SSL VPN
Contributor
jspanitz
Posts: 202
Registered: 08-02-2011
0

WSAM - Allow local traffic

Trying to build a WSAM policy that redirects just two web servers through to our network.  We'd like to have all other traffic go out the client's local connection.  What we are seeing is all other traffic appears to be blocked.  Pretty sure we had this working just the other day but now I cannot reproduce it.

 

Can this be done?

Recognized Expert
aweck
Posts: 255
Registered: 07-24-2009
0

Re: WSAM - Allow local traffic

Definitely.  When you're defining the WSAM resources, just define the two hosts (with whatever ports are necessary).  Only traffic for those hosts should then be directed over WSAM.  The resource policies will also need to be in place to allow the traffic through the SSL VPN.

Juniper Elite Partner
JNCIE-ENT #63, JNCIE-SP #705, JNCIE-SEC #17, JNCIS-FWV, JNCIS-SSL
Contributor
jspanitz
Posts: 202
Registered: 08-02-2011
0

Re: WSAM - Allow local traffic

We had that but all traffic tried to flow through the WSAM connection when we defined hosts in the WSAM destinations.  When we switched back to defining WSAM Client Apps and used iexplore.exe with a resource policy limiting the allowed hosts, it then started to work.

 

Thought I read that if you used WSAM destinations all traffic will flow through SAM.  Seems strange.

Moderator
zanyterp
Posts: 2,263
Registered: 11-19-2007
0

Re: WSAM - Allow local traffic

Do you have a JTAC case open on this? Are you seeing this on several versions or just the current version you have installed?

I would expect more of the opposite behavior; I have seen in production, as well as in my lab, access work with just host-based definitions. Did both IP and name fail?

Contributor
jspanitz
Posts: 202
Registered: 08-02-2011
0

Re: WSAM - Allow local traffic

No JTAC case yet.  I had too many open and was having trouble managing them all.  Now that some are closed I will open one for this issue.

 

All we have is a WSAM resource profile with 4 client apps defined.  One of the client apps is iexplore.exe with a SAM ACL to an IP address and port.  But I am thinking WSAM is just seeing iexplore.exe and redirecting all traffic, so all traffic other than the IP:Port in the ACL is then being blocked.

 

Is it possible to direct some traffic to a specific IP:Port accessed via iexplore.exe through WSAM while letting the rest of the traffic from iexplore.exe flow outside WSAM?

Trusted Contributor
SHKM
Posts: 123
Registered: 03-13-2008
0

Re: WSAM - Allow local traffic

Yes, there is an option to configure an IP and port combination to direct traffic through WSAM, with all the rest of the traffic flowing outside of WSAM.

 

 

Ex:

- Let's say server 1.1.1.1 is running web (port 80) and ssh

- We want to allow 1.1.1.1 web traffic to flow via WSAM, and all other traffic, including ssh traffic, should flow outside the WSAM tunnel

 

In SA UI > User role > SAM > Applications > Under "WSAM allowed servers"

Add 1.1.1.1:80

 

In Resource policies > SAM > Access > make sure the required ACL is configured to allow this traffic.

 

Now, you can launch WSAM and all the web traffic flows via WSAM. Hope this helps you!

 

Thanks,

Suresh

Recognized Expert
kenlars
Posts: 420
Registered: 03-24-2008
0

Re: WSAM - Allow local traffic

One note on this: if you define a destination IP and port, all traffic destined for that name or address on that port will flow through WSAM regardless of the application.  This usually isn't a bad thing.  For example, if a user were using Chrome instead of IE, the access would still work.

 

Ken

Moderator
zanyterp
Posts: 2,263
Registered: 11-19-2007
0

Re: WSAM - Allow local traffic


jspanitz wrote:

All we have is a WSAM resource profile with 4 client apps defined.  One of the client apps is iexplore.exe with a SAM ACL to an IP address and port.  But I am thinking WSAM is just seeing iexplore.exe and redirecting all traffic, so all traffic other than the IP:Port in the ACL is then being blocked.

 

Is it possible to direct some traffic to a specific IP:Port accessed via iexplore.exe through WSAM while letting the rest of the traffic from iexplore.exe flow outside WSAM?


When you define a WSAM application, all traffic for that application is SAMized and will be treated by the ACL. If you need only certain servers, then you define those servers (which is generally better for your users overall).
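The two interception modes described in SHKM's and zanyterp's replies (and kenlars' note that a destination-defined resource catches the flow from any browser) can be modelled as a small decision function. The block below is an added illustration written for this page, not Juniper's code and not the SA's actual implementation; the policy fields, the ACL tuple format, and the use of port 0 as an "any port" wildcard are assumptions made for the model. It reproduces the symptom from the original post (application-defined iexplore.exe plus a one-host ACL blocks every other site) beside the destination-defined configuration that sends only 1.1.1.1:80 through WSAM and leaves the rest on the client's local connection.

```python
"""Model of the two WSAM interception modes discussed in the thread.

Added example for this page (not Juniper's code). Assumed behaviour, as stated
in the replies:
  * application-defined resource: every TCP connection made by that process is
    intercepted ("SAMized") and then evaluated against the SAM access ACL; a
    flow the ACL does not allow is blocked, not released to the local network;
  * destination-defined resource (host:port or IP:port): only connections to
    that host:port are intercepted, from any process; everything else leaves
    via the client's local connection untouched.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Flow:
    process: str   # client process name, e.g. "iexplore.exe"
    dst: str       # IP address or hostname the client connected to
    port: int


@dataclass
class WsamPolicy:
    # WSAM client applications (User role > SAM > Applications)
    apps: set[str] = field(default_factory=set)
    # WSAM allowed servers as (host, port) pairs
    destinations: set[tuple[str, int]] = field(default_factory=set)
    # SAM access ACL as (host-or-CIDR, port) allow rules; port 0 = any port
    # (tuple layout and the 0 wildcard are assumptions of this model)
    acl_allow: list[tuple[str, int]] = field(default_factory=list)


def _host_matches(rule_host: str, dst: str) -> bool:
    """True if a rule host (hostname, IP, or CIDR prefix) covers the destination."""
    if rule_host == dst:
        return True
    try:
        net = ipaddress.ip_network(rule_host, strict=False)
        return ipaddress.ip_address(dst) in net
    except ValueError:
        # hostname on either side: only an exact string match counts
        return False


def _acl_allows(policy: WsamPolicy, flow: Flow) -> bool:
    return any(_host_matches(h, flow.dst) and p in (0, flow.port)
               for h, p in policy.acl_allow)


def route(policy: WsamPolicy, flow: Flow) -> str:
    """Return 'wsam' (tunnelled), 'local' (never intercepted) or 'blocked'."""
    by_dest = any(_host_matches(h, flow.dst) and p == flow.port
                  for h, p in policy.destinations)
    by_app = flow.process.lower() in {a.lower() for a in policy.apps}
    if not (by_dest or by_app):
        return "local"            # WSAM never sees this connection
    return "wsam" if _acl_allows(policy, flow) else "blocked"


def thread_scenarios() -> dict[str, str]:
    """The configurations from the thread, run through the model."""
    acl = [("1.1.1.1", 80)]
    # Original poster's setup: iexplore.exe as a client app + one-host ACL.
    app_policy = WsamPolicy(apps={"iexplore.exe"}, acl_allow=acl)
    # SHKM's suggestion: define 1.1.1.1:80 under "WSAM allowed servers".
    dest_policy = WsamPolicy(destinations={("1.1.1.1", 80)}, acl_allow=acl)
    # 203.0.113.10 is a constructed "some other website" address.
    return {
        "app: IE -> 1.1.1.1:80":        route(app_policy, Flow("iexplore.exe", "1.1.1.1", 80)),
        "app: IE -> other site":        route(app_policy, Flow("iexplore.exe", "203.0.113.10", 443)),
        "app: Chrome -> 1.1.1.1:80":    route(app_policy, Flow("chrome.exe", "1.1.1.1", 80)),
        "dest: IE -> 1.1.1.1:80":       route(dest_policy, Flow("iexplore.exe", "1.1.1.1", 80)),
        "dest: IE -> other site":       route(dest_policy, Flow("iexplore.exe", "203.0.113.10", 443)),
        "dest: Chrome -> 1.1.1.1:80":   route(dest_policy, Flow("chrome.exe", "1.1.1.1", 80)),
        "dest: ssh -> 1.1.1.1:22":      route(dest_policy, Flow("ssh.exe", "1.1.1.1", 22)),
    }


if __name__ == "__main__":
    for label, verdict in thread_scenarios().items():
        print(f"{label:30s} {verdict}")
```

The "app: IE -> other site" row comes out `blocked`, which is the behaviour the original post complains about, while the destination-defined rows send only 1.1.1.1:80 through WSAM and leave the other site and the ssh connection `local`. Whatever model you use, confirm on a real client by connecting to a non-listed site from the SAMized browser and checking whether it is refused (application mode) or answered (destination mode).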

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.