
Configure SSL using both Split Tunnelling and Tunnel All

TrekenTreken Newbie ✭

Hello, I hope someone might be able to help me with an SSL VPN config issue we are having.

We are using a Tz370 firewall with licensed SSL VPN users.

We have a requirement to set up a mixture of SSL VPN accounts where some users must tunnel all traffic and some must only use split tunnelling.

Reason being - those that need to tunnel all access a variety of external services that are locked down to the WAN IP that the Tz370 is set up to use. We also have other VPN users that we don't want to tunnel all, because of the heavy web traffic they use.

Now I did have this working on our Tz370 until we made some config changes to disable one of the WAN connections (it did have 2 but was changed to one) - I don't know if this was the cause of it stopping working - but it's the last change we made that we know of when it stopped working.

My understanding of how to make this work, from various posts from others online that have had similar requirements, was as follows:

SSL VPN Client settings - default device Profile - in Client routes - make sure 'WAN RemoteAccess Networks' group is added to client routes. Tunnel all mode is off

Under Device Users - VPN User Account - add the user to SSLVPN Services in groups and then add the 'WAN RemoteAccess Networks' group to the VPN Access tab along with any other subnets the VPN user needs to access.

Create an access policy for source SSLVPN -> WAN (Allow).

This did work until a recent change, but I can't even replicate the setup on a fresh Tz370 or Tz270 and I don't know what I'm doing wrong. I could restore the backup, but I should be able to set this up again somewhere else.

When the SSL VPN user is connected with the WAN RemoteAccess Networks group added to their account, as per the setup - it shows as one of the routes in the NetExtender client, but it still doesn't pass the internet through the Tz370; it remains local.

What I have been able to get working is defining a specific WAN IP object to tunnel all, but this is not practical for our requirement as there are too many to add doing it this way.

I would welcome any suggestions. Thank you

Category: SSL VPN
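The symptom in the post (the route appears in the client, yet internet traffic still leaves locally) comes down to what the client's routing table actually says once the tunnel is up. The script below is an added example, not code from the post, from SonicWall or from NetExtender: it parses routing-table lines in Linux `ip route show` format (the sample lines, the interface name `tun0` and the RFC 5737 test addresses are all constructed here, not taken from the post), decides whether the tunnel interface covers all of IPv4 ("tunnel all") or only specific prefixes ("split"), and answers, by longest-prefix match, which interface would carry traffic to a given destination. Running it against the real table on an affected client tells you whether the pushed "WAN RemoteAccess Networks" route is present and whether a default or 0.0.0.0/1 + 128.0.0.0/1 pair via the tunnel exists at all.

```python
import ipaddress
import re

# Constructed sample routing tables, modelled on `ip route show` output.
# "tun0" stands in for the VPN client's virtual adapter (an assumption).
SPLIT_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 dev tun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.0/24 dev tun0 scope link
"""

TUNNEL_ALL_ROUTES = """\
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# destination, optional next hop, and the outgoing device
ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)"
)


def parse_routes(text):
    """Return a list of (ip_network, device) tuples; unparseable lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("dev")))
    return routes


def covers_all_ipv4(nets):
    """True if the prefixes, once merged, span the whole IPv4 space.

    This catches both a plain default route and the common 0.0.0.0/1 +
    128.0.0.0/1 pair that VPN clients push to override the LAN default.
    """
    merged = ipaddress.collapse_addresses(nets)
    return sum(n.num_addresses for n in merged) == 2 ** 32


def tunnel_mode(routes, tunnel_dev):
    """Classify the table as 'tunnel-all' or 'split' for the given tunnel device."""
    tunnel_nets = [net for net, dev in routes if dev == tunnel_dev]
    return "tunnel-all" if covers_all_ipv4(tunnel_nets) else "split"


def egress_device(routes, target):
    """Longest-prefix match for target; metrics are ignored in this simplified model."""
    addr = ipaddress.ip_address(target)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def reaches_via_tunnel(routes, tunnel_dev, target):
    """Would traffic to target leave through the VPN tunnel?"""
    return egress_device(routes, target) == tunnel_dev


if __name__ == "__main__":
    for label, table in (("split", SPLIT_ROUTES), ("tunnel-all", TUNNEL_ALL_ROUTES)):
        routes = parse_routes(table)
        print(f"{label}: mode={tunnel_mode(routes, 'tun0')}")
        for dst in ("203.0.113.5", "198.51.100.7"):
            print(f"  {dst} -> {egress_device(routes, dst)}")
```

In the split sample only the two pushed prefixes go to `tun0`, so a locked-down service inside 203.0.113.0/24 is reached through the firewall's WAN IP while general internet traffic (198.51.100.7 here) stays on the local default route; in the tunnel-all sample the two /1 routes outrank the LAN default and everything egresses via the tunnel. If the real client table looks like the split case for a user who is supposed to tunnel all, the problem is on the route-push side (client routes or the user's VPN Access list), not in the SSLVPN -> WAN access rule.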

