-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
How to configure Route to Internet (RTI)
07/19/2024 
80 People found this article helpful
484,985 Views
Description
How to configure Route to Internet (RTI)
Resolution
Overview
This article explains how to configure RTI in the Aventail Management Console (AMC).
The Route To Internet (RTI) functionality was added to the appliance to allow Connect or OnDemand Tunnel users running in redirect-all mode to access the Internet. The primary use case for this is customers that are running in redirect-all mode but still want to allow user access to the Internet via the internal network. This is accomplished by sending Internet bound traffic through the secure tunnel and then the appliance onto the internal network. Traffic destined for the Internet can then be filtered and logged internally before being allowed to the public sites.
Note: RTI does not provide the ability to specify or set an outbound proxy in the end user's browser.
RTI is only supported for appliances running in Single Gateway, Unrestricted routing mode.
Procedure
To configure RTI:
- In AMC, select Network Settings | Routing | Configure Routing.
- Click the Advanced option pull-down button.
- Select the Enable route to Internet check box.
- In the field, type the IP address of the appliance internal gateway (i.e., the first hop from the appliance internal interface to the internal network).
Set Access Control Rules
Access control rules are required to be defined that will allow users to pass through the appliance and get to the Internet. This can be accomplished in two ways:
- Define a user/group to Any Destination rule. This will allow the specified user and/or group to access any internal or external (public) destination once they authenticate successfully. There are security concerns to be examined if this kind of rule is used. It allows access to any address over the VPN reducing access controls in the internal network.
- To allow more granular access control, define IP range resources which exclude the non-routable subnets. Make sure the ranges do not include any subnets on the internal network. These IP range resources can then be grouped together in a resource group and used for Internet access rules. Other rules representing internal resources can then be used normally. This will allow the creation of access rules to internal resources as well without having to use a "Any" rule as described above.
For example, define the following IP range resources:
1.0.0.1 - 9.255.255.255
11.0.0.1 - 172.15.255.255
172.32.0.1 - 192.167.255.255
192.169.0.1 - 255.255.255.255
These resources can then be added to the access control rules to permit Internet access. Or you can create a single resource group that contains these resources and then reference only the group in the access control rule for simpler administration.
For RTI for Modes other than Single Gateway - Unrestricted:
1. Create the four resources covering the public Internet IP address range, as above.
2. Add the Access Control Rule allowing access to those resources. This creates the routes on the client side.
3. Set the community to Redirect All.
In Summary:
There are three configuration settings that allow Route To Internet:
1. For a client to send traffic to the Internet thru the VPN either of these needs to be set: (this gets the necessary routes set on the client side)
a. Redirect-All or Redirect-All-Nonlocal
b. The four IP address range resources depicted above and an ALLOW access control rule.
2. Access Control configuration on the appliance muse be either of the following:
a. The four IP address range resources (above) and an ALLOW access control rule.
b. Access control rules denying access to critical internal resources followed by an "Allow All Resources" access control rule. (Not the recommended approach for security reasons.)
3. Gateway configuration concerns on the appliance:
a. In "Single Gateway Unrestricted" mode with the RTI option enabled. The gateway to forward user traffic to the Internet must be configured.
b.In "Dual Gateway" mode, the "internal gateway" configured in System Configuration > Network Settings > Routing must be capable of routing user traffic to the Internet through the LAN.
Related Articles
- Commands for silent installation of NetExtender via CMD line
- Users on Netextender 10.3.0 version failing to connect with the following error message " Cannot get a response from the server "
- How to create a wildcard certificate to be used on the appliance
YES
NO