Site-to-site vpn using remote gateway for internet traffic


We're moving a small remote office to a new location which means a new internet connection and a new router. I noticed that they are configured currently to use the remote gateway through the VPN, thus all their internet traffic goes through the connection in the central office which just seems to be slow and inefficient to me.

I'm thinking of configuring them to use their local gateway for non-VPN traffic. Is there a reason why I should not be doing this? Seems to me that's the best way to go about this. Unfortunately, the guy who set this up is long gone and I'm not sure what justification you would have to do this.

Best Answer

Typically there are two reasons I see this done.

  • As Robert Kaucher mentioned, content filtering, logging, and enforcement at the "hub site" is one big reason. Many content filtering products allow "slave" servers to be deployed at remote sites to perform filtering and logging based on a central "policy server". For a remote site where there isn't any server computer, though, an organization might just opt to route all that traffic back to a central filtering server.

  • Centralized firewall rules and monitoring are another common reason I've seen this done (for user-to-site VPNs in particular, but I've seen it with site-to-site, too). "Split tunneling" (that is, allowing the remote VPN endpoint to directly communicate with the Internet and sending only traffic to the corporate network down the VPN pipe) is seen by some as a major security risk. In a site-to-site environment, you could make the call that the firewall in the remote office should be configured to allow safe direct Internet access, but I've seen situations where it was considered "better" (I suppose because the firewall rules at the remote site ended up being, basically, "allow VPN traffic only") to route all that Internet traffic to the "hub" site.

You should see an improvement in bandwidth utilization at the "hub" site, and improved responsiveness at the remote site by moving to a split tunnel. As long as you've got solid firewall rules in the remote site (and whatever monitoring infrastructure, content filter, etc. that you want) there shouldn't be any reason not to allow it to have direct Internet access and save bandwidth at the "hub" site.
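To make the routing difference concrete, here is an added model (not part of the answer above) of the two configurations: a full tunnel whose default route points down the VPN, and a split tunnel where only corporate prefixes use the VPN. The prefixes and next-hop names are constructed for illustration and do not come from the question.

```python
"""Model of full-tunnel vs split-tunnel egress for a site-to-site VPN.

Constructed example: the prefixes below are made-up RFC1918 / documentation
ranges, not taken from any real network or from the original question.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not from the page).
CORPORATE_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
LOCAL_LAN = ip_network("192.168.50.0/24")


def build_routes(split_tunnel: bool):
    """Return (prefix, next_hop) entries ordered for longest-prefix match.

    Full tunnel: the default route goes down the VPN, so Internet-bound
    traffic hairpins through the hub site and its filtering/firewall.
    Split tunnel: only corporate prefixes use the VPN; everything else
    leaves via the remote office's own Internet gateway.
    """
    routes = [(LOCAL_LAN, "local")]
    routes += [(p, "vpn-tunnel") for p in CORPORATE_PREFIXES]
    default_hop = "local-wan" if split_tunnel else "vpn-tunnel"
    routes.append((ip_network("0.0.0.0/0"), default_hop))
    # Most specific prefix wins, as in a real forwarding table.
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def next_hop(routes, dst: str) -> str:
    """Longest-prefix lookup of a destination address."""
    addr = ip_address(dst)
    for prefix, hop in routes:
        if addr in prefix:
            return hop
    raise ValueError(f"no route for {dst}")


def egress_path(dst: str, split_tunnel: bool) -> str:
    """Where a flow from the remote office is enforced/filtered.

    'hub-site': Internet traffic carried over the VPN and filtered centrally.
    'remote-site': Internet traffic leaving directly; the remote firewall and
    any local content filter must carry the policy instead.
    'internal': corporate or LAN traffic, unchanged by the tunnel mode.
    """
    addr = ip_address(dst)
    hop = next_hop(build_routes(split_tunnel), dst)
    if hop == "local-wan":
        return "remote-site"
    if hop == "vpn-tunnel" and not any(addr in p for p in CORPORATE_PREFIXES):
        return "hub-site"
    return "internal"
```

Running `egress_path` over a corporate address and a public address in both modes shows that only the Internet-bound flow changes enforcement point; corporate traffic stays on the tunnel either way.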