How to configure Route to Internet (RTI)

How to configure Route to Internet (RTI)

Overview

This article explains how to configure RTI in the Aventail Management Console (AMC).

The Route To Internet (RTI) functionality was added to the appliance to allow Connect or OnDemand Tunnel users running in redirect-all mode to access the Internet. The primary use case for this is customers that are running in redirect-all mode but still want to allow user access to the Internet via the internal network. This is accomplished by sending Internet bound traffic through the secure tunnel and then the appliance onto the internal network. Traffic destined for the Internet can then be filtered and logged internally before being allowed to the public sites.

Note: RTI does not provide the ability to specify or set an outbound proxy in the end user's browser.

RTI is only supported for appliances running in Single Gateway, Unrestricted routing mode.   

Procedure

To configure RTI:

1. In AMC, select Network Settings | Routing | Configure Routing.
2. Click the Advanced option pull-down button.
3. Select the Enable route to Internet check box.
4. In the field, type the IP address of the appliance internal gateway (i.e., the first hop from the appliance internal interface to the internal network).

Set Access Control Rules

Access control rules are required to be defined that will allow users to pass through the appliance and get to the Internet. This can be accomplished in two ways:

1. Define a user/group to Any Destination rule. This will allow the specified user and/or group to access any internal or external (public) destination once they authenticate successfully. There are security concerns to be examined if this kind of rule is used. It allows access to any address over the VPN reducing access controls in the internal network.  
2. To allow more granular access control, define IP range resources which exclude the non-routable subnets. Make sure the ranges do not include any subnets on the internal network. These IP range resources can then be grouped together in a resource group and used for Internet access rules. Other rules representing internal resources can then be used normally. This will allow the creation of access rules to internal resources as well without having to use a "Any" rule as described above.
   
   For example, define the following IP range resources:
   
   1.0.0.1 - 9.255.255.255
   11.0.0.1 - 172.15.255.255
   172.32.0.1 - 192.167.255.255
   192.169.0.1 - 255.255.255.255
   
   These resources can then be added to the access control rules to permit Internet access. Or you can create a single resource group that contains these resources and then reference only the group in the access control rule for simpler administration.

For RTI for Modes other than Single Gateway - Unrestricted:

1. Create the four resources covering the public Internet IP address range, as above. 

2. Add the Access Control Rule allowing access to those resources. This creates the routes on the client side. 

3. Set the community to Redirect All.  

In Summary:

There are three configuration settings that allow Route To Internet: 

1.  For a client to send traffic to the Internet thru the VPN either of these needs to be set:  (this gets the necessary routes set on the client side) 

a. Redirect-All or Redirect-All-Nonlocal 

b. The four IP address range resources depicted above and an ALLOW access control rule. 

2. Access Control configuration on the appliance muse be either of the following:  

a. The four IP address range resources (above) and an ALLOW access control rule. 

b. Access control rules denying access to critical internal resources followed by an "Allow All Resources" access control rule. (Not the recommended approach for security reasons.) 

3. Gateway configuration concerns on the appliance: 

a. In "Single Gateway Unrestricted" mode with the RTI option enabled.  The gateway to forward user traffic to the Internet must be configured. 

b.In "Dual Gateway" mode, the "internal gateway" configured in System Configuration > Network Settings > Routing must be capable of routing user traffic to the Internet through the LAN.