Can your firewall guys confirm if port 80 TCP outbound is allowed from your CAG?

On Tue, Apr 29, 2008 at 1:54 PM, Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx> wrote:
> CAG Standard.
>
> The odd thing, this DID work on our old firewall, maybe inadvertently....
>
> Seems silly though, I want all network traffic to go through my network.
> I want those connected to me to be forced to use our internet rules.
> Sounds like my only option is to turn on split tunneling? Is that not still
> considered a security concern?
>
> Chad Schneider
> Systems Engineer
> ThedaCare IT
> 920-735-7615
>
> >>> On 4/29/2008 at 3:39 PM, <tsguy92@xxxxxxxxx> wrote:
> Chad, are you using CAG + AAC / Advanced Access Control?
>
> If so, this issue is by design. During our setup I actually called CTX
> support on it, and was informed that's the case.
>
> Consider the fact that the CAG by default "denies" any connection which is
> not explicitly defined as allowed. That's the issue you're likely fighting.
>
> Port 80 / 443 traffic to *.*.*.* is not defined as allowed for the CAG;
> therefore, it won't pass that traffic on. Sadly, you can't define wildcards
> like this in the CAG / AAC config.
>
> Set up an allowed resource for the IP addresses for www.abc.com or
> something similar on port 80 and it will work.
>
> Our workaround for this was the following entries on our AAC server as
> "allowed" resources for our VPN users.
>
> server - 128.0.0.0, subnet - 128.0.0.0, port - 80, 443, protocol - TCP
> server - 0.0.0.0, subnet - 128.0.0.0, port - 80, 443, protocol - TCP
>
> HTH
>
> Lan
>
> On 4/29/08, Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx> wrote:
> >
> > CAG 4.5.
> >
> > We want to make an SSL VPN connection via the CAG. We want split
> > tunneling off (I feel for obvious reasons), but are now unable to get to
> > external internet sites. Our VPN users get an internal IP address, with an
> > internal default gateway. We have 3 static routes into our internal
> > network. All requests to the internal network work fine. No requests to
> > any external site work.
> >
> > How can I make this work, allowing no split tunneling, but also allowing
> > internet traffic to the outside of the network.
> >
> > Chad Schneider
> > Systems Engineer
> > ThedaCare IT
> > 920-735-7615
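The two "allowed resource" entries Lan posted (server 128.0.0.0 with subnet 128.0.0.0, and server 0.0.0.0 with subnet 128.0.0.0) are each a /1 prefix, so together they cover every IPv4 address on TCP 80/443. The following Python is an added illustration, not code from the thread or from Citrix: it models the CAG/AAC deny-by-default evaluation against a constructed copy of those entries, converts each entry to CIDR form, and computes how much address space the list covers. The function and variable names are assumptions for the example.

```python
import ipaddress

# Constructed copy of the two AAC entries from the thread:
# (server, subnet mask, allowed ports, protocol). Hypothetical data model,
# not the real CAG/AAC configuration format.
ALLOWED_RESOURCES = [
    ("128.0.0.0", "128.0.0.0", (80, 443), "TCP"),
    ("0.0.0.0", "128.0.0.0", (80, 443), "TCP"),
]


def as_cidr(server, mask):
    """Render a server/subnet-mask pair as CIDR, e.g. 0.0.0.0/128.0.0.0 -> 0.0.0.0/1."""
    return str(ipaddress.IPv4Network(f"{server}/{mask}", strict=False))


def is_allowed(dst_ip, dst_port, proto, resources=ALLOWED_RESOURCES):
    """Deny-by-default check: a flow passes only if some entry matches
    its destination address, port and protocol (as Lan describes the CAG)."""
    addr = ipaddress.IPv4Address(dst_ip)
    for server, mask, ports, rproto in resources:
        if rproto != proto.upper():
            continue
        if dst_port not in ports:
            continue
        if addr in ipaddress.IPv4Network(f"{server}/{mask}", strict=False):
            return True
    return False  # nothing matched: the gateway drops it


def covered_address_space(resources=ALLOWED_RESOURCES):
    """Number of IPv4 addresses reachable on the listed ports, after
    collapsing overlapping/adjacent prefixes."""
    nets = [ipaddress.IPv4Network(f"{s}/{m}", strict=False) for s, m, _, _ in resources]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    for server, mask, _, _ in ALLOWED_RESOURCES:
        print(f"{server} / {mask}  ->  {as_cidr(server, mask)}")
    print("addresses covered:", covered_address_space())
    print("203.0.113.10:80/TCP allowed?", is_allowed("203.0.113.10", 80, "tcp"))
    print("203.0.113.10:22/TCP allowed?", is_allowed("203.0.113.10", 22, "tcp"))
```

Because the two /1 prefixes collapse to 0.0.0.0/0, the workaround is a de facto wildcard for web ports: it does not distinguish internal from external destinations, and with split tunneling off the actual "internet rules" Chad wants enforced still have to come from the proxy or firewall the VPN clients' internal default gateway sends that traffic through.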