
Split tunneling exceptions?

We have a site that users access from our internal network, that restricts access based on the Public IP our clients are coming from. That public IP is what is shown when clients connect while in the office.  The problem is, when they are connecting through the VPN from their home, their public IP shows up, and so that site denies them. They MUST come from our public IP.

Do I have to turn off split tunneling or is there a way to force a site to go through the tunnel? When I do 'what is my ip' from a workstation connected via VPN it gives me the IP of whatever network I'm on (i.e. Comcast or something). 

I hope that makes sense. Thank you for your time.



This thread was automatically locked due to age.
  • If you have split tunneling on (on the VPN Client), you have to add the site that they are trying to access.

    If not, traffic will go out their public interface.  This is why the "What is my IP" is their ISP's Address. It is not traversing the VPN.

     

    You could also disable split tunnel, and have all traffic route over the VPN.

  • Hi Derek,
    What do you mean by add the site? I have added it under the SSL VPN tunnel access section.

    Use as default gateway is 'off' so that means split tunneling is enabled. I could turn it on. But I wanted to know if I could somehow still use split tunneling and force this one site to go out that gateway instead of the local public interface.

  • If it is added to the Permitted Network Resources, it will use the SSL VPN connection to connect.

    If it isn't listed it will use the local public interface.

     

    Turning the default gateway on will send all traffic over the SSL VPN, but that doesn't sound like that's what you want to do.

  • I added it but it doesn't seem to be doing that. A trace route shows it's still going out the user's connection. I disconnected and reconnected from the VPN too. Do I need to download a new config?

  • I don't know if it just needed some time, but now it shows that it goes out the VPN gateway. But it won't route out to the internet for some reason. It times out on the second hop. Do you have any suggestions? Thanks!

  • Sorry...another question, is there a reason I shouldn't put Any in the Permitted Network Resources box?

  • I would think it would make more sense to just turn on the default gateway option, vs sending Any traffic over the tunnel.

     

    Can you see the traffic hitting the web server from the SSL VPN connection?

    If you are able to connect to the web site, within your network, are you going out the same connection as the SSL VPN is going out (after routing back through the XG)?

    It isn't using a non-standard port is it?

  • I just did a packet capture and saw that it was getting a firewall violation. We have a firewall rule LAN to WAN but the VPN isn't allowed in there.  Any reason there shouldn't be a VPN > WAN rule? I added it and things work now.

    I appreciate your help. I think I worked it out so we can keep split tunnel on.
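
The two checks that came up in this thread, modeled as an added example (not part of the original posts and not Sophos code): which interface the client picks for the site, and whether the gateway then lets tunnel traffic out to the WAN. The addresses are constructed documentation values, and the example assumes the gateway NATs outbound VPN traffic to the office public IP.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
OFFICE_PUBLIC_IP = "203.0.113.10"   # the address the restricted site allows
HOME_PUBLIC_IP = "198.51.100.77"    # the remote user's ISP address
SITE_IP = "192.0.2.80"              # the IP-restricted site

def client_routes(permitted_resources, use_as_default_gateway):
    """Routes on the VPN client: the local default route plus what the tunnel adds."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "local", 100)]
    if use_as_default_gateway:
        # Split tunneling off: the tunnel supplies a preferred default route.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "tunnel", 1))
    for net in permitted_resources:
        # Each permitted network resource becomes a route via the tunnel.
        routes.append((ipaddress.ip_network(net), "tunnel", 1))
    return routes

def pick_interface(dest, routes):
    """Longest matching prefix wins; the lower metric breaks ties."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def source_ip_seen_by_site(dest, permitted_resources, use_as_default_gateway, fw_rules):
    """Return the public IP the site sees, or None if the gateway drops the traffic."""
    routes = client_routes(permitted_resources, use_as_default_gateway)
    if pick_interface(dest, routes) == "local":
        return HOME_PUBLIC_IP          # never entered the tunnel
    if ("VPN", "WAN") not in fw_rules:
        return None                    # reaches the gateway, then times out
    return OFFICE_PUBLIC_IP            # assumed: gateway NATs to the office IP

if __name__ == "__main__":
    lan_only = {("LAN", "WAN")}
    print(source_ip_seen_by_site(SITE_IP, [], False, lan_only))
    print(source_ip_seen_by_site(SITE_IP, [SITE_IP + "/32"], False, lan_only))
    print(source_ip_seen_by_site(SITE_IP, [SITE_IP + "/32"], False,
                                 lan_only | {("VPN", "WAN")}))
```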
