By default, AppGate SDP performs split tunneling, which allows a user to access dissimilar security domains, such as a public network (e.g., the internet) and a local LAN or WAN, at the same time. Entitlement-based routing or subnet-based routing captures and routes traffic for any protected hosts, and all other traffic (e.g., internet traffic) is untouched by AppGate SDP.
To disable split tunneling, establish a default Gateway, and route all internet traffic using an AppGate SDP Site:
Define a separate Site to be used as the destination for the default gateway traffic.
In the AppGate SDP Admin user interface, navigate to:
System > Sites > Client Routing
Enable Route all traffic through tunnel (Default Gateway) for the defined Site. This allows all remaining traffic to be captured and routed to the specified Site, which will serve as the default gateway (where traffic could, for instance, be filtered before being allowed out to the internet).
Use the Excluded Subnets form to specify any subnets that need to be excluded from the default gateway Site (e.g., private subnets such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
In the AppGate SDP Admin user interface, navigate to:
System > Appliances > <your Appliance> > Functions
Secure Tunnel Settings
Client Tunneling - Allow Destinations
Verify that the Address and Subnet Mask fields are blank.
Verify that the Interface field is set to the internet-facing interface.
NOTE: If there are multiple interfaces, you will require a second Allowed destination entry for the inside interface.
This setting causes the Allowed destination(s) to include any routable destination reachable through the specified interface(s). As long as the outside interface has a default route configured, it will route the traffic. The default router should include a path to the internet.
Remember to grant users an Entitlement that allows all protocols and ports (port range 1-65535) to 0.0.0.0/0 in Access > Entitlements > Actions for the Site where you want to route all traffic.
https://yourappgate.com:8443/ui/access/entitlements/create
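To review an Excluded Subnets list before applying it, the following added example (not AppGate code or part of the Admin Guide) models the routing decision described above: everything in 0.0.0.0/0 goes to the default gateway Site except the excluded subnets. The function names are hypothetical, the addresses in the checks are constructed samples, and "private" follows the classification of Python's ipaddress module.

```python
import ipaddress

# Excluded Subnets taken from the example in the text (private ranges).
EXCLUDED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def tunneled_routes(excluded):
    """Return the CIDR blocks left of 0.0.0.0/0 after carving out the excluded subnets."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for cidr in excluded:
        ex = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                # Split net into the blocks that do not contain ex.
                nxt.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # net is already fully excluded
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def via_default_gateway(dest, excluded):
    """True if dest would be captured and sent to the default gateway Site."""
    addr = ipaddress.ip_address(dest)
    return not any(addr in ipaddress.ip_network(c) for c in excluded)


def risky_exclusions(excluded):
    """Excluded subnets that are not wholly private address space.

    Traffic to these ranges would skip the default gateway Site and any
    filtering applied there, so each one deserves a second look.
    """
    return [c for c in excluded if not ipaddress.ip_network(c).is_private]


if __name__ == "__main__":
    for net in tunneled_routes(EXCLUDED):
        print("tunnel:", net)
    # Constructed sample destinations.
    for dest in ("8.8.8.8", "10.1.2.3", "172.32.0.1"):
        print(dest, "-> default gateway" if via_default_gateway(dest, EXCLUDED) else "-> excluded")
    # 172.0.0.0/8 is a constructed typo for 172.16.0.0/12 and covers public space.
    print("review:", risky_exclusions(EXCLUDED + ["172.0.0.0/8"]))
```
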
See the following sections of the AppGate SDP Admin Guide for more information on establishing a default gateway and routing all traffic through the AppGate SDP tunnel:
Routing Clients to the Internet via AppGate