Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Split tunneling question

sk_
Contributor
‎08-07-2012 01:19:PM
‎08-07-2012 01:19:PM

Split tunneling question

We have several offsite users that VPN in using pulse. Is it possible to use split-tunneling(currently disabled) to allow them access to a single ip address at their remote location so they can print? (not an entire subnet) Thanks
0 Kudos
20 REPLIES 20
jamestownsend_
Not applicable
‎08-08-2012 01:59:AM
‎08-08-2012 01:59:AM

Re: Split tunneling question

Hi SK, I believe it is possible. If you set a local route to your /32, either persistent on the remote machine by whatever method, or via a session script when NC/Pulse authenticates and set the "route override" option to "no" under the role options then that should do what you need. You need to make sure that other routes don't exist on the remote side that may undesirably trump Pulse routes you'd expect to go over the tunnel, that's why a script may be best. Have you tested anything yet, if so what and how did it work/not work? Cheers, James
0 Kudos
jayLaiz_
Super Contributor
‎08-09-2012 04:35:AM
‎08-09-2012 04:35:AM

Re: Split tunneling question

Hi,

 

This is an interesting requirement.

 

when you enable split tunnleing, users have access to their own local network and that traffic is outside the runnel

 

They can either be given access  through terminal services bookmark on SA to a server and allowed to map ther local printers

 

Or on their network, they can configure a rule on the firewall that states any packet coming from source IP as pulse adapter IP be allowed to access only the printer IP

 

Regards,

Jay

0 Kudos
sk_
Contributor
‎08-14-2012 04:22:AM
‎08-14-2012 04:22:AM

Re: Split tunneling question

Not sure what you mean by: They can either be given access through terminal services bookmark on SA to a server and allowed to map ther local printers Thanks for you help! sk
0 Kudos
jayLaiz_
Super Contributor
‎08-14-2012 05:05:AM
‎08-14-2012 05:05:AM

Re: Split tunneling question

Hi,

 

I meant when you log into the admin UI, you can go to resource profiles-->select terminal services and then create RDP access to one of your internal servers

 

so once the terminal service bookmark is created, when you click on the bookmark, we can enable the option Connect local printers

 

The user experience will be users logs in SSL VPN, NC launches and they land on the homepage, they can click on the rdp bookmark and they will log into the terminal server and see their local printers mapped

 

Thanks,

Jay

0 Kudos
sk_
Contributor
‎08-21-2012 07:27:AM
‎08-21-2012 07:27:AM

Re: Split tunneling question

Not sure if I understand your solution. We don't have a terminal server that user log in to. They just use pulse with split tunneling disabled (which blocks them from accessing their local(networked) printer). I could enable split tunneling for their entire subnet and allow them to use their local network printer, but I was looking for a way to limit them to accessing a single (printer) IP address on their local network. Thanks, sk
0 Kudos
jayLaiz_
Super Contributor
‎08-21-2012 09:50:PM
‎08-21-2012 09:50:PM

Re: Split tunneling question

Hi Sk,

 

I do not think we can do that as their local traffic is not sent through the tunnel.They will have to configure a rule on their local firewall to limit access only to their local network printer if the source IP is the Pulse IP Pool range.

 

Regards,

Jai

0 Kudos
kenlars_
Super Contributor
‎08-28-2012 06:59:AM
‎08-28-2012 06:59:AM

Re: Split tunneling question

Is the printer always on the same address?  Let's say that the local subnet is 192.168.1.0/24 and the printer is always on 192.168.1.100.  I believe you could define an inverse split-tunneling policy to say that everything except 192.168.1.100 is on the other side of the tunnel.  This would - I believe - accomplish your goal by creating a 192.168.1.100/32 route pointing to the physical interface instead of the VPN virtual interface.

 

I have not implemented inverse split tunneling, so I can't confirm that this would work.

 

If the printer resides on different addresses at different sites, I don't know of any way to achieve the functionality you wish.

 

Ken

0 Kudos
sk_
Contributor
‎08-28-2012 08:44:AM
‎08-28-2012 08:44:AM

Re: Split tunneling question

address scheme of the offsite users is 10.175.0.* printer there would be like 10.175.0.100 when they VPN using pulse they are given a 192.168.1.* address for the vpn connection. I want all traffic to go thru the 192.168.1.* pulse interface except any traffic going to 10.175.0.100(printer) Thanks for response Ken
0 Kudos
SHKM_
Frequent Contributor
‎08-29-2012 12:16:AM
‎08-29-2012 12:16:AM

Re: Split tunneling question


Hi Sk,

       You can use exclude option, In SA admin UI

1. User > Resource policies > VPN tunneling > Split tunneling networks

2. Create a New policy

3. In the Resources tab, enter the print ip address    10.175.0.100/255.255.255.255

4. Choose the roles accordingly

5. In Action tab select "Exclude access"

6. save the rule

7. Go to Role > VPN tunneling option > Enabled "Split tunnel"

Now, the traffic towards the printer ip should be going directly (out of tunnel), rest all the traffic should come via tunnel; I hope this is what you're looking for...! test this config..!

Thanks...

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.