This is the most secure option. It requires that all remote user Internet traffic is routed through the VPN tunnel to the XTM device. From the XTM device, the traffic is then sent back out to the Internet. With this configuration (also known as default-route VPN), the XTM device is able to examine all traffic and provide increased security. However, this requires more processing power and bandwidth from the XTM device. This can affect network performance if you have a large number of VPN users. By default, a policy named Allow SSLVPN-Users allows access to all internal resources and the Internet.
If you select Routed VPN traffic in the Mobile VPN with SSL configuration, and you do not force all client traffic through the tunnel, you must configure the allowed resources for the SSL VPN users. If you select Specify allowed resources or Allow access to networks connected through Trusted, Optional and VLANs, only traffic to those resources is sent through the VPN tunnel. All other traffic goes directly to the Internet and the network that the remote SSL VPN user is connected to. This option can affect your security because any traffic sent to the Internet or the remote client network is not encrypted or subject to the policies you configured on the XTM device.
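The difference between the two modes above shows up on the client as a routing-table difference: in default-route mode every destination resolves to the tunnel interface, while in split-tunnel mode only the allowed resources do and Internet traffic takes the client's own default route unencrypted. The following added example (not WatchGuard's code or part of this documentation) parses Linux `ip route show` output and reports, for a few probe destinations, which ones would leave the client outside the tunnel. Both route dumps, the interface name `tun0`, the gateway and probe addresses, and the `0.0.0.0/1` + `128.0.0.0/1` pair (the way some VPN clients override the default route without deleting it) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed `ip route show` output: all client traffic forced through the tunnel.
# The two /1 routes together cover all of IPv4 and are more specific than the
# DHCP default route, so they win for every non-local destination.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 192.0.2.1 dev tun0
128.0.0.0/1 via 192.0.2.1 dev tun0
default via 198.51.100.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev tun0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.20
"""

# Constructed `ip route show` output: only specified allowed resources go via tun0.
SPLIT_TUNNEL_ROUTES = """\
default via 198.51.100.1 dev eth0 proto dhcp metric 100
10.0.1.0/24 via 192.0.2.1 dev tun0
10.0.2.0/24 via 192.0.2.1 dev tun0
192.0.2.0/24 dev tun0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.20
"""

# Constructed probe destinations: an internal (Trusted) host, a public Internet
# host, and a host on the remote user's own LAN.
PROBES = ["10.0.1.25", "203.0.113.5", "198.51.100.7"]


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    metric: int


def parse_ip_route(text: str) -> List[Route]:
    """Parse the subset of `ip route show` fields needed for a lookup."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        target = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(target, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append(Route(prefix, dev, metric))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress_interfaces(routes: List[Route], probes: List[str]) -> Dict[str, str]:
    """Map each probe destination to the interface its traffic would leave on."""
    result = {}
    for dest in probes:
        route = lookup(routes, dest)
        result[dest] = route.dev if route else "unreachable"
    return result


def bypassing_tunnel(routes: List[Route], vpn_dev: str, probes: List[str]) -> List[str]:
    """Destinations whose traffic would NOT be encrypted through vpn_dev."""
    return [d for d, dev in egress_interfaces(routes, probes).items() if dev != vpn_dev]


if __name__ == "__main__":
    for name, dump in (("full tunnel", FULL_TUNNEL_ROUTES), ("split tunnel", SPLIT_TUNNEL_ROUTES)):
        routes = parse_ip_route(dump)
        print(f"{name}: {egress_interfaces(routes, PROBES)}")
        print(f"  bypassing tun0: {bypassing_tunnel(routes, 'tun0', PROBES)}")
```

In the full-tunnel dump only the host on the client's own LAN bypasses `tun0`, which is expected because the link-scope route is more specific than the two /1 routes; in the split-tunnel dump the public Internet host also bypasses it, which is the exposure the paragraph above describes. Running the same lookup against a real client's `ip route show` output is a quick way to confirm that a "force all client traffic through tunnel" setting actually took effect.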
If you configure Mobile VPN with SSL to force all client traffic through the tunnel, you can use HTTP proxy policies to restrict Internet access. The default Allow SSLVPN-Users policy has no restrictions on the traffic that it allows from SSL clients to the Internet. To restrict Internet access, you can use an HTTP proxy policy you have already configured, or add a new HTTP proxy policy for SSL clients.
The HTTP proxy policy takes precedence over the Any policy. You can leave the Any policy to handle traffic other than HTTP, or you can use these same steps with another policy to manage traffic from the SSL clients.
For more information on how to configure an HTTP proxy policy, see About the HTTP-Proxy.