
SSL VPN Split tunneling

Hello,

I have seen this question asked before but the most recent was 8 years ago...

So here we go again:

I have 20 people connecting to SSL VPN using the Sophos Client. When they try to access the Web it always goes through the VPN tunnel. As we are in Europe and my UTMs are in the US, you can imagine the delay...

I haven't found an option for enabling split tunneling anywhere. How do I do it?

Thanks!

  • Like Jaesii says, don't put any (or Internet .....) in the SSL VPN config otherwise you explicitly instruct to send all traffic over the tunnel.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Where can I configure split tunnel? I am using Sophos UTM 9 ver 9.506-1 but I'm not sure which "SSL VPN config" you are referring to, is it somewhere under Remote Access -> SSL menu?

  • Khai Do said:

    Where can I configure split tunnel? I am using Sophos UTM 9 ver 9.506-1 but I'm not sure which "SSL VPN config" you are referring to, is it somewhere under Remote Access -> SSL menu?

    You don't specifically configure it. If you use the SSL VPN and DO NOT use Any or Internet in the rules it will happen automatically. It just works.

  • Could you please clarify. We do use SSL VPN but how do I configure it to NOT "use Any or Internet in the rules"? Is that in the server settings?

    What should we set it to if not 'any or internet'? Should it be our VPN IP (i.e. vpn.company.com)?

  • The "ANY" you have highlighted is for WAN addresses to listen on.

    Any will allow VPNs (and the user portal) to listen on ALL of your WAN IPs and ALL additional addresses.

    If vpn.domain.com is set up on a specific static public IP, drag that WAN ADDRESS into the Interface Address field and that will lock the user portal and VPN to only listen on that specific IP.

    To have a Tunnel All mode VPN, you will need to click the Profiles tab, modify the SSL VPN profile and drop the Internet IPv4 and Internet IPv6 objects into the Local Networks list.

    You will also need appropriate firewall rules (if not using automatic) for SSL VPN to WAN and a Masquerade for the SSL VPN Pool.

    ---

    To have a Split Tunnel VPN, just drop in the Networks and Hosts into the Local Networks box.

    DO NOT put ANY in this box, and do not create a Masquerade.

    --
    SCA/UTM/XG Sophos Platinum Partner
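To confirm which mode a client actually ended up in after changing the Local Networks list, here is an added example (not from this thread or from Sophos) that classifies a Linux client's `ip route show` output as full or split tunnel. It assumes the VPN adapter is a `tun` interface, and the two route tables it parses are constructed samples.

```python
import ipaddress
import re

# Constructed sample of `ip route show` after connecting with Internet IPv4
# in Local Networks: the tunnel takes 0.0.0.0/1 and 128.0.0.0/1, which
# together cover all of IPv4 and override the LAN default route.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.242.2.1 dev tun0
128.0.0.0/1 via 10.242.2.1 dev tun0
10.242.2.0/24 dev tun0 proto kernel scope link src 10.242.2.6
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed sample with only internal networks in Local Networks:
# just those prefixes go via tun0, everything else keeps the LAN default.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.242.2.0/24 dev tun0 proto kernel scope link src 10.242.2.6
172.16.10.0/24 via 10.242.2.1 dev tun0
172.16.20.0/24 via 10.242.2.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Destination is the first token; the outgoing interface follows "dev".
ROUTE_RE = re.compile(r"^(?P<dst>\S+)\s.*?\bdev\s+(?P<dev>\S+)")


def tunnel_prefixes(route_output, tun_prefix="tun"):
    """Return the IPv4 destination networks routed via a tun interface."""
    nets = []
    for line in route_output.splitlines():
        m = ROUTE_RE.match(line)
        if not m or not m.group("dev").startswith(tun_prefix):
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        nets.append(ipaddress.ip_network(dst, strict=False))
    return nets


def tunnel_mode(route_output, tun_prefix="tun"):
    """'full' if the tun routes cover all of IPv4, 'split' if only some
    prefixes are tunnelled, 'none' if no route points at the tunnel."""
    nets = tunnel_prefixes(route_output, tun_prefix)
    if not nets:
        return "none"
    # collapse_addresses drops subsumed/overlapping prefixes before counting.
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return "full" if covered == 2 ** 32 else "split"
```

On a live client, feed it the real output: `tunnel_mode(subprocess.check_output(["ip", "route", "show"], text=True))`.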