Junos Pulse, Apple iOS, and Split-Tunneling
When you create (SSL) VPN access for your employees, you might enable split-tunneling to save corporate bandwidth. Without split-tunneling, all traffic is forwarded into the VPN tunnel. So if you browse the Internet with an active VPN, the traffic goes through the VPN and reaches the Internet through the corporate Internet connection. This isn't a big problem with a couple of employees, but with hundreds on the road or working from home, it might frustrate the employees in the building who share that connection.
So split-tunneling is a method to create a local 'break-out' at home (or on the road). Only traffic destined for corporate resources is directed into the VPN tunnel. Regular browsing goes directly to the Internet, saving corporate resources and giving the employees a little privacy (so they can facebook all day without the boss knowing.....). Being able to access corporate resources means that you also need to use the corporate DNS servers (on the VPN adapter) to resolve those resources. Your regular ISP DNS servers have no idea what you mean by http://intrawebs.mycompany.local/, but your corporate DNS server does.
NOTE 1: split-tunneling might introduce security risks, because the company / IT department can't inspect the traffic to and from the Internet for malware and other annoying stuff, which might then infect corporate resources.
Anyway, it seems that split-tunneling doesn't work all the time, especially if you're using a mobile device like an iPhone or iPad with iOS and the Juniper Junos Pulse client. Connecting to a Juniper SSL VPN device (SA or MAG) with Junos Pulse on iOS doesn't work with split-tunneling enabled. It seems that Apple iOS doesn't like it when the DNS servers of the normal (physical) adapter are overruled by a DNS server assigned through the VPN. This means that corporate resources can't be resolved in this scenario.
The only way to solve this (at this moment) is to use a (special) SSL VPN profile for those iOS users with split-tunneling disabled. Since these users then send all their traffic through the tunnel, you also need to make sure that 'regular' Internet traffic is possible through the corporate Internet connection (directly or through a proxy). Otherwise the employee can only access the Intrawebs, and not the Facebooks etc.
NOTE 2: I was told by Juniper JTAC that this is a limitation (or feature if you will) in iOS, and not in their Junos Pulse client. This would mean that e.g. a Cisco AnyConnect client (also available on iOS) should result in similar findings. Anyone tried that?
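To make the two decisions a split-tunnel client has to get right concrete (which resolver answers a name, and whether the resulting address is routed into the tunnel), here is an added example that is not part of the original post. The routes, DNS suffix list, resolver addresses and DNS answers are constructed values; the vpn_dns_honoured flag models a client that keeps using the physical adapter's DNS, as the post describes for iOS.

```python
import ipaddress

# Constructed split-tunnel policy (assumed values, not from the original post).
TUNNEL_ROUTES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.100.0/24")]
CORP_SUFFIXES = ("mycompany.local",)          # DNS suffix list pushed by the SA
CORP_DNS, ISP_DNS = "10.0.0.53", "203.0.113.53"

# Constructed answers each resolver would give; the ISP resolver knows nothing
# about the internal zone, so it has no answer for those names.
CORP_ANSWERS = {"intrawebs.mycompany.local": "10.0.5.20", "www.example.com": "198.51.100.10"}
ISP_ANSWERS = {"www.example.com": "198.51.100.10"}


def is_corporate_name(hostname, suffixes=CORP_SUFFIXES):
    """Label-wise suffix match: 'evilmycompany.local' must NOT match 'mycompany.local'."""
    labels = hostname.rstrip(".").lower().split(".")
    for suffix in suffixes:
        slabels = suffix.lower().split(".")
        if len(labels) > len(slabels) and labels[-len(slabels):] == slabels:
            return True
    return False


def goes_through_tunnel(ip, routes=TUNNEL_ROUTES):
    """Route selection: only destinations inside the tunnel's prefixes use the VPN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in routes)


def classify(hostname, vpn_dns_honoured=True):
    """Return (resolver, address, via_tunnel) for one connection attempt.
    vpn_dns_honoured=False models a client that ignores the VPN-assigned DNS
    server and keeps using the physical adapter's resolver (the iOS behaviour)."""
    use_corp = vpn_dns_honoured and is_corporate_name(hostname)
    resolver = CORP_DNS if use_corp else ISP_DNS
    answers = CORP_ANSWERS if use_corp else ISP_ANSWERS
    address = answers.get(hostname.rstrip(".").lower())
    if address is None:
        return resolver, None, False          # resolution failed: nothing to route
    return resolver, address, goes_through_tunnel(address)


if __name__ == "__main__":
    for name in ("intrawebs.mycompany.local", "www.example.com", "evilmycompany.local"):
        print(name, classify(name), classify(name, vpn_dns_honoured=False))
```

With vpn_dns_honoured=False the internal name gets no answer at all, which is exactly the symptom the post describes; public names resolve and break out locally either way.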
Reader Comments (2)
Thanks for the article. Split-tunnelling is what I need.
Juniper's Junos Pulse client with split tunnel enabled works perfectly fine. The only caveat is the one described in the KB below. However, the workaround mentioned there is fairly straightforward and in most cases will require no additional config, as your internal DNS suffix list should already be defined on the SA.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16327