Windows 7 Cisco AnyConnect and Split Tunneling

Discussion in 'Windows Security' started by harkonenn, Aug 5, 2013.

  1. harkonenn

    harkonenn Well-Known Member

    Joined:
    Oct 3, 2011
    Messages:
    6
    Likes Received:
    0
    I sometimes work from my home office and remotely connect to my company's network via VPN using Cisco AnyConnect. The VPN adapter is supposed to support split tunneling, and I assumed that since it's only necessary to use it for certain applications (like SalesLogix), that only those applications would be allowed to access the VPN.

    Today I discovered that my home system is rerouting all TCP/UDP connections through the VPN adapter when it's active. This seems to slow things down quite a bit, and that extra traffic over VPN really isn't needed - for instance, I can send and receive corporate email without needing the VPN.

    Is there a way that I can limit AnyConnect only to use the ports/addresses required for certain applications?

    Thanks!
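A way to verify what the question describes (whether the tunnel is carrying every destination or only the corporate prefixes) is to read the Windows routing table. The following is an added example, not part of the original thread: it parses the IPv4 "Active Routes" section that `route print` produces on Windows 7 and reports which prefixes leave through the VPN adapter, identified by the address shown in its Interface column. The route tables and the adapter address 192.168.55.10 are constructed sample data.

```python
"""Classify a Windows 'route print' IPv4 table as full- or split-tunnel.
Added example, not from the original thread; route tables are constructed."""
import re
from ipaddress import IPv4Network

# Full tunnel: the VPN adapter holds a default route with a lower metric (2)
# than the LAN default (25), so every destination is sent through the tunnel.
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     25
          0.0.0.0          0.0.0.0     192.168.55.1   192.168.55.10      2
      192.168.1.0    255.255.255.0         On-link      192.168.1.23    281
    192.168.55.10  255.255.255.255         On-link     192.168.55.10    257
"""
# Split tunnel: only the corporate prefixes are routed via the VPN adapter.
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     25
        10.20.0.0      255.255.0.0     192.168.55.1   192.168.55.10      2
       172.16.5.0    255.255.255.0     192.168.55.1   192.168.55.10      2
      192.168.1.0    255.255.255.0         On-link      192.168.1.23    281
    192.168.55.10  255.255.255.255         On-link     192.168.55.10    257
"""
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+(\S+)\s+{IPV4}\s+(\d+)\s*$")


def parse_routes(text):
    """Yield (network, gateway, interface_ip, metric) for each 'Active Routes' row."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:  # header, separator and IPv6 rows do not match
            dest, mask, gw, iface, metric = m.groups()
            yield IPv4Network((dest, mask)), gw, iface, int(metric)


def classify_tunnel(text, vpn_iface_ip):
    """Return ('full' | 'split', prefixes routed via the VPN adapter).
    The adapter's own /32 host route is ignored. It is a full tunnel when the
    lowest-metric default route (0.0.0.0/0) leaves through the VPN adapter."""
    routes = list(parse_routes(text))
    via_vpn = sorted((net for net, _gw, iface, _m in routes
                      if iface == vpn_iface_ip
                      and not (net.prefixlen == 32 and str(net.network_address) == vpn_iface_ip)),
                     key=lambda n: (int(n.network_address), n.prefixlen))
    defaults = [r for r in routes if r[0].prefixlen == 0]
    best = min(defaults, key=lambda r: r[3], default=None)
    kind = "full" if best is not None and best[2] == vpn_iface_ip else "split"
    return kind, via_vpn
```

On a live machine, feed the text of `route print -4` into `classify_tunnel` with the VPN adapter's address from `ipconfig`; a "full" result means the head end is pushing a tunnel-all policy, which only the VPN administrators can change.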
     
  2. BIGBEARJEDI

    BIGBEARJEDI Honorable Member
    Premium Supporter

    Joined:
    Jan 28, 2013
    Messages:
    1,798
    Likes Received:
    219
    Yes, there is. But it's certainly not easy to identify all those TCP/UDP ports by each application you want to use. It sounds like you've made a recent change to your home system. Specs please! If it's Windows 7 I may be able to help you as one of my Clients runs AnyConnect with VPN Client on their POS system. :sta2r:

    Also, it's very important that your home system is running ALL the Microsoft and CISCO updates. For example, if you are running Win7, you MUST have SP1 installed and all subsequent security updates. It would also help to know the Model of your VPN adapter in your home office.

    By the way, I wouldn't recommend that you send/receive Corporate Email over a non-VPN link if they've gone to the trouble of providing you with a VPN adapter for your home office without checking with your IT Director first! There is a very good reason they want you to use that, and one of those is added security protection of proprietary corporate information being transmitted on a secure, encrypted, authenticated tunnel. By bypassing their Tunnel, and using a web portal connection (unless it's via an Intranet or Extranet connection), you are exposing your information to prying eyes, such as Industrial Spies and so forth who may be after your Company secrets. If they are using a high-performance Cisco router such as a PIX firewall, they may also be using a Certificate Server which works in conjunction with your VPN connection technology. That makes your Email and any other application related programs you remotely connect to on your Corporate network highly secure...and it does slow things down. That's the price you pay for state-of-the-art data protection! :nerdie:

    Just thought you might like to know.

    Post your information back and I'll make some suggestions.

    BIGBEARJEDI
     
  3. harkonenn

    harkonenn Well-Known Member

    Joined:
    Oct 3, 2011
    Messages:
    6
    Likes Received:
    0
    Thanks for responding, BIGBEARJEDI. Here are my system specs: Windows 7 Ultimate 64-bit SP1 (build 7601). All updates are current as of today (important and recommended).

    Any of us who work remotely are using a software VPN - the Cisco AnyConnect I mentioned. I'm running version 2.5.3055 since that's the latest one available from our IT department. I'm also running the Cisco CVPND service 5.0.07.0440 - both of these were installed by our IT department. My home system is actually a laptop issued and configured by my company, and it's on our domain. I'm not sure if this info is helpful, but my router is a Netgear WGR614 v7 (pretty old).

    As far as corporate security goes, I understand what you mean. Like the 200 other employees at my company, we just assume that the IT department knows what they're doing in that regard, and really don't give it another thought ;) They allow us to use our mobile devices to collect and send email through Exchange, and without having to VPN in. I guess our sales team complained about the VPN speed, and that requirement was dropped a couple of years ago - but I'm not familiar with any of the details.
     
  4. BIGBEARJEDI

    BIGBEARJEDI Honorable Member
    Premium Supporter

    Joined:
    Jan 28, 2013
    Messages:
    1,798
    Likes Received:
    219
    Sure thing, no problem. It's helpful to have some of your specs. And to know you are using a company configured laptop on a domain and all. Sounds like they have some networking internal issues there that may require re-architecting. First thing I would try is to replace that Netgear router with a more modern Cisco home router, such as a Valet model. (That avoids a whole host of Netgear router BIOS upgrade issues, and compatibility.)

    2nd thing is, if your home ISP is someone like Comcast or Cox, a Cable Modem HS Internet Provider, make sure your Cable Modem is DOCSIS 3.0 or 4.0 if available. That can also negatively affect all VPN and RDC type connections.

    Since you are in a small company, they probably don't have the server horsepower to run an enterprise App such as SalesLogix. I'm somewhat familiar with it, and it's a resource and bandwidth hog. In larger companies I've worked at, we spent hundreds of thousands to millions of dollars on ERP upgrades to resolve this problem. Last company I did that for we had 688 employees on 3 continents, and took 2 years to redesign. I was the Project Manager.

    I can only guess about the state of your internal network, but from experience the number 1 client type who had difficulty on our old remote network setup was our Sales People; using our old system was antiquated, and slow, and unreliable. Your problem is not the VPN, but probably the internal network and server architecture running the VPN. Unless they are using Cisco PIX firewall, Sonic, or RADIUS Server technologies along with ERP, traditional APPS over VPN really suck on performance. No matter how fast your laptop is that they give you, it won't overcome all these design difficulties.

    Try to replace your home router first, and tell your IT people they probably have some work to do...you shouldn't be having to go in and tweak TCP & UDP ports for each application you run. Especially if they pre-configured your laptop!

    Luck!:polite:
    BBJ
     
