Fortinet's firewall line is a comprehensive product series that covers the needs of small to large enterprises. Take the FortiGate 310B as an example: it is a product aimed at medium-sized enterprises and integrates routing (RIP, OSPF, BGP and multicast), Unified Threat Management (UTM), VPN, WAN optimization, gateway proxy, and wireless control.
Fortinet firewalls support both IPsec VPN and SSL VPN, each with its own configuration and monitoring features. This article describes how the split tunneling option of the SSL VPN affects end users, how to configure it, and what to watch out for when enabling it.
First, what does split tunneling mean? Normally, all network traffic sent by a remote user is encapsulated in the IPsec tunnel. Even when the user visits a website outside the company, the packets first travel to the VPN gateway, which then forwards them to the host on the Internet. The replies to the user's browsing requests likewise pass through the VPN gateway and are sent back to the user's host through the IPsec tunnel. The same applies to SSL VPN.
After split tunneling is configured, the situation changes. The remote user's network experience improves: traffic to the Internet no longer passes through the VPN gateway, while traffic to the intranet is still encapsulated in the VPN tunnel. The advantages and disadvantages of split tunneling are discussed at the end of this article. Next, let's look at how to configure and verify it on a Fortinet firewall.
In the tunnel mode settings of the Fortinet SSL VPN, the split tunneling option is edited by clicking the pencil icon.
What changes on the remote user's computer? In a word, the default route changes. Running netstat -r on a remote user's computer that is connected to the VPN but does not have split tunneling enabled shows two default routes.
Note that in the second route, 192.168.250.166 is the intranet address assigned to the client after the VPN connects. Its metric is much smaller than that of the first route, so the default route, and therefore all traffic, goes through the VPN.
On a remote client that connects to the VPN with split tunneling enabled, the routing table looks different.
The default route through the VPN seen previously is no longer in the routing table; instead there are multiple specific routes. These are the route entries the remote client adds after the VPN connection is established, derived from the predefined firewall policy (external network -> internal network). All packets to destinations not covered by that policy are sent via the computer's own default gateway rather than through the VPN.
This is easy to verify: run tracert or pathping against an Internet IP address and observe the path. The details are not covered here.
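As an added illustration that is not part of the original post, the following Python script applies the longest-prefix-match rule (lowest metric breaking ties) to two constructed routing tables in the column layout of netstat -r, and shows that an Internet destination leaves through the local gateway only in the split-tunnel table. Only 192.168.250.166 is taken from the post; the LAN and intranet addresses are made-up assumptions.

```python
import ipaddress

# Constructed routing tables in the column layout of Windows "netstat -r"
# (Destination, Netmask, Gateway, Interface, Metric). 192.168.250.166 is the
# VPN address quoted in the post; LAN and intranet prefixes are made up.
FULL_TUNNEL = """\
0.0.0.0     0.0.0.0        192.168.1.1    192.168.1.50     25
0.0.0.0     0.0.0.0        192.168.250.1  192.168.250.166  1
"""

SPLIT_TUNNEL = """\
0.0.0.0     0.0.0.0        192.168.1.1    192.168.1.50     25
10.10.0.0   255.255.0.0    192.168.250.1  192.168.250.166  1
172.16.5.0  255.255.255.0  192.168.250.1  192.168.250.166  1
"""

VPN_IFACE = "192.168.250.166"  # VPN adapter address on the client

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples for each route line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers and blank lines
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def select_route(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r[0]]
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))

def egress_interface(routes, dst):
    """Address of the interface a packet to dst leaves from."""
    return select_route(routes, dst)[2]

def split_tunnel_active(routes, vpn_iface=VPN_IFACE):
    """True when no default route (0.0.0.0/0) points at the VPN adapter."""
    return not any(r[0].prefixlen == 0 and r[2] == vpn_iface for r in routes)

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        routes = parse_routes(table)
        print(f"{name}: split tunneling active = {split_tunnel_active(routes)}")
        for dst in ("8.8.8.8", "10.10.1.1"):
            print(f"  {dst} leaves via {egress_interface(routes, dst)}")
```

The same check can be run against real netstat -r output by pasting the IPv4 route table section into the string.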
In short, everything has advantages and disadvantages, and split tunneling is no exception. It improves the remote user's network experience and reduces the load on the VPN gateway, but it weakens the security of the remote PC: an attacker who compromises the remote computer through its unprotected Internet connection can reach the internal network directly through the VPN tunnel. Weigh the trade-offs carefully before enabling the split tunneling option.
This article is from the "Qianlong in Yuan" blog; please keep this source when reposting: http://sydflyer.blog.51cto.com/298059/775202