10.4 User Remote Access

You provide remote and traveling users with Mobile User accounts in App Net Manager so that they can connect to Corente Services Gateways and access resources at your main office locations.

Mobile Users can remotely access a Corente Services network using:

  • Mobile Devices: You configure secure mobile user access for iOS and Android devices in App Net Manager.

  • Oracle Corente Client: Users with Microsoft Windows devices install a Corente Client that uses Internet Protocol Security (IPsec) for secure access.

You can find more information about setting up Mobile Users in the Corente Services Administration Guide.

Note

In previous releases, the Client Administration feature of App Net Manager was used to configure Corente Client accounts. The Client Administration feature is now reserved for managing legacy Corente Clients.

10.4.1 Mobile Users

You configure Mobile Users in App Net Manager to provide remote access to your Corente Services network.

10.4.1.1 Viewing Mobile Users

To view Mobile Users that are configured in App Net Manager, do the following:

  1. If necessary, manually refresh the Mobile User data in App Net Manager.

    1. Expand the Global Intranet Settings menu in the domain directory.

    2. Expand User Remote Access and then select and right-click Mobile User Administration.

    3. Select Refresh/Clear Changes.

  2. Expand the Global Intranet Settings menu in the domain directory.

  3. Expand User Remote Access and then expand Mobile User Administration.

  4. Select Mobile Users.

The following fields display for each Mobile User:

Mobile User

Displays the Mobile User account name.

Number of Group Memberships

Displays how many Mobile User Groups the Mobile User belongs to.

External Authentication

Indicates if the Mobile User authenticates with the Corente Services Gateway using an external authentication provider.

Helper App

Indicates if the Mobile User connects to the Corente Services Gateway with the Corente Client.

Expires

Displays the number of days until the Mobile User account expires, if applicable.

Connected to Location

Indicates if the Mobile User is currently connected to a Corente Services Gateway and displays that Corente Services Gateway name.

Last Contact

Indicates the last time the Mobile User connected to the Corente SCP. Applies to Mobile Users who connect with the Corente Client.

The following icons also display status for Mobile Users:

  • Up: The Mobile User is currently connected.

  • Down: The Mobile User is not currently connected.

  • Expired: The Mobile User account is no longer active.

10.4.1.2 Adding Mobile Users

To add a new Mobile User, select Mobile Users and click the New button.

The Add Mobile User window is displayed. On this window, fill out the fields as follows:

  • Name: Enter a name for the new Mobile User.

    You can use up to 50 alphanumeric characters, including hyphens and underscore characters. Tabs, spaces, and punctuation characters are not allowed.

    Mobile User names cannot be the same as any Location names or existing Corente Client account names in your domain.

    If you plan to configure an external authentication provider, the Mobile User name must match the login name in the directory.

  • Email: Email address of the Mobile User

    A confirmation email message is sent to the user when you set up a Mobile User account.

  • Use External Authentication: Select this option and the Mobile User will authenticate using either RADIUS or LDAP, depending on the type of external authentication that has been enabled on the Corente Services Gateway. See Section 11.9.9.3, “Configuring External Authentication”.

    Note

    If an External Authentication server has not been enabled on the Corente Services Gateway, the Mobile User will be unable to connect to the Location.

  • Password: Create an alphanumeric password for this Mobile User account. This password must contain at least one uppercase, one lowercase, and one numeric character.

  • Confirm Password: Re-enter the password you created in the Password field to avoid any mistakes.

  • Windows Helper App Settings: These settings only apply if the Mobile User is using the Corente Client on a Windows client device.

    Select the Use in Conjunction with Windows Helper App check box and configure the following settings:

    • Access Settings: Allows you to select how the Corente Client will connect to your Corente Services network.

      • Allow access to local Network: Select this option if you would like to allow the Corente Client to contact and be contacted by machines on its own LAN while it is connected to its Location partner. You should not select this option if this machine will be accessible by untrusted devices. When this option is not selected, while the software is in use, the Corente Client will only be able to contact and be contacted by machines via the Location partner. By default, this option is not selected.

      • Backhaul All Traffic: Select this option if you would like all traffic (both traffic destined for the Location partner and traffic destined for other places, such as the Internet) to travel inside the secure tunnel and be routed to the Location partner. The Location partner receives all of the traffic and then routes it appropriately. By default, this option is selected. When this option is not selected, no traffic will be backhauled. This means that the Corente Client:

        • Is able to access only the computers on the LAN of the Location to which it is connected.

        • Is unable to access the partners of its Location partner. The partners and computers behind those partners will be visible to the Corente Client user in Gateway Viewer, but will be inaccessible.

    • Mobile User Expiration: If you would like to create a temporary Mobile User account for a user, you can use the Mobile User Expiration feature to specify the length of time (in days) that the user will be permitted to connect to its partners. When the subscription period has ended, the Mobile User will immediately be disconnected by the Corente SCP when the user attempts to connect to partners. An expired Mobile User account will remain listed in App Net Manager so that you are able to modify the Mobile User Expiration settings and renew the Mobile User subscription, easily rendering the Mobile User account usable again.

      • No Expiration: When this option is selected, the subscription for this Mobile User will not expire. The Mobile User will be permitted to connect to its partners until you delete this Mobile User account or change the Mobile User Expiration settings. By default, this option will be selected.

      • Expires In: When this option is selected, the Mobile User subscription will endure for the time period that is specified in the adjacent field. When the end of the time period approaches, the Mobile User will be notified of the impending expiration. When the time period has ended, this Mobile User will no longer be permitted to connect to its assigned partners until you change the Mobile User Expiration settings. The default time period is 30 days.

      • Expired: When this option is selected, the subscription for this Mobile User has expired. The Mobile User will not be permitted to connect to its assigned partners unless you renew the subscription by selecting either the No Expiration or Expires In option and save your changes.

  • Mobile User Group Assignments: Select the Mobile User Groups to which this new Mobile User will be assigned. You can select as many groups as you would like. A Mobile User Group may contain up to 100 Mobile Users.

When you have finished filling out this window, click OK to save your changes. Click Cancel to cancel adding the new Mobile User.
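The field rules above (name syntax and uniqueness, the password character classes, the external authentication prerequisite, expiration and the 100-member group limit) can be checked before anyone clicks OK, which is useful when accounts are provisioned in bulk. The Python script below is an added example and is not part of this guide or of App Net Manager; it does not call any Corente API. It validates an Add Mobile User request against the documented rules, then computes the Expires column and the Up/Down/Expired status shown in the Mobile Users list. The DomainState class, the constructed sample domain and the error strings are assumptions of the example. The same name and password rules apply to legacy Corente Client accounts, so the name_errors and password_errors checks cover those too.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Name rule from the Add Mobile User window: up to 50 alphanumeric characters,
# hyphens and underscores allowed; tabs, spaces and punctuation are not.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,50}")
MAX_GROUP_MEMBERS = 100        # a Mobile User Group may contain up to 100 Mobile Users
DEFAULT_EXPIRES_IN_DAYS = 30   # default period for the Expires In option


@dataclass
class DomainState:
    """What App Net Manager already knows about the domain (assumed structure)."""
    location_names: frozenset
    legacy_client_names: frozenset
    mobile_user_names: frozenset
    group_sizes: dict              # Mobile User Group name -> current member count
    external_auth_enabled: bool    # RADIUS or LDAP enabled on the Corente Services Gateway
    directory_logins: frozenset    # login names known to that RADIUS/LDAP directory


@dataclass
class MobileUserRequest:
    """Fields of the Add Mobile User window."""
    name: str
    email: str
    password: str
    confirm_password: str
    use_external_auth: bool = False
    expires_in_days: Optional[int] = None   # None means No Expiration
    groups: tuple = ()                       # Mobile User Group Assignments


def name_errors(name, state):
    errs = []
    if not NAME_RE.fullmatch(name):
        errs.append("name: up to 50 alphanumeric, '-' or '_' characters; no tabs, spaces or punctuation")
    if name in state.location_names:
        errs.append("name: clashes with a Location name")
    if name in state.legacy_client_names:
        errs.append("name: clashes with a legacy Corente Client account name")
    if name in state.mobile_user_names:
        errs.append("name: a Mobile User with this name already exists")
    return errs


def password_errors(password, confirm):
    errs = []
    if password != confirm:
        errs.append("password: Password and Confirm Password differ")
    # At least one uppercase, one lowercase and one numeric character.
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)
            and re.search(r"[0-9]", password)):
        errs.append("password: needs an uppercase, a lowercase and a numeric character")
    return errs


def validate_request(req, state):
    """Return the problems with a request; an empty list means it would be accepted."""
    errs = name_errors(req.name, state) + password_errors(req.password, req.confirm_password)
    if req.use_external_auth:
        if not state.external_auth_enabled:
            errs.append("auth: no external authentication server is enabled on the Gateway")
        if req.name not in state.directory_logins:
            errs.append("auth: name must match the login name in the RADIUS/LDAP directory")
    if req.expires_in_days is not None and req.expires_in_days <= 0:
        errs.append("expiry: Expires In must be a positive number of days")
    for group in req.groups:
        if group not in state.group_sizes:
            errs.append(f"group: {group} does not exist")
        elif state.group_sizes[group] >= MAX_GROUP_MEMBERS:
            errs.append(f"group: {group} already has {MAX_GROUP_MEMBERS} members")
    return errs


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def days_until_expiry(created, expires_in_days, today):
    """Value of the Expires column: None for No Expiration, else days left (0 or below = expired)."""
    if expires_in_days is None:
        return None
    return (_as_date(created) + timedelta(days=expires_in_days) - _as_date(today)).days


def account_status(connected, created, expires_in_days, today):
    """Icon shown in the Mobile Users list: Expired takes precedence over Up/Down."""
    remaining = days_until_expiry(created, expires_in_days, today)
    if remaining is not None and remaining <= 0:
        return "Expired"
    return "Up" if connected else "Down"


# Constructed sample domain (not real data) used by the checks and the usage example.
SAMPLE_STATE = DomainState(
    location_names=frozenset({"HQ", "Branch-2"}),
    legacy_client_names=frozenset({"legacy-bob"}),
    mobile_user_names=frozenset({"carol"}),
    group_sizes={"sales": 3, "full-group": 100},
    external_auth_enabled=True,
    directory_logins=frozenset({"alice-01", "carol"}),
)

if __name__ == "__main__":
    req = MobileUserRequest("alice-01", "alice@example.com", "Passw0rd", "Passw0rd",
                            use_external_auth=True, expires_in_days=DEFAULT_EXPIRES_IN_DAYS,
                            groups=("sales",))
    print(validate_request(req, SAMPLE_STATE))                                     # []
    print(days_until_expiry("2024-01-01", DEFAULT_EXPIRES_IN_DAYS, "2024-01-21"))   # 10
```

Run it as a script to see the sample request pass; feed it a request whose name is already a Location name, or whose password lacks a digit, to see the corresponding messages. Note that the script only mirrors the documented rules; App Net Manager remains the authority on whether an account is accepted.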

10.4.2 Mobile User Groups

Mobile Users are combined into groups to make partner administration easier.

10.4.2.1 Viewing Mobile User Groups

To view Mobile User Groups that are configured in App Net Manager, do the following:

  1. Expand the Global Intranet Settings menu in the domain directory.

  2. Expand User Remote Access and then expand Mobile User Administration.

  3. Select Mobile User Groups.

The following fields display for each Mobile User Group:

Mobile User Group

Displays the name of the Mobile User Group.

Number of Members

Displays how many Mobile Users belong to the Mobile User Group.

10.4.2.2 Add a Mobile User Group

Select Mobile User Groups and click the New button.

The Add Mobile User Group window will be displayed. On this window, fill out the fields as follows:

  • Mobile User Group Name: Enter a name for the new Mobile User Group. The name of the Mobile User Group must be unique, and cannot be the same as the name of a Client Group.

When you have finished filling out this window, click OK to save your changes. Click Cancel to cancel adding the new Mobile User Group.

Once you save with the Save button in the App Net Manager tool bar, your new Mobile User Group will appear in the list of Mobile User Groups. To add members to a group, select that group while adding or editing a Mobile User account with the Mobile Users feature.

10.4.3 Managing Legacy Corente Clients

Prior to this release, Corente Clients were created and managed using the Client Administration feature of App Net Manager. This section includes topics for managing legacy Corente Clients.

10.4.3.1 Managing a Legacy Corente Client Account

Note

From this release, you cannot add new accounts for legacy versions of the Corente Client. However, you can still edit legacy Corente Client accounts.

Legacy Corente Client accounts are managed using the Client Administration category in the domain directory. When you open the Clients subcategory, the domain directory lists each Client account you have configured. When you open a Client account, all the Client Groups of which it is a member will be displayed. For more information about Client Groups, see Section 10.4.3.2, “Add a Client Group”.

When you select Clients, all Corente Client accounts that have been configured in this domain will be displayed in a table to the right of the domain directory. This table displays:

  • Client: the Client account name

  • Version: the version of the software that the user has downloaded

  • Target: the target software version that has been set for the user by the SCP Operator

  • Created: the date that the Client account was created

  • Expires (Days): number of days until the Client account expires. A value of Never indicates that No Expiration has been set for the Client account.

  • First Contact: the first time the account contacted the SCP for activation

  • Last Contact: the last time that the account connected and contacted the SCP

  • Visible IP: the Visible IP address of the Corente Client

You can view the current status of each Corente Client at a glance in either the domain directory or the Clients table, by viewing the Corente Client's icon.

  • Download: This account has been added by an administrator, but the Corente Client personality file has not yet been downloaded.

  • Downloaded: The Corente Client personality file has been downloaded, but the computer has not yet established a secure tunnel to the SCP.

  • Active: The computer has established a secure tunnel to the SCP and is currently active on the Corente Services network.

  • Disconnected: The computer has established a secure tunnel to the SCP at least once, but does not currently have an SCP connection. The Corente Client may not be in use.

  • Upgrade Pending: A purple triangle appears on the icon when the Corente Client is scheduled for a software upgrade.

You can Edit or Delete any existing Corente Client account. Once saved with the Save button in the App Net Manager tool bar, any changes made to an existing Corente Client will be distributed automatically and immediately if that Corente Client is currently connected. If the Corente Client is currently disconnected, the changes will be applied the next time the Corente Client contacts the SCP. If you delete a Corente Client that is currently in use, that Corente Client's session will be terminated.

To edit a legacy Corente Client account, right-click on the Client name in the domain directory.

The following settings are available:

  • Name: Enter the alphanumeric identifier for the Corente Client account. You may use up to 50 alphanumeric characters. Hyphens and underscores are allowed, but do not use tabs, spaces, or punctuation marks when creating this name. This name must be unique from any Location names in your domain.

  • Email: Enter the email address of the Corente Client user. The user will receive an email message shortly after you complete this screen, notifying them that you have set up this account. The email will also contain the URL where the user can obtain the Corente Client Software. If you have already downloaded the software, make sure you notify the user so that the user can obtain the software package from you rather than by using this hyperlink.

  • Password: Create an alphanumeric password for this Corente Client account. This password must contain at least one uppercase, one lowercase, and one numeric character. This password will not be sent in the automatic email message; for security purposes, you must supply the password to the user yourself. You should remind the user to change this password as soon as possible in order to maintain security for your domain.

  • Confirm Password: Re-enter the password you created in the Password field to avoid any mistakes.

  • Notes: If you would like to add additional information to keep track of this Client account, enter your notes here. You can enter up to 250 characters.

  • Access Settings: The options in the Access Settings section allow you to select how this client account will use the Corente Client to connect to your Corente Services network.

    • Allow access to local Network: Select this option if you would like to allow the Corente Client to contact and be contacted by machines on its own LAN while it is connected to its Location partner. You should not select this option if this machine will be accessible by untrusted devices. When this option is not selected, while the software is in use, the Corente Client will only be able to contact and be contacted by machines via the Location partner. This option will be unselected by default.

    • Backhaul All Traffic: Select this option if you would like all traffic (both traffic destined for the Location partner and traffic destined for other places, such as the Internet) to travel inside the secure tunnel and be routed to the Location partner. The Location partner receives all of the traffic and then routes it appropriately. By default, this option will be selected. When this option is not selected, no traffic will be backhauled. This means that the Corente Client:

      • Is unable to use any WINS or DNS servers whose addresses have been served to it by a DHCP server over the domain (either by the Location gateway’s DHCP server or by an external DHCP server).

      • Is able to access only the computers on the LAN of the Location to which it is connected.

      • Is unable to access the partners of its Location partner. The partners and computers behind those partners will be visible to the Corente Client user in Gateway Viewer, but will be inaccessible.

  • Authentication Type: This section enables you to select the method that this Corente Client will use to authenticate to its Location partners. In addition to all of these methods, all Corente Clients are authenticated with digital certificates.

    • Password: Select this option and this Corente Client will authenticate with the user name and password that you supply on this screen. The password can be changed later by the user.

    • External: Select this option and this Corente Client will authenticate to its Location partner with either RADIUS or LDAP, depending on the type of external authentication that has been enabled on the Location gateway (see Section 11.9.9.3, “Configuring External Authentication”). The user must supply the user name and password that you have entered on this screen to obtain the personality file for this client, but must use the user name and password for the RADIUS/LDAP server to connect to the client's Location partner.

      Note

      If no External Authentication server has been enabled on the Location gateway, the Corente Client will be unable to connect to the Location when its Authentication Type is External.

    • No Authentication: Select this option and this Corente Client will not be required to authenticate with any other method but digital certificates. The user must supply the user name and password that you have entered on this screen to obtain the personality file for this client, but a user name and password will not be required when starting the software.

  • Client Expiration: If you would like to create a temporary Client account for a user, you can use the Client Expiration feature to specify the length of time (in days) that the Client will be permitted to connect to its partners. When the subscription period has ended, the Client will immediately be disconnected by the SCP when the user attempts to start up the Client software and connect to partners. An expired Client account will remain listed in App Net Manager so that you are able to modify the Client Expiration settings and renew the Client subscription, easily rendering the Client account usable again.

    • No Expiration: When this option is selected, the subscription for this Client will not expire. The Client will be permitted to connect to its partners until you delete this Client account or change the Client Expiration settings. By default, this option will be selected.

    • Expires In: When this option is selected, the Client subscription will endure for the time period that is specified in the adjacent field. When the end of the time period approaches, the Client user will be notified of the impending expiration during initial Client startup. (The user can also view the length of time until client expiration at any time by placing their cursor over the Client system tray icon to view the 'tool tip'.) When the time period has ended, this Client will no longer be permitted to connect to its assigned partners until you change the Client Expiration settings. The default time period is 30 days.

    • Expired: When this option is selected, the subscription for this Client has expired. The Client will not be permitted to connect to its assigned partners unless you renew the subscription by selecting either the No Expiration or Expires In option and save your changes.

  • Client Group Assignments: Corente Clients are combined into groups to make partner administration easier. Client Groups are created using the Client Groups feature, as described in Section 10.4.3.2, “Add a Client Group”.

    To include a Corente Client in a group, select the checkbox beside the group name. You may add a Corente Client to as many groups as you would like. A Client Group may contain up to 100 Corente Clients.

    If a Corente Client is a member of multiple groups or partnered with multiple Location partners, when the user signs onto the service, they are asked to select a Location for that session. Corente Clients can connect to only one Location at a time.

    Note

    Corente Clients cannot be partnered with each other. Additionally, Corente Clients can only partner with Locations that are reachable on TCP or UDP port 551. This means that a client cannot connect to a Location behind a firewall or proxy server unless that device has been configured to pass port 551 through to the Location.

10.4.3.2 Add a Client Group

Corente Clients are combined into groups to make partner administration easier. When you select Client Groups in the domain directory, all Client Groups that have been configured in this domain will be displayed in a table to the right of the domain directory. This table displays the Client Group names and the number of members of each group.

To view the members of an existing Client Group, open the Client Group's branch in the domain directory.

You can Delete any Client Group in this list. If the group is currently in use by any Corente Client, the Corente Client will no longer be able to contact any Locations partnered with that group.

To create a new client group, make sure Client Groups is selected in the domain directory and:

  • Select the New button in the tool bar.

  • From the File menu, select Add Client Group.

  • Right-click Client Groups in the domain directory and select Add Client Group.

You will be taken to a blank Add Client Group window.

Fill out this window as follows:

  • Client Group Name: Enter a new group name and click OK.

Once you save with the Save button in the App Net Manager tool bar, your new Client Group will appear in the list of Client Groups. To add members to a group, select that group while adding or editing a Corente Client account with the Clients feature.

10.4.3.3 Network Tab – Backhaul

A Corente Client can participate in the Corente Services backhaul feature. By default, all IP traffic (both Internet and Corente Services network) from a Corente Client is backhauled to its host Location across the secure Corente Services network tunnel. The "split tunnel" model (where only Corente Services network traffic is sent across the tunnel and Internet traffic is sent directly to the Internet) can be enabled for specific Corente Client accounts by clearing the Backhaul All Traffic option, but it is generally recommended that all Corente Clients are backhauled, so that their Internet traffic is subject to the filtering and access rules of the host Location rather than leaving the client unprotected. For more information about enabling or disabling backhaul for a legacy client, see Section 10.4.3.1, “Managing a Legacy Corente Client Account”.

Each Corente Services Gateway that is enabled for Mobile Users must function as a Backhaul Server. When you select the Enable Client access to this Location option, the Location form will automatically enable the Backhaul Server option as well. To verify backhaul settings, go to the Network tab and review the Backhaul section. The Backhaul Server option should be selected.

When the Backhaul Server option is selected, in addition to receiving the backhauled traffic of its Corente Client partners, the Location gateway can also receive backhauled IP traffic from Locations designated as Backhaul Clients.

If you would like, you can use the following option:

Optional Default Gateway: When the Backhaul Server option is selected, you can supply an IP address or DNS name of a server on the LAN where this Corente Services Gateway will send all of the Internet traffic that has been routed to it. This enables you to specify the server that the traffic will be sent to and received from for filtering and Internet access rules, so that you do not have to change the default Internet Gateway for this Corente Services Gateway in the Network Interfaces section of the Network tab.

Note

Because of backhaul, Corente Clients will access the Internet through their host Location when connected to the Corente Services network. Therefore, you must make sure that the appropriate configuration is completed on Corente Clients so that they can access the Internet at that location. In particular, if your users in your host Location’s site have to employ a proxy setting to reach the Internet, Corente Client users will also have to employ that same proxy setting because Internet access for the client is being backhauled through the office tunnel.

Under normal circumstances, to protect the Corente Services network, the Corente Client will not be able to communicate outside the Corente Services network tunnel. This means that all communication between a Corente Client and the local network to which it is actually connected, such as a small home network, is blocked while it is bridged to the LAN of its host Corente Services Gateway. However, when you configure a Corente Client account, you can select the Allow access to local Network option. When this option is selected, this Corente Client will be allowed to access computers on its own LAN in addition to computers across the Corente Services network on the host Location’s LAN, which also means that devices on that local network can reach the client while it is connected. However, the Corente Client’s Internet traffic will not be backhauled.

10.4.3.4 DHCP Server for Legacy Corente Clients

When connected to the Corente Services network, legacy Corente Clients must be provisioned by a DHCP server located on the LAN of their host Location. The DHCP server must serve each of the Corente Clients an IP address, network mask, and default gateway address, as well as DNS server and WINS server settings. You will not be able to create reservations for Corente Clients based on MAC address, since the MAC address used over the Corente Services network is not the actual MAC address used in each physical client machine. Instead, the MAC address is obtained via proxy.

A DHCP server simplifies administration of remote access clients enormously. Because it provides an IP address on the same subnet as the Location gateway, it enables users to access and use resources exactly as they would if their machine was plugged into the LAN itself. All of the domain security functions for users at work, such as logon scripts and automatic drive mappings, will now work easily over the Corente Services network connection for remote access users.

If you are already using a third-party DHCP server to provision computers on the Location gateway’s LAN, you should also use this server to provision Corente Clients. However, if you do not have a DHCP server on the Location gateway’s LAN, the Corente Services Gateway itself can be configured to handle this task for Corente Clients.

The address assignments served by the native DHCP server on the Location gateway will last for the duration of the Corente Client session while it is connected to this Location.

Perform the following steps to configure how addressing information will be served to Corente Clients on the Edit RAS Client DHCP Server screen of the Location form.

  1. On the User Remote Access tab of the Location form, select the DHCP Server Support Configure button. The Edit RAS Client DHCP Server screen will be displayed.

  2. Select the Enable RAS Client DHCP Server option to enable the DHCP server for Corente Clients.

  3. If you would like, enter a DNS Suffix to be served to computers by DHCP. When these computers submit a name for DNS name resolution, this DNS suffix will be appended to that name.

  4. Select either of the following options, if you would like:

    • Serve DNS with DHCP: This option enables you to select whether or not to pass DNS Server IP addresses with the DHCP leases. When this box is selected, Corente Clients will be served the DNS server addresses that you supplied in the Network tab of this Location form.

    • Serve WINS with DHCP: This option enables you to select whether or not to pass WINS Server IP addresses with the DHCP leases. (WINS is the network protocol used in Windows networking; the computer names you see in Network Neighborhood are all resolved into IP addresses, and vice versa, using WINS.)

      When this box is checked, you must enter the IP addresses of the WINS servers on your network that will be served to Corente Clients:

      • Primary WINS: Enter the IP address of the primary WINS server used to resolve WINS names on your local network.

      • Secondary WINS: Enter the IP Address of the secondary WINS server that will be used to resolve names if the primary WINS server does not respond. You cannot enter a Secondary WINS address if you have not entered a Primary WINS entry.

    Note

    When creating a Corente Client account, if the Backhaul All Traffic option is not selected, the Corente Client will not receive WINS and DNS server addresses when served its IP address by DHCP.

  5. When you select the Address Ranges tab at the bottom of the screen, this section enables you to create the address pools that will be served by the Location gateway. You can Edit or Delete any existing range in this section. To begin creating address pools for Corente Clients, select the Add button.

  6. The Add DHCP Address Range window will be displayed.

    Fill out this window as follows:

    • Include Address Range or Exclude Address Range: To start, make sure that the Include Address Range option is selected. This option indicates that the entire range you enter will be served by DHCP.

    • Start Address: Enter the lowest value of the address range in this field.

    • End Address: Enter the highest value of the address range in this field. If the address pool you would like to create contains only one IP address, you do not have to enter anything in this field.

  7. Select the OK button to save this pool. The range will be listed in the Address Ranges section.

  8. If you would like to exclude certain addresses from any of the address pools you have added, you can exclude these addresses by Adding another range and selecting the Exclude Address Range option. Then, enter the range of IP addresses that you would like to exclude in the Start Address and End Address fields, as described in Step 6. The address of the Location gateway is automatically excluded and does not need to be entered here.

  9. Complete Steps 5 to 8 to enter as many address ranges as you would like the Location gateway to serve.

  10. When you select the Reservations tab at the bottom of this screen, you can reserve specific IP addresses for Corente Clients that receive their addressing from the Location's DHCP server. You can Edit or Delete any existing reservation in this section. To add a reservation, select the Add button.

  11. The Add DHCP Reservation screen will be displayed.

    Fill out this screen as follows:

    • Client Name: Enter the name of the Corente Client.

    • IP Address: Enter the IP address that will be reserved by the Location's DHCP server for use by this Corente Client only. The Client will always receive this address from the DHCP server.

    • Reserved: When this checkbox is selected, the IP address you entered will be saved and assigned to the Corente Client whenever it receives its addressing via the Location's DHCP server.

  12. Select the OK button to save this reservation. The reservation will be listed in the Reservations section.

  13. Complete Steps 10 to 12 to enter as many reservations as you would like the Location gateway to serve.

  14. When you have finished defining the address ranges and reservations to be served by DHCP, click the OK button. You will return to the User Remote Access tab.
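The include ranges, exclude ranges, the automatic exclusion of the gateway address and the reservations combine into the set of addresses the Location gateway will actually hand out, and the Backhaul All Traffic setting decides whether a client receives DNS and WINS server addresses at all (see the note in Step 4). The Python script below is an added example that models that behaviour; it is not part of this guide and does not use any Corente API. The RasDhcpConfig class, the network field (the LAN subnet, used to derive the mask and to sanity-check ranges), the constructed sample addresses and the layout of the lease dictionary are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RasDhcpConfig:
    """Settings from the Edit RAS Client DHCP Server screen (assumed structure)."""
    network: str                     # LAN subnet of the Location gateway, e.g. "192.168.10.0/24" (assumed field)
    gateway: str                     # Location gateway address: served as default gateway, never leased
    include: list                    # Include Address Range entries: (start, end); end None = single address
    exclude: list = field(default_factory=list)       # Exclude Address Range entries
    reservations: dict = field(default_factory=dict)  # Client Name -> reserved IP (Reserved checkbox set)
    dns_suffix: str = ""
    serve_dns: bool = False
    dns_servers: tuple = ()          # DNS servers from the Network tab of the Location form
    serve_wins: bool = False
    primary_wins: Optional[str] = None
    secondary_wins: Optional[str] = None


def _expand(rng):
    """Turn a (start, end) entry into the inclusive set of integer addresses."""
    start, end = rng
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end)) if end else lo
    if hi < lo:
        raise ValueError(f"range {start}-{end}: End Address is below Start Address")
    return set(range(lo, hi + 1))


def effective_pool(cfg):
    """Addresses the gateway can lease: includes minus excludes minus its own address."""
    pool = set()
    for rng in cfg.include:
        pool |= _expand(rng)
    for rng in cfg.exclude:
        pool -= _expand(rng)
    pool.discard(int(ipaddress.IPv4Address(cfg.gateway)))   # excluded automatically
    return [str(ipaddress.IPv4Address(i)) for i in sorted(pool)]


def config_errors(cfg):
    """Consistency checks implied by the screen's field rules; empty list means the config is sane."""
    errs = []
    net = ipaddress.ip_network(cfg.network)
    if cfg.serve_wins and not cfg.primary_wins:
        errs.append("Serve WINS with DHCP is checked but Primary WINS is empty")
    if cfg.secondary_wins and not cfg.primary_wins:
        errs.append("Secondary WINS requires a Primary WINS entry")
    pool = effective_pool(cfg)
    if not pool:
        errs.append("no address will be served: all ranges are excluded or empty")
    for ip in pool:
        if ipaddress.IPv4Address(ip) not in net:
            errs.append(f"{ip} lies outside the gateway LAN {cfg.network}")
            break
    seen = {}
    for name, ip in cfg.reservations.items():
        if ip not in pool:
            errs.append(f"reservation for {name}: {ip} is not in a served range")
        if ip in seen:
            errs.append(f"reservation for {name}: {ip} is already reserved for {seen[ip]}")
        seen[ip] = name
    return errs


def lease_for(cfg, client_name, backhaul_all, in_use):
    """Addressing a connecting Corente Client receives for this session, or None if the pool is exhausted.
    in_use holds addresses currently leased to other connected clients (leases last for the session)."""
    reserved = cfg.reservations.get(client_name)
    if reserved:
        ip = reserved
    else:
        taken = set(in_use) | set(cfg.reservations.values())
        free = [a for a in effective_pool(cfg) if a not in taken]
        if not free:
            return None
        ip = free[0]
    lease = {"ip": ip, "netmask": str(ipaddress.ip_network(cfg.network).netmask),
             "router": cfg.gateway, "dns_suffix": cfg.dns_suffix, "dns": (), "wins": ()}
    # A split-tunnel client (Backhaul All Traffic cleared) gets no DNS or WINS server addresses.
    if backhaul_all:
        if cfg.serve_dns:
            lease["dns"] = tuple(cfg.dns_servers)
        if cfg.serve_wins and cfg.primary_wins:
            lease["wins"] = tuple(w for w in (cfg.primary_wins, cfg.secondary_wins) if w)
    return lease


# Constructed sample configuration (not real addresses).
SAMPLE_CFG = RasDhcpConfig(
    network="192.168.10.0/24", gateway="192.168.10.1",
    include=[("192.168.10.100", "192.168.10.110"), ("192.168.10.1", None)],
    exclude=[("192.168.10.105", "192.168.10.106")],
    reservations={"alice-laptop": "192.168.10.110"},
    dns_suffix="corp.example", serve_dns=True, dns_servers=("192.168.10.5",),
    serve_wins=True, primary_wins="192.168.10.6",
)

if __name__ == "__main__":
    print(config_errors(SAMPLE_CFG))                              # []
    print(effective_pool(SAMPLE_CFG))                             # .100-.104 and .107-.110
    print(lease_for(SAMPLE_CFG, "alice-laptop", True, set()))     # reserved .110 with DNS and WINS
    print(lease_for(SAMPLE_CFG, "bob", False, {"192.168.10.100"}))   # .101, no DNS or WINS
```

The sample deliberately includes the gateway's own address in an Include range to show that it is dropped anyway, and reserves the top address so that ordinary clients skip it. The second lease_for call is the split-tunnel case: the client receives an address and default gateway but, as the note in Step 4 states, no DNS or WINS server addresses, which is why name resolution for LAN resources breaks for such clients.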