Policy Management Example — Selective VPN
Technical Note 2192
Last Reviewed 18-Oct-2005
Applies to:
Mobility XE server 6.00 and higher
Summary
A "selective VPN" is one in which traffic is tunneled through the Mobility VPN in some cases but not all. For example, when you are on a home network you may want Internet traffic to go straight to the Internet, without passing through the Mobility VPN, while corporate network traffic should always go through Mobility. When you're back in the office (inside the firewall) you might want to bypass Mobility for traffic over the corporate LAN.
This tech note explains how to set up a selective VPN using Policy Management.
Setting up Policy Rules
This policy is made up of several rules that are combined into a single rule set. For each rule in the set, the policy UI and rule description are shown.
1. Determine the parts of the corporate network that should be accessible only through a VPN.
2. The first policy rule will ALLOW traffic to these networks, but bypass everything else. In our example the network addresses are 10.20.0.0, 10.30.0.0, and 10.40.0.0, and the subnet mask for each one is 255.255.0.0 (a 16-bit mask). The Policy Management page in the Mobility console looks like this:

3. (Optional) Most applications will work fine using the single rule above, although a few applications (including Microsoft Outlook) work in such a way that you have to add specific ROUTE rules for each of the subnets you specified above. If you're using Outlook or have an application that isn't working with the above rule, add the rules below to your rule set.
For each of the three rules, select the following interface condition (NMVNIC is Mobility's "virtual adapter"):

The static route for each one is different. Select the following check box...

... and enter 10.20.0.0. (Follow the same steps for the other two rules, which will show a static route of 10.30.0.0 and 10.40.0.0, respectively.)

4. (Optional) If you want traffic to the corporate network to be bypassed entirely when you are on the corporate network (for example, when you are docked), create exception rules for this that precede the first rule:

Note, however, that NetBIOS doesn't behave well with this kind of rule when you switch between connecting from inside and outside of the company; other applications should be fine. This rule also won't work if an employee coincidentally uses 10.20.0.0 as his home network.
5. (Optional) If you want external (Internet) traffic to flow through the Mobility VPN when on certain wireless access points or subnets that don't have access to the Internet, add ALLOW rules for those networks at the beginning of the ruleset. For example, if you have a restricted "Circe" wireless network, the rule would look like this:

The Policy Rule Set
Here's how the entire example (including the optional steps) looks when the rules are re-ordered and assembled into a rule set (the explanatory comments are the parenthesized lines preceding each rule):
(Rule #1, described in step 5)
Apply this rule when the access point SSID contains circe and
allow network traffic for address(es)/port(s)
to 10.20.0.0/16
with options else
continue to the next rule
(Rule #2, described in step 4)
Apply this rule
when the local address is address(es)
from 10.20.0.0/16
pass through all network traffic
continue to the next rule
(Rule #3, described in step 2: 10.20.0.0, 10.30.0.0, and 10.40.0.0)
Apply this rule for any condition
allow network traffic for address(es)/port(s)
to 10.20.0.0/16,
to 10.30.0.0/16 or
to 10.40.0.0/16
with options else
pass through all network traffic
continue to the next rule
(Rule #4, described in step 3)
Apply this rule when the interface name contains NMVNIC
add a static route to 10.20.0.0/16
continue to the next rule
(Rule #5, described in step 3)
Apply this rule when the interface name contains NMVNIC
add a static route to 10.30.0.0/16
continue to the next rule
(Rule #6, described in step 3)
Apply this rule when the interface name contains NMVNIC
add a static route to 10.40.0.0/16
continue to the next rule
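A walk-through of the rule set above, added here as an illustration (it is not NetMotion code and does not call any Mobility API): it models rules #1 through #3 as an ordered decision for one outbound packet, rules #4 through #6 as the static routes they add on the NMVNIC adapter, and the step-4 caveat as an overlap check a practitioner can run before deploying the exception rule. Rule #1 is modelled on the intent stated in step 5 (all traffic tunnelled while on the restricted SSID); the sample addresses and SSIDs are constructed.

```python
import ipaddress

# Corporate subnets from the tech note, each with a 16-bit mask.
CORP_NETS = [ipaddress.ip_network(n) for n in
             ("10.20.0.0/16", "10.30.0.0/16", "10.40.0.0/16")]
DOCKED_NET = CORP_NETS[0]          # Rule #2's local-address condition
RESTRICTED_SSID = "circe"          # Rule #1's SSID condition

TUNNEL = "allow (tunnel through Mobility)"
BYPASS = "pass through (bypass Mobility)"


def in_any(addr, nets):
    """True if the IPv4 address lies inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def evaluate(dst, local_addr, ssid=""):
    """Walk the rule set top to bottom for one outbound packet.

    Returns (action, rule_number) for the first rule that decides the
    packet; 'continue to the next rule' is modelled as falling through.
    """
    # Rule #1: on the restricted access point, tunnel everything so that
    # Internet traffic can still get out. (Assumption: modelled on the
    # intent described in step 5 rather than on a literal address entry.)
    if RESTRICTED_SSID in ssid.lower():
        return TUNNEL, 1
    # Rule #2: when the local address is on the corporate LAN (docked),
    # pass all traffic through, bypassing Mobility entirely.
    if in_any(local_addr, [DOCKED_NET]):
        return BYPASS, 2
    # Rule #3: for any other condition, tunnel traffic bound for the
    # corporate subnets and pass everything else through (the 'else' branch).
    if in_any(dst, CORP_NETS):
        return TUNNEL, 3
    return BYPASS, 3


def static_routes(interface_name):
    """Rules #4 to #6: routes added only when the interface is the NMVNIC adapter."""
    if "NMVNIC" in interface_name:
        return [str(n) for n in CORP_NETS]
    return []


def docked_rule_collides(home_cidr):
    """The caveat from step 4: Rule #2 also fires if a remote user's own
    network overlaps 10.20.0.0/16, so corporate traffic would be passed
    through outside the VPN instead of tunnelled."""
    return ipaddress.ip_network(home_cidr, strict=False).overlaps(DOCKED_NET)


if __name__ == "__main__":
    # Constructed sample packets; not captured from a real deployment.
    cases = [
        ("8.8.8.8", "192.168.1.10", "HomeWifi"),      # home -> Internet
        ("10.30.5.5", "192.168.1.10", "HomeWifi"),    # home -> corporate
        ("10.30.5.5", "10.20.4.4", "CorpLAN"),        # docked -> corporate
        ("8.8.8.8", "172.16.9.9", "Circe-Guest"),     # restricted AP -> Internet
    ]
    for dst, local, ssid in cases:
        action, rule = evaluate(dst, local, ssid)
        print(f"{ssid:12} {local:>14} -> {dst:<10} rule #{rule}: {action}")
    print("home 10.20.0.0/24 collides with rule #2:",
          docked_rule_collides("10.20.0.0/24"))
```

Running the script shows why rule order matters: the same corporate destination is tunnelled from a home network but passed through when the local address is on 10.20.0.0/16, and `docked_rule_collides` makes the step-4 failure mode explicit, since a home router that hands out 10.20.x.x addresses satisfies Rule #2 just as a docked machine does.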
Related Information
2154: Using Mobility Policy Management — The Basics
2171: Policy Library
2138: Reining in NetBIOS Traffic
9979: NetMotion Mobility Technical Notes