NetScaler VPN Intranet access with Split Tunnel Off

So we are setting up the following configuration:

NetScaler Gateway VPN

Split Tunnelling OFF

Using SNIP rather than Client IP Pools


I can connect fine and I can map drives, browse to some internal web servers by name and IP etc. The issue I have is that the corporate intranet site will not work, it is in the format:



I have enabled logging on the Gateway plugin on the end device and in the logs it shows:


dns query type = 1

dnsname = www.

ns_iscfgdomain: www.intranetsite.com is intranet = false

Looking up domain www.intranetsite.com from cache

Did not find www.intranetsite.com in DNS cache

Making a remote DNS lookup for www.intranetsite.com


Why would it do this if Split tunnelling is disabled? The NetScaler itself can resolve www.intranetsite.com


I have tried binding some intranet application IP ranges and hostnames, but I think these are ignored anyway if split tunnelling is set to OFF.


Any ideas please?

Do you have any authorization policies setting allow or deny decisions?  With split tunnel off, all client requests go to gateway and if the gateway doesn't have an allow for your request it will be denied.  So you may need to identify authorization policies/session policies to achieve access to the destinations via the vpn.

Check syslog to see if you are getting deny authorizations during user access.  If so, then you haven't accounted for access to the IP/VIP of the www.intranetsite.com in the authorization policies.


# filters logs to exclude gui/cli changes. Once you see what type of events you are getting, you could modify the grep for other values if this isn't working for you.

cd /var/log

tail -f ns.log | grep -v CMD_EXECUTED


If it's not authorization related, you might have an issue with the link. If you did it as a bookmark, do you have it "proxied through gateway"? Or are users just browsing to the URL after the VPN is established? Syslog may have other events that are relevant. You could also run an nstrace for that user's session to see if something in the network path is a factor instead of the gateway config.




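The syslog check suggested in the reply above, as an added example that is not part of the original thread or of any Citrix/NetScaler tooling. It wraps the same `tail -f ns.log | grep -v CMD_EXECUTED` idea in small POSIX shell functions so that you can count deny events and see which destinations they hit. The sample log lines are constructed for illustration only; the exact wording of real NetScaler syslog events differs between releases, so the `DENY_PATTERN` below is an assumption to adjust once you have seen your own ns.log. Note why the CMD_EXECUTED filter matters: an admin adding a DENY authorization policy from the CLI also produces a line containing "DENY", which would otherwise be mistaken for a runtime deny.

```shell
#!/bin/sh
# Added example, not from the thread or from NetScaler itself.
# Triage /var/log/ns.log for authorization denies after a split-tunnel-OFF VPN session.

# Assumption: runtime deny events contain "deny"/"denied" (case-insensitive).
# Change this once you have seen the real wording in your own ns.log.
DENY_PATTERN='den(y|ied)'

# Drop GUI/CLI configuration-change events (CMD_EXECUTED); keep everything else.
nslog_events() {
    grep -v 'CMD_EXECUTED' "$1"
}

# Only deny-style events from what remains.
nslog_denies() {
    nslog_events "$1" | grep -i -E "$DENY_PATTERN"
}

# Number of deny events, for a quick yes/no answer.
nslog_deny_count() {
    nslog_denies "$1" | wc -l | tr -d ' '
}

# "count destination" per unique destination, most frequent first.
# Assumes a "Destination <ip>:<port>" token in the deny line (constructed format).
nslog_deny_destinations() {
    nslog_denies "$1" \
        | grep -o 'Destination [0-9.]*:[0-9]*' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $3}'
}

# CONSTRUCTED sample ns.log (not real NetScaler output) written to the file given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 09:12:01 ns 0-PPE-0 : default GUI CMD_EXECUTED 1001 0 : User nsroot - Command "add authorization policy deny_all true DENY" - Status "Success"
Jan 10 09:12:07 ns 0-PPE-0 : default SSLVPN LOGIN 1002 0 : User user1 - Client_ip 10.0.0.60 - Vserver 10.0.0.5:443 - SSLVPN_client_type Agent
Jan 10 09:12:20 ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 1003 0 : User user1 - Client_ip 10.0.0.60 - Destination 10.1.1.10:80 - Authorization DENIED
Jan 10 09:12:21 ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 1004 0 : User user1 - Client_ip 10.0.0.60 - Destination 10.1.1.10:80 - Authorization DENIED
Jan 10 09:12:30 ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 1005 0 : User user1 - Client_ip 10.0.0.60 - Destination 10.1.1.20:443 - Authorization DENIED
Jan 10 09:12:35 ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 1006 0 : User user1 - Client_ip 10.0.0.60 - Destination 10.1.1.30:445 - Authorization ALLOWED
EOF
}

# Demo run against the constructed sample. On a real box, use the live form instead:
#   tail -f /var/log/ns.log | grep -v CMD_EXECUTED | grep -i -E "$DENY_PATTERN"
SAMPLE_LOG=$(mktemp)
write_sample_log "$SAMPLE_LOG"
echo "deny events: $(nslog_deny_count "$SAMPLE_LOG")"
echo "denied destinations (count destination):"
nslog_deny_destinations "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

If the deny count is non-zero, the destination list tells you which IP/VIP and port the user was refused on, which is what the authorization or session policy has to allow. If the count stays at zero while the site still fails, the answer's second line of enquiry (bookmark proxying, client-side DNS, nstrace) is the next step.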