IBM Cloud Docs
SSL VPN FAQs

These FAQs provide answers to common questions about SSL VPNs.

What is IBM Cloud VPN?

IBM Cloud® VPN access is designed to allow users to remotely manage all servers securely over the IBM Cloud private network. A VPN connection from your location to the private network allows for out-of-band management and server rescue through an encrypted VPN tunnel. VPN tunnels can be created to any IBM Cloud data center or PoP, providing geographic redundancy.

With VPN access, you can:

  • Establish a VPN connection to the private network by using SSL or IPsec
  • Access your server through its private 10.x.x.x IP address by using SSH or RDP
  • Connect to your server’s IPMI IP address for server management or rescue needs

Our SSL VPN gateway is a security product from Array Networks. The gateway itself runs RADIUS to update users and passwords from our customer portal.

What if I cannot connect to the SSL or IPsec VPN endpoint of my choice?

Geographic redundancy exists to allow access into your private network from anywhere in the world that you choose to connect from. If one location doesn't connect, you can use a different data center during the interruption. If multiple locations are failing to connect, visit our Troubleshooting section.

Does the SSL VPN also perform IPsec or other VPN protocols?

Currently, the SSL VPN gateway uses a browser-based SSL VPN plug-in or a proprietary client for creating connections. We continue to bring more VPN connectivity options to the private network. The SSL VPN was selected for ease of use and compatibility.

Can I mount the NAS/FTP server from my remote location over the SSL VPN gateway?

No. You have access to your private VLAN and servers only from the SSL VPN gateway. If you want to download data from your NAS/FTP volume, you must move the data to your server and then out through the VPN to the remote location.

For security reasons, only servers that are located inside the data center are allowed access to the servers that provide services (DNS, Update, NAS, Lockbox).

How does VPN access work?

First, an account administrator must enable SSL VPN permissions for users. As a user, you can log in to the VPN through the web interface or use a stand-alone VPN client for Linux, macOS, or Windows. For more information, see Logging in to the VPN.

What are the available categories for a user's VPN management status within the customer portal?

  • Active - The user has access to the IBM Cloud infrastructure customer portal and VPN based on permissions set by the account administrator. This status can be manually selected and changed at any time.
  • Disabled - The user does not have access to any permissions or subscriptions on the account, including customer portal and VPN. If set to disabled by another user on the account, this status can be manually selected and changed at any time.
  • VPN Only - The user has access to only VPN connectivity and cannot access the customer portal. This status can be manually selected or changed at any time.
  • Inactive - The user hasn't used the customer portal or VPN in the last 60 days (system-generated status).
  • cancel_pending - An administrator on the account cancelled this user and the cancellation is being processed (system-generated status).

How do I set up SSL VPN?

SSL VPN is a quick-access connection that connects you to our private network directly for non-production use. For detailed instructions about setting up SSL VPN, see Getting started with SSL VPN.

Are there open-source alternatives to SSL VPN?

Yes, you can set up WireGuard or OpenVPN servers on IBM Cloud, and build your own VPN tunnels from on-premises to IBM Cloud.

What is the process of installing MotionPro on Windows, Mac, or Linux?

  1. Uninstall your current version of MotionPro (if applicable).
  2. Restart your system.
  3. Download and install the latest version of MotionPro.

How do I request SSL-VPN logs?

Requesting SSL-VPN audit logs requires that you open a support case to ensure that proper protocol, security, and policies are followed. For security reasons, only the primary account holder can make the request for SSL-VPN audit logs. VPN logs are not available in real time, as there can be a delay in availability. Due to the sensitive nature of the content, sometimes not all information can be shared. Please provide the following items for the request:

  1. VPN username or IP address
  2. Date (range is preferable)
  3. Suggested times, including time zone
  4. VPN endpoint (if known)