Create the Default User Group

Each Location must have a Default User Group. The Default User Group must contain every IP address on the LAN that will participate in the application network. You created a Default User Group in the Location Wizard when you created your Corente Services Gateway personality, but you can modify this group using the following procedure. To configure the Default User Group, select the Default User Group entry on the main screen of the User Groups tab and select the Edit button. The Edit User Group 'Default User Group' screen will be displayed.

On this screen, you must define which computers on the local network will participate in the application network by specifying subnets of IP addresses.

  • Firewall Policy: If you would like, you can choose an optional Firewall Policy that will apply to all traffic to and from the Default User Group.

  • Inbound QoS: If you would like, you can choose optional Quality of Service (QoS) settings for traffic inbound to the Default User Group. To specify the priority of traffic inbound through the Corente Services Gateway to the Default User Group, choose a QoS entry from the Inbound QoS pulldown menu.

  • Outbound QoS: If you would like, you can choose optional QoS settings for traffic outbound from the Default User Group. To specify the priority of traffic outbound through the Location gateway from this User Group, choose a QoS entry from the Outbound QoS pulldown menu.

    Note

    As when performing any sort of QoS configuration, administrators must be careful when assigning QoS levels because if there is too much high priority traffic, any other traffic with a lower level of priority may become too slow or even be dropped. In addition, you cannot use QoS to prioritize traffic to or from a Corente Client.

  • User Group is Within Secure Network: This option will be chosen by default and cannot be changed.

  • Special Internal Network Description Group: This option will not be chosen by default and cannot be changed.

  • User Group Subnet/Address Ranges: This section enables you to define the subnets/ranges that you would like to include in the Default User Group. The table lists all the ranges that you have already added. You may Edit or Delete any range listed in the table.

    To add a new subnet/range, select the Add button.

  • Include Subnet: Select this option to specify a range that will be included in the group. Fill out the available fields as follows:

    • Network Address: Enter the first address of the subnet in this field.

    • Subnet Mask: Enter the net mask of the subnet in this field, which will define the range of addresses within this subnet.

    Note

    If you include a range of IP addresses that is not contained within the same subnet of the LAN IP Address of the Corente Services Gateway or not distributed by the Corente Services Gateway’s DHCP server, you must either provide routing information to this subnet on the Routes Tab of this form or enable RIPv2 or OSPF on the Network Tab of this form.

  • Outbound NAT: You must set the appropriate Outbound NAT settings for this subnet. Network Address Translation (NAT) is used to map the real IP address of each machine in a subnet to an IP address within another subnet. The translated IP addresses become the visible IP addresses of the machines. NAT can be used to organize a network or prevent routing problems caused by duplicate IP addresses.

    When Outbound NAT is enabled for a Location, the Location gateway will translate the subnet of IP addresses to another subnet before the Corente Services Gateway makes the addresses visible to remote partners. The administrator must specify the new subnet to which the real IP addresses will be translated. Each address within the real subnet will be mapped to an address in the specified subnet. For all remote partners, these specified addresses will become the visible IP addresses of the machines.

  • The Outbound NAT settings in your User Group will interact with the Auto Resolve NAT and Inbound NAT settings that a Location partner has chosen for your Location.

    • Prohibited: This setting forbids all partners to perform NAT on this Location’s User Group. If Prohibited has been set on a range in the local User Group and a partner has enabled Auto Resolve NAT (and there is an address conflict) or Inbound NAT for this Location, the tunnel will not be brought up and a Configuration Alert will be generated. In other words, the Prohibited setting will bring down any tunnel to a partner if that partner attempts to NAT this User Group. The primary use for this setting is to prevent NATing on a connection that is transporting a protocol containing embedded IP addresses for which the Corente Services Gateway does not have a fixup module. The Corente Services Gateway includes a fixup module that allows active FTP, normally forbidden on a NATed subnet.

    • Permitted: This is a passive setting. The Corente Services Gateway will not NAT the address range, but it will not prevent the address range from being NATed by a partner. This is the default setting.

    • Specified: This setting allows an administrator to specify a new subnet of IP addresses to which this address range will be mapped. The new addresses within the specified subnet will become the visible IP addresses of the local computers in this range to all remote partners. After enabling this option, enter the new subnet in the Specified NAT Address field. This address space must be unique in the application network.

      The Specified setting is a useful way of organizing an entire domain, where each User Group in the domain is mapped to a distinct set of address ranges so that there are no address conflicts. The traffic from each site can then be identified by the range into which it has been mapped. Of course, it is the administrator's responsibility to guarantee that there are no conflicts between the addresses that have been Specified for each subnet. Therefore, it is usually preferable to specify Inbound NAT for conflicting addresses (configurable on the Partners tab) rather than use Outbound NAT, because Inbound NAT does not require a global solution and there are no chances for conflicting addresses after the solution has been applied.

  • Exclude Range: If there are IP addresses or ranges of addresses within the subnets that you have already Included that you do not want to be in your Default User Group, you can use the Exclude Range option to remove these addresses. Select this option to specify a range that will be excluded from the group. Fill out the available fields as follows:

    • Start Address: Enter the first address of the range that you would like to be excluded from an existing included range.

    • End Address: Enter the last address of the range that you would like to be excluded from an existing included range. If the range includes only one address, you do not need to fill in this field.

    Click OK to add this definition to your Default User Group or Cancel to close the window and discard your changes. Repeat this process for as many subnets as you would like to add to your Default User Group. Remember that you must have at least one IP address listed as an include in the Default User Group even if you are using DHCP, that is, even if DHCP is selected for a network interface on the Network tab of this form.

    When you are finished defining your Default User Group, click the OK button to store your changes and return to the main User Groups tab.
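The Include Subnet, Exclude Range, routing note and Outbound NAT settings above are easiest to sanity-check before touching the form. The following is an added example, not Corente software or a Corente API: it models those fields with hypothetical classes and functions (IncludeSubnet, ExcludeRange, effective_networks, includes_needing_routes, translate_outbound, visible_conflicts are all assumed names), computes which addresses actually end up in the group after excludes, flags includes that lie outside the gateway's LAN subnet and therefore need a Route or RIPv2/OSPF, applies the one-to-one Specified mapping, and checks that the visible address spaces chosen for several sites do not collide (the conflict the text says is the administrator's responsibility to prevent). The sample sites and addresses are constructed for the example.

```python
# Added illustration of the Default User Group fields above (Include Subnet,
# Exclude Range, the routing note, Outbound NAT). Not Corente software: the
# classes and function names are assumptions that mirror the screen's fields.
import ipaddress
from dataclasses import dataclass
from itertools import combinations

@dataclass
class IncludeSubnet:
    network: str                     # "Network Address" field
    mask: str                        # "Subnet Mask" field
    outbound_nat: str = "Permitted"  # Prohibited | Permitted | Specified
    specified_nat: str = ""          # "Specified NAT Address" as CIDR (Specified only)

    def net(self):
        # strict=True rejects a Network Address that is not the first address of the subnet
        return ipaddress.ip_network(f"{self.network}/{self.mask}", strict=True)

    def visible_net(self):
        """Subnet remote partners see: the Specified NAT subnet, otherwise the real one."""
        if self.outbound_nat != "Specified":
            return self.net()
        nat = ipaddress.ip_network(self.specified_nat, strict=True)
        if nat.prefixlen != self.net().prefixlen:
            raise ValueError("Specified NAT subnet must be the same size as the real subnet")
        return nat

@dataclass
class ExcludeRange:
    start: str     # "Start Address"
    end: str = ""  # "End Address"; leave empty to exclude a single address

    def blocks(self):
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end or self.start)
        return list(ipaddress.summarize_address_range(lo, hi))

def _subtract(net, holes):
    """net minus every CIDR block in holes, as a list of networks."""
    for hole in holes:
        if not hole.overlaps(net):
            continue
        if hole.prefixlen <= net.prefixlen:  # overlapping and not longer: hole covers net
            return []
        rest = [h for h in holes if h != hole]
        pieces = []
        for part in net.address_exclude(hole):
            pieces.extend(_subtract(part, rest))
        return pieces
    return [net]

def effective_networks(includes, excludes):
    """Addresses actually in the User Group after excludes, as sorted CIDR blocks."""
    if not includes:
        raise ValueError("at least one Include Subnet is required, even when using DHCP")
    holes = [b for exc in excludes for b in exc.blocks()]
    nets = []
    for inc in includes:
        nets.extend(_subtract(inc.net(), holes))
    return sorted(nets)

def contains(nets, ip):
    """True if ip falls in any of the CIDR blocks."""
    return any(ipaddress.ip_address(ip) in n for n in nets)

def includes_needing_routes(includes, gateway_lan):
    """Includes outside the gateway's own LAN subnet need a Route or RIPv2/OSPF."""
    lan = ipaddress.ip_network(gateway_lan, strict=False)
    return [inc.net() for inc in includes if not inc.net().subnet_of(lan)]

def translate_outbound(include, real_ip):
    """Real address -> address partners see (1:1, host offset preserved)."""
    real, visible = include.net(), include.visible_net()
    offset = int(ipaddress.ip_address(real_ip)) - int(real.network_address)
    if not 0 <= offset < real.num_addresses:
        raise ValueError(f"{real_ip} is not in {real}")
    return ipaddress.ip_address(int(visible.network_address) + offset)

def visible_conflicts(sites):
    """Pairs of sites whose visible (post-Outbound-NAT) address spaces overlap."""
    clashes = []
    for (a, incs_a), (b, incs_b) in combinations(sites.items(), 2):
        for x in incs_a:
            for y in incs_b:
                if x.visible_net().overlaps(y.visible_net()):
                    clashes.append((a, b, str(x.visible_net()), str(y.visible_net())))
    return clashes

# Constructed sample: site A's gateway LAN is 10.1.0.0/24 plus a routed subnet it NATs;
# site B reuses 192.168.5.0/24 but maps it to a different visible subnet.
SITE_A = [IncludeSubnet("10.1.0.0", "255.255.255.0"),
          IncludeSubnet("192.168.5.0", "255.255.255.0", "Specified", "172.16.5.0/24")]
SITE_A_EXCLUDES = [ExcludeRange("10.1.0.250", "10.1.0.255"), ExcludeRange("10.1.0.1")]
SITE_B = [IncludeSubnet("192.168.5.0", "255.255.255.0", "Specified", "172.16.6.0/24")]
```

With the sample data, effective_networks(SITE_A, SITE_A_EXCLUDES) returns the 10.1.0.0/24 block carved into CIDR pieces around the excluded addresses plus 192.168.5.0/24; includes_needing_routes(SITE_A, "10.1.0.1/24") reports only 192.168.5.0/24, which is the case the routing note covers; translate_outbound(SITE_A[1], "192.168.5.37") yields 172.16.5.37; and visible_conflicts flags nothing for A and B but does flag a third site that reuses 172.16.5.0/24 as its Specified subnet. The size check in visible_net reflects the text's one-address-to-one-address mapping: a Specified subnet smaller than the real range cannot hold every translated host.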