Resource Group Configuration


A resource group is a selection of local resources that will share the same access rights (or the same Policy) and have their traffic handled by one Client instance in a Connector.

This section describes how to configure an Express or Advanced Connector.

Express Connector

Local (resources) refers to the network where the Connector is located. One Resource Group Configuration that provides users with access to a defined group of local resources is mapped to the Client instance running within the Connector. Down rules are set automatically when a user with matching up rules connects to the associated Site.

Think of this as an extension to the Site which has been assigned to this appliance. All you have to do is configure a user's Entitlement to one of the local resources behind the Connector. The Policy containing the required down rules (that match the user's up rules) is automagically provisioned for the Connector's Client.  The user will now have access to the specified local resources in just the same way as the (protected) hosts on the specified Site.

See Connector (Express) for details about how to use this option.

Complete the following fields to configure an Express Connector:

  • Get existing Resource Group configuration. Copy an existing resource group configuration from the other Connector in the HA pair. When using HA Connectors there are two things to be aware of:

      • Even though resource groups are shown for both Connectors the associated licenses are only counted once. So using HA has no license implications.

      • The same tun IP is used for both Connectors - as the working Client is effectively moved to the active appliance. So you only need to budget for one set of addresses from the IP pool.

  • Name. The group name of the Local Resources (and related Client). This appears as part of the ag.distinguishedName claim which can be used in Policy assignment criteria and is also shown in Registered Devices.

  • Device ID. The device ID assigned to the named Client. It can be used when setting Policy assignment criteria.

  • Local Resources. These IP addresses will be routable through this resource group's Client. Traffic to (& from) these IP addresses will be handled by the Client's multi-tunnel network adapter in the normal way. The Local resources defined are also used as a value for the claim user.connectorSubnets which is used by the Gateways to set appropriate routes for these addresses to the Client's tun IP address.

  • Source NAT to Local Resources. When enabled, the Connector's local IP address will be used instead of the source (tun IP) address. This simplifies the local network configuration as these alien IPs do not need to be made routable.

Source NAT is enabled by default, which means traffic to local resources will appear to be coming from the Connector's IP address. By disabling this, the traffic will now appear to be coming from the user's tun IP address. The local network/devices need to know that the Connector should handle this return traffic. The local router or host routes (on the local resources themselves) will need to be configured to be able to return traffic to the user's tun IP address via the Connector's IP address.

  • Destination NAT to a local resource. When enabled, the tun IP address used by this resource group's Client is translated to a local resource's IP address such as a printer. Destination NAT means that traffic destined for the Local Resource should be sent to the resource group Client's tun IP address instead of its own IP address. This option is not enabled by default.

NOTE

Only a single local resource can be specified per resource group (strictly speaking, it's one for IPv4 and one for IPv6).

Advanced Connector

Local (resources) refers to the network where the Connector is located. Every Resource Group Configuration is mapped to a Client instance running within the Connector. Each one defines some local resources that will have their traffic routed to/from the tunnels. This supports up traffic from Connector to Gateway, down traffic and DHCP relay traffic.

NOTE

Never configure any down rules if co-habiting with the Connector (Express).

Advanced Connector's Clients are not automagically configured nor are they tied to the Site (which should have been assigned to this appliance if using HA Connectors). Just as with normal Clients, you will need to create Policies and Entitlements that give access from (or to) the local resources to (or from) the protected hosts on any given Site.

See Connector (Advanced) for details about how to use this option.

Complete the following fields to configure an Advanced Connector:

  • Get existing Resource Group configuration. Copy an existing resource group configuration from the other Connector in the HA pair. When using HA Connectors there are two things to be aware of:

      • Even though resource groups are shown for both Connectors the associated licenses are only counted once. So using HA has no license implications.

      • The same tun IP is used for both Connectors - as the working Client is effectively moved to the active appliance. So you only need to budget for one set of addresses from the IP pool.

  • Name. The group name of the Local Resources (and related Client). This appears as part of the ag.distinguishedName claim which can be used in Policy assignment criteria and is also shown in Registered Devices.

  • Device ID. The device ID assigned to the named Client. It can be used when setting Policy assignment criteria.

  • Local Resources. These IP addresses will be routable through this resource group's Client. Traffic from (or to) the Local Resources IP addresses will be handled by the Client's multi-tunnel network adapter in the normal way. The defined Local resources IP address(es) are also used as a value for the claim user.connectorSubnets. This in turn is used by the Gateways to set appropriate routes for these IP addresses to the Client's tun IP address.

  • Non DHCP traffic.

  • Source NAT to local resources. When enabled, the Connector's local IP address will be used instead of the source (tun IP) address. This simplifies the local network configuration as these alien IPs do not need to be made routable.

Source NAT to Local Resources is enabled by default, which means traffic sent to the local resources' IP addresses will appear to be coming from the Connector's IP address. By disabling this, the traffic will now appear to be coming from the protected hosts' IP address. The local network/devices need to know that the Connector should handle this return traffic. The local router or host routes (on the local resources themselves) will need to be configured to be able to return traffic to the (protected) hosts' IP address via the Connector's IP address.

  • Source NAT from local resources. When enabled, the local resources' IP addresses will be translated to the tun IP address assigned to this resource group's Client.

Source NAT from Local Resources is enabled by default which means the Connector traffic that is handled in the Gateways will appear to be coming from the Client's tun IP address. By disabling this, the Connector traffic will now appear to be coming from the local resources' own IP addresses. Care needs to be taken to ensure there will be no IP address conflicts and that the return traffic is routed correctly via the Gateway's IP address.

NOTE

To use down Action rules towards the local resources this must be disabled.

  • Destination NAT to a local resource. When enabled, the tun IP address used by this resource group's Client is translated to a local resource's IP address such as a printer.

Destination NAT means that traffic destined for a Local Resource's IP address should be sent to the Client's tun IP address (for that resource group) instead of its own IP address. This option is not enabled by default.

NOTE

Only a single local resource can be specified per resource group (strictly speaking, it's one for IPv4 and one for IPv6).

  • Default Gateway (Forward non-matching traffic). When enabled, the Connector will forward non-routable traffic to the local default gateway used by the Connector.

NOTE

Traffic will be NATed on the way out so will appear to be coming from the Connector's local IP address.

  • DHCP relay traffic.

  • DHCP Servers. DHCP server(s) which will be providing IP addresses to the local resources defined in this resource group.
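
The return-path requirement described above for a disabled Source NAT to local resources (Express and Advanced alike) can be checked before the setting is changed. The following is an added example, not part of the product or its documentation: it applies longest-prefix matching to a route table and reports which parts of the tun IP pool would have their replies sent somewhere other than the Connector. The route-table format, all addresses and the function names are constructed for illustration.

```python
import ipaddress

def next_hop(routes, dest):
    """Longest-prefix match over (prefix, gateway) pairs; None if no route."""
    dest = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(p), gw) for p, gw in routes]
    hits = [(n, gw) for n, gw in nets if n.version == dest.version and dest in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def return_path_gaps(routes, tun_pool, connector_ip, source_nat_to_local):
    """Return [(subnet, next_hop)] for tun-pool ranges whose replies
    would not be handed to the Connector."""
    if source_nat_to_local:
        return []  # replies are addressed to the Connector's own IP
    pool = ipaddress.ip_network(tun_pool)
    pieces = [pool]
    # Carve the pool at every more-specific route so that each piece
    # is governed by exactly one routing decision.
    for net in sorted((ipaddress.ip_network(p) for p, _ in routes),
                      key=lambda n: n.prefixlen):
        if net.version != pool.version or net == pool or not net.subnet_of(pool):
            continue
        for piece in pieces:
            if net != piece and net.subnet_of(piece):
                pieces.remove(piece)
                pieces += list(piece.address_exclude(net)) + [net]
                break
    gaps = []
    for piece in sorted(pieces):
        hop = next_hop(routes, piece.network_address)
        if hop != connector_ip:
            gaps.append((str(piece), hop))
    return gaps

# Constructed sample: Connector at 192.168.10.5, local router at 192.168.10.1,
# tun IP pool 10.99.0.0/24. Only half of the pool has a return route.
CONNECTOR = "192.168.10.5"
POOL = "10.99.0.0/24"
PARTIAL_ROUTES = [("0.0.0.0/0", "192.168.10.1"), ("10.99.0.0/25", CONNECTOR)]
FIXED_ROUTES = [("0.0.0.0/0", "192.168.10.1"), ("10.99.0.0/24", CONNECTOR)]

if __name__ == "__main__":
    for subnet, hop in return_path_gaps(PARTIAL_ROUTES, POOL, CONNECTOR, False):
        print(f"{subnet}: replies go to {hop}, not the Connector")
```

A non-empty result means replies for those tun IP addresses follow the default route instead of the Connector, so the session fails or the reply leaves by an unintended path.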