
SSL VPN Split-Tunnel Exceptions

Hello,


I'm currently having an issue with Split-Tunnel SSL VPN on the XG Firewall. Typically everything works fine, but I do have a 3rd party website we need to access every now and then that will not work via the Split-Tunnel SSL VPN. Our current workaround is to use remote desktop and connect remotely to a workstation at the office and load the site on that. My question is this: is it possible to add an exception to the VPN settings so that this site's traffic only ever goes through the VPN? I don't want it to bypass the VPN at all, because that's why it's currently not working.


Thanks,

Myke



  • Hi  

    Is the 3rd party website you are referring to allowed via your office ISP IPs only? If yes, then in that case you may be required to add that 3rd party website's IP address under accessible resources in your SSL VPN settings, so traffic from the end system will be routed to XG via SSL VPN. (Also configure a VPN to WAN rule with MASQ applied for the same website by putting the website IP in the destination network/host of the rule.)

    The above will route that particular site's traffic over SSL VPN all the time from the end machine, whenever the end user's machine is connected over SSL VPN.

  • Thanks for the response! I've added the IP of the site we need to flow through the VPN tunnel only to the VPN to WAN rule under "Destination Networks". I'm going to get the team member who needs to use that site to test it and will report back with my findings.


    Thanks!

  • So I was able to test the potential fix and it still isn't working. So just to be clear, I added the IP of the site we need to flow through the VPN tunnel only to the VPN to WAN rule under "Destination Networks". The site I'm trying to hit is "https://ci.family.ca" but its IP should be "54.172.232.184". That IP is what I added to the "Destination Networks". Is it possible to add "https://ci.family.ca" as an exception rule to my VPN split-tunnel? I can't seem to add it to the Destination Networks... but maybe I'm just missing a step.


    Thanks everyone,

    Myke

  • Hi  

    Only the rule configuration is not enough. As we guided you, you need to add the IP "54.172.232.184" in the accessible resources of the SSL VPN policy.

    Reference snapshot:

    Here you need to add the website IP address for which you want traffic routed over SSL VPN.


    Once it is added and you connect the SSL VPN, confirm that the route to the same host has been added on the end system after connecting the SSL VPN.

    CMD> route print (command to see the routing table of the system).

    As of now you cannot add an FQDN or domain in the accessible resources; it is a FR as of now.

    Ideas Portal URL : https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/34712602-split-tunnel-to-support-fqdn-host-objects-as-permi
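A way to automate the route check the reply above describes, added here as an example (it is not from the thread or from Sophos): it parses the IPv4 table of Windows `route print` output and does a longest-prefix match to tell whether traffic to the site's IP leaves through the SSL VPN client interface. The route table text, the 10.81.234.x SSL VPN client subnet and the 192.168.1.x LAN addresses are constructed sample values.

```python
import ipaddress
import re

# Constructed sample of the IPv4 section of Windows `route print`, captured after
# connecting the SSL VPN client. 10.81.234.0/24 is a made-up SSL VPN client subnet,
# 192.168.1.0/24 a made-up home LAN; 54.172.232.184 is the site IP from the thread.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      10.81.234.0    255.255.255.0         On-link     10.81.234.6    281
   54.172.232.184  255.255.255.255      10.81.234.5     10.81.234.6    281
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
===========================================================================
"""

# One "Active Routes" line: destination, netmask, gateway (IP or On-link), interface IP, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) from `route print` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators and other sections are skipped
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def best_route(routes, host):
    """Longest-prefix match, lowest metric on ties, as the Windows stack selects routes."""
    addr = ipaddress.IPv4Address(host)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def goes_via_vpn(routes, host, vpn_interface_ip):
    """True if traffic to host is sent out of the SSL VPN client's interface address."""
    route = best_route(routes, host)
    return route is not None and route[2] == vpn_interface_ip
```

If the host-specific route is missing, only the default route matches and the check returns False, which is the symptom of the site IP not being in the accessible resources list.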
