
Web Gateway - Are VPN IPs (remote users) included in "trusted IPs"?

Hello all.

I think I am confusing myself here.  Here is an example of the scenario:  internal office subnet is 10.10.10.0/24, and UTM is at 10.10.10.1.  I have a user that takes laptop home and uses VPN (10.10.15.0/24) to access office file server.  Split tunneling is applied to VPN client.

Define Web Gateway Preferences:

Trusted Destination IPs & Domains:  Does the VPN subnet "10.10.15.0/24" get added here?

Trusted Source IPs:  Does the VPN subnet "10.10.15.0/24" get added here?

My thinking is this:  User takes laptop home and gets internal IP 192.168.x.x (or ISP external IP) or whatever.  IP is not "trusted", so therefore uses Web Gateway (good).  User then connects VPN to office and gets IP 10.10.15.5.  VPN traffic should therefore be going through office UTM and using those policies, yes?  While connected to VPN, user browses internet, and since split tunneling is configured, that traffic should be using Web Gateway???  If I do not add VPN IP to trusted source IPs, then all traffic is routed through Web Gateway???  Also, should I add the internal "office" subnet (10.10.15.0/24) as a trusted destination for the VPN client?  As you can see, I am confused.  Any help in clarifying this would be very much appreciated.

Thank you,

Tony



  • Hi Tony,

    The two settings in question serve different scenarios: when the client is remote and uses split VPN, and when the client is internal on your corporate network.

    In the first scenario, when your client is remote and accessing the internal network via VPN, you want to add the internal subnets to the "Trusted destination IPs and domains". This would ensure any traffic from the client to the corporate network via the VPN will not route through the Web Gateway. You also may want to add the WAN IP of your VPN gateway to the "Trusted destination IPs and domains" in order to ensure the initial VPN connection does not go via the Web Gateway.

    In the second scenario, when the client is internal on your intranet network and not using VPN, you can add the internal subnet to the "Trusted source IPs". This is normally used on known safe networks where network security is already in place. Technically this tells the Web Gateway client "if the traffic originates from this subnet do not filter it, instead it will be filtered in another place, such as the perimeter of your corporate network."

    Hopefully this answers your questions. Let us know.

    Have a good one

    V
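To make the two settings concrete, here is an added illustration (not part of the thread, and not Sophos's actual Web Gateway implementation) that models the bypass decision V describes: a flow skips filtering when its source is in a trusted source network, or its destination is in a trusted destination network or matches a trusted domain. The office and VPN subnets are the ones from Tony's question; the VPN gateway's public IP and hostname are placeholders, and the client and server addresses are constructed. A second function shows what changes if the VPN pool were instead put in trusted sources, which is the alternative Tony was weighing.

```python
from ipaddress import ip_address, ip_network

# Constructed example values taken from the thread, plus placeholders for
# what the thread only names (the VPN gateway's public address/hostname).
OFFICE_LAN = ip_network("10.10.10.0/24")
VPN_POOL = ip_network("10.10.15.0/24")
VPN_GATEWAY_WAN_IP = "203.0.113.10"        # placeholder public IP (TEST-NET-3)
VPN_GATEWAY_HOSTNAME = "vpn.example.test"  # placeholder hostname

# Policy as V described it: office subnet as trusted source (for on-site
# clients); office subnet plus the VPN endpoint as trusted destinations.
POLICY = {
    "trusted_sources": [OFFICE_LAN],
    "trusted_destinations": [OFFICE_LAN, ip_network(VPN_GATEWAY_WAN_IP)],
    "trusted_domains": {VPN_GATEWAY_HOSTNAME},
}


def is_filtered(src, dst, policy=POLICY, hostname=None):
    """Return True when a flow would be sent through Web Gateway filtering.

    Assumed model (not the product's real logic): the flow bypasses the
    gateway if its source is in a trusted source network, or its destination
    is in a trusted destination network or matches a trusted domain.
    """
    src, dst = ip_address(src), ip_address(dst)
    if any(src in net for net in policy["trusted_sources"]):
        return False
    if any(dst in net for net in policy["trusted_destinations"]):
        return False
    if hostname and hostname.lower() in policy["trusted_domains"]:
        return False
    return True


def tony_scenarios(policy=POLICY):
    """Walk the cases from the original question; addresses are constructed."""
    home_lan_client = "192.168.1.50"   # laptop on a home network
    vpn_client = "10.10.15.5"          # same laptop once the VPN is up
    office_client = "10.10.10.50"      # a desk on the office LAN
    file_server = "10.10.10.20"        # office file server
    web_site = "198.51.100.7"          # some internet site (TEST-NET-2)
    return {
        "home_browsing": is_filtered(home_lan_client, web_site, policy),
        "initial_vpn_connect": is_filtered(home_lan_client, VPN_GATEWAY_WAN_IP, policy),
        "vpn_to_file_server": is_filtered(vpn_client, file_server, policy),
        "vpn_split_tunnel_browsing": is_filtered(vpn_client, web_site, policy),
        "office_browsing": is_filtered(office_client, web_site, policy),
    }


def with_vpn_pool_trusted(policy=POLICY):
    """Same walk-through if the VPN pool were also a trusted *source*:
    split-tunnel internet browsing from VPN clients would then skip filtering."""
    widened = dict(policy, trusted_sources=policy["trusted_sources"] + [VPN_POOL])
    return tony_scenarios(widened)


if __name__ == "__main__":
    for name, filtered in tony_scenarios().items():
        print(f"{name:28s} -> {'filtered' if filtered else 'bypass'}")
```

Under V's layout, the VPN client's file-server traffic and the initial VPN handshake bypass the gateway because of the trusted destinations, while its split-tunnel internet browsing is still filtered; `with_vpn_pool_trusted()` shows that listing 10.10.15.0/24 as a trusted source would remove that filtering for remote users, which is why the VPN pool belongs on the destination side, not the source side.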

  • Thank you V for the quick response.

    Yes this helps clarify how to configure.  One question though.  When you say "WAN IP of your VPN gateway", should I presume you mean the "external" gateway IP of wherever the laptop is located?  If so, this would be difficult since laptop would often be at different remote locations (constantly changing gateways).  Or am I confusing my "apples and oranges" again?  :)  

    Tony

  • No, what I mean by that is the public IP that your client uses when establishing the initial VPN connection. You may have an IP or a domain name that they connect initially to...