Forum Discussion

Fallout1984
Jan 26, 2021
Solved

VPN - Disallow networks accessible via access policy "exclude" or via APM ACL instead?

From what I can tell, there are two ways to block access to certain networks via VPN: either by adding them to the "exclude" section of the access policy they're assigned to, or by adding an ACL step in APM. An excluded network will still be pushed to the client, but the metric assigned will tell it to go out the "local" connection rather than the VPN tunnel. With an ACL, it's just blocked at the F5.

My question is: beyond the example above, is there a reason to use one method over the other? I'm thinking an ACL would be preferable if one wants to "hide" the network(s) they don't want VPN users going to.


Thanks!

  • IMHO, ACLs are the safest way. The excluded networks setting is part of the split tunneling configuration, so it is strictly related to the routes pushed to the client. With an ACL, you are actually controlling what is allowed or not on the BIG-IP side. The difference may not seem important, but recently I was able to trick my Windows host into changing the routing entries of my machine in order to bypass the split tunneling configuration pushed to the client VPN, though it was with another (very popular) vendor's VPN client that advertises its global protection features ;p
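To make the reply's point concrete, here is an added example (not from this thread and not F5 code) that models the two control points: a client routing table built from the pushed split-tunnel routes, and a gateway-side ACL evaluated on the BIG-IP. The subnets, interface names and first-match ACL semantics are constructed assumptions for the illustration.

```python
import ipaddress

# Constructed example: corporate space is tunneled, one /16 of it is "excluded".
CORP = ipaddress.ip_network("10.0.0.0/8")        # routed into the VPN tunnel
EXCLUDED = ipaddress.ip_network("10.50.0.0/16")  # "exclude" entry in the policy


def pushed_routes(exclude_honoured):
    # Split-tunnel push: corp space via the tunnel, the excluded prefix via the
    # local interface. Longest prefix wins, so the /16 overrides the /8 route.
    # A client that edits its own routing table simply drops the /16 entry.
    routes = [(CORP, "tun0")]
    if exclude_honoured:
        routes.append((EXCLUDED, "local"))
    return routes


def next_hop(routes, dst):
    # Longest-prefix match, as a host routing table does it.
    dst = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in routes if dst in net]
    if not matches:
        return "local"  # default route
    return max(matches, key=lambda r: r[0].prefixlen)[1]


# Simplified APM-style ACL on the gateway: ordered, first match wins,
# implicit deny at the end (assumed semantics for this model).
ACL_WITH_REJECT = [("reject", EXCLUDED), ("allow", CORP)]
ACL_ALLOW_CORP = [("allow", CORP)]


def gateway_allows(acl, dst):
    dst = ipaddress.ip_address(dst)
    for action, net in acl:
        if dst in net:
            return action == "allow"
    return False


def reaches_over_tunnel(client_routes, acl, dst):
    """True if traffic to dst both enters the tunnel and passes the ACL."""
    if next_hop(client_routes, dst) != "tun0":
        return False  # the client never sends it down the tunnel
    return gateway_allows(acl, dst)
```

The exclude route only protects the excluded subnet while the client honours it; the ACL decision is made on the BIG-IP and does not depend on the client's routing table.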
