3.4 Configuring Full Tunneling

Novell SSL VPN is configured for split tunneling by default. With split tunneling, only traffic destined for the protected (corporate) network goes through the VPN tunnel; traffic to public networks leaves the client directly, outside the tunnel. If you want all traffic from the client machine to go through the tunnel, you must configure SSL VPN for full tunneling.

When you configure SSL VPN for full tunneling, all traffic, to the protected network and to the public network alike, passes through the tunnel, so the client has no direct, unprotected path to the Internet while the VPN session is active. Session management traffic between the client and the Identity Server, the Linux Access Gateway (for Traditional SSL VPN), and the SSL VPN server is still exchanged outside the tunnel, which is why the addresses of those servers must be configured separately (the Identity Provider Address and Access Gateway Address fields described below). You can configure full tunneling for both Kiosk mode and Enterprise mode.

You must configure traffic policies for both split tunneling and full tunneling. The split tunneling policies permit or deny access to specific internal hosts; the full tunneling policy catches everything else, so that an attacker cannot control the machine over a connection that bypasses the tunnel. Because policies are evaluated from the top of the list, the specific split tunneling policies must be ordered at the top of the policy list and the full tunneling policy (destination 0.0.0.0) must be placed as the last policy. If the full tunneling policy is placed first, it matches all traffic and the more specific policies below it never take effect.

3.4.1 Creating a Full Tunneling Policy

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

  2. Click New to create a new traffic policy.

  3. Specify a name for the traffic policy.

  4. Select Enable Full Tunneling.

  5. Select Encrypt to allow the service in encrypted form or select Deny to deny services.

  6. Click OK.

  7. Select Gateway Configuration from the Basic Gateway Configuration section.

  8. Specify the following information in the Other Configuration section:

    Identity Provider Address: Specify the public IP address or the public DNS name of the Identity Server if you are configuring SSL VPN for the full tunneling mode. This configuration is required to split the management traffic from the tunneled traffic.

    Access Gateway Address: Specify the IP address or DNS name of the Access Gateway if your server is accelerated by the Access Gateway. This field is not present if you have installed the ESP-enabled SSL VPN. This configuration is required to split the management traffic from the tunneled traffic.

    NOTE: If you specify a DNS name instead of an IP address, this server requires a split DNS, so that the name resolves to the public address the client must reach outside the tunnel.

  9. To save your modifications, click OK, then click Update on the Configuration page.

3.4.2 Modifying Existing Traffic Policies for Full Tunneling

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

  2. Click the traffic policy that you want to modify. The Edit Traffic Policy page is displayed.

  3. Configure the following fields:

    Destination Network: Specify 0.0.0.0 as the destination network IP address.

    Action: Select Encrypt to allow the service in encrypted form or select Deny to deny services.

    Leave the default values in the other fields unchanged.

  4. Click OK to save your changes.

    If you are using Traditional SSL VPN, you are prompted to configure the IP address or DNS name of the Identity Server, and the Linux Access Gateway.

  5. Click OK.

  6. Select Gateway Configuration from the Basic Gateway Configuration section.

  7. Specify the following information in the Other Configuration section:

    Identity Provider Address: Specify the public IP address or the public DNS name of the Identity Server if you are configuring SSL VPN for the full tunneling mode. This configuration is required to split the management traffic from the tunneled traffic.

    Access Gateway Address: Specify the IP address or DNS name of the Access Gateway if your server is accelerated by the Access Gateway. This field is not present if you have installed the ESP-enabled SSL VPN. This configuration is required to split the management traffic from the tunneled traffic.

  8. To save your modifications, click OK, then click Update on the Configuration page.
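The following is an added example, not part of the Novell documentation or the SSL VPN product: a small Python model of how an ordered traffic policy list behaves once the full tunneling policy from the procedures above (destination 0.0.0.0, action Encrypt) is added, and why the management addresses entered under Other Configuration are kept outside the tunnel. It assumes top-down, first-match evaluation and a /0 mask on the 0.0.0.0 destination; the policy names and the 10.x and 203.0.113.x addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficPolicy:
    name: str
    destination: str  # destination network in CIDR form
    action: str       # "Encrypt" or "Deny", as on the Edit Traffic Policy page


# Constructed management endpoints: the Identity Server and Access Gateway
# addresses entered under Other Configuration. Session traffic to these is
# split from the tunnel, so it is exempt from the traffic policies.
MANAGEMENT_HOSTS = frozenset({"203.0.113.10", "203.0.113.20"})

# Constructed policy lists. "0.0.0.0/0" models the full-tunneling policy the
# procedure creates with destination 0.0.0.0; the /0 mask is an assumption.
GOOD_ORDER = [
    TrafficPolicy("deny-finance-db", "10.10.5.0/24", "Deny"),
    TrafficPolicy("intranet", "10.0.0.0/8", "Encrypt"),
    TrafficPolicy("full-tunnel", "0.0.0.0/0", "Encrypt"),
]
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]  # catch-all first
SPLIT_ONLY = GOOD_ORDER[:2]                                # no full tunneling


def classify(dst_ip, policies, management_hosts=MANAGEMENT_HOSTS):
    """Decide what happens to a packet for dst_ip under an ordered policy list.

    Returns (verdict, policy_name): verdict is "bypass" (sent outside the
    tunnel), "encrypt" (tunneled) or "deny" (dropped). Assumption: policies
    are evaluated top-down and the first matching destination wins.
    """
    ip = ipaddress.ip_address(dst_ip)
    if str(ip) in management_hosts:
        # Identity Server / Access Gateway session traffic stays outside.
        return ("bypass", None)
    for policy in policies:
        if ip in ipaddress.ip_network(policy.destination, strict=False):
            return (policy.action.lower(), policy.name)
    # Nothing matched: with split tunneling alone it leaves unprotected.
    return ("bypass", None)


def lint_policy_order(policies):
    """Report a full-tunneling (/0) policy that is not last: every policy
    after it is shadowed and can never match."""
    problems = []
    for index, policy in enumerate(policies):
        net = ipaddress.ip_network(policy.destination, strict=False)
        if net.prefixlen == 0 and index != len(policies) - 1:
            shadowed = [p.name for p in policies[index + 1:]]
            problems.append(f"{policy.name} is not last; it shadows {shadowed}")
    return problems


if __name__ == "__main__":
    for label, policies in (("good", GOOD_ORDER), ("bad", BAD_ORDER),
                            ("split", SPLIT_ONLY)):
        print(label, lint_policy_order(policies))
        for dst in ("10.10.5.7", "10.20.0.4", "198.51.100.9", "203.0.113.10"):
            print("  ", dst, classify(dst, policies))
```

With GOOD_ORDER, the finance subnet is denied, other intranet hosts and all public destinations are tunneled, and the Identity Server address is bypassed. With BAD_ORDER the same finance destination is silently encrypted through the tunnel instead of denied, which is the misconfiguration the ordering rule exists to prevent; lint_policy_order flags it. SPLIT_ONLY shows the default behaviour the section starts from: public destinations leave the client unprotected.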