


KB26796 - Is it possible to specify a port range in the VPN Tunneling split tunneling policy?



Last Modified Date: 12/5/2015 10:39 PM
When saving the VPN Tunneling split tunneling policy, administrators see the error message "Failed to save policy. Reason: Invalid Resource!". This article explains why a port range cannot be entered in the VPN Tunneling split tunneling policy and how port-level control is applied instead.


Problem or Goal


Split tunneling has been configured for a Network Connect role, and split tunneling networks have been specified to control which traffic is passed through the VPN tunnel. However, when a port range is entered in a split tunneling network entry in order to exclude it from the tunnel, a syntax error is generated: "Failed to save policy. Reason: Invalid Resource!". The administrator intends to exclude a port range from the Network Connect split tunnel and would like to know the correct syntax for it.



Solution


The Split Tunneling Networks option defines a VPN tunneling resource policy that specifies one or more IP address/netmask combinations for which the Secure Access Gateway handles traffic passed between the remote client and the corporate intranet. You can also specify networks whose traffic should not pass through the VPN tunnel (exclude routes).

When split tunneling is used, VPN tunneling modifies the routing table on the client so that traffic destined for the corporate intranet networks flows through the tunnel and all other traffic goes through the local physical adapter. The Secure Access Service tries to resolve DNS requests through the physical adapter first and then routes those that fail to the VPN tunneling adapter.

A resource defined under the split tunneling networks cannot carry a port; it must be an entire IP address or subnet. When split tunneling is enabled, traffic to the networks listed there is routed to the VPN adapter and all other traffic is routed to the physical adapter. Of the traffic that reaches the tunnel, only what is permitted by a VPN tunneling resource access policy written as protocol://<ip address>:<port> is actually passed; the rest is dropped. It is therefore not possible to make traffic for specific ports bypass the tunnel: port-level control exists only inside the tunnel, as an allow or deny action, not as a routing decision.

Network Connect split tunneling accepts only IP address based resource entries (ports cannot be used). The netmask can be written in dotted decimal format (for example 255.255.255.0) or in CIDR notation (for example /32 or /24).


To restrict users on the split tunneling networks to certain ports, apply an appropriate VPN Tunneling Resource access policy. Resources of the form tcp://<ip address>:<port> or udp://<ip address>:<port> can be configured there with an allow or deny action. So even if the entire range is listed in the split tunneling networks, users can only reach the resources permitted by the ACL.

Note: When split tunneling is disabled, all traffic from the client machine goes through the Juniper Networks virtual adapter and is encrypted with the cipher suite configured in the VPN tunneling profile settings. For this to work, appropriate VPN Tunneling resource policies (ACLs) must still be defined to allow or deny the traffic passed through the tunnel. If split tunneling is disabled, all split tunneling configuration is ignored, including the exclude route. Order the policies according to how you want the Secure Access Gateway to evaluate them (policies are applied in the order they are listed in the admin UI). Keep in mind that once the Secure Access Gateway matches the resource requested by the user to a resource in a policy's (or a detailed rule's) Resource list, it performs the specified action and stops processing policies.
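The two layers described above (routes from the split tunneling networks, then an ordered first-match ACL on what reaches the tunnel) are easy to get wrong when the goal is "exclude a port range". The following Python is an added illustrative model written for this article; it is not the Secure Access Gateway's parser or policy engine, and the resource syntax it accepts (protocol://address[/mask]:port, with port ranges and "*" assumed) and the default-deny behaviour for unmatched tunnel traffic are assumptions drawn from the text. The addresses and policies are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Illustrative model of the two layers the article describes (added example,
# not the product's own code):
#   Layer 1: split tunneling networks -> client routes (address/netmask only).
#   Layer 2: VPN tunneling resource access policies -> ACL on tunnel traffic,
#            written as protocol://<address>[/<mask>]:<port>, evaluated in
#            admin-UI order, first match wins (assumed default deny otherwise).


class InvalidResource(ValueError):
    """Entry the split tunneling policy cannot accept (e.g. it carries a port)."""


def parse_split_tunnel_network(entry: str) -> ipaddress.IPv4Network:
    """Accept a host, 'net/netmask' (dotted decimal) or 'net/prefix' (CIDR).

    A ':port' suffix is what triggers 'Invalid Resource!' in the UI, so it is
    rejected here rather than silently stripped.
    """
    entry = entry.strip()
    if ":" in entry:
        raise InvalidResource(f"Invalid resource: {entry!r} (ports not allowed here)")
    try:
        return ipaddress.IPv4Network(entry, strict=False)
    except ValueError as exc:
        raise InvalidResource(f"Invalid resource: {entry!r}") from exc


def is_valid_split_tunnel_entry(entry: str) -> bool:
    try:
        parse_split_tunnel_network(entry)
        return True
    except InvalidResource:
        return False


@dataclass(frozen=True)
class Policy:
    proto: str                      # "tcp" or "udp"
    network: ipaddress.IPv4Network
    ports: Tuple[int, int]          # inclusive range; "*" becomes (1, 65535)
    action: str                     # "allow" or "deny"


def parse_policy(spec: str, action: str) -> Policy:
    """Parse 'tcp://10.1.0.0/16:8000-8100' style resource strings (assumed syntax)."""
    proto, sep, rest = spec.partition("://")
    if not sep or proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp:// or udp://: {spec!r}")
    addr, sep, port_spec = rest.rpartition(":")
    if not sep:
        raise ValueError(f"port (or *) required: {spec!r}")
    if port_spec == "*":
        ports = (1, 65535)
    elif "-" in port_spec:
        lo, hi = (int(p) for p in port_spec.split("-", 1))
        ports = (lo, hi)
    else:
        ports = (int(port_spec), int(port_spec))
    if not (1 <= ports[0] <= ports[1] <= 65535):
        raise ValueError(f"bad port range: {spec!r}")
    if action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny: {action!r}")
    return Policy(proto, ipaddress.IPv4Network(addr, strict=False), ports, action)


def route_for(dst: str, split_networks: List[ipaddress.IPv4Network]) -> str:
    """Layer 1: which adapter the client's routing table sends this destination to."""
    ip = ipaddress.IPv4Address(dst)
    return "tunnel" if any(ip in net for net in split_networks) else "physical"


def tunnel_decision(proto: str, dst: str, port: int,
                    split_networks: List[ipaddress.IPv4Network],
                    policies: List[Policy]) -> str:
    """Combine both layers. Returns 'physical', 'allow' or 'deny'.

    Traffic routed to the physical adapter never reaches the ACL. Tunnelled
    traffic takes the action of the first matching policy; with no match it is
    dropped (assumed default deny, the article's 'simply ignored').
    """
    if route_for(dst, split_networks) == "physical":
        return "physical"
    ip = ipaddress.IPv4Address(dst)
    for p in policies:                       # order as listed in the admin UI
        if p.proto == proto and ip in p.network and p.ports[0] <= port <= p.ports[1]:
            return p.action                  # first match wins; stop processing
    return "deny"


# Constructed scenario: keep 10.1.0.0/16 in the tunnel except TCP 8000-8100.
# That cannot be expressed as a split tunneling network (port would be rejected)...
SPLIT_NETWORKS = [parse_split_tunnel_network("10.1.0.0/255.255.0.0")]   # same as /16
# ...but the port range can be denied inside the tunnel with an ordered ACL:
POLICIES = [
    parse_policy("tcp://10.1.0.0/16:8000-8100", "deny"),   # specific rule first
    parse_policy("tcp://10.1.0.0/16:*", "allow"),          # then the general allow
]

if __name__ == "__main__":
    print(is_valid_split_tunnel_entry("10.1.0.0/16:8000-8100"))                 # False
    print(tunnel_decision("tcp", "10.1.5.5", 8050, SPLIT_NETWORKS, POLICIES))   # deny
    print(tunnel_decision("tcp", "10.1.5.5", 443, SPLIT_NETWORKS, POLICIES))    # allow
    print(tunnel_decision("tcp", "192.0.2.5", 8050, SPLIT_NETWORKS, POLICIES))  # physical
```

Two things the model makes visible: reversing the two policies turns the 8050 decision into "allow", because the general allow then matches first and evaluation stops; and a "deny" is a drop inside the tunnel, not a bypass, so the port-range traffic never reaches the physical adapter the way the administrator originally intended.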
Created By: Data Deployment


