WatchGuard Technologies Water Heater SSL VPN User Manual

Administration Guide
You can change the default operation so that user groups are denied network access unless they 
are allowed access to one or more network resource groups. 
• You configure ACLs for user groups by specifying which network resources are allowed or denied 
per user group. 
 
By default, all network resource groups are allowed and network access is controlled by the Deny 
Access without ACL option on the Global Cluster Policies tab. When you allow or deny one 
resource group, all other resource groups are denied automatically and the network access for 
the user group is controlled only through its ACL.
 
If a resource group includes a resource that you do not want a user group to access, you can 
create a separate resource group for just that resource and deny the user group access to it.
The options just discussed are summarized in the following table.
Specifying Accessible Networks
You must specify which networks the Firebox SSL VPN Gateway can access. 
When configuring network access, configure the most restrictive policy first and the least restrictive 
last. For example, if you want to allow access to everything on the 10.0.x.x network but need to deny 
access to the 10.0.20.x network, configure network access to 10.0.20.x first and then configure access 
to the 10.0.x.x network.
To give the Firebox SSL VPN Gateway access to a network
1. Click the Global Cluster Policies tab.
2. Under Access Options, in Accessible Networks, type a list of networks. Use a space or carriage 
   return to separate the list of networks.
3. Click Submit.
Enabling Split Tunneling
You can enable split tunneling on the Global Cluster Policies tab to prevent the Secure Access Client 
from sending unnecessary network traffic to the Firebox SSL VPN Gateway. 
When split tunneling is not enabled, the Secure Access Client captures all network traffic originating 
from a client computer, and sends the traffic through the VPN tunnel to the Firebox SSL VPN Gateway.
If you enable split tunneling, the Secure Access Client sends only traffic destined for networks protected 
by the Firebox SSL VPN Gateway through the VPN tunnel. The Secure Access Client does not send 
network traffic destined for unprotected networks to the Firebox SSL VPN Gateway. 
ACL set for user group?   Deny access without ACL?   User group can access:
No                        No                         All accessible networks
Yes                       No                         Allowed resource groups
No                        Yes                        Nothing
Yes                       Yes                        Allowed resource groups
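
The table above and the most-restrictive-first ordering rule under Specifying Accessible Networks can be checked offline before a policy is entered in the console. The following Python model is an added example, not WatchGuard code. It assumes ACL entries are evaluated in order with the first match winning (which the ordering advice implies), writes 10.0.x.x as 10.0.0.0/16 and 10.0.20.x as 10.0.20.0/24, and uses hypothetical function names.

```python
import ipaddress

def first_match(rules, dest):
    """Return the action of the first rule whose network contains dest, else None.
    First-match evaluation is an assumption of this model."""
    addr = ipaddress.ip_address(dest)
    for action, cidr in rules:
        if addr in ipaddress.ip_network(cidr):
            return action
    return None

def group_can_reach(dest, accessible, acl, deny_without_acl):
    """Apply the guide's table to one user group and one destination."""
    addr = ipaddress.ip_address(dest)
    if not any(addr in ipaddress.ip_network(n) for n in accessible):
        return False                  # outside the Accessible Networks list
    if acl:
        # ACL set: only allowed resource groups; anything unlisted is denied.
        return first_match(acl, dest) == "allow"
    # No ACL: the global "Deny Access without ACL" option decides.
    return not deny_without_acl

def shadowed_rules(rules):
    """List (broad, narrow) pairs where an earlier, broader rule with a
    different action hides a later, narrower rule so it never takes effect."""
    nets = [(action, ipaddress.ip_network(cidr)) for action, cidr in rules]
    hits = []
    for i, (a1, n1) in enumerate(nets):
        for a2, n2 in nets[i + 1:]:
            if a1 != a2 and n1.version == n2.version and n2.subnet_of(n1):
                hits.append((str(n1), str(n2)))
    return hits

# Constructed sample data based on the guide's 10.0.x.x / 10.0.20.x example.
ACCESSIBLE = ["10.0.0.0/16"]
GOOD = [("deny", "10.0.20.0/24"), ("allow", "10.0.0.0/16")]   # restrictive first
BAD = [("allow", "10.0.0.0/16"), ("deny", "10.0.20.0/24")]    # broad first

if __name__ == "__main__":
    for name, acl in (("restrictive first", GOOD), ("broad first", BAD)):
        reach = group_can_reach("10.0.20.5", ACCESSIBLE, acl, False)
        print(f"{name}: 10.0.20.5 reachable={reach} shadowed={shadowed_rules(acl)}")
```

With the broad rule first, the deny for 10.0.20.0/24 is reported as shadowed and 10.0.20.5 stays reachable, which is the misconfiguration the ordering rule prevents.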