VPN clients are desktop or laptop computers that run the VPN Access software. Before users install the software, you must prepare the computers for VPN traffic.
Before You Begin
- To perform VPN configurations, you must be part of a security association that includes a role with the VPN Management permission. For information about security associations, see Security Association Overview.
- Commvault firewall routes must be configured between VPN clients and the CommServe computer, and between VPN clients and the VPN router.
  If you plan to configure laptop computers as VPN clients, follow the firewall steps in Configuring Firewall Using Proxy for Laptop Backup. Otherwise, follow the general firewall configuration steps described in Firewall Using Direct Connections or Firewall Using Commvault Network Gateway in a Perimeter Network.
  Tip: If the computers are not existing clients in your CommCell environment, consider the following suggestions:
  - If there are laptop computers, create and configure a laptop package with the VPN Access software and the required firewall configurations.
  - Perform the firewall configurations on a client group. You can associate the new clients with the client group after the VPN Access package is installed.
Procedure
- Configure network routing rules on the client or client group that you want to designate as the VPN client.
  Tip: If you want to configure computers that are not yet existing clients in your CommCell environment, perform the configuration on a designated client group.
  - From the CommCell Browser, access the properties of the client or client group.
  - In the properties dialog box, click Network.
  - In the Network Properties dialog box, click the VPN Config tab, and on the VPN Client subtab, select the Enable VPN Client on this computer check box. By default, two network routing rules for VPN traffic are automatically configured:
    - If a private resource is resolvable from the VPN client's cached DNS data, the VPN client connects directly to that resource.
    - If a private resource is not resolvable from the VPN client's cached DNS data, the VPN client goes through the configured VPN router acting as a proxy.
  - To add a new rule, click Add.
  - In the VPN Client Configuration dialog box, follow the configuration steps that meet your VPN requirements:

    Configuration: Route the network connections based on matching the host name, domain, IP address, and other network properties of the private resource.
    Steps:
    - In the Condition section, click Host matches pattern and enter a pattern.
      - Only one pattern, or IP address, can be entered for each rule.
      - Patterns can include wildcards, which are used for string matching. For example, *.example.com matches all services in the example.com domain. The characters are matched as a string, without a DNS lookup.
      - You can specify an IP address, with or without wildcards. For example, 172.21.33.44 or 172.16.*.1.
    - In the Router section, choose how you want to route the hosts that match the pattern:
      - If you want to route the hosts through a VPN router, click Forward to VPN Router and select the router name from the list. Router groups are displayed in bold.
      - If the hosts can be accessed directly, click Connect directly.
    - Click OK.

    Configuration: Do not route the connections through the VPN router. VPN clients can connect to private resources directly.
    Steps:
    - In the Condition section, click Host is locally resolvable. The Connect directly option under the Router section is automatically selected.
    - Click OK.
  - If you want to add more rules, click Add. Otherwise, click OK to close the Network Properties dialog box.
- Optional: Define the applications that can be accessed by VPN clients.
  On the private resources that will be accessed through the VPN service, you can configure an additional setting to define the applications that can be accessed by the VPN clients. Some applications can be accessed by default. For more information, see Network: Controlling Application Access to VPN Services.
- Push the network configuration on the clients or client group that you preconfigured as the VPN client.
  - From the CommCell Browser, right-click the Client or Client_Group and click All Tasks > Push Network Configuration.
  - When the Warning dialog box appears, click Continue.
    A notification appears indicating that the push firewall operation was successful. Click OK to close the notification.
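A planning aid for the host-pattern rules in the procedure above, added here as an example and not Commvault code: it previews which route a list of host strings would take before you push the configuration, and flags patterns that match more than intended. It assumes that * matches any run of characters, that custom rules are checked in the listed order with the first match winning, and that the two default rules apply when nothing matches; the function names, rule list and action labels are hypothetical.

```python
import re

# Constructed planning data. The action labels ("router:...", "direct") are
# invented for this sketch and are not product values.
PLANNED_RULES = [
    ("*.example.com", "router:vpn-router-1"),
    ("172.16.*.1", "direct"),
]

def pattern_to_regex(pattern):
    """Treat '*' as the only wildcard; every other character is literal."""
    return re.compile(re.escape(pattern.lower()).replace(r"\*", ".*"))

def route_for(host, rules, locally_resolvable=False):
    """Return the action for a host.

    Assumption: custom rules are checked in listed order, first match wins,
    and the two default rules from the page apply when nothing matches.
    """
    for pattern, action in rules:
        if pattern_to_regex(pattern).fullmatch(host.lower()):
            return action
    # Default rules: resolvable from cached DNS -> direct, otherwise -> router.
    return "direct" if locally_resolvable else "router:default"

def overly_broad(pattern):
    """Flag patterns whose leading wildcard is not bounded by a dot."""
    # "*example.com" also matches "notexample.com"; "*.example.com" does not.
    return pattern.startswith("*") and not pattern.startswith("*.")

def preview(hosts, rules):
    """Map each planned host string to the route it would take."""
    return {h: route_for(h, rules) for h in hosts}

if __name__ == "__main__":
    sample_hosts = ["backup.example.com", "example.com", "notexample.com",
                    "172.16.9.1", "172.16.9.10"]  # constructed
    for host, action in preview(sample_hosts, PLANNED_RULES).items():
        print(f"{host:22} -> {action}")
    for pattern, _ in PLANNED_RULES:
        if overly_broad(pattern):
            print(f"review pattern: {pattern}")
```

Because the match is on the string and not on an address range, 172.16.*.1 covers 172.16.9.1 but not 172.16.9.10; check each planned pattern against real host names before pushing it to a client group.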
What to Do Next
Notify users that they can install the VPN Access software on their computers.
If you plan to create a laptop package with the VPN software, make the package available to the users.
Important: 32-bit Windows computers that have the File System Core package installed do not require the VPN software. The File System Core provides the VPN functionality for 32-bit computers.