Options for Internet Access Through a Mobile VPN with SSL Tunnel

Force All Client Traffic Through Tunnel

This is the most secure option. It routes all Internet traffic from remote users through the VPN tunnel to the XTM device, which then sends it back out to the Internet. With this configuration (also known as a default-route VPN), the XTM device can inspect all client traffic and apply your policies to it, which provides increased security. It also requires more processing power and bandwidth on the XTM device, which can affect network performance if you have a large number of VPN users. By default, a policy named Allow SSLVPN-Users allows access to all internal resources and the Internet.

Allow Direct Access to the Internet

If you select Routed VPN traffic in the Mobile VPN with SSL configuration and do not force all client traffic through the tunnel, you must configure the allowed resources for the SSL VPN users. If you select Specify allowed resources or Allow access to networks connected through Trusted, Optional and VLANs, only traffic to those resources is sent through the VPN tunnel. All other traffic goes directly to the Internet and to the network the remote SSL VPN user is connected to (split tunneling). This option reduces security: traffic sent to the Internet or to the remote client network is not encrypted, is not inspected by the XTM device, and is not subject to the policies you configured on it.

Use the HTTP Proxy to Control Internet Access for Mobile VPN with SSL Users

If you configure Mobile VPN with SSL to force all client traffic through the tunnel, you can use HTTP proxy policies to restrict Internet access. The default Allow SSLVPN-Users policy does not restrict the traffic it allows from SSL clients to the Internet. To restrict Internet access, add the SSLVPN-Users group to the From list of an HTTP proxy policy you have already configured, or add a new HTTP proxy policy for SSL clients.

  1. Select Firewall > Firewall Policies.
  2. Double-click the HTTP proxy policy to open the Policy Configuration page.
  3. On the Policy tab, click Add in the From area.
  4. From the Member Type drop-down list, select SSLVPN Group.
  5. Select SSLVPN-Users and click OK.
  6. Click Save.

Because it is more specific, the HTTP proxy policy takes precedence over the Allow SSLVPN-Users (Any) policy for HTTP traffic from SSL clients. You can leave the Any policy to handle traffic other than HTTP, or repeat these same steps with another policy to manage other traffic from the SSL clients. Note that HTTPS is "traffic other than HTTP": it is not handled by an HTTP proxy policy and continues to match the Any policy unless you add an HTTPS proxy policy for SSLVPN-Users in the same way.
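The following is an added example, not part of this documentation or of Fireware itself: a simplified Python model of the two routing modes above (default-route VPN versus split tunnel with an allowed-resources list) and of the policy precedence just described. The network ranges, the flows and the policy table are constructed for illustration; the real XTM policy engine is not reproduced here. It shows which flows reach the XTM device at all, which of the two policies handles each one that does, and that HTTPS falls through to the Any policy when only an HTTP proxy policy is present.

```python
import ipaddress

# Added, simplified model (not Fireware's actual policy engine) of the two
# Mobile VPN with SSL routing modes and of policy selection on the XTM device.
# All network ranges and flows below are constructed examples.

ALLOWED_RESOURCES = [            # assumed "Specify allowed resources" list
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Policies in the order the device gives them precedence: the HTTP proxy
# policy with SSLVPN-Users in its From list is more specific than the default
# Allow SSLVPN-Users (Any) policy, so it is consulted first.
POLICIES = [
    {"name": "HTTP-proxy", "from": {"SSLVPN-Users"}, "proto": "tcp", "ports": {80}},
    {"name": "Allow SSLVPN-Users", "from": {"SSLVPN-Users"}, "proto": "any", "ports": None},
]


def route_for(dst, force_all_through_tunnel, allowed=ALLOWED_RESOURCES):
    """Return 'tunnel' or 'direct' for a destination address.

    force_all_through_tunnel=True models the default-route VPN; False models
    "Routed VPN traffic" with an allowed-resources list (split tunnel).
    """
    if force_all_through_tunnel:
        return "tunnel"
    ip = ipaddress.ip_address(dst)
    return "tunnel" if any(ip in net for net in allowed) else "direct"


def match_policy(flow, policies=POLICIES):
    """Return the name of the first policy that matches the flow, or None."""
    for pol in policies:
        if flow["src_group"] not in pol["from"]:
            continue
        if pol["proto"] != "any" and pol["proto"] != flow["proto"]:
            continue
        if pol["ports"] is not None and flow["dport"] not in pol["ports"]:
            continue
        return pol["name"]
    return None  # nothing matched: the device's implicit deny applies


def classify(flow, force_all_through_tunnel):
    """Where the flow goes, which policy handles it, and whether the XTM inspects it."""
    path = route_for(flow["dst"], force_all_through_tunnel)
    if path == "direct":
        # Split-tunnel traffic never reaches the XTM device: no encryption,
        # no proxy inspection, no policy applied.
        return {"path": "direct", "policy": None, "inspected": False}
    return {"path": "tunnel", "policy": match_policy(flow), "inspected": True}


def make_flow(dst, proto, dport):
    """Build a flow from an SSL VPN client (constructed input)."""
    return {"src_group": "SSLVPN-Users", "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    flows = {
        "web":   make_flow("93.184.216.34", "tcp", 80),   # constructed public address
        "https": make_flow("93.184.216.34", "tcp", 443),
        "dns":   make_flow("8.8.8.8", "udp", 53),
        "smb":   make_flow("10.0.1.20", "tcp", 445),      # inside an allowed resource
    }
    for mode in (True, False):
        print("force all client traffic through tunnel:", mode)
        for name, flow in flows.items():
            print("  %-5s %s" % (name, classify(flow, mode)))
```

With force-all enabled, only the port 80 flow is handled by the HTTP proxy policy; HTTPS, DNS and SMB all match Allow SSLVPN-Users. With force-all disabled, the Internet-bound flows leave the client directly and are never seen by the device, while the flow to 10.0.1.20 still goes through the tunnel.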

For more information on how to configure an HTTP proxy policy, see About the HTTP-Proxy.
