Access Controls
The Access Controls section allows you to define how users and groups interact with network resources, each other, and the internet. This includes access rules, subnet routing, DNS configuration, and client-to-client communication.
The section is divided into five tabs:
Group and User Access Rules
Global Access Rules
Intergroup Connectivity
Internet Access and DNS
InterClient Communication
📋 Group and User Access Rules
This tab provides fine-grained control over what resources specific users or groups can access.
You'll see an Access Rules table with the following columns:
IP address or subnet
Attached to (user or group)
Protocol (e.g., TCP, UDP, ICMP)
Port
Reachable via (NAT or Route)
Edit and Delete buttons
You can:
Filter by user or group rules, protocol, and type.
Search the table.
Reorder or hide table columns.
➕ New Access Rule
Click New Access Rule to create a new rule. You'll be prompted to:
Choose whether the rule applies to a User or a Group.
Select the name from a drop-down menu.
Enter the IP address or subnet.
Select the Protocol and Port.
Choose NAT or Route as the reachability method.
Save the rule.
Tip
NAT is typically used for simplified routing and firewall traversal, while Route allows for more transparent access when routing is properly configured.
🌐 Global Access Rules
Use this tab to define subnets that are reachable by all VPN users, regardless of group or user-specific access rules. Here you can define rules by subnet and choose whether they're reachable via NAT or Route. You can also remove any existing entries.
Global Subnet Routing Overrides: This field allows you to define subnet exceptions that are always routed, even if not otherwise specified by other access rules.
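The following audit sketch is an added example, not part of Access Server or its documentation. It reviews rules copied by hand from the Access Rules table and the Global Access Rules tab for least-privilege problems. The dictionary layout, the "any" port value, the sample rows, and the /24 threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rows, transcribed by hand from the two tabs.
# Keys mirror the Access Rules table columns; this layout is an assumption,
# not an Access Server export format.
ACCESS_RULES = [
    {"subnet": "10.20.5.10/32", "attached_to": "group:db-admins", "protocol": "TCP", "port": "5432", "via": "NAT"},
    {"subnet": "10.0.0.0/8", "attached_to": "group:contractors", "protocol": "TCP", "port": "any", "via": "Route"},
    {"subnet": "192.168.50.0/24", "attached_to": "user:alice", "protocol": "UDP", "port": "53", "via": "NAT"},
]
GLOBAL_SUBNETS = ["192.168.50.0/24"]  # constructed: subnets on the Global Access Rules tab
MIN_PREFIX = 24  # assumed policy: IPv4 rules wider than /24 need a justification


def audit(rules, global_subnets, min_prefix=MIN_PREFIX):
    """Return (finding, subnet, scope) tuples for rules that deserve review."""
    findings = []
    global_nets = [ipaddress.ip_network(s, strict=False) for s in global_subnets]
    for g in global_nets:
        # A global subnet is reachable by every VPN user, so breadth matters most here.
        if g.prefixlen < min_prefix:
            findings.append(("global-broad", str(g), "all VPN users"))
    for rule in rules:
        net = ipaddress.ip_network(rule["subnet"], strict=False)
        if net.prefixlen < min_prefix:
            findings.append(("broad-subnet", str(net), rule["attached_to"]))
        # "any" (or an empty port) is the assumed way an unrestricted port was recorded.
        if rule["port"].strip().lower() in ("any", "*", ""):
            findings.append(("all-ports", str(net), rule["attached_to"]))
        for g in global_nets:
            # A user or group rule inside a global subnet restricts nothing:
            # the global rule already exposes that range to everyone.
            if net.version == g.version and net.subnet_of(g):
                findings.append(("covered-by-global", str(net), rule["attached_to"]))
    return findings


if __name__ == "__main__":
    for finding in audit(ACCESS_RULES, GLOBAL_SUBNETS):
        print(*finding, sep="\t")
```

A "covered-by-global" finding means the per-user or per-group rule gives a false sense of restriction, because the same range is already open to all VPN users through the global rule.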
🔁 Intergroup Connectivity
This tab displays and manages all intergroup communication rules.
The Intergroup Connectivity table includes:
Group
Has access to (group or user)
Direction (one-way or two-way)
Edit and Delete buttons
You can:
Filter by direction.
Search the table.
Reorder or hide table columns.
➕ New Intergroup Rule
Click New Intergroup Rule to define communication between groups or between a group and a user:
Initiate a connection from group: Select the source group.
To group/user: Choose the destination.
Optionally select Two-way connectivity.
Save the rule.
🌍 Internet Access and DNS
Configure how users connect to the internet and how DNS resolution is handled.
Internet Gateway: Choose between:
Full-Tunnel: All traffic goes through the VPN.
Split-Tunnel: Only specified traffic goes through the VPN.
Push DNS: Toggle DNS pushing to clients (recommended for full-tunnel setups).
Select DNS Servers
Autodetect: Use the Access Server host's DNS settings.
Custom: Add one or more DNS servers manually.
Default Domain Suffix (optional): Specify a domain suffix to allow Windows clients to resolve short hostnames into fully qualified domain names (FQDNs).
DNS Resolution Zones (optional): Define split DNS behavior by routing specific domains through specified DNS servers.
Note
Some operating systems (like Windows) may only honor the first domain listed in split DNS configurations.
🧩 InterClient Communication
Control how connected VPN clients can interact with one another.
Global InterClient Communication: Choose one of the following policies:
Isolate all users: Blocks all client-to-client communication.
Allow user-to-user connections: Enables peer-to-peer communication.
Admins can access all users: Allows only admin users to initiate connections to other users.
Access to the internal gateway address: Toggle Allow client access to services on the VPN network to let clients access internal services hosted by the Access Server itself.