Split tunnel and public urls

We are running SSL VPN without a Client IP Pool (during PoC) and I need to force the traffic for a publicly accessible URL into the SSL VPN tunnel. The reason is that we have, for instance, conditional access on SharePoint and I need to access it internally.

I am not sure if defining these applications as internal applications is a solution.


Many thanks


Anything you want the gateway to handle allow/deny decisions for would have to be intercepted as "gateway" traffic.

So in split tunnel mode, you would identify this particular IP as one of your intranet apps alongside your other actual internal networks. Or move SharePoint behind the gateway as an internal-only resource (which it sounds like you can't do).


When the VPN client gets connected, the list of intranet apps (IPs or networks) identifies the networks that the VPN client intercepts and tunnels to the gateway; the rest of the networking (such as internet or client-local traffic) is ignored by the VPN client and handled locally.

The problem with leaving the app public is that you still have no control over non-VPN users, so I would review whether this is really what you are trying to do.






With split tunnel there are a couple of variants you want to try:


OFF: All traffic (except your local subnet traffic) goes through the NSGW

  • ADC will push a default gateway to your computer pointing to the VPN tunnel as next hop
  • No need for defining intranet applications
  • All traffic will flow from the client to the ADC to the destination
  • Good for back-hauling all traffic to a centralized location and then applying filtering as needed

ON: Only traffic defined in intranet applications goes through the VPN tunnel

  • ADC will push routes to your computer as defined in your intranet applications, pointing to the VPN tunnel as next hop.
  • You need to define all intranet applications (subnets) you WANT to go through the ADC
  • Only the defined traffic will go through the ADC
  • Good for cases when you only have a handful of subnets and resources you would like your users to access.

Reverse: All traffic will go through the NSGW "EXCEPT" for the subnets defined as intranet applications

  • ADC will push a default route to your computer pointing to the VPN tunnel as next hop and will also push the subnets defined in your intranet applications pointing to your local gateway.
  • You need to define all intranet applications (subnets) you DON'T WANT to go through the ADC.
  • All traffic flows through the ADC EXCEPT the traffic defined.
  • Good for back-hauling all traffic to a centralized location when you still want to allow some subnets to be locally reachable to the user.


With that being said, you might be able to achieve what you want with either ON or Reverse. You just have to know whether there are only a few subnets you want to allow traffic to (ON), or there are lots of subnets you want traffic to go to and a small number you want to remain unmodified (Reverse).


Hope it helps.



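To make the three split-tunnel variants above concrete, here is an added model (not Citrix code and not from either poster) of the route selection the post describes: the routes the ADC pushes to the client for OFF, ON and REVERSE, longest-prefix-match resolution, and a check that tells you whether a given destination (for example the public address of a SaaS host you want forced through the gateway, as in the original question) would actually hit the tunnel. The intranet-application prefixes, the client LAN and the destination addresses are constructed sample values; the "local subnet always stays local" rule follows the post's wording.

```python
"""Model of Citrix Gateway split-tunnel route selection (OFF / ON / REVERSE).

Added illustration only: it reproduces the behaviour described in the forum
post, it is not NetScaler code. All addresses below are constructed samples.
"""
import ipaddress

# Constructed sample "intranet applications" as an admin would define them on
# the gateway. The /32 stands for a public address (e.g. the resolved IP of a
# SaaS host such as SharePoint) that the admin wants forced into the tunnel.
INTRANET_APPS = ["10.0.0.0/8", "172.16.0.0/12", "203.0.113.40/32"]
# The client's own LAN, which the post says stays local in every mode.
CLIENT_LOCAL = "192.168.1.0/24"

TUNNEL, LOCAL = "tunnel", "local"


def build_routes(mode, intranet_apps, client_local):
    """Return the routes the post describes the ADC pushing to the VPN client,
    as (network, next_hop) pairs. Resolution is longest-prefix match."""
    apps = [ipaddress.ip_network(a) for a in intranet_apps]
    local = ipaddress.ip_network(client_local)
    default = ipaddress.ip_network("0.0.0.0/0")
    mode = mode.upper()
    if mode == "OFF":
        # Default route via the tunnel, nothing else.
        routes = [(default, TUNNEL)]
    elif mode == "ON":
        # Default stays local; only the intranet apps are tunnelled.
        routes = [(default, LOCAL)] + [(a, TUNNEL) for a in apps]
    elif mode == "REVERSE":
        # Default via the tunnel; the intranet apps are carved out locally.
        routes = [(default, TUNNEL)] + [(a, LOCAL) for a in apps]
    else:
        raise ValueError(f"unknown split tunnel mode: {mode}")
    # Client LAN is reachable locally in every mode (per the post).
    routes.append((local, LOCAL))
    return routes


def next_hop(routes, dest):
    """Longest-prefix match of dest against the pushed routes (IPv4 only here)."""
    ip = ipaddress.ip_address(dest)
    best = None
    for net, hop in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise ValueError(f"no route for {dest}")
    return best[1]


def check_policy(mode, intranet_apps, client_local, must_tunnel, must_stay_local):
    """Return a list of violations: destinations that would bypass the gateway
    although they must be inspected, or be back-hauled although they should
    stay local. An empty list means the intranet-application list is adequate
    for this mode."""
    routes = build_routes(mode, intranet_apps, client_local)
    violations = []
    for d in must_tunnel:
        if next_hop(routes, d) != TUNNEL:
            violations.append(f"{d} would bypass the gateway with split tunnel {mode}")
    for d in must_stay_local:
        if next_hop(routes, d) != LOCAL:
            violations.append(f"{d} would be back-hauled through the gateway with split tunnel {mode}")
    return violations


if __name__ == "__main__":
    # Destinations the admin cares about (constructed): the public SaaS
    # address must always be inspected; a neighbouring public address and the
    # user's printer on the LAN should stay local.
    must_tunnel = ["203.0.113.40", "10.20.30.40"]
    must_stay_local = ["192.168.1.7"]
    for mode in ("OFF", "ON", "REVERSE"):
        routes = build_routes(mode, INTRANET_APPS, CLIENT_LOCAL)
        print(f"{mode}: 203.0.113.40 -> {next_hop(routes, '203.0.113.40')}, "
              f"203.0.113.41 -> {next_hop(routes, '203.0.113.41')}")
        for v in check_policy(mode, INTRANET_APPS, CLIENT_LOCAL, must_tunnel, must_stay_local):
            print("  VIOLATION:", v)
```

Running the demo shows the practical difference for the original question: with ON the public /32 is tunnelled only because it is listed as an intranet application, with REVERSE the same entry has the opposite effect (it is carved out and goes direct), and with OFF everything except the client LAN is back-hauled regardless of the list. A public service that resolves to many changing addresses needs every one of them in the list for ON to work, which is what `check_policy` is meant to catch.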
