The Remote Access Service (RAS) uses Destinations to define which network resources can be accessed by VPN users and for split tunneling.
What are Destinations?
A destination is a named IP network resource, or a set of them, defined by the RAS service administrator. Each destination has a name and a network destination, which is the actual network resource(s). The table below lists the possibilities.
| Name (user defined) | Network Destination (user defined) | Description |
|---|---|---|
| My Internal Network | 192.168.1.0/24 | An entire subnet |
| My Host | 192.168.1.123 | A specific host |
| My Host on port 8080 | 192.168.1.123:8080 | A specific host but only port 8080 |
| My Network on port 8080 | 192.168.1.0/24:8080 | An entire subnet but only port 8080 |
| All Hosts on port 22 | *:22 | All hosts, only port 22 |
| My Internal Networks | 192.168.1.0/24, 192.168.2.0/24 | Multiple subnets |
| My Internal Networks on ports 80 and 443 | 192.168.1.0/24:80, 192.168.1.0/24:443 | An entire subnet but only ports |
Destinations are needed when you:
- configure the RAS service and want to route only specific subnet(s) through the VPN tunnel (split tunneling)
- configure access control lists (ACL) for VPN users
To route only a specific subnet through the VPN tunnel when configuring the RAS service:
- On the Remote Access Service Settings page, under Route via VPN tunnel, choose the option Specific Destinations. A new section is displayed, with an Add new link and a dropdown that allows selecting destinations.
- Click Add new to open a window for configuring destinations.
Enter the Name and Network Destination. Click Add to add the destination to the list. Click Save when you are done; you will be returned to the previous page.
- Select the destination to route through the VPN tunnel from the list and click Save.
When enabling VPN for users, you can choose to limit their access to specific destinations.
- On the Remote Access page, select the Destinations tab of your RAS server
- Click Edit to manage Destinations
- Add Destinations according to your needs. Click Save when you are done.
- Click on the ACL tab then choose Grant Access to add a new VPN user
- Select the user you wish to grant access and choose Access type: Restricted to the following destinations. Select the destinations to which the user should have access. Click Save to finish.
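Before entering Network Destination values for a restricted user, it helps to check what a given string actually permits. The following is an added example, not code from the RAS product: it parses the syntax shown in the table above and tests whether a host and port fall inside it. The function names, the IPv4-only handling, and the treatment of a bare `*` as "all hosts, all ports" are assumptions.

```python
import ipaddress

def parse_destination(spec):
    """Parse 'entry, entry, ...' into a list of (network_or_None, port_or_None).

    Entry forms follow the table: host, subnet, host:port, subnet:port, *:port.
    IPv4 only (assumption): the ':' port separator is ambiguous for IPv6.
    """
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty destination entry")
        host, sep, port = item.partition(":")
        port_num = None
        if sep:
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                raise ValueError(f"bad port in {item!r}")
            port_num = int(port)
        # strict=True rejects subnets with host bits set, e.g. 192.168.1.5/24,
        # which usually indicates a typo that would widen or shift the rule.
        net = None if host == "*" else ipaddress.IPv4Network(host, strict=True)
        entries.append((net, port_num))
    return entries

def is_allowed(entries, ip, port):
    """True if (ip, port) matches at least one parsed destination entry."""
    addr = ipaddress.ip_address(ip)
    return any(
        (net is None or addr in net) and (p is None or p == port)
        for net, p in entries
    )

if __name__ == "__main__":
    # Constructed sample: the last row of the table above.
    acl = parse_destination("192.168.1.0/24:80, 192.168.1.0/24:443")
    for ip, port in [("192.168.1.10", 443), ("192.168.1.10", 22),
                     ("192.168.2.10", 443)]:
        verdict = "allow" if is_allowed(acl, ip, port) else "deny"
        print(f"{ip}:{port} -> {verdict}")
```

Note how broad `*:22` is when checked this way: it matches port 22 on every host reachable through the tunnel, not only those in the internal subnets.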