Mobile SSL VPN Force All Traffic

Hi All,
Just made the change on our mobile ssl-vpn settings to force all traffic through the VPN for extra security but all of the increased Teams usage at home has killed our bandwidth back at the office! I'm going to have to revert back to split tunneling for usability unless anybody has any smart ideas regarding Office 365 traffic breaking out at a home internet connection rather than back at the office?
TIA
Stuart

Comments

  • That's an expected problem to run into. The WatchGuard SSLVPN app does NOT have the ability to tunnel all with exceptions. You can either add routes on your clients or revert back to Split Tunnel.
    See this Microsoft Article: https://docs.microsoft.com/en-us/office365/enterprise/office-365-vpn-implement-split-tunnel
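The "add routes on your clients" option above is the approach the linked Microsoft article calls forced tunnelling with exceptions: keep the VPN's default route, but install more-specific routes for Microsoft's "Optimize" category (the small, IP-defined set of prefixes for Teams media, SharePoint and Exchange) that point at the home gateway instead. The script below is an added example, not WatchGuard's or the original poster's code, and not part of the article. It parses an endpoint list shaped like the Microsoft 365 endpoint web service output, keeps only Optimize/required IPv4 prefixes (Allow and Default stay in the tunnel because they are mostly URL-based and broad), collapses them, and emits the Windows `route add` lines a client would need. The JSON is a constructed, abbreviated sample; the prefixes in it are illustrative only and must be replaced by the live list before use. The gateway address 192.168.1.1 is an assumption.

```python
"""Build client-side bypass routes for Office 365 'Optimize' endpoints.

Added example, not WatchGuard or poster code. Under a force-all SSL VPN the
client's default route (0.0.0.0/0) goes into the tunnel; a more specific
route for an Optimize prefix pointing at the local home gateway wins by
longest-prefix match, so only that traffic leaves the tunnel.
"""
import ipaddress
import json

# Constructed sample shaped like the Microsoft 365 endpoint web service
# output. Prefixes are illustrative, NOT the current published list.
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15", "2603:1063::/38"],
     "udpPorts": "3478,3479,3480,3481"},
    {"id": 31, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "ips": ["13.107.136.0/22", "104.146.128.0/17"], "tcpPorts": "80,443"},
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["40.96.0.0/13", "52.96.0.0/14", "13.107.6.152/31"], "tcpPorts": "443"},
    # Allow/Default entries are deliberately left in the tunnel.
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "ips": ["40.92.0.0/15"], "tcpPorts": "443"},
    {"id": 56, "serviceArea": "Common", "category": "Default", "required": True,
     "urls": ["*.office.com"], "tcpPorts": "80,443"},
])


def optimize_prefixes(endpoints_json, want_ipv6=False):
    """Return collapsed ip_network objects for Optimize + required entries.

    Only the Optimize category is a sensible VPN bypass: it is latency
    sensitive, defined purely by IP prefixes, and small enough to audit.
    """
    nets = []
    for entry in json.loads(endpoints_json):
        if entry.get("category") != "Optimize" or not entry.get("required", False):
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4 or want_ipv6:
                nets.append(net)
    # Collapse overlapping/adjacent prefixes per address family so the
    # client gets the minimum number of routes.
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4 + v6


def bypasses_vpn(destination, prefixes):
    """True if traffic to destination would leave via the home gateway."""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in prefixes)


def windows_route_commands(prefixes, local_gateway, metric=1):
    """Emit 'route add' lines for a Windows client (IPv4 only here).

    Any Optimize prefix is more specific than the VPN's 0.0.0.0/0, so the
    metric mostly matters against other routes of equal length; 1 is safe.
    """
    cmds = []
    for net in prefixes:
        if net.version != 4:
            continue
        cmds.append(
            f"route add {net.network_address} mask {net.netmask} "
            f"{local_gateway} metric {metric}"
        )
    return cmds


if __name__ == "__main__":
    routes = optimize_prefixes(SAMPLE_ENDPOINTS_JSON)
    for line in windows_route_commands(routes, "192.168.1.1"):  # assumed gateway
        print(line)
    # Everything not in the Optimize set, e.g. 8.8.8.8, still rides the tunnel.
    print("8.8.8.8 bypasses VPN:", bypasses_vpn("8.8.8.8", routes))
```

Two practical caveats: the routes have to be (re)installed each time the SSL VPN client brings the tunnel up, since the client rewrites the route table on connect, so this belongs in a connect script or a scheduled task running as an administrator, and every prefix you add this way is traffic the office firewall never sees. That is exactly the trade-off the rest of this thread argues about, so keep the bypass list to the Optimize category and refresh it from the endpoint service rather than hand-maintaining it.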

  • Thanks for the reply. We've gone back to split tunnel for now - seems like Teams is a mission-critical app these days ;-)

  • Yeah, split tunnel may be "less secure" but only if someone happens to see your route table of your computer... otherwise it's fine as long as your AD domain doesn't end in ".com"

  • @Tristan_Colo said:
    Yeah, split tunnel may be "less secure" but only if someone happens to see your route table of your computer... otherwise it's fine as long as your AD domain doesn't end in ".com"

    Split tunnel is less secure because it allows one to surf the Internet unfiltered, get infected, and then have that infection affect the SSLVPN LAN. A person could get hit with a keystroke logger and then it would harvest whatever they type while on the SSLVPN.

    Gregg

    Gregg Hill

  • Yeah, split tunnel may be "less secure" but only if someone happens to see your route table of your machine as you connect.

  • Not sure why you think this.
    There is tons of malware that tries to access everything and does not rely on accessing a route table.
    When a client is able to access the Internet directly at the same time as it can access your trusted LAN, this is a less secure connection than when the client must access the Internet via the VPN connection through the firewall.

  • We have always used split tunnel ssl-vpn, but since lockdown we've been testing the IKE-VPN, full tunnel if you like, with MFA, but we will be going back to split tunnel and the reason is the flexibility it affords us. With full tunnel you are at the mercy of the outbound connection of your firewall; if this connection is playing up (breaking out to the internet) all of your home users will suffer this, whereas with split tunnel they may lose access to the VPN and corporate resources but they can still browse the web from home, access Office 365 for example without any issue. In the end it all depends on your attitude to risk and we feel we want better connectivity over security. We equip all work laptops with BitLocker, passwords, AV, TDR and all manner of local GPO and firewall restrictions, so we have done what we can without impacting usability. Also, your bandwidth will go through the roof if all of a sudden you are pushing 300 home workers via the VPN tunnel (we only used to serve 30-odd remote workers a day). IMO the extra security offered by full tunnel has too much of an impact on accessibility. Just run yourself a speed test and compare the connections.
