Organization Set Up
When setting up a new organization, be sure to review the default settings for new connections to its hub host.
Hub Defaults
View
To view the default settings for new connections to an organization’s hub host, follow these steps:
- Log into the ACSC management UI, and switch to the appropriate organization.
- Click the Hosts link in the page header. This will take you to the Hosts page.
- Click the name of the Anti-Cloud Hub host. If you don’t see this host in the list, use the Filter by name… input at the top of the page to search for it by name. This will take you to the Anti-Cloud Hub host page.
- Click the hub link in the Interfaces panel. This will take you to the hub interface page.
- Click the Defaults icon on the Endpoints panel. This will take you to the Anti-Cloud Hub Defaults page.
Recommended Settings
The two default settings you should change are Disallowed IPs and DNS Servers; you may also want to customize Network Addresses.
Add all LAN networks that the organization uses to the Disallowed IPs setting. For example, if the organization has an office LAN that uses the 10.0.0.0/24 network, two cloud LAN networks 10.100.0.0/16 and 10.101.0.0/16, and home users on LANs that use the 192.168.0.0/24 and 192.168.1.0/24 networks, set Disallowed IPs to the following:
10.0.0.0/24
10.100.0.0/15
192.168.0.0/23
If the randomly assigned ACSC Network Addresses collide with the organization’s LAN networks (or if the IPv4 address block is not big enough for all the organization’s computers), adjust the Network Addresses setting. For example, if the IPv4 block in the Network Addresses setting was initially set to 10.100.123.0/24 (colliding with the example 10.100.0.0/16 range above), you may want to change it to something that doesn’t collide, like the following:
10.234.123.0/24
fdab:cdef:1234:5678::/64
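The CIDR summarization and collision check described above can be reproduced with Python's standard ipaddress module. This is an added example, not part of the ACSC product or its documentation; the function names are hypothetical, and the usable-host count assumes only the network and broadcast addresses are reserved.

```python
import ipaddress

# Example LAN networks taken from the text above.
LANS = ["10.0.0.0/24", "10.100.0.0/16", "10.101.0.0/16",
        "192.168.0.0/24", "192.168.1.0/24"]


def disallowed_ips(lan_networks):
    """Collapse LAN CIDRs into the shortest equivalent Disallowed IPs list."""
    nets = [ipaddress.ip_network(n) for n in lan_networks]  # rejects host bits
    merged = []
    for version in (4, 6):  # collapse_addresses refuses mixed address families
        family = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(family))
    return [str(n) for n in merged]


def collisions(network_addresses, lan_networks):
    """Return (acsc_range, lan_range) pairs whose address space overlaps."""
    lans = [ipaddress.ip_network(n) for n in lan_networks]
    hits = []
    for candidate in network_addresses:
        acsc = ipaddress.ip_network(candidate)
        for lan in lans:
            if acsc.version == lan.version and acsc.overlaps(lan):
                hits.append((str(acsc), str(lan)))
    return hits


def ipv4_capacity(network_addresses):
    """Usable IPv4 host addresses across the Network Addresses ranges.

    Assumption: network and broadcast addresses are the only reserved ones.
    """
    total = 0
    for candidate in network_addresses:
        net = ipaddress.ip_network(candidate)
        if net.version == 4:
            reserved = 2 if net.prefixlen < 31 else 0
            total += net.num_addresses - reserved
    return total


if __name__ == "__main__":
    print("Disallowed IPs:", disallowed_ips(LANS))
    for proposed in (["10.100.123.0/24", "fdab:cdef:1234:5678::/64"],
                     ["10.234.123.0/24", "fdab:cdef:1234:5678::/64"]):
        print(proposed, "collisions:", collisions(proposed, LANS),
              "IPv4 hosts:", ipv4_capacity(proposed))
```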
Finally, add all domain controllers and DNS resolvers the organization uses to the DNS Servers setting. For example, if the office LAN DC is 10.0.0.3, the cloud VMs rely on DNS resolvers at 10.100.0.2 and 10.101.10.101, and you use 9.9.9.9 for public DNS queries, set DNS Servers to the following:
10.0.0.3
10.100.0.2
10.101.10.101
9.9.9.9
If you add domain controllers or DNS resolvers to the organization’s ACSC network, add them to the DNS Servers setting. For example, if you add the office LAN domain controller to the ACSC network with an ACSC IP address of 10.234.123.3, add it to the DNS Servers setting:
10.0.0.3
10.234.123.3
10.100.0.2
10.101.10.101
9.9.9.9
Do not change any of the other default settings without first consulting Anti-Cloud support.
Edit
To edit the default settings for one of the panels on the defaults page, click the Edit icon in the panel. These are the fields you can edit:
Type
Default connection type for the connection wizard. Point-to-Internet, Remote as Point is the recommended setting.
Allowed IPs
List of IP address ranges to route through the ACSC network. 0.0.0.0/0, ::/0 is the recommended setting.
Disallowed IPs
List of IP address ranges to never route through the ACSC network. These ranges take precedence over the Allowed IPs setting.
The recommended setting is to include all the LAN networks used by the organization.
Allowed Apps
List of client executables that should use the ACSC network. Blank means all, and is the recommended setting. If executables are specified, their use of the ACSC network will be limited to the IP ranges configured via the Allowed IPs and Disallowed IPs settings.
Disallowed Apps
List of client executables that should never use the ACSC network. Blank means none. This list should at least include acsc-agent-service.
Hostname
DNS name of the hub host. It is not recommended to change this setting.
Port
Listen port of the hub host. It is not recommended to change this setting.
Persistent Keepalive
Seconds between keepalive packets sent by clients. 25 is the recommended setting.
Preshared Key
A unique preshared encryption key will be generated for each client if the Generate checkbox is selected. This is the recommended setting.
Socks5 Proxy
DNS name and port of the SOCKS5 proxy. It is not recommended to change this setting.
Socks5 Proxy Username
Username of the SOCKS5 proxy. It is not recommended to change this setting.
Socks5 Proxy Password
Password of the SOCKS5 proxy. It is not recommended to change this setting.
Network Addresses
List of private network address ranges to use for the ACSC network. An IPv4 and an IPv6 range is recommended. The IPv4 range should be large enough to provide a unique IPv4 address for each host that will be added to the ACSC network.
Make sure these ranges do not collide with any LAN networks used by the organization. A collision will cause routing problems between the LAN and the ACSC network.
DNS Servers
List of DNS resolvers to use in place of the client’s default DNS servers. The recommended setting is to include all the domain controllers and other DNS resolvers used by the organization, in three groups:
- The LAN IP address of each domain controller or DNS resolver
- The ACSC IP address of each domain controller or DNS resolver
- A public DNS resolver in case no resolver in the first two groups is available
Search Domains
List of DNS search domains to use in place of the client’s default search domains. It is not recommended to set this.
MTU
Maximum transmission unit of the ACSC interface in bytes. 1280 is the recommended setting.
Firewall Zone
Name of network profile to use in place of the client’s default. It is not recommended to set this.
Forwarding
Forwarding settings to apply to the client’s firewall. It is not recommended to set this.
Masquerading
Masquerading settings to apply to the client’s firewall. It is not recommended to set this.
MSS Clamping
MSS clamping settings to apply to the client’s firewall. It is not recommended to set this.
Pre Up Script
Scripts to run before starting up the ACSC interface. It is not recommended to set this.
Post Up Script
Scripts to run after starting up the ACSC interface. It is not recommended to set this.
Pre Down Script
Scripts to run before shutting down the ACSC interface. It is not recommended to set this.
Post Down Script
Scripts to run after shutting down the ACSC interface. It is not recommended to set this.
Reapply
After updating the default settings, if you have already added some connections to the hub, you can reapply (most of) the settings to those existing connections with these steps:
- Click the Reapply icon for the panel.
- Select the settings to reapply.
- Click the Reapply button.