Default route with split tunneling

aweise_
Contributor

Greetings,

We have a need to allow remote clients using a specific role to get access into our internal resources, but to also be able to browse the internet. I configured split tunneling so the remote clients can have access to their local resources (printers, local network drive), but as we know, the default route is set to use the VPN.

We're having issues with the clients' browser (IE version 8) authenticating through our proxy, so I figured I could use split tunneling to tell the remote clients to use the VPN if they're trying to access the corporate resources, but to use the physical adapter for everything else.

Is this possible? The split tunneling options in the admin guide don't necessarily help me.

aweise_
Contributor

Re: Default route with split tunneling

Just some more details...

We're using an SA4500, version 6.5R5.

spacyfreak_
Contributor

Re: Default route with split tunneling

On IVE Role .. Network Connect, configure split tunneling.

On IVE .. Resource Policies... Network Connect ... Split Tunneling, configure all the internal resources the users should reach via the tunnel. For example, internal network 192.168.1.0/24 or host 10.10.10.10:80.

On Resource Policies... Network Connect... Profiles, configure DNS so the users can use the internal DNS for internal resources, but also the client DNS so they can resolve internet DNS names, if you have internal DNS for internal resources only.

So the user who connects via Network Connect will reach all the local resources and the internet, but ONLY what has to go to the networks which you configured in the split tunneling rules will go into the tunnel.

RasKal_
Occasional Contributor

Re: Default route with split tunneling

Hello,

To add another hint to the excellent post from Spacyfreak, you may also play with the proxy PAC file which is pushed to the NC client browser. In the PAC file, you can also divert web traffic, stating that it should go "DIRECT" (no proxy, so routing has precedence) or via your company proxy: useful depending on your topology.

Resource Policies > Network Connect > NC Connection Profiles: choose your profile and look at "Proxy Server Settings", choosing one of Automatic or Manual. In both cases, provide a valid URI like http://myhost.internal.company.com/proxy.pac, this server being only reachable when the NC tunnel is up. The PAC file will be copied to the $TEMP of the client's PC (and merged with the one configured on the PC, if any).

You will notice that the IVE will automatically set an exception to avoid HTTPS traffic for the external SA NIC being sent to the proxy.

Best regards.
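As an added example (not code from this thread, from Juniper, or from either poster), here is the shape of PAC file RasKal describes: per destination it returns either "DIRECT", so the split-tunnel routes from Spacyfreak's post decide which adapter carries the traffic, or the corporate proxy, which is only reachable through the tunnel. The internal ranges (192.168.1.0/24, host 10.10.10.10) and the domain internal.company.com come from the thread; the proxy name proxy.internal.company.com:8080 and the SA hostname sa.company.com are assumed placeholders. A browser supplies isInNet, dnsDomainIs and isPlainHostName natively; the small shims at the top exist only so the policy can be exercised under Node, and can be dropped when deploying.

```javascript
// Added example PAC file for a split-tunnel NC client (not from the thread).
// Assumed names: proxy.internal.company.com:8080 (corporate proxy, reachable
// only via the tunnel) and sa.company.com (external SA hostname).

// --- Shims for the PAC helper functions, for running under Node only. ---
function ip4ToInt(ip) {
  // Dotted-quad string -> unsigned 32-bit integer, or null if not an IPv4.
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}
function isInNet(host, pattern, mask) {
  // True when host (an IPv4 literal) falls inside pattern/mask.
  const h = ip4ToInt(host), p = ip4ToInt(pattern), m = ip4ToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}
function dnsDomainIs(host, domain) {
  // True when host ends with the given domain suffix (e.g. ".internal.company.com").
  return host.length > domain.length && host.endsWith(domain);
}
function isPlainHostName(host) {
  // Unqualified names like "intranet" are resolved by the internal DNS.
  return host.indexOf('.') === -1;
}

// Deliberately no "; DIRECT" fallback: with one, a browser that cannot
// reach the proxy (tunnel down, proxy outage) silently bypasses it.
var CORP_PROXY = "PROXY proxy.internal.company.com:8080";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. The SA itself is never proxied: the tunnel control channel must not
  //    depend on a proxy that is only reachable through the tunnel. The IVE
  //    adds this exception on its own; it is spelled out here for clarity.
  if (host === "sa.company.com") return "DIRECT";

  // 2. Internal resources go DIRECT. Because they match the split-tunnel
  //    rules, routing sends them into the NC tunnel without a proxy hop.
  if (isPlainHostName(host) || dnsDomainIs(host, ".internal.company.com")) return "DIRECT";
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  if (isInNet(host, "10.10.10.10", "255.255.255.255")) return "DIRECT";

  // 3. Everything else (the internet) goes via the corporate proxy, which
  //    pulls that web traffic back through the tunnel.
  return CORP_PROXY;
}
```

For the opposite topology the original poster wanted (internet traffic leaving the physical adapter, corporate proxy unused), step 3 would return "DIRECT" as well; the split-tunnel routes then decide adapter choice for all destinations and the PAC only matters if some class of site must still be reached through the proxy.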
aweise_
Contributor

Re: Default route with split tunneling

Spacyfreak - that did the trick. Thanks for the help!

RasKal - I've actually tried using a special PAC file the way you suggested, but for some reason, the file keeps getting modified when it's downloaded to the client. I started a thread about this and opened a JTAC case, but I haven't gotten much of a response as to why that happens. The PAC file I created was supposed to direct everything through our proxy, but when the remote client logs in, there's a function to send everything directly out to the internet - through our corporate network, but bypassing the proxy. I've yet to figure out why that's happening.