Forum Discussion

Fallout1984
Jan 26, 2021

VPN - Disallow networks accessible via access policy "exclude" or via APM ACL instead?

From what I can tell, there are two ways to block access to certain networks via VPN; either by adding them to the "exclude" section of the access policy they're assigned, or by adding an ACL step in...
  • Amine_Kadimi
    Jan 26, 2021

    IMHO, ACLs are the safest way. The excluded networks setting is part of the split tunneling configuration, so it is strictly related to the routes pushed to the client. With an ACL, you are actually controlling what is allowed or not on the BIG-IP side. The difference may not seem important, but recently I was able to trick my Windows host into changing the routing entries of my machine in order to bypass the split tunneling configuration pushed to the client VPN, though it was with another (so popular) vendor's VPN client that claims its global protection features ;p
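To make the difference concrete, here is a constructed tmsh fragment (added here, not posted by either participant) showing the same subnet handled both ways: once as a split-tunnel exclude, which only affects the routes the client installs, and once as an APM ACL entry, which the BIG-IP evaluates for every packet arriving over the tunnel. The resource and ACL names and all subnets are placeholders, and the exact tmsh option names are from memory and should be checked against your BIG-IP version.

```tmsh
# Constructed example, not from the thread. Names and subnets are placeholders.

# 1. Split-tunnel "exclude": the client is simply not given a route for
#    10.20.0.0/16, so that traffic leaves via the local interface. If the
#    client's routing table is changed, the BIG-IP itself does nothing to stop
#    a packet for 10.20.0.0/16 that still arrives through the tunnel.
modify apm resource network-access NA_corp \
    split-tunneling true \
    address-space-include-subnet replace-all-with { { subnet 10.0.0.0/8 } } \
    address-space-exclude-subnet replace-all-with { { subnet 10.20.0.0/16 } }

# 2. APM ACL: enforced on the BIG-IP regardless of the client's routing table.
#    Entries are evaluated in order; the reject must come before the broader allow.
create apm acl ACL_block_finance \
    entries add {
        0 { action reject protocol any dst-subnet 10.20.0.0/16 }
        1 { action allow  protocol any dst-subnet 10.0.0.0/8 }
    }
```

The ACL only takes effect once it is assigned to the session by an ACL Assign step in the access policy, which is the step the question refers to; the exclude setting can still be kept alongside it for routing efficiency.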