Secure Mobile Access 12.4 Administration Guide

Using the Exclusions

Starting with 12.4.1, the Resource Exclusion list is renamed Exclusions and gains the enhanced features explained below.

By default, access agents and Web browsers redirect connections through the appliance for destination resources that you have defined in AMC. The redirection differs slightly depending on the user’s means of access:

  • The tunnel access agent redirects connections through the appliance for any destination resource that the user is permitted to access.

  • A Web browser redirects to the appliance all destination resources that have been defined in AMC; if the user does not have access, a “permission denied” Web page is displayed.

Use the Exclusions page to configure exclusions that prevent host names, IP addresses, subnets, IP ranges, or domains from being redirected to the appliance. To use an exclusion in a Community, configure the community's Tunnel Access settings to use one or more exclusions. Exclusions configured for a community apply to both tunnel sessions and browser sessions.

When using Split Tunnel redirection mode, access agents and browsers will redirect connections to the appliance only for destination resources you've defined. Exclusions do not affect access control or security. To disallow access to a particular resource, create a deny rule for it.

There may, however, be resources that you don’t want redirected through the appliance. For example, a user starts Outlook Web Access through the appliance and reads an email message with a link to a public site that is within a domain resource configured on the appliance. The traffic generated by following that link would be sent through the appliance. You can prevent this by specifying the public resource in the exclusion list.

Use the exclusions to prevent any resource (including host names, IP addresses, or domains) from being redirected through the appliance. When specifying a domain, you can also use the wildcard characters asterisk (*) and question mark (?). This list is global and applies to all access services.

Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain entries that contain wildcards to an IP address, and therefore cannot redirect them to the appliance.

For Mobile Connect, you should therefore also define the corresponding IP address, IP range, or subnet in the exclusion that contains the wildcard entry.

To see which resources are configured to be redirected through the appliance, click the Show network redirection list link. This displays the Redirection List page.

To delete a resource from the exclusions, select its checkbox and then click the Delete icon.

If you exclude a resource by specifying its fully qualified domain name (FQDN), users who connect to WorkPlace from a realm that provides access using translated Web mode can still access the resource if they type its unqualified domain name in the WorkPlace Intranet Address field.

If you create a Domain resource in AMC (for example, win.yourcompany.com) and you exclude a resource from that domain using its IP address (10.20.30.40), the resource can still be accessed using its FQDN (server.win.yourcompany.com). This caution applies only to agents that use the Web proxy service, not to the tunnel clients.

To add a resource to the exclusions

  1. In the AMC, navigate to Security Administration > Resources.

  2. Click the Exclusions tab.

  3. Click + (new) icon.

    The Add Exclusion page displays.

  4. (Optional) Enter a description for the exclusion.

  5. In the Values field, enter the host names, IP addresses, subnets, IP ranges, or domains that you want to exclude from being redirected through the appliance. Wildcard characters (* and ?) are permitted.

    Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain entries that contain wildcards to an IP address, and therefore cannot redirect them to the appliance. For Mobile Connect, also define the corresponding IP address, IP range, or subnet in the same exclusion.

    For example, if you have three public web servers (www.YourCompany.com, www2.YourCompany.com, and www3.YourCompany.com), you can let their traffic bypass the appliance, which improves performance, by adding all three to the Exclusions with a single wildcard entry: www*.YourCompany.com. Entries can also contain variables; see Using Variables in Resource and WorkPlace Shortcut Definitions for more information.

    When an earlier SMA version that contains a Resource Exclusion List is migrated to 12.4.1:

    • All entries in the Resource Exclusion List migrate to a single exclusion named Split Tunnel.
    • All Split Tunnel communities use this exclusion named Split Tunnel.
    • For Redirect All communities, exclusions are not migrated, which may affect browser-only sessions.

  6. Click Save.
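The following Python is an added example, not SonicWall's code, that models the Split Tunnel decision this page describes: a destination is redirected only if it is a defined resource and no exclusion covers it. It uses the entry syntax from the guide (host name, domain, wildcard domain with * and ?, IP address, CIDR subnet, start-end IP range). The matching rules, the client types, the inline DNS table and the sample entries are assumptions constructed for illustration; they let you see the two caveats above in action, namely that a Web proxy client matches an FQDN by name (so an IP-based exclusion does not cover it) and that Mobile Connect cannot use wildcard entries unless the matching IP range or subnet is also present.

```python
"""Illustrative model of the Split Tunnel redirection decision.

Added example code, not SonicWall's implementation.  Entry syntax follows the
admin guide; matching rules, client types and the DNS table are assumptions.
"""

import fnmatch
import ipaddress


def _parse_ip_entry(entry):
    """Parse an IP, CIDR subnet, or start-end range; return None for a name entry."""
    try:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return (lo, hi)
        return ipaddress.ip_network(entry, strict=False)  # a bare IP becomes a /32
    except ValueError:
        return None  # not an IP form, so treat it as a host/domain entry


class ResourceList:
    """A redirection list or an exclusion: a set of entries to match against."""

    def __init__(self, entries):
        self.ip_entries, self.name_entries = [], []
        for e in entries:
            parsed = _parse_ip_entry(e)
            if parsed is None:
                self.name_entries.append(e.lower())
            else:
                self.ip_entries.append(parsed)

    def matches_ip(self, ip):
        addr = ipaddress.ip_address(ip)
        for e in self.ip_entries:
            if isinstance(e, tuple):  # start-end range
                if e[0].version == addr.version and e[0] <= addr <= e[1]:
                    return True
            elif addr in e:           # single IP or subnet
                return True
        return False

    def matches_name(self, host, allow_wildcards=True):
        """A plain entry matches itself and its subdomains (domain semantics,
        an assumption); a wildcard entry uses glob rules.  Mobile Connect
        cannot use wildcard entries, so callers may disable them."""
        host = host.lower()
        for pat in self.name_entries:
            if "*" in pat or "?" in pat:
                if allow_wildcards and fnmatch.fnmatchcase(host, pat):
                    return True
            elif host == pat or host.endswith("." + pat):
                return True
        return False


def _is_ip(dest):
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def is_redirected(dest, resources, exclusions, client="tunnel", dns=None):
    """Return True if traffic to dest is sent through the appliance.

    client is "tunnel", "browser" (Web proxy) or "mobile_connect" (assumed
    labels).  dns is a constructed host->IP table standing in for the
    client's resolver.  Exclusions only choose the path; denying access
    still requires a deny rule.
    """
    dns = dns or {}
    wildcards_ok = client != "mobile_connect"
    if _is_ip(dest):
        return resources.matches_ip(dest) and not exclusions.matches_ip(dest)

    # Name-based destination.  The Web proxy matches the name only, so an
    # exclusion given as an IP address does not cover the FQDN (the caveat
    # in the guide).  Tunnel-type clients resolve the name and also honour
    # IP-based entries.
    resource = resources.matches_name(dest, wildcards_ok)
    excluded = exclusions.matches_name(dest, wildcards_ok)
    if client in ("tunnel", "mobile_connect") and dest in dns:
        ip = dns[dest]
        resource = resource or resources.matches_ip(ip)
        excluded = excluded or exclusions.matches_ip(ip)
    return resource and not excluded


# Constructed sample configuration, not taken from any real deployment.
RESOURCES = ResourceList(["win.yourcompany.com", "yourcompany.com", "10.20.0.0/16"])
EXCLUSIONS = ResourceList(["www*.yourcompany.com", "10.20.30.40", "203.0.113.0/24"])
DNS = {"server.win.yourcompany.com": "10.20.30.40",
       "www2.yourcompany.com": "203.0.113.12"}

if __name__ == "__main__":
    for dest, client in [("server.win.yourcompany.com", "browser"),
                         ("server.win.yourcompany.com", "tunnel"),
                         ("www2.yourcompany.com", "mobile_connect")]:
        print(dest, client, is_redirected(dest, RESOURCES, EXCLUSIONS, client, DNS))
```

With the sample entries, server.win.yourcompany.com is still redirected for a browser client even though its IP 10.20.30.40 is excluded, while the tunnel client resolves it and sends it directly; www2.yourcompany.com is excluded for Mobile Connect only because 203.0.113.0/24 sits next to the www* wildcard entry.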
