Configuring Network Extension

Procedure

  1. In the Config Network Extension area, enable the Network Extension.
    • You need to select Enable only when configuring network extension services by clicking at the right side of the virtual gateway. If you configure network extension services in wizard mode, Enable will be selected by default.
    • After network extension is enabled, the keepalive function is enabled by default.
    • Normally you do not need to configure any route from the virtual gateway to the user's IP address to enable SSL VPN network extension. However, if IP spoofing attack defense is enabled on the FW, packets from the user to the virtual gateway are identified as IP spoofing attack packets and discarded. In that case, configure a route from the virtual gateway to the user's IP address when you enable network extension.
  2. Configure an IP address range of the address pool.

    Parameter | Description
    Preserve Connections | If this function is enabled, the client periodically sends packets to the FW to prevent the SSL session from timing out. This keeps the network extension connection between the client and the server alive.
    Keepalive Packet Sending Cycle | Specifies the interval for sending keepalive packets.
    Available IP Address Range | Specifies the range of virtual IP addresses that the SSL VPN gateway assigns to users. Each row contains only one address range.

    When a network extension address pool is added, online users are not logged out. When a network extension address pool is modified or deleted, online users who are using addresses from that pool are logged out.

  3. Select a routing mode.

    Parameter | Description
    Split routing mode | Data from the client to the intranet is sent to the virtual network card for forwarding, based on the system routing table, and the virtual network card uses the virtual IP address as the source IP address. Data destined for the local subnet is forwarded by a real network card, which uses the actual IP address as the source IP address. Network extension therefore forwards only data to the intranet; at the same time, the virtual network card also forwards any data that is not destined for the local subnet. Users can access enterprise intranet and local LAN resources only; they cannot access Internet resources.
    Full routing mode | All data, whatever resource it accesses, is delivered to the virtual network card, which forwards it to the virtual gateway. Users can access enterprise intranet resources only; they cannot access Internet or local LAN resources.
    Manual routing mode | You must configure a static route to the intranet on the device. The client identifies data destined for the intranet and forwards it through the virtual network card. Users can access specific network segment resources of the enterprise intranet. Access to the Internet and the local LAN is not affected by the network extension function.

  4. Under Accessible Private Network Segment List, click Add.

    Perform this step only when the manual routing mode is selected.

  5. Configure an accessible intranet subnet.

    Perform this step only when the manual routing mode is selected.

    In this mode, users can remotely access the resources on specific intranet segments. Access to the Internet and the LAN is not affected. If the LAN and the remote intranet overlap, traffic is routed to the remote intranet instead of the LAN.

    Parameter | Description
    IP Network Segment | Specifies the IP address or subnet that users can access using the network extension service.
    Subnet Mask | Determines the accessible subnet. A smaller subnet mask indicates a larger subnet (for example, 255.255.0.0 covers more addresses than 255.255.255.0).

    • If the intranet server IP address and the virtual IP address are on different subnets, configure a route to the virtual IP address on the intranet server.
    • Adding, modifying, or deleting an accessible internal subnet causes online users to go offline.
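The following Python model illustrates the three routing modes from step 3 and the overlap rule from step 5. It is an added example written for this page, not Huawei's client or gateway code, and every address in it (the home LAN 192.168.1.0/24, the virtual IP 10.8.0.5, the intranet segments 10.1.0.0/16 and 172.16.10.0/24) is a constructed sample. The "virtual" and "physical" interface labels and the assumption that the virtual gateway forwards tunnelled traffic only to intranet segments are this model's simplifications of the descriptions above.

```python
import ipaddress

# Constructed sample topology (not from the page): a remote user's PC on a
# home LAN, a virtual IP assigned from the gateway's address pool, and two
# enterprise segments configured under "Accessible Private Network Segment List".
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")
LOCAL_IP = ipaddress.ip_address("192.168.1.20")
VIRTUAL_IP = ipaddress.ip_address("10.8.0.5")
INTRANET = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("172.16.10.0/24"),
]


def segment(ip, mask):
    """Combine an "IP Network Segment" and a dotted "Subnet Mask" into a network.
    strict=False lets a host address such as 10.1.5.7 stand for its subnet, and
    the resulting num_addresses shows that a smaller mask yields a larger subnet."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def decide(mode, dst, intranet=INTRANET, local_lan=LOCAL_LAN):
    """Model the client's forwarding decision for one destination.

    Returns (interface, source_ip): "virtual" means the packet enters the
    network extension tunnel with the virtual IP as its source address;
    "physical" means the real network card sends it with the real IP.
    """
    dst = ipaddress.ip_address(dst)
    if mode == "full":
        # Everything is handed to the virtual network card, local LAN included.
        return "virtual", VIRTUAL_IP
    if mode == "split":
        # Only the local subnet stays on the real network card; all else is tunnelled.
        if dst in local_lan:
            return "physical", LOCAL_IP
        return "virtual", VIRTUAL_IP
    if mode == "manual":
        # Only configured intranet segments are tunnelled. Checking them before the
        # local LAN gives the remote intranet precedence when the two overlap.
        if any(dst in seg for seg in intranet):
            return "virtual", VIRTUAL_IP
        return "physical", LOCAL_IP
    raise ValueError(f"unknown routing mode: {mode}")


def reachable(mode, dst, intranet=INTRANET, local_lan=LOCAL_LAN):
    """True if the destination can actually be reached in the given mode.

    Assumption of this model: the real network card reaches the local LAN and
    the Internet, while the tunnel reaches only enterprise intranet segments
    (the virtual gateway does not forward tunnelled traffic to the Internet or
    back to the user's own LAN).
    """
    iface, _ = decide(mode, dst, intranet, local_lan)
    if iface == "physical":
        return True
    dst = ipaddress.ip_address(dst)
    return any(dst in seg for seg in intranet)


def matrix(intranet=INTRANET, local_lan=LOCAL_LAN):
    """Reachability of one constructed sample host per class, for each mode."""
    samples = {
        "intranet": "10.1.5.7",
        "local LAN": "192.168.1.30",
        "Internet": "203.0.113.9",   # documentation range, stands in for any public host
    }
    return {
        mode: {name: reachable(mode, ip, intranet, local_lan) for name, ip in samples.items()}
        for mode in ("split", "full", "manual")
    }


if __name__ == "__main__":
    for mode, row in matrix().items():
        print(f"{mode:7s}", {k: ("yes" if v else "no") for k, v in row.items()})
```

Running the block prints one row per mode and reproduces the three statements in step 3: split mode reaches the intranet and the local LAN but not the Internet, full mode reaches the intranet only, and manual mode leaves Internet and LAN access untouched. Passing an intranet segment that equals the local LAN to `decide("manual", ...)` shows the overlap rule from step 5, with the traffic going to the tunnel rather than the LAN.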
Copyright © Huawei Technologies Co., Ltd.