Overview
Fully Qualified Domain Name (FQDN) based split tunneling allows the Ivanti Connect Secure administrator to configure split tunneling based on FQDN. FQDN based resources can be defined in the exclude policy and the include policy for split tunneling. Following the same role merging rules that apply to IP/Netmask based resources, Ivanti Connect Secure sends the lists of FQDN include policies and FQDN exclude policies to Ivanti Secure Access Client.
Ivanti Connect Secure sends the list of FQDN based split tunneling rules only to Ivanti Secure Access Client 9.0R1 and later, so Ivanti Secure Access Client releases earlier than 9.0R1 are not affected by the new set of configuration rules.
Ivanti Secure Access Client sends all DNS requests to the Ivanti Connect Secure server and then makes the split tunneling decision based on the FQDN Exclude Policy and FQDN Include Policy lists.
An FQDN might resolve to multiple IP addresses and can also have CNAME records that are expected to be treated on par with the original FQDN.
This feature is helpful when configuring rules to ignore or tunnel cloud services.
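The following is an added illustration (not Ivanti's code) of the decision described above: an endpoint-side agent takes a DNS answer, treats the queried name and every CNAME alias in its chain on par, and marks each resolved address as tunneled or direct according to the FQDN include and exclude lists. Exact-name matching, exclude-over-include precedence and the default for unmatched names are assumptions made for this example, as are the constructed names and addresses.

```python
from dataclasses import dataclass, field

# Constructed sample policy lists (not from the page).
INCLUDE_FQDNS = {"intranet.corp.example"}
EXCLUDE_FQDNS = {"video.cloudservice.example"}


@dataclass
class DnsAnswer:
    """A resolved name: the queried FQDN, CNAME aliases in its chain, final A/AAAA records."""
    qname: str
    cnames: list = field(default_factory=list)
    addresses: list = field(default_factory=list)


def _norm(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()


def fqdn_matches(name: str, policy: set) -> bool:
    # Exact match only (assumption; wildcard semantics are not modelled here).
    return _norm(name) in {_norm(p) for p in policy}


def classify(answer: DnsAnswer, include: set, exclude: set, default: str = "tunnel") -> dict:
    """Return {address: 'tunnel' | 'direct'} for every address in the answer.

    The queried FQDN and each CNAME in its chain are treated on par: if any of
    them is excluded, all resolved addresses bypass the tunnel; otherwise, if any
    is included, they all go through the tunnel. Exclude wins over include
    (assumption). Names matching neither list follow `default`.
    """
    names = [answer.qname, *answer.cnames]
    if any(fqdn_matches(n, exclude) for n in names):
        decision = "direct"
    elif any(fqdn_matches(n, include) for n in names):
        decision = "tunnel"
    else:
        decision = default
    return {ip: decision for ip in answer.addresses}


if __name__ == "__main__":
    # Constructed answer: a cloud front-end name whose CNAME chain hits an excluded FQDN.
    cdn = DnsAnswer("www.cloudservice.example",
                    ["video.cloudservice.example.", "edge-cdn.example"],
                    ["203.0.113.10", "2001:db8::10"])
    print(classify(cdn, INCLUDE_FQDNS, EXCLUDE_FQDNS))
```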
FQDN based split tunneling works well along with the following additional features:
Ivanti Connect Secure Split Tunneling Overview
Split tunneling is configured as a part of the role that is assigned to a user after authentication. When the client and Ivanti Connect Secure (ICS) establish a VPN tunnel, the server takes control of the routing environment on the endpoint to ensure that only permitted network traffic is allowed access through the VPN tunnel. Split tunneling settings enable you to further define the VPN tunnel environment by permitting some traffic from the endpoint to reach the local network or another connected subnet. When split tunneling is enabled, split tunneling resource policies enable you to define the specific IP network resources and FQDN resources that are excluded from access or accessible through the VPN tunnel.
For more information on Ivanti Connect Secure Split Tunneling, see section Ivanti Connect Secure Split Tunneling Overview in PDC Admin Guide.
FQDN Access Control Policies (ACL)
The admin can configure IPv4/IPv6/FQDN addresses in the following two ways:
• Simple Rules
• Detailed Rules
Simple Rules: Admin can configure IPv4/IPv6/FQDN addresses with allow/deny rules. These rules permit/deny access to an IPv4/IPv6/FQDN resource based on the IPv4/IPv6/FQDN address configured.
Detailed Rules: Admin can configure IPv4/IPv6/FQDN addresses with allow/deny rules with conditions. These rules permit/deny access to an IPv4/IPv6/FQDN resource based on the IPv4/IPv6/FQDN address configured when the condition matches.
Every entry in the ACL policy corresponds to two entries in the FORWARD chain in iptables/ip6tables: one in the inbound direction and the other in the outbound direction.
For more information, see Writing a Detailed Rule for VPN Tunneling Access Control Policies ACL in Ivanti Connect Secure Admin Guide.
IPv4 Split Tunneling: The Ivanti VPN allows access to both IPv4 and IPv6 corporate resources, as well as FQDN resources, from IPv4 and IPv6 endpoints. It enables the client to access the corporate network and the local network at the same time. Traffic designated for the corporate network is directed to the tunnel interface by configuring route policies, whereas all other traffic is sent to the direct interface.
All IPv6 configuration is similar to IPv4.
For more information, see section IPv6/IPv4 Split Tunneling in PDC Admin Guide.