This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Reconfigure SSL VPN Full Tunnel to Split-Tunnel

Hi. We've been running a Sophos UTM Remote Access SSL VPN for a few years now with no problems. With so many users now working from home we're finding that Windows patching is not ideal over the VPN and the recommendation is to move to a Split-tunnel configuration. This would allow clients to update directly via the internet rather than from the on-prem SCCM server.

My question is therefore, how easy is it to move to split-tunneling from full tunneling? Ideally I would like to leave the full tunnel but have an exception for say the Microsoft IPs but suspect this is not possible. I'm thinking it might be a case of removing the ANY setting in the Local Networks on the VPN Profile and adding in all the networks we still want to have on the VPN and accept that the rest will go directly. Does that sound like the only option?

I'm also not clear if there would need to be any change on the client side (Sophos OpenVPN client used)?

Thanks

This thread was automatically locked due to age.

Parents

0 emmosophos over 3 years ago

Hello Colin,

Thank you for contacting the Sophos Community.

You are correct, under the Local Networks, at the moment you must have "ANY" if you remove that one, and add the Local Networks, then all traffic should that is not directed to those Local Networks should go out the user's regular Gateway.

Just keep in mind, that after you make that change, users will need to re-download the SSL VPN configuration.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 emmosophos over 3 years ago

Hello Colin,

Thank you for contacting the Sophos Community.

You are correct, under the Local Networks, at the moment you must have "ANY" if you remove that one, and add the Local Networks, then all traffic should that is not directed to those Local Networks should go out the user's regular Gateway.

Just keep in mind, that after you make that change, users will need to re-download the SSL VPN configuration.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Colin Fraser over 3 years ago in reply to emmosophos

Thans Emmanuel.

Why wil users need to download a new SSL VPN configuration file? Does that hold a list of the network? If so, what happens then if at some point a new internal network is added to the VPN list, do they need to get a new config file each time?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 3 years ago in reply to Colin Fraser

Hello Colin,

My mistake, no users doesn't need to re-download the configuration. The route is pushed to the users when they connect.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel