Configure Application Bypass (CLI Procedure)
Read this topic to understand and configure application bypass feature in Juniper Secure Connect.
What is Application Bypass
The application bypass feature enables users of the Juniper Secure Connect application to bypass specific applications based on domain names and protocols, eliminating the need for that traffic to pass through the VPN tunnel. This differs from split tunneling, where you use the VPN to encrypt confidential data while still having direct access to the internet. With application bypass, you still use the VPN to encrypt confidential data, but you can bypass the VPN for certain applications that the administrator defines based on domain names and protocols.
We support Application Bypass in the full tunnel configuration. Administrators configure this feature on the SRX Series Firewall in the remote access client configuration parameters. These parameters define how the Juniper Secure Connect client establishes a VPN tunnel with your security device.
Using this task, you can configure the application bypass feature for the remote access VPN solution on the SRX Series Firewall. As an administrator, if you want the users of your organization to access certain websites without going through the remote access VPN tunnel, follow this procedure:
- Identify the applications by their domain names and protocols. For example, if you want users to be able to access enterprise applications such as Zoom, SharePoint, or Salesforce without going through the VPN, specify them in the configuration as follows:
  - For the Oracle cloud application suite, specify cloud.oracle.com as the domain name match criterion.
  - For the Salesforce CRM application and all of its subdomains, specify .salesforce.com as the application match criterion using the wildcard keyword. With the wildcard keyword, if your main domain is salesforce.com, then the subdomains of the Salesforce application, such as login.salesforce.com, help.salesforce.com, and developer.salesforce.com, are matched, so traffic to those names bypasses the VPN. Any left-most label of the domain name is combined with the specified match criterion.
  - To match any domain name that contains a specific value, use the contains keyword. For example, specify sharepoint.com with the contains keyword, and any domain name that contains sharepoint.com bypasses the VPN. This differs from a wildcard match because, with the contains keyword, the string can appear anywhere in the FQDN. For example, example.gov with the contains keyword matches names such as example.gov.in and edu.example.gov.
  - To bypass applications based on protocol, specify tcp, udp, or all.
- Categorize these applications according to your use case and group them under a term name. On your SRX Series Firewall, you can create multiple terms to configure multiple application bypass entries and associate them with a particular remote client's configuration parameters at the [edit security remote-access client-config] hierarchy level.
- Identify the remote client with which you will associate the application bypass rules.
How to Configure Application Bypass
To configure the application bypass feature using the command line interface:
- Log in to your SRX Series Firewall using the command line interface (CLI).
- Configure remote-access VPN in full tunnel configuration mode. See one of the following procedures, based on the authentication method used.
- To bypass the VPN, configure the identified applications as shown in Table 1.

Table 1: Application Bypass Configuration Parameters

| Options | Domain Name/Protocol | Description |
| --- | --- | --- |
| fqdn | cloud.example.com | Specify a cloud application. |
| wildcard | .example.in | Covers enterprise applications such as payroll.example.in, sales.example.in, marketing.example.in, and hr.example.in. |
| contains | example.edu | Specify content that contains the specific domain name. |
| protocol | tcp, udp | Specify TCP and UDP based applications. |

  - Using domain-name as an FQDN:
    user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT application-bypass term term1 description "Cloud Applications"
    user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT application-bypass term term1 domain-name fqdn cloud.example.com
  - Using domain-name with the wildcard keyword:
    user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT application-bypass term term2 description "Enterprise Applications"
    user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT application-bypass term term2 domain-name wildcard .example.com
  - Using domain-name with the contains keyword (here, matching any name that contains example.edu):
    user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT application-bypass term term3 description "Education Services"
    user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT application-bypass term term3 domain-name contains example.edu
  - Based on tcp:
    user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT application-bypass term term4 description "All TCP based applications"
    user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT application-bypass term term4 protocol tcp
  - Based on udp (a separate term, so the TCP term above is not overwritten):
    user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT application-bypass term term5 description "All UDP based applications"
    user@host# set security remote-access client-config JUNIPER_SECURE_CONNECT application-bypass term term5 protocol udp
- When you are done configuring the feature on your device, enter commit from configuration mode.
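As an added illustration (not Juniper's code), the following Python models the three domain-name match modes described in this topic (fqdn, wildcard, contains) together with protocol-only terms, and reports which term would send a given host and protocol outside the tunnel. It assumes terms are evaluated in order, that a term with no domain-name matches every flow of its protocol, and that a wildcard pattern does not match the bare apex domain; the constructed term list mirrors the CLI examples above.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BypassTerm:
    """One application-bypass term: an optional domain-name match plus a protocol."""
    name: str
    match_type: Optional[str] = None   # "fqdn", "wildcard" or "contains"
    value: Optional[str] = None        # domain-name value for the match type
    protocol: str = "all"              # "tcp", "udp" or "all" (assumed default)


def _norm(host: str) -> str:
    # Case-insensitive comparison; trailing dot of an absolute name is ignored.
    return host.strip().lower().rstrip(".")


def domain_matches(match_type: str, pattern: str, host: str) -> bool:
    """Apply one domain-name match mode to a host name."""
    host, pattern = _norm(host), pattern.strip().lower()
    if match_type == "fqdn":        # exact name only
        return host == pattern
    if match_type == "wildcard":    # ".salesforce.com": left-most label(s) plus the suffix
        suffix = pattern if pattern.startswith(".") else "." + pattern
        return host.endswith(suffix)  # assumption: the apex "salesforce.com" itself is not matched
    if match_type == "contains":    # substring anywhere in the FQDN
        return pattern in host
    raise ValueError(f"unknown match type: {match_type}")


def bypasses_vpn(terms: List[BypassTerm], host: str, protocol: str) -> Optional[str]:
    """Return the name of the first term that bypasses the tunnel for host/protocol, or None."""
    for t in terms:
        if t.value is not None and not domain_matches(t.match_type, t.value, host):
            continue
        if t.protocol != "all" and t.protocol != protocol.lower():
            continue
        return t.name
    return None


def page_terms() -> List[BypassTerm]:
    """Constructed terms mirroring the CLI examples on this page."""
    return [
        BypassTerm("term1", "fqdn", "cloud.example.com"),
        BypassTerm("term2", "wildcard", ".example.com"),
        BypassTerm("term3", "contains", "example.edu"),
        BypassTerm("term4", protocol="tcp"),
        BypassTerm("term5", protocol="udp"),
    ]


if __name__ == "__main__":
    for h, p in [("login.example.com", "tcp"), ("intranet.corp.internal", "udp")]:
        print(h, p, "->", bypasses_vpn(page_terms(), h, p))
```

Note that a protocol-only term such as term4 matches every TCP flow, so place such broad terms deliberately and check the resulting bypass set against what you intended to keep inside the tunnel.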
Once the Juniper Secure Connect VPN connection is established, your end users bypass the remote-access VPN when they access these applications, which simplifies their experience.