Configuring Address Pools
In some situations, users who connect with the NetScaler Gateway Plug-in need a unique IP address for NetScaler Gateway. For example, in a Samba environment, each user connecting to a mapped network drive needs to appear to originate from a different IP address. When you enable address pools (also known as IP pooling) for a group, NetScaler Gateway can assign a unique IP address alias to each user.
You configure address pools by using intranet IP addresses. The following types of applications might need to use a unique IP address that is drawn from the IP pool:
- Voice over IP
- Active FTP
- Instant messaging
- Secure shell (SSH)
- Virtual network computing (VNC) to connect to a computer desktop
- Remote desktop (RDP) to connect to a client desktop
You can configure NetScaler Gateway to assign an internal IP address to users who connect to NetScaler Gateway. Static IP addresses can be assigned to users, or a range of IP addresses can be assigned to a group, to a virtual server, or to the system globally.
NetScaler Gateway allows you to assign IP addresses from your internal network to your remote users. A remote user can be addressed by an IP address on the internal network. If you choose to use a range of IP addresses, the system dynamically assigns an IP address from that range to a remote user on demand.
When you configure address pools, be aware of the following:
- Assigned IP addresses need to be routed correctly. To ensure the correct routing, consider the following:
  - If you do not enable split tunneling, make sure that the IP addresses can be routed through network address translation (NAT) devices.
  - Any servers accessed by user connections with intranet IP addresses must have the proper gateways configured to reach those networks.
  - Configure gateways or a static route on NetScaler Gateway so that network traffic from user software is routed to the internal network.
- Only contiguous subnet masks can be used when assigning IP address ranges. A subset of a range can be assigned to a lower-level entity. For example, if an IP address range is bound to a virtual server, bind a subset of the range to a group.
- IP address ranges cannot be bound to multiple entities within a binding level. For example, a subset of an address range that is bound to a group cannot be bound to a second group.
- NetScaler Gateway does not allow you to remove or unbind IP addresses while they are actively in use by a user session.
- Internal network IP addresses are assigned to users by using the following hierarchy:
  - User’s direct binding
  - Group assigned address pool
  - Virtual server assigned address pool
  - Global range of addresses
- Only contiguous subnet masks can be used in assigning address ranges. However, a subset of an assigned range might be further assigned to a lower-level entity.
A bound global address range can have a range bound to the following:
- Virtual server
A bound virtual server address range can have a subset bound to the following:
A bound group address range can have a subset bound to a user.
When an IP address is assigned to a user, the address is reserved for the user’s next logon until the address pool range is exhausted. When the addresses are exhausted, NetScaler Gateway reclaims the IP address from the user who has been logged off from NetScaler Gateway the longest.
If an address cannot be reclaimed and all addresses are actively in use, NetScaler Gateway does not allow the user to log on. You can prevent this situation by allowing NetScaler Gateway to use the mapped IP address as an intranet IP address when all other IP addresses are unavailable.
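The following is an added example, not Citrix code: it checks a planned set of intranet IP bindings against the rules above (contiguous masks, no range shared by two entities at the same binding level) and reports which pool a user would draw from under the assignment hierarchy. The tuple format, entity names, and addresses are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

LEVELS = ("user", "group", "vserver", "global")  # lookup order listed on this page

# Constructed sample plan: (level, entity, ip, netmask). Names and addresses are hypothetical.
PLAN = [
    ("global", "global", "10.20.0.0", "255.255.0.0"),
    ("vserver", "vpn_vs1", "10.20.8.0", "255.255.252.0"),
    ("group", "ops", "10.20.8.0", "255.255.255.0"),
    ("group", "helpdesk", "10.20.8.128", "255.255.255.128"),  # overlaps ops
    ("group", "voip", "10.20.9.0", "255.0.255.0"),  # non-contiguous mask
    ("user", "alice", "10.20.8.10", "255.255.255.255"),  # static address
]

def parse_range(ip, netmask):
    """Build the network; ipaddress raises ValueError for a non-contiguous mask."""
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)

def validate(plan):
    """Return problems: bad masks, and ranges shared by two entities at one level."""
    problems, nets = [], []
    for level, entity, ip, mask in plan:
        try:
            nets.append((level, entity, parse_range(ip, mask)))
        except ValueError:
            problems.append(f"{level}:{entity} invalid or non-contiguous mask {mask}")
    for (l1, e1, n1), (l2, e2, n2) in combinations(nets, 2):
        if l1 == l2 and e1 != e2 and n1.overlaps(n2):
            problems.append(f"{l1}:{e1} {n1} overlaps {l2}:{e2} {n2}")
    return problems

def pool_for(user, groups, vserver, plan):
    """Return (level, network) for the first matching binding in hierarchy order.

    Run validate() first; entries with bad masks are skipped here.
    """
    owners = {"user": {user}, "group": set(groups), "vserver": {vserver}, "global": {"global"}}
    for level in LEVELS:
        for lvl, entity, ip, mask in plan:
            if lvl == level and entity in owners[level]:
                try:
                    return level, parse_range(ip, mask)
                except ValueError:
                    continue
    return None

if __name__ == "__main__":
    for problem in validate(PLAN):
        print("PROBLEM:", problem)
    print(pool_for("bob", ["ops"], "vpn_vs1", PLAN))
```

Knowing which pool a user resolves to lets you map a source address seen in server logs or firewall rules back to the user, group, or virtual server it was drawn from.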