Reconfigure SSL VPN Full Tunnel to Split-Tunnel

Hi. We've been running a Sophos UTM Remote Access SSL VPN for a few years now with no problems. With so many users now working from home we're finding that Windows patching is not ideal over the VPN and the recommendation is to move to a Split-tunnel configuration. This would allow clients to update directly via the internet rather than from the on-prem SCCM server.

 

My question is therefore, how easy is it to move to split-tunneling from full tunneling? Ideally I would like to leave the full tunnel but have an exception for say the Microsoft IPs but suspect this is not possible. I'm thinking it might be a case of removing the ANY setting in the Local Networks on the VPN Profile and adding in all the networks we still want to have on the VPN and accept that the rest will go directly. Does that sound like the only option?

 

I'm also not clear if there would need to be any change on the client side (Sophos OpenVPN client used)?

 

Thanks



  • Hello Colin,

    Thank you for contacting the Sophos Community.

    You are correct: under Local Networks, at the moment you must have "ANY". If you remove that one and add the Local Networks, then all traffic that is not directed to those Local Networks should go out the user's regular gateway.

    Just keep in mind, that after you make that change, users will need to re-download the SSL VPN configuration. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
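A pre-change check for the approach discussed in this thread, added here as an example (not from the original posts or from Sophos): given the networks that will replace "Any" under Local Networks, it confirms the list is not still equivalent to a full tunnel, shows which path a destination would take, and flags ranges that collide with common home-LAN subnets. All addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: networks listed under "Local Networks" on the VPN profile
# after "Any" has been removed. Replace with your own ranges.
LOCAL_NETWORKS = ["10.10.0.0/16", "172.16.20.0/24", "192.168.1.0/24"]

# Common home-router subnets (assumed list); a tunneled range overlapping one
# of these can shadow the user's own LAN (printer, router) while the VPN is up.
HOME_LAN_DEFAULTS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def parse(nets):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(n, strict=True) for n in nets]


def is_full_tunnel(nets):
    """True if the listed networks together cover all of IPv4 (same as "Any"),
    e.g. 0.0.0.0/0 itself or the 0.0.0.0/1 + 128.0.0.0/1 pair."""
    collapsed = list(ipaddress.collapse_addresses(parse(nets)))
    return collapsed == [ipaddress.ip_network("0.0.0.0/0")]


def path_for(dest, nets):
    """Return 'vpn' if dest falls in a tunneled network, else 'direct'."""
    addr = ipaddress.ip_address(dest)
    return "vpn" if any(addr in n for n in parse(nets)) else "direct"


def home_lan_overlaps(nets):
    """Tunneled networks that overlap a common home-LAN subnet."""
    homes = parse(HOME_LAN_DEFAULTS)
    return [str(n) for n in parse(nets) if any(n.overlaps(h) for h in homes)]


if __name__ == "__main__":
    print("full tunnel:", is_full_tunnel(LOCAL_NETWORKS))
    # 10.10.5.20 stands in for the on-prem SCCM server; 203.0.113.10 is a
    # documentation address standing in for an internet update endpoint.
    for dest in ("10.10.5.20", "203.0.113.10"):
        print(dest, "->", path_for(dest, LOCAL_NETWORKS))
    print("overlaps home LAN defaults:", home_lan_overlaps(LOCAL_NETWORKS))
```

Anything reported as "direct" leaves through the user's own gateway and no longer passes the UTM's web filtering or logging, so review that list before removing "Any".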