Configuring Windows routing and remote access for MaaS360 VPN

MaaS360® VPN can route all traffic through the VPN or route specific subnets through the VPN (split tunneling).

By default, MaaS360 VPN uses Network Address Translation (NAT) to route traffic from the MaaS360 VPN server to your corporate network. Before the MaaS360 VPN module can function on your network, you must complete the following steps:

Requirements

The following table lists the installation and setup requirements that apply to the MaaS360 VPN installation:
Item | Requirement

Server | Microsoft Windows Server 2016+ (physical or virtual)
  • At least one interface with access or routes to the resources that are accessed by the MaaS360 VPN.
  • Supports one-arm mode, which uses the same interface for incoming VPN connections and outgoing traffic to the network, or multi-arm mode, which uses different interfaces for incoming VPN connections and outgoing traffic to the network.

MaaS360 VPN | The external DNS name or the IP address, and the port that is used to configure external user connections.
  • External DNS name or IP address: The DNS name or the IP address that end user agents use to connect to the MaaS360 VPN.

    The public IP address is assigned directly to an interface on the Windows Server or translated to the private address of the Windows Server by using a router, firewall, load balancer, or reverse proxy (highly recommended).

  • Port: The default port is 1194. You can change this port.

    MaaS360 VPN currently uses the UDP protocol, which you cannot change. The administrator must make sure that the port that is entered in the Cloud Extender® Configuration Tool is open to the server that is provisioning MaaS360 VPN. You should block other ports for security reasons.

MaaS360 VPN software | The internal IP address and the port that the MaaS360 VPN software uses.
  • Internal IP address: You must use a valid IP address of a physical adapter on the Windows Server.
  • Port: The default port is 1194. You can change this port.
    Note: The internal port does not need to match the VPN external port if there is a load balancer, firewall, router, or reverse proxy in front of the VPN server handling the translation.

MaaS360 VPN tunnel | One or more valid subnets (IP address and netmask) that are used to assign IP addresses to inbound user connections for the VPN tunnel (Virtual IP and Virtual Subnet Mask).
  • Use subnets in a private range that include enough IP addresses to handle all users that connect to each MaaS360 VPN server.
  • One subnet is needed for each MaaS360 VPN server. The subnet must include enough IP addresses to handle the maximum number of users that can connect to the server at one time.
  • Since NAT is used on outgoing traffic from the server, you can use the same subnet for each MaaS360 VPN server. However, this setup might impede troubleshooting efforts.
  • Use unique subnets in the network that do not create overlap or confusion with the network routing.

DNS server | One or more DNS servers that are used by end user agents.
  • The DNS server must be accessible from the network interface that the MaaS360 VPN is installed on.
  • The DNS server must resolve public and private addresses, even if split tunneling is used (or add a second public DNS to the list).

Subnets | A list of subnets (IP address and netmask) that are used to route through the MaaS360 VPN (if you are using split tunneling).
Note: If you are not using split tunneling, all traffic (private and public) is routed through the tunnel, which might increase the load on the server with non-corporate traffic.
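
The tunnel subnet requirements above (private range, enough addresses for the maximum number of users, no overlap with routed networks) can be checked before anything is entered in the configuration tool. The following is an added example, not part of the MaaS360 documentation or tooling; the server names, subnets and user counts are constructed, and "private range" is assumed to mean the RFC 1918 IPv4 blocks.

```python
import ipaddress

# Assumption: "private range" means the RFC 1918 IPv4 blocks.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan: server name -> (virtual subnet, max concurrent users).
SERVERS = {
    "vpn-a": ("10.8.0.0/255.255.255.0", 200),  # address/netmask form is accepted
    "vpn-b": ("10.8.0.0/24", 300),             # reuses vpn-a's subnet, too small
    "vpn-c": ("192.168.10.0/24", 100),         # collides with a routed subnet
    "vpn-d": ("203.0.113.0/24", 50),           # not a private range
}
CORPORATE = ["192.168.0.0/16", "10.20.0.0/16"]  # constructed routed subnets


def check_tunnel_plan(servers, corporate_subnets):
    """Return (level, message) findings for a VPN tunnel subnet plan."""
    corp = [ipaddress.IPv4Network(c) for c in corporate_subnets]
    findings, seen = [], {}
    for name, (cidr, max_users) in servers.items():
        try:
            net = ipaddress.IPv4Network(cidr)  # strict: rejects host bits set
        except ValueError as exc:
            findings.append(("error", f"{name}: invalid subnet {cidr!r} ({exc})"))
            continue
        if not any(net.subnet_of(block) for block in RFC1918):
            findings.append(("error", f"{name}: {net} is not in a private range"))
        # Assumption: network and broadcast addresses are never handed to clients.
        usable = max(net.num_addresses - 2, 0)
        if usable < max_users:
            findings.append(("error", f"{name}: {net} has {usable} usable "
                                      f"addresses, needs {max_users}"))
        for routed in corp:
            if net.overlaps(routed):
                findings.append(("error", f"{name}: {net} overlaps routed subnet {routed}"))
        # Shared subnets work because of NAT, but make troubleshooting harder.
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                findings.append(("warning", f"{name}: {net} overlaps {other} ({other_net})"))
        seen[name] = net
    return findings


if __name__ == "__main__":
    for level, message in check_tunnel_plan(SERVERS, CORPORATE):
        print(f"{level.upper():8}{message}")
```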

Next steps