routing all traffic in through the outside interface and out through a dedicated VPN outbound port?

So, avoiding split tunneling (although I wouldn't even know how to configure that), how would I allow all traffic to be filtered through the VPN?  At the moment, I have set up SSL on my SophosUTM 9.4 box.  I can connect and fetch anything I need from within the network, but since split tunneling is not functioning (and I really don't want it to be functioning), all access is restricted to the inside network.

Now, I would like to access the internet while connected to my VPN, but through an additional interface (a third one) on the SophosUTM box.  Is there any way to do this, i.e. route all traffic through that third interface when I'm out and about?

Can someone please instruct me on how to do this?

Appreciation in advance



  • Hi, and welcome to the UTM Community!!

    Please insert a picture of your SSL VPN Profile open in Edit and one of the 'Settings' tab.  Also, a picture of 'Allowed Networks' in your Web Filtering configuration.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your reply Bob!

    Here's what you requested


  • If you already have the 3rd interface set up and allow your internal network to browse the internet, i.e. the correct routing or NAT, I would imagine it will be a simple case of allowing "internet" through the tunnel, i.e. adding it to your local networks on the VPN.

  • Wouldn't that be a split tunnel if it's going out on the same interface it's coming in?  Am I misunderstanding?

  • I admit that I'm not sure I understand what you want to do.

    If you want to use Web Filtering when connected via SSL VPN, you must add "SSL Pool (small)" to 'Allowed Networks' there.

    If you have another WAN connection or just an Additional Address and you want your Internet browsing to go out from there when you VPN in, then you cannot do that if using Web Filtering.

    In the SSL VPN Profile, rather than the "Any" object, use the "Internal (Network)" and "internet" objects to have a full (not split) tunnel.

    Cheers - Bob

  • Split tunneling is a function where the VPN gateway decides which traffic the client pushes through the VPN tunnel while the rest goes straight to the Internet (non-tunneled).  As a simple example, if your corporate network uses the following IP space:

    There are advantages and disadvantages to split-tunneling.  An advantage is that Internet connections (or traffic to any non-defined networks) go direct, which increases performance, and there's less overhead since less traffic needs to go through the tunnel and thus through the corporate network.
    The disadvantage is that you can't perform packet inspection on web traffic and filter potentially harmful traffic (assuming the devices which perform those functions exist on the corporate network).  Another disadvantage is that you can't force users to route through an internal proxy which might authenticate users to get to the Internet, thus controlling the user's Internet experience by a defined company security policy.

     

    So in the above case, you wouldn't be split tunneling as all your traffic would go through the vpn. We have it. We have a private MPLS network with 2 UTM gateways to the internet.

    VPN clients connect to our UTMs, can access the desired internal network resources and then get onto the internet via our internet connection. The main thing is to allow that traffic into the tunnel, otherwise it's going nowhere.

  • This is what I want to do:

    Away from home now:

    laptop -----tunnel-----> (outside int)/home network 

    Besides poking around on the home network, I can't do anything.

    If I want to get out to the net, I need to terminate the VPN, resulting in

    laptop -----> hotspot -------> internet

    This is what I want to do:

    laptop -----tunnel------> (vpn int)/home network/(outside int) -------> internet

    So I guess I want to route all internet-bound traffic through my SophosUTM when I'm out and about.


    From what I was told, split tunneling was using the same interface for LAN and WAN access, which, from what I was told, is generally frowned upon.


    "VPN clients connect to our UTMs, can access the desired internal network resources and then get onto the internet via our internet connection. The main thing is to allow that traffic into the tunnel, otherwise it's going nowhere."

    THIS EXACTLY is what I want.  You don't use the same interface for the VPN connection and internet connection, do you?

  • No, split tunneling is allowing the client to access the internet locally whilst using a VPN. Simply add "internet" IPv4 to the tunnel to allow that traffic to traverse the tunnel.

    As long as the routing is configured on the UTM, it will know what to do with the traffic.
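    To make the split/full distinction from the explanation above and the "add internet IPv4 to the tunnel" advice concrete, here is a small Python model of the client's routing table after the SSL VPN connects. This is an added example written for this thread, not code from Sophos or from any poster. It assumes the UTM pushes one route per entry in the SSL VPN profile's 'Local networks' list and that, because the UTM SSL VPN is OpenVPN-based, a 0.0.0.0/0 entry is installed as two /1 routes (OpenVPN's `redirect-gateway def1` behaviour) plus a host route to the tunnel endpoint. All addresses, interface names and function names (`client_routes`, `egress_interface`, `tunnel_mode`, `web_filter_applies`) are constructed for the example; 192.168.1.0/24 stands in for "Internal (Network)", 10.242.2.0/24 for "SSL Pool (small)".

```python
"""Client-side model of full vs split tunnel (added example, not from the thread).

Which interface a packet leaves on is a longest-prefix-match decision, exactly
as in the client's real kernel. The routes come from the SSL VPN profile's
'Local networks' list. All values below are constructed sample data.
"""
import ipaddress

INTERNAL_NET = "192.168.1.0/24"   # constructed: stands in for "Internal (Network)"
SSL_POOL = "10.242.2.0/24"        # constructed: stands in for "SSL Pool (small)"
UTM_PUBLIC_IP = "203.0.113.10"    # constructed: the UTM's outside address


def client_routes(local_networks, vpn_server=UTM_PUBLIC_IP,
                  hotspot_if="wlan0", tunnel_if="tun0"):
    """Return the (prefix, interface) routes the client holds once connected.

    A 0.0.0.0/0 entry (the "internet" object) makes it a full tunnel. OpenVPN,
    which the UTM SSL VPN is built on, installs that as 'redirect-gateway def1':
    two /1 routes that are more specific than the hotspot's default route, so
    the default is overridden rather than deleted. A /32 host route keeps the
    tunnel endpoint itself reachable via the hotspot, otherwise the tunnel
    would swallow its own transport packets.
    """
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), hotspot_if),         # hotspot default
        (ipaddress.ip_network(vpn_server + "/32"), hotspot_if),  # tunnel endpoint
    ]
    for entry in local_networks:
        net = ipaddress.ip_network(entry)
        if net.prefixlen == 0:
            routes.append((ipaddress.ip_network("0.0.0.0/1"), tunnel_if))
            routes.append((ipaddress.ip_network("128.0.0.0/1"), tunnel_if))
        else:
            routes.append((net, tunnel_if))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the most specific matching route decides."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def tunnel_mode(local_networks, probe="198.51.100.7"):
    """'full' if an arbitrary Internet address (constructed probe) leaves via
    the tunnel, otherwise 'split'."""
    iface = egress_interface(client_routes(local_networks), probe)
    return "full" if iface == "tun0" else "split"


def web_filter_applies(allowed_networks, client_ip):
    """Bob's point: Web Filtering only sees a VPN client if the SSL pool is in
    'Allowed Networks'. True when client_ip falls inside any listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed_networks)


if __name__ == "__main__":
    # 192.168.0.5 stands in for a host on the hotspot-side LAN (constructed).
    for name, local in (("split", [INTERNAL_NET]),
                        ("full", [INTERNAL_NET, "0.0.0.0/0"])):
        routes = client_routes(local)
        print(f"{name} tunnel (detected as {tunnel_mode(local)}):")
        for dst in ("192.168.1.10", "198.51.100.7", "192.168.0.5", UTM_PUBLIC_IP):
            print(f"  {dst:16} -> {egress_interface(routes, dst)}")
    print("web filter sees VPN client:",
          web_filter_applies([INTERNAL_NET, SSL_POOL], "10.242.2.6"))
```

    Running it shows the two behaviours the thread describes: with only the internal network pushed, Internet-bound and hotspot-LAN traffic stay on `wlan0` (split); with the "internet" object added, everything except the packets to the UTM itself goes through `tun0` (full), which is why the hotspot's own LAN becomes unreachable, as the Tripwire quote later in the thread notes.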

  • "VPN clients connect to our UTMs, can access the desired internal network resources and then get onto the internet via our internet connection. The main thing is to allow that traffic into the tunnel, otherwise it's going nowhere."

    THIS EXACTLY is what I want.  You don't use the same interface for the VPN connection and internet connection, do you?

    As I said above, "If you want to use Web Filtering when connected via SSL VPN, you must add "SSL Pool (small)" to 'Allowed Networks' there."  Yes, you use the same interface.

    Cheers - Bob

  • Hi,

    Like balfson said. Works perfectly, and do this as suggested for web filtering.

  • I do not want to split tunnel.  I do not want my client machine to access the WAN using the hotspot and the LAN using the VPN.  I want what would be a full tunnel that would emulate a device on the home LAN that requires all outbound traffic to be routed through the SophosUTM.

    When connected to the VPN, I want all traffic to enter via the VPN-designated interface and exit through the Outside interface, in the same way that the LAN traffic is routed through the SophosUTM device in through the Inside interface and out of the Outside interface.

    I guess this bit about the Sophos box being smart enough to figure it all out is a bit strange to me, considering that my experience has been with PIXes where there was none of the device intelligence.

    Before I try the suggestions, which I really appreciate, I just want to make sure that there is no misunderstanding about what it is that I'd like to do.  I'm not sure if I've explained what I want clearly enough.

    Your post along with these clarified exactly what I wanted.  

    "First, let’s take a closer look into how split tunneling works. In VPNs, there are basically two types of virtual tunnels that enable secure data transmission: full tunnels and split tunnels. In full tunnel mode, a remote corporate user establishes an Internet connection from a client PC, which then runs through the VPN. This naturally includes the user's private data traffic. As a result, every time the user scans the web, be it for shopping on eBay, checking personal email, or accessing the company CRM, it is done through the company VPN gateway.

    ...

    The other virtual tunnel configuration, split tunnels, only transmits data through the VPN tunnel from a website or from another IT service within the corporate network. For all other connections, such as Facebook or web mail, the client PC directly accesses the providers' servers. Downloads from external websites are not directed through the corporate network and the VPN."

    http://www.infosecisland.com/blogview/22859-Making-Sense-of-Split-Tunneling-.html


    "A VPN sends all the traffic destined for your corporate network over a secure encrypted tunnel. If split tunneling is disabled, that means that ALL traffic from your computer is going over that tunnel, and traffic destined for the Internet goes out from your computer, across the Internet to the corporate network, and from the corporate network to a destination on the Internet. Then, return traffic comes from that destination through the Internet, then back to the corporate network, and then back through Internet again, before finally reaching you.

    When split tunneling is enabled, Internet traffic goes directly from your computer to the Internet and back without involving the VPN at all. Split tunneling also allows you to access other systems on your local network, which is impossible if all traffic has to go to the corporate network first, although this can be mitigated in some configurations."

    www.tripwire.com/.../
