Options for Internet Access Through a Mobile VPN with SSL Tunnel

Force All Client Traffic Through Tunnel

This is the most secure option. It requires that all remote user Internet traffic is routed through the VPN tunnel to the Firebox. From the Firebox, the traffic is then sent back out to the Internet. With this configuration (also known as default-route VPN), the Firebox is able to examine all traffic and provide increased security. However, this requires more processing power and bandwidth from the Firebox. This can affect network performance if you have a large number of VPN users. By default, a policy named Allow SSLVPN-Users allows access to all internal resources and the Internet.

The Mobile VPN with SSL client configures client routes that match your Firebox configuration. It is possible that user computers have additional routes that were configured manually or added by other installed software. In that case, not all traffic is routed through the VPN tunnel to the Firebox.
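The following added example (not part of this documentation or the Mobile VPN with SSL client) shows how an administrator can check a client's routing table for routes that override the tunnel's default route. It parses a constructed `ip route`-style table, applies longest-prefix matching, and reports destinations whose selected route does not use the tunnel interface; the interface names tun0 and eth0 and all addresses are assumptions.

```python
import ipaddress

# Constructed sample of a client routing table in `ip route` style (not from a
# real host). Interface names (tun0, eth0) and addresses are assumptions.
SAMPLE_ROUTES = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev eth0 scope link
172.16.0.0/12 via 192.168.1.254 dev eth0
"""

def parse_routes(text):
    """Return a list of (network, device) tuples from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes

def select_route(routes, dst):
    """Longest-prefix match, as the host's kernel does; returns (network, device) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def find_tunnel_bypasses(routes, tunnel_dev, destinations):
    """Return the destinations whose selected route does not use the tunnel interface.
    With a default-route VPN, any destination returned here is reached via a route
    that is more specific than the tunnel's default route, so its traffic never
    reaches the Firebox."""
    bypasses = []
    for dst in destinations:
        route = select_route(routes, dst)
        if route is None or route[1] != tunnel_dev:
            bypasses.append(dst)
    return bypasses

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    targets = ["8.8.8.8", "172.16.5.10", "192.168.1.20", "10.8.0.5"]
    print("destinations that bypass the tunnel:", find_tunnel_bypasses(routes, "tun0", targets))
```

A route for the client's local LAN is expected; a route such as the 172.16.0.0/12 entry above is the kind of manually added or software-installed route that silently sends traffic outside the tunnel.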

Allow Direct Access to the Internet

If you select Routed VPN traffic in the Mobile VPN with SSL configuration, and you do not force all client traffic through the tunnel, you must configure the allowed resources for the SSL VPN users. If you select Specify allowed resources or Allow access to all Trusted, Optional and Custom networks, only traffic to those resources is sent through the VPN tunnel. All other traffic goes directly to the Internet and the network that the remote SSL VPN user is connected to. This option can affect your security because any traffic sent to the Internet or the remote client network is not encrypted or subject to the policies you configured on the Firebox.

Use the HTTP Proxy to Control Internet Access for Mobile VPN with SSL Users

If you configure Mobile VPN with SSL to force all client traffic through the tunnel, you can use HTTP proxy policies to restrict Internet access. The default Allow SSLVPN-Users policy has no restrictions on the traffic that it allows from SSL clients to the Internet. To restrict Internet access, you can use an HTTP proxy policy you have already configured, or add a new HTTP proxy policy for SSL clients.

The HTTP proxy policy takes precedence over the Any policy. You can leave the Any policy to handle traffic other than HTTP, or you can use these same steps with another policy to manage traffic from the SSL clients.

For more information on how to configure an HTTP proxy policy, go to About the HTTP-Proxy.

Related Topics

About Mobile VPN with SSL

Manually Configure the Firebox for Mobile VPN with SSL