SD-WAN

  • 1.  Internet Split Tunnel Policy Possible?

    Posted Jul 04, 2024 09:16 AM

    We are implementing VIA for one of my customers and they had a question about using policy for split tunnel rules.  In the GUI, it appears that you can only use network IDs to determine whether or not traffic will go directly out the Internet or through the VIA VPN tunnel to the VPNC.  They would like to have all traffic going through the tunnel except for things like Microsoft updates and O365.  All normal website traffic would go through the VPN tunnel.   Based on the output below, it doesn't look like what they are asking for is possible, but I wanted to ask to be sure.



  • 2.  RE: Internet Split Tunnel Policy Possible?

    Posted Jul 04, 2024 09:54 PM

    You need to first enable split-tunneling, which is disabled by default.

    It's under L3 Authentication->VIA connection->new-profile



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Internet Split Tunnel Policy Possible?

    Posted Jul 08, 2024 03:31 AM

    Yes, I'm aware that split tunnelling needs to be enabled.  After enabling split tunnelling, is it possible to apply policies as asked in my original post, or are the rules solely network segment based?




  • 4.  RE: Internet Split Tunnel Policy Possible?

    Posted Jul 08, 2024 05:17 AM

    I think you can apply policies, which should be configured for selected applications you would like to break out locally.

    Moreover, you can add networks for tunneling in VIA tunneled networks.



    ------------------------------
    Give me a Kudo when this is useful.

    Ratchapas
    https://www.facebook.com/Aruba-News-Update-1401095559960142
    ------------------------------



  • 5.  RE: Internet Split Tunnel Policy Possible?

    Posted Jul 08, 2024 05:29 AM

    Split tunneling in VIA is network based, not application based.

    Once the traffic is tunneled to a gateway you can apply application based policies, but unless you know the IP addresses for Office 365 and Windows Update, I don't see a way to send that direct, while tunneling other traffic.

    You may have a look at the HPE Aruba Networking SSE product for a more modern approach.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Internet Split Tunnel Policy Possible?

    Posted Jul 08, 2024 05:51 AM

    Yes, it is not application-based.

    It can be customized aliases, which are static and cannot list whole Windows services IP.



    ------------------------------
    Give me a Kudo when this is useful.

    Ratchapas
    https://www.facebook.com/Aruba-News-Update-1401095559960142
    ------------------------------
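
Replies 5 and 6 note that VIA split tunneling is network based and that aliases are static. The sketch below is an added example, not part of the thread and not Aruba code: it computes the tunneled-network list that "everything except a known set of prefixes" would require. The prefixes are constructed RFC 5737 documentation ranges, and the function names and the "network netmask" output format are assumptions.

```python
import ipaddress

# Constructed sample: prefixes to send direct. RFC 5737 documentation
# ranges stand in for vendor address space, which the thread does not list.
DIRECT_PREFIXES = [
    "192.0.2.0/24",
    "198.51.100.0/25", "198.51.100.128/25",  # adjacent halves, merge to a /24
    "203.0.113.64/26",
]


def tunneled_networks(direct_prefixes):
    """Return sorted IPv4 networks covering 0.0.0.0/0 minus direct_prefixes."""
    # ip_network() rejects prefixes with host bits set, so typos fail loudly.
    direct = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in direct_prefixes))
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in direct:
        carved = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                      # wholly direct, drop it
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # split around ex
            else:
                carved.append(net)            # unaffected by this prefix
        remaining = carved
    return sorted(remaining)


def is_tunneled(address, networks):
    """True if the address falls inside any tunneled network."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def as_network_mask(networks):
    """Format networks as 'network netmask' pairs (assumed entry format)."""
    return [f"{n.network_address} {n.netmask}" for n in networks]


if __name__ == "__main__":
    nets = tunneled_networks(DIRECT_PREFIXES)
    print(len(nets), "tunneled entries for", len(DIRECT_PREFIXES), "direct prefixes")
    for line in as_network_mask(nets):
        print(line)
```

Three small direct ranges already expand to dozens of tunneled entries, and the list is a snapshot that has to be regenerated whenever the direct prefixes change.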