The split-tunneling command within the VIA connection profile appears to be all one or the other - either on or off. Is there any way of configuring this, so that (for instance), using some kind of ACL, a VIA user could print to the printer on their (home/local) network directly? Obviously this would have to take into account local IP addressing, which would be outside of central admin control/knowledge and non-unique across the enterprise...
I'm wondering if a) this could be done with the AOS / VIA config itself or whether it could be/would need to be 'hacked' by manipulation of the local PC's routing table, outside of the AOS / VIA process..? The latter doesn't sound very easily repeatable, for a large enterprise...
BTW - it doesn't seem there's a natural board, within Airheads, for VIA enquiries - where do people usually post them?
The split tunneling on VIA can only be configured by network, NOT by protocols.
In the VIA VRD here: https://community.arubanetworks.com/t5/Validated-Reference-Design/Virtual-Intranet-Access-VIA/ta-p/510246
Thanks for replying Colin - are you able to point out where this functionality is covered in the documentation?
Can I get access to view the VRD?
The page shows "You do not have sufficient privileges for this resource or its parent to perform this action.".
Fantastic - so, from that, I glean the following:
As you have to nominate the networks TO tunnel, the most security-conscious will want to configure 0.0.0.0/0 (tunnel everything) - but this clearly allows no local (print) traffic. If you want local traffic to stay local, in an ideal world you'd want the ability to nominate just specific RFC1918 addresses (most likely, 192.168.0.0 255.255.0.0) to stay local - but it appears you can only do that by exception (i.e. define specific tunneling for everything excluding 220.127.116.11/16). This is OK - if a little more complex - but what happens if you have a corporate service that lies on the main network and uses an address within 192.168? Can you use NAT to handle this, from within the VIA config? It would seem to be a potentially complex area, possibly requiring per-user config? (which is really horrible, for a big client base)
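The "tunnel by exception" list discussed above can be computed rather than typed by hand. The following is an added example, not part of the original thread and not Aruba configuration syntax: it derives the set of networks to tunnel when 192.168.0.0/16 is to stay local, and shows what happens when a corporate subnet inside that range is added back. The corporate subnet 192.168.50.0/24 and the function names are assumptions made for illustration.

```python
import ipaddress

def tunnel_all_except(local_nets, corporate_nets=()):
    """Networks to tunnel: 0.0.0.0/0 minus local_nets, plus any
    corporate_nets that must still be tunneled despite the exclusion."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for excl in map(ipaddress.ip_network, local_nets):
        kept = []
        for net in remaining:
            if net.subnet_of(excl):
                continue                      # wholly inside the exclusion
            if excl.subnet_of(net):
                kept.extend(net.address_exclude(excl))  # split around it
            else:
                kept.append(net)
        remaining = kept
    remaining.extend(ipaddress.ip_network(c) for c in corporate_nets)
    return list(ipaddress.collapse_addresses(remaining))

def is_tunneled(addr, routes):
    """True if addr falls inside any tunneled network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in routes)

def home_lan_conflicts(home_lan, routes):
    """Tunneled networks that overlap a user's home LAN (printing breaks)."""
    lan = ipaddress.ip_network(home_lan)
    return [net for net in routes if net.overlaps(lan)]

if __name__ == "__main__":
    # Everything except 192.168.0.0/16 expands to 16 prefixes.
    routes = tunnel_all_except(["192.168.0.0/16"])
    for net in routes:
        print(net)
    # Constructed corporate subnet that lives inside 192.168.0.0/16.
    routes = tunnel_all_except(["192.168.0.0/16"], ["192.168.50.0/24"])
    # A home LAN on the same /24 now collides with the tunneled range.
    print(home_lan_conflicts("192.168.50.0/24", routes))
    print(home_lan_conflicts("192.168.1.0/24", routes))
```

Because home addressing is not unique across users, the overlap check has to be run per home LAN; any corporate subnet carved back out of 192.168.0.0/16 will take local traffic with it for users whose home network uses the same range.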