you designated as the VPN router, enable the VPN router setting on the Commvault Process Manager application.
   a. Log on to the client and open the Process Manager.
   b. On the Plugin tab of the Process Manager dialog box, go to the VPN Plugin section and select the Enable VPN Router check box.
   c. Close the Process Manager dialog box.
8. Push the network configuration on the client or client group that you designated as the VPN router.
   a. From the CommCell Browser, right-click the Client or Client_Group and click All Tasks > Push Network Configuration.
   b. When the Warning dialog box appears, click Continue.
      A notification appears indicating that the push firewall operation was successful. Click OK to close the notification.
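
A review helper for the Destinations and Destination Ports values of an Allow entry (step 4), as an added example that is not Commvault code: it parses the comma-and-hyphen port syntax and the host/IP forms described above and flags entries that are broader than a least-privilege entry needs. The function names, the `kind` labels, the thresholds and the sample entries are assumptions made for this illustration.

```python
import ipaddress

def parse_ports(spec):
    """Expand a Destination Ports value such as '22,443,40-50' into a sorted list."""
    ports = set()
    for item in spec.split(","):
        lo, sep, hi = item.strip().partition("-")
        lo = int(lo)                      # ValueError on empty or non-numeric entries
        hi = int(hi) if sep else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port or range: {item.strip()!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def review_entry(kind, value, port_spec, max_ports=16, max_addrs=256):
    """Review one planned Allow entry; kind is 'all_hosts', 'hosts' or 'ips'.

    Returns (ports, findings). Thresholds are review assumptions, not product limits.
    """
    findings = []
    value = value.strip()
    if kind == "all_hosts" or (kind == "hosts" and value == "*"):
        # The page notes that a single asterisk equals All Hosts in LAN.
        findings.append("destination is every host in the router's LAN")
    elif kind == "hosts":
        if any(not h.strip() for h in value.split(",")):
            findings.append("empty host name in comma-separated list")
    elif kind == "ips":
        try:
            net = ipaddress.ip_network(value, strict=False)
            if "/" in value and net.num_addresses > max_addrs:
                findings.append(f"{net} spans {net.num_addresses} addresses")
        except ValueError:
            findings.append(f"not an IP address or CIDR subnet: {value!r}")
    else:
        raise ValueError(f"unknown destination kind: {kind!r}")
    ports = parse_ports(port_spec)
    if len(ports) > max_ports:
        findings.append(f"{len(ports)} ports allowed; confirm each one is needed")
    return ports, findings

# Constructed sample entries (not taken from any real CommCell environment).
SAMPLES = [
    ("ips", "10.20.0.0/16", "3389"),
    ("hosts", "*", "1-1024"),
    ("hosts", "fileserver01,db01", "22,443,40-50"),
]

if __name__ == "__main__":
    for kind, value, spec in SAMPLES:
        ports, findings = review_entry(kind, value, spec)
        print(kind, value, spec, "->", len(ports), "ports;", findings or "no findings")
```
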