Client internal IP address pools - Preview
The client internal IP address pools contain IP address ranges that can be allocated to logged-in clients. A client internal IP address is required to assign a unique IP address to a user and their device. The client IP address is internal to Secure Private Access and is only available to the customer resource location. Devices in the customer resource location can tunnel traffic to a specific logged-in user's device using the client internal IP address, initiating a server-to-client connection. The client internal IP address can also support source IP stickiness for existing client-to-server tunnel traffic, so that connections remain consistent.
Use cases of client internal IP address pools
- Enable server-to-client connections: A server must initiate a connection with the client devices for tasks such as pushing configurations, remote assistance, and software installation. The client internal IP address pools enable these tasks by designating a range of IP addresses for client identification. These client internal IP address pools are allocated based on the user context and location. For example, specific IP address ranges can be assigned to user groups such as the HR team.
  To enable server-to-client communication, you must create a server-to-client app and then provide the client machine port and protocol details in addition to the back-end IP address range that is used to connect to the client. For details, see Server-to-client app configuration.
- Enable client internal IP address stickiness: To maintain consistent connections, some applications require a continuous session with the same client. For details, see Client IP address stickiness.
  To enable client IP address persistence, see Enable client IP address stickiness for TCP/UDP applications.
IP address pool limitations
Following are some of the limitations of the IP address pool:
- All Connector Appliances in a resource location must reside within the same IP subnet.
- The internal IP address pools must consist of IP addresses from the Connector Appliance subnet in the same resource location.
- The IP addresses within the internal IP address pools must not overlap with any used IP addresses of the Connector Appliances or other devices within the same subnet.
- If the IP addresses in the pool are exhausted, IP addresses are not assigned to the users and hence server-to-client connections and client internal IP stickiness features cannot be used.
- A maximum of 3 different IP addresses can be assigned to a user, allowing logins from up to 3 different devices. If the same user logs in from a fourth device, no IP address is assigned, preventing the use of server-to-client initiated connections and client internal IP stickiness.
- The assigned internal IP address is sticky and remains the same for daily logins and logouts on the same device. However, if a user is inactive for 15 consecutive days, their sticky internal IP address is released and reassigned to a different user.
- If a user’s assigned resource pool is deleted, the user is not allocated an internal IP address from other pools until the original pool is completely deleted from the system.
Create an intranet IP address pool
- Navigate to Settings > IP Pools and then click Create IP Pool.
  - IP Pool name: Enter a name for the IP pool.
  - IP Range or CIDR: Enter the range of IP addresses reserved for clients. One of these IP addresses is assigned to each client machine.
  - Connector Appliance Netmask: (Optional) If the Connector Appliance network subnet differs from the internal IP address subnet, enter the Connector Appliance netmask.
  - Resource Location: Select the resource location where the back-end server is located. Ensure that at least one Connector Appliance is up.
  - Allocation type: Select User and then select the condition, domain, and the user or user groups to which this pool applies.
- Click Create.
The IP address pool that you created is listed on the IP Pools page.
Once the client login is successful, an intranet IP address is assigned to the user from the client internal IP address pool.
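The following is an added example, not code from the product documentation, that models the pool limitations and the create-pool fields described above: it parses the IP Range or CIDR input, checks it against the Connector Appliance subnet and in-use addresses, hands out addresses under the documented 3-per-user limit, and reports utilization. All addresses, user names and function names are constructed for illustration.

```python
import ipaddress

MAX_ADDRESSES_PER_USER = 3  # documented limit: one address per device, up to 3 devices

def parse_pool(spec):
    """Parse the 'IP Range or CIDR' field, e.g. '10.20.30.10-10.20.30.13' or '10.20.30.0/27'."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end {hi} precedes range start {lo}")
        return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    return list(ipaddress.ip_network(spec, strict=False).hosts())

def check_pool(spec, connector_subnet, used_addresses):
    """Apply the documented limitations; returns (pool addresses, list of problems)."""
    pool = parse_pool(spec)
    subnet = ipaddress.ip_network(connector_subnet, strict=False)
    problems = []
    outside = [a for a in pool if a not in subnet]  # pool must lie in the connector subnet
    if outside:
        problems.append(f"{len(outside)} address(es) outside {subnet}, first: {outside[0]}")
    used = {ipaddress.ip_address(a) for a in used_addresses}  # appliances and other devices
    overlap = sorted(used & set(pool))
    if overlap:
        problems.append("overlaps in-use addresses: " + ", ".join(map(str, overlap)))
    return pool, problems

def allocate(pool, assignments, user):
    """Give the user the next free pool address; None when the documented limits block it."""
    owned = assignments.setdefault(user, [])
    if len(owned) >= MAX_ADDRESSES_PER_USER:
        return None  # fourth device: no address, so no server-to-client or stickiness
    in_use = {a for ips in assignments.values() for a in ips}
    for addr in pool:
        if addr not in in_use:
            owned.append(addr)
            return addr
    return None  # pool exhausted

def utilization(pool, assignments):
    """Mirror the IP Pool Utilization view: (percent allocated, addresses still free)."""
    allocated = {a for ips in assignments.values() for a in ips} & set(pool)
    return round(100 * len(allocated) / len(pool), 1), len(pool) - len(allocated)

if __name__ == "__main__":  # constructed sample: 4-address pool, one appliance at .5
    pool, problems = check_pool("10.20.30.10-10.20.30.13", "10.20.30.0/24", ["10.20.30.5"])
    print(problems or "pool OK", utilization(pool, {"alice": pool[:3]}))
```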
Deletion of the IP address pool
Graceful deletion of the IP address pool is supported to prevent sudden user disconnections and communication disruptions. A grace period is provided during which all active sessions can continue to use the IP addresses assigned from the IP address pool. Admins can wait for the grace period to pass during which the users are expected to log out from the devices and free the IP addresses. Once the IP addresses are freed, admins can safely delete the IP pool without causing disruptions.
Perform the following steps to delete an IP address pool:
- Navigate to Settings > IP Pools.
  The list of IP address pools, along with their details, is displayed in a tabular format.
- Click the ellipsis (…) next to the address pool that you want to delete, then click Delete.
View the IP address utilization data
You can monitor the IP address utilization data from the IP Pool Utilization page. This page provides an overview of the status of the IP addresses:
- A list of users and the IP addresses allocated to these users.
- The percentage of available IP addresses that are already allocated and the total number of IP addresses available for allocation.
Admins can use this data to monitor IP address consumption and ensure that enough IP addresses are available for the users.
Perform the following steps to view the IP address utilization details:
- Navigate to Settings > IP Pools.
  The list of IP address pools, along with their details, is displayed in a tabular format.
- Click the ellipsis (…) next to the address pool and then click View IP Utilization.