Application Bypass (CLI Procedure)

Overview

This task describes how to configure the application bypass feature of the remote access VPN solution on the SRX Series Firewall. As an administrator, if you want users in your organization to reach certain applications directly rather than through the remote access VPN tunnel, follow this procedure:

  1. Identify the applications to bypass by domain name and protocol. For example, if you want users to reach enterprise applications such as Zoom, SharePoint, or Salesforce without going through the VPN, specify them in the configuration as follows:

    • For the Oracle cloud application suite, specify cloud.oracle.com as the fully qualified domain name (fqdn) match criterion.

    • For the Salesforce CRM application and all of its subdomains, specify .salesforce.com as the match criterion with the wildcard keyword. With the wildcard keyword, if the main domain is salesforce.com, the subdomains login.salesforce.com, help.salesforce.com, developer.salesforce.com, and so on all match, so the VPN is bypassed for each of them. The specified criterion is treated as the suffix of the name, and any leftmost label (or labels) in front of it is accepted.

    • To match any domain name containing a specific string, use the contains keyword. For example, to match any domain name containing sharepoint.com, specify sharepoint.com with the contains keyword; any domain name that contains sharepoint.com then bypasses the VPN. This differs from the wildcard match because, with contains, the string can appear anywhere in the FQDN rather than only as its suffix. For example, example.gov with the contains keyword matches both example.gov.in and edu.example.gov. Because a contains match is not anchored to a domain you control (example.gov.in is a different registrable domain from example.gov), use it only when a narrower fqdn or wildcard match is not possible: traffic that matches a bypass term leaves the tunnel and is not inspected by the SRX Series Firewall.

    • To bypass applications based on protocol, specify tcp, udp, or all.

  2. Categorize these applications according to your use case and group each category under a term name. On the SRX Series Firewall, you can create multiple terms to configure multiple application bypass entries and associate them with the configuration parameters of a particular remote client at the [edit security remote-access client-config] hierarchy level.

  3. Identify the remote client configuration with which you will associate the application bypass rules.

Configuring Application Bypass

To configure the application bypass feature using the command-line interface (CLI):

  1. Log in to your SRX Series Firewall using the CLI.

  2. Configure remote-access VPN in full tunnel configuration mode. See one of the following procedures based on the authentication method used -

  3. To bypass the VPN for the identified applications, configure them as shown in Table 1.

    Table 1: Application Bypass Configuration Parameters

    Option     Domain name / protocol   Description
    fqdn       cloud.example.com        Specify a single cloud application by its fully qualified domain name.
    wildcard   .example.in              Covers the enterprise applications under that domain, for example payroll.example.in, sales.example.in, marketing.example.in, and hr.example.in.
    contains   example.edu              Specify a string that the domain name must contain.
    protocol   tcp, udp                 Specify TCP-based and UDP-based applications.

    • Using domain-name as FQDN -

    • Using domain-name with wildcard keyword -

    • Using domain-name containing a value, say, sharepoint.com -

    • Based on tcp -

    • Based on udp -

  4. When you have finished configuring the feature on your device, enter commit from configuration mode.
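The statements for steps 3 and 4 collected in one place, as an added example that is not taken from this page or from Juniper's own documentation. The [edit security remote-access client-config] hierarchy and the application-bypass, term, domain-name (fqdn, wildcard, contains) and protocol keywords are the ones this page names; the client-config name jsc-users, the term names, the use of relative set statements inside an edit context, and the exact placement of each keyword are assumptions, so confirm every statement with ? completion on your own device before committing.

```junos
## Added example, not from the page. Assumed: client-config name jsc-users
## and the term names. Verify the statement syntax with ? completion first.
edit security remote-access client-config jsc-users

## fqdn: exact match on one fully qualified host name
set application-bypass term cloud-suite domain-name fqdn cloud.example.com

## wildcard: the criterion is the suffix; any leftmost label(s) in front of it
## match, so payroll.example.in and hr.example.in both bypass the tunnel
set application-bypass term intranet-apps domain-name wildcard .example.in

## contains: substring anywhere in the FQDN. Per the page, example.gov would
## also match example.gov.in, a domain you may not control, so use this only
## when fqdn or wildcard cannot express the match.
set application-bypass term campus-apps domain-name contains example.edu

## protocol: bypass by transport protocol (tcp, udp, or all)
set application-bypass term tcp-apps protocol tcp
set application-bypass term udp-apps protocol udp

## review the candidate configuration, validate it, then commit
top
run show configuration security remote-access client-config jsc-users
commit check
commit
```

Each term above carries a single match criterion, mirroring the separate fqdn, wildcard, contains, tcp, and udp examples the page lists; whether one term may combine a domain-name and a protocol is not stated on the page, so keep them in separate terms unless your device's ? completion shows otherwise. The show configuration step lets you confirm that every term was entered under the intended client configuration before commit check validates the candidate.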

Once the Juniper Secure Connect VPN connection is established, your end users bypass the remote access VPN when they access these applications: traffic to them goes directly from the client rather than through the tunnel, which simplifies their experience. Remember that this bypassed traffic is no longer subject to the security policies applied to the tunnel on the SRX Series Firewall.