Connect Tunnel is a client application that is installed on a user’s device, and OnDemand Tunnel is a lightweight, Web-based agent that is activated each time a user logs in to WorkPlace from a Java-enabled device. These two access methods differ in how they are installed or activated, but they share the same configuration.
This section describes how to configure settings for the tunnel clients. For a more detailed description of these
settings, see Network Tunnel Client Configuration.
In the AMC, navigate to User Access > Realms, click the link for the community you want to configure, and select the Tunnel Access tab. The Tunnel Access page displays.
By default, any configured IP address pool is available to the selected community. To select specific IP address pools, click Edit in the IP address pools area and then select from the list of configured pools.
Select the Redirection mode used to route client traffic to the appliance. The network tunnel service supports several redirection modes. For a more detailed description of the supported redirection modes, see Redirection Modes.
- Split Tunnel (less secure): Traffic bound for resources defined in AMC is redirected through the tunnel, and all other traffic is routed as normal.
  - Enable the Use tunnel as primary network (Mobile Connect only) checkbox to have the appliance resolve all of the client's DNS queries.
- Redirect All (more secure): Traffic is redirected through the tunnel regardless of how resources are defined in AMC.
You can override the behavior of Split Tunnel or Redirect All by specifying exclusions that will be used by this community.
In the Community Exclusions field, enter the host names, IP addresses, subnets, IP ranges, or domains that you want to exclude from being redirected through the appliance. Wildcard characters (?) are permitted.
Due to client operating system limitations, Mobile Connect cannot convert host name, URL, or domain type resources containing wildcards to an IP address and, therefore, cannot redirect them to the appliance.
For example, if you have three public web servers (www3.YourCompany.com), you can allow the network traffic associated with them to bypass the appliance, which improves performance. Add all three public sites to the Exclusions by using a wildcard character: www*.YourCompany.com. Resources in this list can also contain variables; see Using Variables in Resource and WorkPlace Shortcut Definitions for more.
Because Mobile Connect cannot resolve wildcard entries, also define the corresponding IP address, IP range, or subnet alongside each wildcard exclusion.
When a prior version of SMA that contains a Resource Exclusion List is migrated to 12.4.1:
- All entries in Resource Exclusion List migrate to a single exclusion named Split Tunnel
- All Split tunnel communities use this exclusion named Split Tunnel
- For Redirect All communities, exclusions will not be migrated, which may affect browser-only sessions
Enable the Exclude local network traffic by default checkbox if you want to allow users to access local printers and file shares. If corporate resources use the same address space as the local network, those corporate resources will not be accessible while this option is enabled.
Enable Allow users to exclude or include local network traffic if you want to let users choose their local/remote network preference and add custom exclusions. This is recommended for advanced users only.
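The interaction between redirection mode, community exclusions and the local network option is easier to reason about with a small model. The following JavaScript is an added illustration, not SonicWall's code, and the exclusion grammar it accepts (host names, IPv4 addresses, CIDR subnets, IPv4 ranges written `a-b`, domains with or without a leading dot, and the `*`/`?` wildcards) is an assumption simplified from this page. The scenario in `overlapScenario` is constructed to show the address-overlap caveat above: a corporate server in a subnet that coincides with the user's home LAN is routed directly and therefore cannot be reached through the tunnel.

```javascript
// Added illustration, not SonicWall's code: models how the Tunnel Access
// redirection mode, the Community Exclusions list and the "Exclude local
// network traffic" option decide whether one destination uses the tunnel.
// The exclusion grammar is an assumption, simplified from the page.

function ipv4ToInt(ip) {
  const parts = String(ip).split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function wildcardToRegExp(pattern) {
  // Escape regex metacharacters first, then map '*' -> '.*' and '?' -> '.'
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i");
}

// True when one exclusion entry covers the destination { host, ip }.
function entryMatches(entry, dest) {
  const destIp = dest.ip ? ipv4ToInt(dest.ip) : null;

  const cidr = entry.match(/^(\d+\.\d+\.\d+\.\d+)\/(\d+)$/); // e.g. 10.0.0.0/8
  if (cidr) {
    const net = ipv4ToInt(cidr[1]);
    const bits = Number(cidr[2]);
    if (destIp === null || net === null || bits > 32) return false;
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return ((destIp & mask) >>> 0) === ((net & mask) >>> 0);
  }

  const range = entry.match(/^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/); // e.g. a-b
  if (range) {
    const lo = ipv4ToInt(range[1]);
    const hi = ipv4ToInt(range[2]);
    return destIp !== null && lo !== null && hi !== null && destIp >= lo && destIp <= hi;
  }

  const single = ipv4ToInt(entry); // e.g. 192.0.2.10
  if (single !== null) return destIp === single;

  if (!dest.host) return false;
  const host = dest.host.toLowerCase();
  const pat = entry.toLowerCase().replace(/^\./, "");
  // A literal domain covers itself and every host beneath it. Wildcard
  // host/domain entries cannot be turned into IP addresses by Mobile Connect,
  // which is why the page says to add the matching IP, range or subnet too.
  if (!/[*?]/.test(pat)) return host === pat || host.endsWith("." + pat);
  return wildcardToRegExp(pat).test(host);
}

// Returns "tunnel" or "direct" for one destination.
// options: { mode: "split" | "redirectAll", exclusions: [...],
//            excludeLocal: boolean, localSubnets: [...], definedResources: [...] }
function routeDecision(dest, options) {
  // Community exclusions override either redirection mode.
  if (options.exclusions.some((e) => entryMatches(e, dest))) return "direct";
  // "Exclude local network traffic by default": the LAN bypasses the tunnel.
  if (options.excludeLocal && options.localSubnets.some((s) => entryMatches(s, dest))) {
    return "direct";
  }
  if (options.mode === "redirectAll") return "tunnel";
  // Split Tunnel: only resources defined in AMC go through the tunnel.
  return options.definedResources.some((r) => entryMatches(r, dest)) ? "tunnel" : "direct";
}

// Constructed scenario: a corporate file server lives in 192.168.1.0/24 and
// the user's home LAN is also 192.168.1.0/24. With local traffic excluded,
// the corporate server is routed "direct", i.e. it is not reachable.
function overlapScenario() {
  const community = {
    mode: "split",
    exclusions: ["www*.yourcompany.com"],
    excludeLocal: true,
    localSubnets: ["192.168.1.0/24"],
    definedResources: ["192.168.1.0/24", "10.0.0.0/8"],
  };
  return {
    fileServer: routeDecision({ host: "files.corp.example", ip: "192.168.1.50" }, community),
    intranet: routeDecision({ host: "intranet.corp.example", ip: "10.1.2.3" }, community),
    publicWeb: routeDecision({ host: "www2.yourcompany.com", ip: "203.0.113.8" }, community),
  };
}
```

Call `overlapScenario()` to see the three outcomes side by side: the intranet host goes through the tunnel, the wildcard-excluded public site goes direct, and the file server also goes direct even though it is a defined resource, because the local-network exclusion is evaluated first.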
(Optional) Click to expand the Tunnel Client Options section:
In the Caption for start menu and icon field, type the customized text that you want to appear for the Connect Tunnel client on the menu and beneath the Connect icon on the user’s desktop.
Create icon on desktop: Places the Connect Tunnel client icon on the desktop.
Run at system startup: Automatically runs the Connect Tunnel client when the operating system starts on the user’s computer (Windows only).
To use Single Sign-on, in the Cached Credentials section, select when cached credentials should be used:
Always: Always use cached credentials if available.
At user’s discretion: Let the user decide when to use cached credentials.
Only with biometric verification: Only use cached credentials after verification using one of the supported biometric verification methods.
Never: Prohibit users from using cached credentials.
On a Windows system, Connect Tunnel uses cached system credentials. On other systems, Connect Tunnel remembers the entered credentials and uses them on subsequent connections.
Use one of the Software updates options to alert users when client updates are available or to update their software automatically. This setting is available only when the network tunnel client is configured to provision the client from Secure Mobile Access WorkPlace:
Manual—User must start updates manually.
At user's discretion—Allows users to decide when to install software updates. The update can be deferred indefinitely; however, the user will see the software-update alert when he or she starts the tunnel client (once per day) until the update is installed.
Required—User must accept updates in order to access VPN resources through the tunnel client.
Forced—Updates are required in order to connect. The update program starts, and a progress bar is visible during installation, but the user is not prompted during the process.
- (Optional) To automatically establish a tunnel connection when a user attempts to log in from an unsecure location, check the Enable secure network detection checkbox in the Secure Network Detection section. For more information, see Secure Network Detection.
(Optional) By default, the client is configured to access the realm and appliance name from which the
client was downloaded. However, you can override this default behavior and configure the client to
access a different realm or appliance. In the Custom connection area, select the Configure client with
custom realm and appliance FQDN checkbox, and then specify these options as needed:
From the Realm name list, select the name of the default realm.
In the Appliance FQDN field, type the fully qualified domain name of the default appliance.
(Optional) By default, a tunnel client session is never terminated by the appliance once it has been
established: users can leave sessions idle and return to them later without having to reauthenticate. If
you want to require users to re-authenticate after a certain period of time, in the Session Termination section, select Limit session length to credential lifetime. This requires users to re-authenticate once the
amount of time specified by Credential lifetime (on the Configure General Appliance Options page) has
passed. When this option is selected, users are notified when a session is nearing the inactivity threshold
and users can avert the disconnect by performing any mouse or keyboard activity.
If you need a TCP connection or consistent UDP traffic flow between the same two address/port tuples to
live longer than eight hours, you must put the user in a community that has this option unchecked. Even
with the Limit session length to credential lifetime checkbox unchecked, users cannot authorize new
flows within the tunnel after their credentials expire.
(Optional) Select Enable Always On VPN in the Always on VPN section to always establish a VPN
connection between the user's device and the appliance whenever the device has a network connection
to the Internet.
Always On VPN is only supported for Connect Tunnel for Windows in SMA 12.4.
(Optional) If you enabled Redirect all in the Redirection mode area, you can configure Internet traffic to
be sent through an internal proxy server when the VPN connection is active. In the Proxy options area,
select the Redirect Internet traffic through internal proxy server checkbox, and then select one of the
proxy server options.
To specify a proxy auto-configuration (.pac) file, click Proxy auto-configuration file and then type the URL, preceded by the http:// protocol identifier, for the .pac file. The .pac file determines which proxy servers can be used and can redirect specific URLs to specific proxy servers. For information about .pac files, see:
To manually specify a proxy server, click Proxy server and then type the server’s host name and port number in host:port format (for example, myhost:80). Optionally, in the Exclusion list field, you can type the host names, IP addresses, or domain names of any resources that you do not want redirected through the proxy server. When defining these resources, wildcards are valid, and multiple entries must be separated by semicolons.
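For administrators who choose the proxy auto-configuration option, the following is an added example of a minimal .pac file; it is not from the SMA documentation. `FindProxyForURL(url, host)` is the standard PAC entry point that the client calls for every request. The proxy `myhost:80` is taken from the page's own example; the exclusion entries are constructed, and the exclusion string deliberately uses the same syntax as the Exclusion list field above (host names, IP addresses or domain names, wildcards allowed, entries separated by semicolons). The code is written in ES5 because PAC engines are often older JavaScript interpreters.

```javascript
// Added example, not from the SMA documentation: a minimal proxy
// auto-configuration (.pac) file. The proxy value is the page's own example;
// the exclusion entries are constructed for illustration.

var INTERNAL_PROXY = "PROXY myhost:80";

// Same syntax as the page's Exclusion list: host names, IP addresses or
// domain names, wildcards allowed, entries separated by semicolons.
var PROXY_EXCLUSIONS = "intranet;*.yourcompany.com;10.1.2.*;mail.partner.example";

function globToRegExp(glob) {
  // Escape regex metacharacters, then map '*' -> '.*' and '?' -> '.'
  var escaped = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i");
}

function isExcluded(host) {
  var entries = PROXY_EXCLUSIONS.split(";");
  for (var i = 0; i < entries.length; i++) {
    var entry = entries[i].replace(/^\s+|\s+$/g, "");
    if (entry === "") continue; // tolerate "a;;b" or a trailing ';'
    if (globToRegExp(entry).test(host)) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Plain host names (no dot) are local by convention and bypass the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Resources on the exclusion list are fetched without the proxy.
  if (isExcluded(host)) return "DIRECT";
  // Everything else leaves through the internal proxy. Returning the proxy
  // alone, with no "; DIRECT" fallback, means a browser will not silently
  // bypass the proxy when the proxy is unreachable.
  return INTERNAL_PROXY;
}
```

The file must be served from a location that tunnel users can reach (see the note on .pac file access later on this page), and the client only consults it while the VPN connection is active and Redirect All is in effect.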
(Optional) To launch an executable file or script after the connection has been established:
Click to expand the Post-connection scripts area.
Select the Run a post-connection script checkbox that corresponds to your operating system.
Specify your settings. For more information, see Post-Connection Scripting.
In the Run this file field, type the path and name for the script file. For example:
(Optional) In the Command line arguments field, type any command-line arguments that you want to pass when running the script. For example:
(Optional) In the Working directory field, type the directory in which the script will be executed. When defining the working directory, you can specify environment variables formatted as the actual environment variable name. For example:
The post-connection script file must be in a location on the client computer that the user can access and where that user can execute files.
In the Advanced area, Enable ESP encapsulation of tunnel network traffic is selected by default for all
network traffic (for all tunnel traffic). ESP (Encapsulating Security Payload) is a way to encapsulate and
decapsulate packets inside of UDP packets for traversing Network Address Translators (NATs). Using it can
improve the performance of applications, especially UDP-streaming applications like VoIP.
For an ESP tunnel to function, UDP port 4500 needs to be open in the firewall for traffic to and from the
SMA appliance external IP and Virtual IP addresses.
When ESP is enabled, the tunnel client tries to bring up an ESP tunnel, but falls back to a legacy SSL
tunnel if there is a problem establishing the ESP tunnel. The typical reason for this failure is that UDP port
4500 is not open in the network firewall.
If you do not want to use ESP, whether because you do not want to open UDP port 4500 in your firewall or for any other reason, clear the Enable ESP encapsulation of tunnel network traffic checkbox. To disable the default use of ESP in a community, clear the checkbox on the Realms > [your tunnel realm] > Communities > [your tunnel community] > Access Methods > Tunnel Access >
- If users are running OnDemand Tunnel in “redirect all” mode, connections to translated Web resources fail with Page cannot be displayed errors. To work around this issue, add an A (Address) record to the internal DNS servers to assign the appliance VIP or external IP to the
- When At user’s discretion is enabled for Client software updates in the Software updates area,
the user sees an upgrade notification, and the Connect Tunnel client caches the user’s response for
24 hours. If the setting is then changed to Required or Forced, a user who opted to delay updating
may not be prompted again until the following day because the earlier response is still cached.
If you plan to run a VB script after a connection has been established, you cannot simply enter the path and name of the .vbs script file; you must use the Windows Script Host utility to invoke it. To work around this, configure the post-connection options as follows:
- Run this file:
- Command line arguments: <Path to script>. For example: c:\path\to\script.vbs or \\path\to\script.vbs
- Leave Working directory empty.
- When you specify a .pac file location, be certain that your tunnel users have access to it. You can do this by defining a resource and creating an access rule. See Creating and Managing Resource Groups and Configuring Access Control Rules.