Products
- Network Security
  - Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
  - Security ServicesComprehensive security for your network security solution
  - Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
  - Capture ATPMulti-engine advanced threat detection
  - Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
  - Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
  - Secure Mobile AccessRemote, best-in-class, secure access
  - Wireless Access PointsEasy to manage, fast and secure Wi-FI
  - SwitchesHigh-speed network switching for business connectivity
- Email Security
  - Email SecurityProtect against today’s advanced email threats
- Cloud Security
  - Cloud App SecurityVisibility and security for Cloud Apps
  - Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
  - Capture ClientStop advanced threats and rollback the damage caused by malware
  - Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
  - Product Menu Right Image
  - Capture Cloud Platform
    Capture Cloud Platform
    A security ecosystem to harness the power of the cloud
- Button Widgets
  - Products A-Z
    all products A–Z FREE TRIALS
Solutions
- Industries
- Use Cases
- Solutions Widgets
  - Solutions Content Widgets
    Federal
    Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
  - Solutions Image Widgets
Partners
- SonicWall Partners
- Partner Resources
- Partner Widgets
  - Custom HTML : Partners Content WIdgets
    Partner Portal
    Access to deal registration, MDF, sales and marketing tools, training and more
  - Partners Image Widgets
Support
- Support
- Resources
- Support Widget
  - Custom HTML : Support Content WIdgets
    Support Portal
    Find answers to your questions by searching across our knowledgebase, community, technical documentation and video tutorials
  - Support Image Widgets
COMPANY
PROMOTIONS
MANAGED SERVICES
Contact Sales

English English en

Support on SonicWall Products, Services and Solutions

Browse Knowledgebase by Category

Capture Security Center

Management and Reporting

How to configure Route to Internet (RTI)

09/14/2020 49 12431

DESCRIPTION:

How to configure Route to Internet (RTI)

RESOLUTION:

Overview

This article explains how to configure RTI in the Aventail Management Console (AMC).

The Route To Internet (RTI) functionality was added to the appliance to allow Connect or OnDemand Tunnel users running in redirect-all mode to access the Internet. The primary use case for this is customers that are running in redirect-all mode but still want to allow user access to the Internet via the internal network. This is accomplished by sending Internet bound traffic through the secure tunnel and then the appliance onto the internal network. Traffic destined for the Internet can then be filtered and logged internally before being allowed to the public sites.

Note: RTI does not provide the ability to specify or set an outbound proxy in the end user's browser.

RTI is only supported for appliances running in Single Gateway, Unrestricted routing mode.

Procedure

To configure RTI:

In AMC, select Network Settings | Routing | Configure Routing.
Click the Advanced option pull-down button.
Select the Enable route to Internet check box.
In the field, type the IP address of the appliance internal gateway (i.e., the first hop from the appliance internal interface to the internal network).

Set Access Control Rules

Access control rules are required to be defined that will allow users to pass through the appliance and get to the Internet. This can be accomplished in two ways:

Define a user/group to Any Destination rule. This will allow the specified user and/or group to access any internal or external (public) destination once they authenticate successfully. There are security concerns to be examined if this kind of rule is used. It allows access to any address over the VPN reducing access controls in the internal network.
To allow more granular access control, define IP range resources which exclude the non-routable subnets. Make sure the ranges do not include any subnets on the internal network. These IP range resources can then be grouped together in a resource group and used for Internet access rules. Other rules representing internal resources can then be used normally. This will allow the creation of access rules to internal resources as well without having to use a "Any" rule as described above.

For example, define the following IP range resources:

1.0.0.1 - 9.255.255.255
11.0.0.1 - 172.15.255.255
172.32.0.1 - 192.167.255.255
192.169.0.1 - 255.255.255.255

These resources can then be added to the access control rules to permit Internet access. Or you can create a single resource group that contains these resources and then reference only the group in the access control rule for simpler administration.

For RTI for Modes other than Single Gateway - Unrestricted:

1. Create the four resources covering the public Internet IP address range, as above.

2. Add the Access Control Rule allowing access to those resources. This creates the routes on the client side.

3. Set the community to Redirect All.

In Summary:

There are three configuration settings that allow Route To Internet:

1. For a client to send traffic to the Internet thru the VPN either of these needs to be set: (this gets the necessary routes set on the client side)

a. Redirect-All or Redirect-All-Nonlocal

b. The four IP address range resources depicted above and an ALLOW access control rule.

2. Access Control configuration on the appliance muse be either of the following:

a. The four IP address range resources (above) and an ALLOW access control rule.

b. Access control rules denying access to critical internal resources followed by an "Allow All Resources" access control rule. (Not the recommended approach for security reasons.)

3. Gateway configuration concerns on the appliance:

a. In "Single Gateway Unrestricted" mode with the RTI option enabled. The gateway to forward user traffic to the Internet must be configured.

b. In "Dual Gateway' mode the "internal gateway", configured in System Configuration > Network Settings > Routing, must be capable of routing the user traffic to the Internet thru the LAN.

Stay In Touch

Email Address*
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. You can unsubscribe at any time at Manage Subscriptions.
Country
Company
States
Dnb- ZIP
Dnb- Phone
elqCampaignId
elqTrackId
utm_campaign
utm_medium
utm_source
utm_term
utm_content
gclid
sfdc_campaign_id
DnB - Address
DnB - First Name
DnB - Last Name
DnB - Duns
DnB - Global Ult (HQ) DUNS
DnB - Global Ult (HQ) Company
DnB - Employee Count
DnB - Trade Name
DnB - Currency
DnB - Vanity Title
DnB - Country
DnB - State
DnB - Zip
DnB - City
DnB - Global Employee Count
DnB - SIC Code
DnB - SIC Description
DnB - NAICS Code
DnB - NAICS Description
DnB - Revenue
DnB - Domain
DnB - Business Phone
DnB - Company
DnB - DataSource
DnB - DMACode
DnB - EmployeeRange
DnB - Fortune1000
DnB - Fortune200
DnB - Industry
DnB - Postal Code
DnB - PrimarySIC
DnB - SubIndustry
DnB - PrimaryNAICS
DnB - StockTicker
DnB - Revenue Range
DnB - State or Province
DnB - Website
Email
This field is for validation purposes and should be left unchanged.

Capture Cloud Platform

Federal

Partner Portal

Support Portal

Capture Cloud Platform

Federal

Partner Portal

Support Portal

How to configure Route to Internet (RTI)

Overview

Procedure

For RTI for Modes other than Single Gateway - Unrestricted:

In Summary:

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Not Finding Your Answer?

Stay In Touch

How to configure Route to Internet (RTI)

Overview

Procedure

For RTI for Modes other than Single Gateway - Unrestricted:

In Summary:

Categories

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Not Finding Your Answer?

Stay In Touch