Choosing a Network Gateway Option
When configuring network gateways in a dual-homed environment, you can choose among four routing modes:
Dual gateway
Single gateway, restricted
Single gateway, unrestricted
No gateway
Use these scenarios to help you decide which option is best for your needs:
Scenario 1: Using an Internal and Internet Router
If you have an internal router as well as an Internet router, use the Dual gateway option. You can leverage your
internal router to access your internal resources.
Company A has resources and a number of subnets on their internal network, and they already have a robust
routing system in place. With the dual gateway routing mode on the appliance, client requests destined for
internal resources on the corporate network can be delivered to an internal router. See the image below.
Internal and internet router usage
Scenario 2: Managing Client Requests with Static Routes
If you’re not using an internal router, or prefer managing routing on the appliance, use the Single gateway, restricted option. In this scenario you must define static routes for all of your client requests. Client requests
without a static route will be discarded by the appliance. This option requires more effort, but allows greater
control over inbound traffic.
Company B does not use a lot of internal resources, and prefers to manage its routing information on the
appliance. They create a static route for each resource to which their VPN users should have access. If a VPN
user attempts to reach an address that is not defined within the appliance’s routing table, then the traffic is
discarded. See the image below.
Managing client requests with static routes
Scenario 3: Returning Client Requests to a Specified Gateway
With the Single gateway, unrestricted option, the appliance delivers all client requests that do not match a
static route to the gateway that you specify (on either the internal or external interface of the appliance). This
option is less secure because it could allow traffic to pass to your Internet router and out of your network,
depending on the filtering and routing policies of your infrastructure. This configuration is also more difficult to
Like company B, company C prefers to manage its routing information on the appliance and has created static
routes for each resource to which VPN users need access. However, some users in this organization also need
access to Internet resources, and this traffic must be redirected from the appliance. For example, a company’s
users might need to access a public Web server that requires pre-registered IP addresses. See the image below.
A user must first establish a VPN session with the appliance; the request is then redirected to the external
gateway of the appliance.
Returning client requests to a specified gateway
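The difference between the two single gateway modes in Scenarios 2 and 3 can be modeled offline to see which destinations would only leave the appliance in unrestricted mode. The following is an added example, not code from the appliance or its vendor; the routes, addresses, function names and the longest-prefix-match rule are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: static routes as (destination network, next hop).
STATIC_ROUTES = [
    ("10.10.0.0/16", "10.1.1.254"),
    ("10.10.20.0/24", "10.1.1.253"),
    ("192.168.50.0/24", "10.1.1.254"),
]
DEFAULT_GATEWAY = "203.0.113.1"  # hypothetical gateway specified for unrestricted mode


def lookup(dest, routes):
    """Next hop of the most specific matching static route, or None.

    Longest-prefix match is assumed here; the page does not state the rule.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def decide(dest, mode, routes=STATIC_ROUTES, gateway=DEFAULT_GATEWAY):
    """Model one client request; returns ("forward", hop) or ("discard", None)."""
    if mode not in ("restricted", "unrestricted"):
        raise ValueError(f"unknown mode: {mode}")
    hop = lookup(dest, routes)
    if hop is not None:
        return ("forward", hop)          # a static route matched in either mode
    if mode == "unrestricted":
        return ("forward", gateway)      # unmatched traffic goes to the specified gateway
    return ("discard", None)             # restricted: unmatched traffic is dropped


def fallthrough(dests, routes=STATIC_ROUTES):
    """Destinations with no static route, i.e. passed on only in unrestricted mode."""
    return [d for d in dests if lookup(d, routes) is None]


if __name__ == "__main__":
    sample = ["10.10.20.7", "10.10.99.1", "192.168.50.10", "198.51.100.25"]
    for d in sample:
        print(d, decide(d, "restricted"), decide(d, "unrestricted"))
    print("forwarded only in unrestricted mode:", fallthrough(sample))
```

Running a list of destinations taken from your own access policy through fallthrough() shows what the upstream filtering and routing policies would have to handle if the unrestricted option is chosen.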
Scenario 4: Evaluating the Appliance in a Lab Setting
Use the No gateway option during evaluation if you will have the interfaces connected to your testing networks
without the need for routing.
Scenario 5: Deploying Network Tunnel Clients in “Redirect All” Mode
If you are planning to deploy network tunnel clients in “redirect all” mode, you may need to give your network
tunnel users access to both your internal network and the Internet (for more information, see Redirection Modes). This can be accomplished by either of these options:
Use the Dual gateway option, and make certain that your internal gateway router has been configured with a route to the Internet. See the image below.
Use the Single gateway, unrestricted option, and then configure the appliance to use a route to the Internet; see Enabling a Route to the Internet.
Deploying network tunnel clients in “Redirect All” mode