16.0 Configuring Full Tunneling

When you configure SSL VPN for full tunneling, all traffic to the protected network as well as the public network passes through the tunnel, thereby making the SSL VPN connection more secure. Any session management information between the client and the Identity Server, Linux Access Gateway (for traditional SSL VPN), and the SSL VPN server is exchanged outside the SSL VPN tunnel. You can configure full tunneling for both Kiosk mode as well as Enterprise mode.

Novell® SSL VPN is configured for split tunneling by default. This means that only the traffic that is enabled to go through the protected network, such as items meant for the corporate network, goes through the VPN tunnel. Traffic to public networks does not go through the tunnel. However, if you want all traffic in the client machine to go through the tunnel, you must configure SSL VPN for full tunneling.

You must configure policies for both split tunneling and full tunneling in your organization in order to permit access to specific internal hosts as well as prevent a hacker from controlling the machine via a connection external to the tunnel. The split tunneling policies must be ordered at the top and the full tunneling policy must be placed as the last policy.

To configure a policy for full tunneling:

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

  2. Create a new traffic policy. For more information on adding a new traffic policy, see Section 14.3, Configuring Traffic Policies.

  3. Click the newly added traffic policy. The Edit Traffic Policy page is displayed.

  4. Configure the following fields:

    Destination Network: Specify 0.0.0.0 as the destination network IP address.

    Network Mask: Specify 0.0.0.0 as the network mask.

    Action: Select Encrypt to allow the service in encrypted form.

    Leave the default values in the other fields unchanged.

  5. Click OK to save changes. You are prompted to configure the IP address or DNS name of the Identity Server, and the Linux Access Gateway if you have traditional SSL VPN.

  6. Click OK.

  7. Select Gateway Configuration from the Basic Gateway Configuration section.

    The SSL VPN Gateway Basic Configuration page is displayed.

  8. Specify the following information in the Other Configuration section:

    Identity Provider Address: Specify the IP addresses or the DNS name of the Identity Server.

    Access Gateway Address: Specify the IP address or DNS name of the Access Gateway if your server is accelerated by the Access Gateway. This field is not present if you have installed the ESP-enabled SSL VPN.

  9. To save your modifications, click OK, then click Update on the Configuration page.
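
The ordering rule stated earlier (split tunneling policies at the top, the 0.0.0.0/0.0.0.0 full tunneling policy last) can be checked against an exported policy list before it is applied. The following Python script is an added example, not Novell code or part of the product; the policy names, the sample networks, and the first-match evaluation model are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: ordered (name, destination network, network mask, action).
# Names and networks are hypothetical; the full tunneling entry is misplaced on purpose.
SAMPLE_POLICIES = [
    ("intranet-web", "10.1.0.0", "255.255.0.0", "Encrypt"),
    ("full-tunnel", "0.0.0.0", "0.0.0.0", "Encrypt"),
    ("hr-db", "10.2.5.0", "255.255.255.0", "Encrypt"),
]

def to_network(dest, mask):
    """Combine the Destination Network and Network Mask fields into one network."""
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False)

def is_full_tunnel(policy):
    """True for the catch-all policy from step 4 (0.0.0.0 with mask 0.0.0.0)."""
    return to_network(policy[1], policy[2]).prefixlen == 0

def audit_policy_order(policies):
    """Return findings where a full tunneling policy is missing or not last."""
    findings = []
    positions = [i for i, p in enumerate(policies) if is_full_tunnel(p)]
    if not positions:
        findings.append("no full tunneling policy (0.0.0.0/0.0.0.0) present")
    for i in positions:
        if i != len(policies) - 1:
            later = ", ".join(p[0] for p in policies[i + 1:])
            findings.append(f"'{policies[i][0]}' is not last; it precedes: {later}")
    return findings

def first_match(policies, dest_ip):
    """Assumed model: the first policy whose network covers dest_ip applies."""
    addr = ipaddress.ip_address(dest_ip)
    for policy in policies:
        if addr in to_network(policy[1], policy[2]):
            return policy[0]
    return None

def move_full_tunnel_last(policies):
    """Keep split tunneling policies in order and place the catch-all at the end."""
    split = [p for p in policies if not is_full_tunnel(p)]
    return split + [p for p in policies if is_full_tunnel(p)]

if __name__ == "__main__":
    for finding in audit_policy_order(SAMPLE_POLICIES):
        print("FINDING:", finding)
    fixed = move_full_tunnel_last(SAMPLE_POLICIES)
    print("corrected order:", [p[0] for p in fixed])
```

Under the assumed first-match model, the misplaced catch-all in the sample captures traffic for 10.2.5.7 before the more specific policy is reached; after reordering, the specific policy matches and only remaining traffic falls to the full tunneling policy.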