Contributor II
Posts: 75
Registered: ‎05-06-2014

Is split-tunneling, within the VIA connection profile, configurable?

Greetings all,

The split-tunneling command within the VIA connection profile appears to be all one or the other - either on or off. Is there any way of configuring this, so that (for instance), using some kind of ACL, a VIA user could print to the printer on their (home/local) network directly? Obviously this would have to take into account local IP addressing, which would be outside of central admin control/knowledge and non-unique across the enterprise...

I'm wondering if a) this could be done with the AOS / VIA config itself or whether it could be/would need to be 'hacked' by manipulation of the local PC's routing table, outside of the AOS / VIA process? The latter doesn't sound very easily repeatable for a large enterprise...

BTW - it doesn't seem there's a natural board, within Airheads, for VIA enquiries - where do people usually post them?

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Is split-tunneling, within the VIA connection profile, configurable?

The split tunneling on VIA can only be configured by network, NOT by protocols.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: Is split-tunneling, within the VIA connection profile, configurable?

Thanks for replying Colin - are you able to point out where this functionality is covered in the documentation?

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Is split-tunneling, within the VIA connection profile, configurable?

In the VIA VRD here: http://community.arubanetworks.com/t5/Validated-Reference-Design/Virtual-Intranet-Access-VIA/ta-p/155614


Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: Is split-tunneling, within the VIA connection profile, configurable?

Fantastic - so, from that, I glean the following:

As you have to nominate the networks TO tunnel, the most security-conscious will want to configure 0.0.0.0/0 (tunnel everything) - but this clearly allows no local (print) traffic. If you want local traffic to stay local, in an ideal world you'd want the ability to nominate just specific RFC1918 addresses (most likely, 192.168.0.0 255.255.0.0) to stay local - but it appears you can only do that by exception (i.e. define specific tunneling for everything excluding 192.68.0.0/16). This is OK - if a little more complex - but what happens if you have a corporate service that lies on the main network and uses an address within 192.168? Can you use NAT to handle this, from within the VIA config? It would seem to be a potentially complex area, possibly requiring per-user config? (which is really horrible, for a big client base)
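
The "tunnel by exception" list discussed in the post above, worked through as an added example (not part of the original thread and not Aruba's own tooling or VIA syntax). The corporate subnet 192.168.50.0/24 and the home LANs are constructed values, and the function names are hypothetical.

```python
import ipaddress

def tunnel_networks(keep_local, corporate_inside_local=()):
    """Networks to tunnel: everything except keep_local, plus any
    corporate subnets that sit inside keep_local."""
    local = ipaddress.ip_network(keep_local)
    everything = ipaddress.ip_network("0.0.0.0/0")
    # address_exclude() yields the minimal CIDR blocks covering 0/0 minus local
    nets = list(everything.address_exclude(local))
    for subnet in corporate_inside_local:
        corp = ipaddress.ip_network(subnet)
        if not corp.subnet_of(local):
            raise ValueError(f"{corp} is outside {local}; it is already tunneled")
        nets.append(corp)
    return sorted(ipaddress.collapse_addresses(nets))

def is_tunneled(address, nets):
    """True if the address falls in any nominated tunnel network."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)

def home_lan_collides(home_lan, corporate_inside_local):
    """True if a user's home LAN overlaps a tunneled corporate subnet,
    in which case their local printer would be unreachable."""
    home = ipaddress.ip_network(home_lan)
    return any(home.overlaps(ipaddress.ip_network(s))
               for s in corporate_inside_local)

if __name__ == "__main__":
    CORP = ["192.168.50.0/24"]  # constructed corporate subnet inside 192.168/16
    nets = tunnel_networks("192.168.0.0/16", CORP)
    for net in nets:
        # same address/mask notation the post uses
        print(net.network_address, net.netmask)
    print("home printer 192.168.1.10 tunneled:", is_tunneled("192.168.1.10", nets))
    print("corp host 192.168.50.5 tunneled:", is_tunneled("192.168.50.5", nets))
    # constructed home LANs: the second one clashes with the corporate subnet
    for lan in ("192.168.1.0/24", "192.168.50.0/24"):
        print(lan, "collides:", home_lan_collides(lan, CORP))
```
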
