FAQ2: Users are unable to access internet resources when connected to a VPN tunnel on an Azure-based ICS
Cause: When an end user launches Ivanti Client, connects to ICS in Azure, and tries to access the internet, ICS forwards the received packets (src-ip: tunnel IP, dest-ip: internet) through its internal interface. These packets reach Azure's hidden Network Load Balancing (NLB). The source IP of each packet leaving ICS is the client tunnel IP, and no NIC in the VNET has that address as its IP, so the Azure hidden NLB drops the packets.
Solution: Ivanti Connect Secure must SNAT these packets to the Internal interface IP, which belongs to a subnet within the VNET.
To NAT endpoint tunnel IP to Internal interface IP, do the following:
1. Log in to Ivanti Connect Secure admin console.
2. Navigate to System > Network > VPN Tunneling.
3. Enable Source NATTING. By default, Source NATTING is disabled.
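
To confirm the change took effect, the following added example (not Ivanti's code) audits a packet capture taken on the ICS internal interface and reports internet-bound packets that still carry a tunnel IP as their source. It assumes the capture has been exported as `tcpdump -nn` text; the function name and all addresses, including the tunnel pool, VNET prefix and internal interface IP, are constructed for illustration.

```python
import ipaddress
import re

# Address pair in `tcpdump -nn` text output (IPv4 only); ports are optional (ICMP has none).
PKT = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:")

def audit_capture(lines, tunnel_pool, internal_ip, vnet_prefix):
    """Classify internet-bound packets by the source address they carry."""
    pool = ipaddress.ip_network(tunnel_pool)
    vnet = ipaddress.ip_network(vnet_prefix)
    internal = ipaddress.ip_address(internal_ip)
    result = {"snat_applied": 0, "tunnel_ip_leaked": [], "other": 0}
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue  # not an IPv4 packet line
        src, dst = (ipaddress.ip_address(g) for g in m.groups())
        if dst in vnet:
            continue  # intra-VNET and return traffic is not the case this FAQ covers
        if src == internal:
            result["snat_applied"] += 1          # source rewritten to the internal interface IP
        elif src in pool:
            result["tunnel_ip_leaked"].append(line.strip())  # Azure would drop this packet
        else:
            result["other"] += 1
    return result

# Constructed sample: two packets captured before Source NATTING was enabled,
# then a SYN, its reply, and an ICMP echo captured afterwards.
SAMPLE = """\
10:15:01.100 IP 10.200.0.15.51544 > 198.51.100.10.443: Flags [S], length 0
10:15:02.100 IP 10.200.0.15.51544 > 198.51.100.10.443: Flags [S], length 0
10:20:01.100 IP 10.1.2.4.40112 > 198.51.100.10.443: Flags [S], length 0
10:20:01.150 IP 198.51.100.10.443 > 10.1.2.4.40112: Flags [S.], length 0
10:20:05.000 IP 10.1.2.4 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    report = audit_capture(SAMPLE, "10.200.0.0/24", "10.1.2.4", "10.1.0.0/16")
    print("SNAT applied:", report["snat_applied"])
    for pkt in report["tunnel_ip_leaked"]:
        print("tunnel IP still on the wire:", pkt)
```

A capture taken after Source NATTING is enabled should produce an empty `tunnel_ip_leaked` list; repeated SYNs from a tunnel IP with no reply match the drop described in the Cause.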