Scott Hubbard

asked on

Split Tunnel VPN with static routes through office for external resources

Hello All,
We currently implement VPN via Sonicwall NetExtender and RRAS. We would ideally like to use split tunnelling to protect the bandwidth at the offices. We have no problem with split tunnelling as the internet is just open in the offices anyway (don't ask!) so allowing users to go straight to the web is preferable.
We do have one large problem. Our intranet is on a public platform (Amazon AWS) on a public IP, with access locked down to the office IPs. There are going to be other services like this.
What we would like to do is split tunnel VPN with routes to these services via static routes through the office. Sonicwall has removed this option as you can no longer add a WAN address object in client routes (a support call has confirmed this), and RRAS won't work because none of the static routes get published to the clients (as tested).
Does anyone know if there is another way this can be achieved? Or if there are any other VPN vendors out there that would support this?
J Spoor

I am surprised to hear about that restriction of WAN routes...

I do know this is still supported and functional on both of SonicWall's SMA lines.
Scott Hubbard

ASKER

Yeah, the issue is that you have to publish client routes and then grant permissions over where a user can go. When setting up these routes, no address objects in the WAN zone appear. They can be added to an address group and the group then applied to the client routes, but the moment you then modify the group the WAN objects disappear, basically rendering it impossible to publish a client route to a WAN zone object. This limitation wasn't there on earlier firmware versions; we are running an NSA 3600 on firmware 6.2.5.1-26.
SOLUTION
J Spoor

This solution is only available to members.
Thanks for your input on this J Spoor. I will definitely look at the SMA series, the virtual appliance looks of particular interest, do you think they are any good?
I guess my biggest concern with going for another SonicWALL device is that they may also remove this feature from the SMA series, and if this is the case then we have another device at more expense with the same problem. Do you know if this would be achievable any other way with our existing system (SonicWALL firewall or RRAS)?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thanks for your help sir, much appreciated. Looks like I'll be playing with the SMA series then!