VPN Tunneling Proxy Support
VPN tunneling provides support for remote clients using a proxy server to access the Internet (and Ivanti Connect Secure via the Internet), as well as clients who do not need a proxy to access the Internet, but who access resources on an internal network through a proxy. VPN tunneling also provides support for clients accessing a Proxy Automatic Configuration (PAC) file that specifies client and system proxy settings enabling access to Web applications.
The VPN tunneling client does not support the use of the MS Winsock proxy client. Please disable the MS Winsock proxy client before running the VPN tunneling client. For more information, see http://www.microsoft.com/windowsxp/using/mobility/expert/vpns.mspx.
To address these varying methods of proxy implementation, VPN tunneling temporarily changes the proxy settings of the browser so that only traffic intended for the VPN tunneling session uses the temporary proxy settings. All traffic not intended for the VPN tunneling session uses the existing proxy settings.
The VPN tunneling client does not support the option to automatically detect proxy settings. You must choose to use either an automatic configuration script (PAC) or specify a proxy server. You cannot use both a proxy server and an automatic configuration script together. You can define one or the other under the Proxy section in Users > Resource Policies > VPN Tunneling > Connection Profiles > Profile.
Whether split-tunneling is enabled or disabled, the system supports the following proxy scenarios:
•Using an explicit proxy to access Ivanti Connect Secure
•Using an explicit proxy to access internal Web applications
•Using a PAC file to access Ivanti Connect Secure
•Using a PAC file to access internal Web applications
Please note the following exceptions:
•The system does not support redirect downloads and therefore does not support the redirecting of the internal PAC file download.
•The system's dsinet client does not support SSL; you cannot obtain the internal PAC file from the SSL server.
•The system does not support "auto detect proxy". If both static proxy and "auto proxy script (pac)" are defined, it uses the static proxy configuration.
•The VPN tunneling profile does not have a static proxy exception field for internal proxy. If you require proxy exceptions, you can use a PAC file with proxy exception logic.
•The VPN tunneling client supports "auto proxy script (pac)" only when the configuration is the PAC file URL. If the URL is a redirect URL or an IE proxy configuration script, it is not supported.
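The exception above about proxy exceptions points to a PAC file with exception logic; the following is an added example of such a file, not taken from the Ivanti documentation. The proxy address, hostnames and subnets are constructed placeholders, and the checks use plain string and arithmetic operations instead of the browser-supplied PAC helper functions so the file can also be exercised outside a browser.

```javascript
// Example PAC file with proxy-exception logic.
// Every name and address below is a constructed placeholder (assumption).
var INTERNAL_PROXY = "PROXY proxy.example.internal:8080";     // assumed internal proxy
var DIRECT_HOSTS = ["vpn.example.internal"];                  // exact-match exceptions
var DIRECT_SUFFIXES = [".intranet.example"];                  // domain-suffix exceptions
var DIRECT_NETS = [["10.20.0.0", 16], ["192.168.50.0", 24]];  // subnets (IPv4 literals only)

// Convert a dotted-quad string to a number, or null if it is not a valid IPv4 literal.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an IPv4 literal inside net/prefix. No DNS lookup is performed.
function inSubnet(host, net, prefix) {
  var h = ipv4ToInt(host), n = ipv4ToInt(net);
  if (h === null || n === null) return false;
  var size = Math.pow(2, 32 - prefix);
  return Math.floor(h / size) === Math.floor(n / size);
}

// Suffix match anchored on the leading dot, so "fakeintranet.example"
// is not treated as a member of ".intranet.example".
function endsWithDomain(host, suffix) {
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Entry point: called with the request URL and its host for every request.
function FindProxyForURL(url, host) {
  var i;
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";  // unqualified (single-label) names
  for (i = 0; i < DIRECT_HOSTS.length; i++)
    if (host === DIRECT_HOSTS[i]) return "DIRECT";
  for (i = 0; i < DIRECT_SUFFIXES.length; i++)
    if (endsWithDomain(host, DIRECT_SUFFIXES[i])) return "DIRECT";
  for (i = 0; i < DIRECT_NETS.length; i++)
    if (inSubnet(host, DIRECT_NETS[i][0], DIRECT_NETS[i][1])) return "DIRECT";
  return INTERNAL_PROXY;  // everything else goes through the internal proxy
}
```

Anything that does not match an exception falls through to the proxy, so a typo in an exception entry sends that traffic to the proxy instead of silently bypassing it.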
When split-tunneling is enabled, VPN tunneling manages proxy settings in one of the following ways, depending on the method with which the proxy is implemented:
•For remote clients using a proxy server to access the Internet, all HTTP requests generated by the browser and intended for the system go through either an explicit proxy or a PAC file accessed by the remote client. Because the presence of an explicit proxy or access to a PAC file is already provisioned on the client-side, the client sets up the local, temporary proxy before attempting to establish a VPN tunnel.
•When a remote client accesses a preconfigured HTTP-based PAC file, the client cannot access the PAC file until after a VPN tunnel is established. After a connection is established, the client accesses the PAC file, includes the PAC file contents in the local temporary proxy, and then refreshes the browser proxy setting.