Please bear with me as I am new to this device. Currently we have an SA4000 in place and remote users connect using Network Connect. Currently we have
This is not possible with split tunneling enabled, as we can't control internet access that goes out via the client's physical adapter.
It is possible with split tunneling disabled; you need to add the public IP of the website to the Network Connect access control list along with the internal corporate network.
Are you sure? I would think if they were to add the IP of the web site to the split tunneling networks list, make corresponding changes to the NC Access list (if necessary), then route that IP to, say, their internal network, it would take the default path out, similar to that of an internal user.
Thank you both for the replies. Unfortunately disabling split tunneling is not an option as we don't want remote users' internet traffic to be routed through the VPN. Red, the method you described is what I have been experimenting with. I must be configuring the static route on our internal network wrong, as my traceroutes to the external site when connected to the VPN don't go past 10.200.200.200, which if I understand correctly is the default server IP of the SA4000. Guess I will need to keep experimenting with the routes on our internal network.
I more or less was hoping someone would respond saying they have done it before and it is possible, before I waste too much more time on something that isn't even possible.
I misunderstood; I thought internet access should be only to that single website and not to any other public websites for that group of users.
The process I had described is essentially how we are doing it. We have a handful of URLs which authenticate based on the source IPs, similar to what you're doing. From the internal network, and for users without split tunneling enabled, it's a non-issue. For my user base with split tunneling, what I had suggested is what worked for us.
Essentially the goal is to force the traffic destined to these sites to be treated just like your internal ranges rather than internet traffic. Once it comes across the tunnel and hits your perimeter, you want it to follow your default path out to the internet and be subject to the same NAT policy as what is utilized by your internal users. Without having a better understanding of your network layout, it's hard to offer step-by-step instructions beyond the changes you need to make on the IVE.
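To illustrate the routing logic the replies above describe (split-tunnel include list, NC access list, and the perimeter NAT that makes the website see the corporate address), here is an added simulation that is not from the thread or from Juniper. All addresses are constructed sample values, and the route/ACL/NAT model is a simplification of what the SA4000 and the perimeter actually do.

```python
import ipaddress

# Constructed sample values (not from the thread): the corporate range, the
# IP-restricted website, the user's home ISP address and the corporate NAT address.
SPLIT_TUNNEL_NETWORKS = [                       # "split tunneling networks" on the IVE
    ipaddress.ip_network("10.0.0.0/8"),         # internal corporate range
    ipaddress.ip_network("192.0.2.0/24"),       # block that contains the website
]
NC_ACCESS_LIST = [                              # Network Connect ACL "allow" entries
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.80/32"),      # only the website itself is permitted
]
CLIENT_PUBLIC_IP = ipaddress.ip_address("198.51.100.23")    # user's ISP address
CORPORATE_EGRESS_IP = ipaddress.ip_address("203.0.113.10")  # perimeter NAT address


def route_for(dst_str):
    """Return (path, source_ip_seen_by_destination) with split tunneling enabled.

    path is 'local' (leaves via the client's physical adapter, so the site sees
    the home ISP address), 'blocked' (entered the tunnel but the NC ACL has no
    matching allow entry) or 'tunnel' (crosses the VPN, follows the corporate
    default route out and is NATed to the same egress address internal users get).
    """
    dst = ipaddress.ip_address(dst_str)
    if not any(dst in net for net in SPLIT_TUNNEL_NETWORKS):
        return ("local", str(CLIENT_PUBLIC_IP))
    if not any(dst in net for net in NC_ACCESS_LIST):
        return ("blocked", None)
    return ("tunnel", str(CORPORATE_EGRESS_IP))


def site_accepts(dst_str, whitelist=(str(CORPORATE_EGRESS_IP),)):
    """Would an IP-whitelisting site at dst accept a remote user's request?"""
    path, src = route_for(dst_str)
    return path == "tunnel" and src in whitelist


if __name__ == "__main__":
    for d in ("10.20.30.40", "192.0.2.80", "192.0.2.81", "8.8.8.8"):
        print(d, route_for(d), "accepted" if site_accepts(d) else "rejected")
```

The 192.0.2.81 case shows why the split-tunnel list change alone is not enough: without a matching NC access list entry the traffic enters the tunnel and is dropped there.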