SSL VPN tunneling all traffic but I need to send requests for a specific FQDN out of the Firebox

I'm managing 70 users that are using SSL VPN that is tunneling all traffic, but I need to send requests for a specific FQDN out of the Firebox to the Internet. My users connect to an M470 cluster via SSLVPN, they then can travel over BOVPN to multiple data centers and access the servers at those locations. I have one FQDN they need to access, it isn't reachable through the VPN for reasons beyond our control. The site is reachable if my users are not connected to the VPN. How can I push requests from VPN users to that one site out of the cluster and to the Internet so they can reach that site? Thank you for any assistance!

Answers

  • Is general Internet access allowed via the SSLVPN connections?

    What do you see in Traffic Monitor when access to this FQDN is tried?

    Is your firewall public IP addr included in your BOVPN Tunnel settings ?

  • @Bruce_Briggs said:
    Is general Internet access allowed via the SSLVPN connections?

    What do you see in Traffic Monitor when access to this FQDN is tried?

    Is your firewall public IP addr included in your BOVPN Tunnel settings ?

    Thank you for the response, yes, general Internet access is allowed via the SSLVPN. I've not looked at the traffic monitor. Will do that now. Yes, our public IP addresses are included in the BOVPN tunnel settings.

  • With your public IP addresses being included in the BOVPN tunnel settings, reply packets from the far site will go back via the BOVPN and not via the Internet - so the reply will not match the sent packet in the sessions table and won't work.

    If you have multiple public IP addrs on your M470, you could set up SSLVPN client Internet access to be via a public IP addr which is not in your BOVPN Tunnel settings.

    Otherwise you would need to set up split tunneling on your SSLVPN settings.
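To make the session-table mismatch described above (and the silent drop of unexpected replies mentioned further down the thread) concrete, here is an added Python model. It is not from the thread and not WatchGuard code; the addresses, interface names and tunnel selectors are constructed for illustration. It assumes the BOVPN lists the External 1 address as a local network, so the far site routes replies to that address back through the tunnel, while a second external address outside the tunnel settings gets its replies over the Internet.

```python
"""Model of a stateful firewall dropping replies that arrive on the wrong path.

Constructed assumptions (not the poster's real configuration):
  - External-1 on the Firebox is 203.0.113.10, External-2 is 203.0.113.20.
  - The BOVPN lists 203.0.113.10/32 as a local network, so the far site
    sends anything addressed to it back through the tunnel.
  - SSL VPN clients are 192.168.113.0/24; the target site is 198.51.100.80.
"""
from ipaddress import ip_address, ip_network

# BOVPN tunnel routes: (local network on the Firebox side, remote network at the far site)
BOVPN_ROUTES = [(ip_network("203.0.113.10/32"), ip_network("10.50.0.0/16"))]

# External interfaces and the public address each one NATs client traffic to
EXTERNAL_IFACES = {
    "External-1": ip_address("203.0.113.10"),
    "External-2": ip_address("203.0.113.20"),
}


class Firebox:
    """Minimal stateful firewall: a session is keyed on the NATed (src, dst) pair
    and remembers the interface the reply is expected to come back on."""

    def __init__(self):
        self.sessions = {}
        self.dropped = 0

    def send(self, client_ip, site_ip, egress):
        nat_ip = EXTERNAL_IFACES[egress]
        self.sessions[(nat_ip, site_ip)] = egress
        return nat_ip, site_ip

    def receive(self, src, dst, ingress):
        expected = self.sessions.get((dst, src))
        if expected is None or expected != ingress:
            # asymmetric reply: no matching session on this interface, drop without logging
            self.dropped += 1
            return False
        return True


def far_site_route(reply_dst):
    """Routing decision at the far site: a destination covered by a tunnel
    selector is sent into the BOVPN, anything else goes over the Internet."""
    for local_net, _remote_net in BOVPN_ROUTES:
        if reply_dst in local_net:
            return "BOVPN"
    return "Internet"


def simulate(egress):
    """Send one client request out of `egress` and deliver the far site's reply."""
    fb = Firebox()
    client = ip_address("192.168.113.5")
    site = ip_address("198.51.100.80")
    nat_src, dst = fb.send(client, site, egress)
    path = far_site_route(nat_src)
    # An Internet reply arrives on the interface owning the NAT address;
    # a tunnelled reply arrives on the BOVPN virtual interface instead.
    ingress = egress if path == "Internet" else "BOVPN"
    delivered = fb.receive(dst, nat_src, ingress)
    return {"egress": egress, "reply_path": path, "ingress": ingress,
            "delivered": delivered, "dropped": fb.dropped}


def usable_external_ifaces():
    """The check behind the advice above: external interfaces whose public
    address is not inside any BOVPN local network are safe for client Internet access."""
    return [name for name, addr in EXTERNAL_IFACES.items()
            if not any(addr in local_net for local_net, _ in BOVPN_ROUTES)]


if __name__ == "__main__":
    for iface in EXTERNAL_IFACES:
        print(simulate(iface))
    print("usable for SSL VPN client Internet access:", usable_external_ifaces())
```

Running it shows the request leaving External-1 being answered through the BOVPN and dropped with no log entry, while the same request via External-2 completes; `usable_external_ifaces()` is the quick way to spot which public address is outside the tunnel settings before changing the SSL VPN client egress.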

  • @FirstWatch said:

    @Bruce_Briggs said:
    Is general Internet access allowed via the SSLVPN connections?

    What do you see in Traffic Monitor when access to this FQDN is tried?

    Is your firewall public IP addr included in your BOVPN Tunnel settings ?

    Thank you for the response, yes, general Internet access is allowed via the SSLVPN. I've not looked at the traffic monitor. Will do that now. Yes, our public IP addresses are included in the BOVPN tunnel settings.

    The traffic log shows traffic going out to the site. No errors, no deny messages.

  • edited March 13

    The firewall drops unexpected reply packets caused by asymmetrical routing, and does not log them.

    Consider opening a support case on this to get the perspective from a WG rep.

  • Issue is resolved. Changed from External 1 to External 2 and it works fine.