- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How to configure Route to Internet (RTI)
09/14/2020 
54 People found this article helpful
100,369 Views
Description
How to configure Route to Internet (RTI)
Resolution
Overview
This article explains how to configure RTI in the Aventail Management Console (AMC).
The Route To Internet (RTI) functionality was added to the appliance to allow Connect or OnDemand Tunnel users running in redirect-all mode to access the Internet. The primary use case for this is customers that are running in redirect-all mode but still want to allow user access to the Internet via the internal network. This is accomplished by sending Internet bound traffic through the secure tunnel and then the appliance onto the internal network. Traffic destined for the Internet can then be filtered and logged internally before being allowed to the public sites.
Note: RTI does not provide the ability to specify or set an outbound proxy in the end user's browser.
RTI is only supported for appliances running in Single Gateway, Unrestricted routing mode.
Procedure
To configure RTI:
- In AMC, select Network Settings | Routing | Configure Routing.
- Click the Advanced option pull-down button.
- Select the Enable route to Internet check box.
- In the field, type the IP address of the appliance internal gateway (i.e., the first hop from the appliance internal interface to the internal network).
Set Access Control Rules
Access control rules are required to be defined that will allow users to pass through the appliance and get to the Internet. This can be accomplished in two ways:
- Define a user/group to Any Destination rule. This will allow the specified user and/or group to access any internal or external (public) destination once they authenticate successfully. There are security concerns to be examined if this kind of rule is used. It allows access to any address over the VPN reducing access controls in the internal network.
- To allow more granular access control, define IP range resources which exclude the non-routable subnets. Make sure the ranges do not include any subnets on the internal network. These IP range resources can then be grouped together in a resource group and used for Internet access rules. Other rules representing internal resources can then be used normally. This will allow the creation of access rules to internal resources as well without having to use a "Any" rule as described above.
For example, define the following IP range resources:
1.0.0.1 - 9.255.255.255
11.0.0.1 - 172.15.255.255
172.32.0.1 - 192.167.255.255
192.169.0.1 - 255.255.255.255
These resources can then be added to the access control rules to permit Internet access. Or you can create a single resource group that contains these resources and then reference only the group in the access control rule for simpler administration.
For RTI for Modes other than Single Gateway - Unrestricted:
1. Create the four resources covering the public Internet IP address range, as above.
2. Add the Access Control Rule allowing access to those resources. This creates the routes on the client side.
3. Set the community to Redirect All.
In Summary:
There are three configuration settings that allow Route To Internet:
1. For a client to send traffic to the Internet thru the VPN either of these needs to be set: (this gets the necessary routes set on the client side)
a. Redirect-All or Redirect-All-Nonlocal
b. The four IP address range resources depicted above and an ALLOW access control rule.
2. Access Control configuration on the appliance muse be either of the following:
a. The four IP address range resources (above) and an ALLOW access control rule.
b. Access control rules denying access to critical internal resources followed by an "Allow All Resources" access control rule. (Not the recommended approach for security reasons.)
3. Gateway configuration concerns on the appliance:
a. In "Single Gateway Unrestricted" mode with the RTI option enabled. The gateway to forward user traffic to the Internet must be configured.
b. In "Dual Gateway' mode the "internal gateway", configured in System Configuration > Network Settings > Routing, must be capable of routing the user traffic to the Internet thru the LAN.
Related Articles
- SMA100: NetExtender support for Windows ARM-based processors is not available on Windows platforms, use Mobile Connect until Ver-10.2.2 Release
- SMA100 Series: Maximum number of Un-authenticated Connections that each of the Product Supports.
- Configuring Device Management based on Device ID for SMA 100
YES
NO