Enabling Reverse Split tunnel
I have to enable Reverse Split Tunnel on a NetScaler gateway virtual server to exclude O365 traffic. I normally do these changes when no users are on VPN, but this time I have been asked to do it with the users logged on. Would the NetScaler disconnect all the connected users? There are 1000+ on it and I am worried all will drop off VPN when I change it.
If you already have reverse split tunnel enabled and you are changing the network exclusions, it is less risky, but users still may have to log out and log in to see the result. I don't know if the gateway will log them off when the change is made or wait until the next login. This type of setting is pushed to the client during sign-in so it knows which networks to intercept/ignore, and I don't believe it refreshes until the next login (but I could be wrong). If you could spin up a test VPN to confirm the behavior, I would do that prior to doing this in production.


I read this first as you have split tunnel on and are switching to reverse split tunnel, and that is way more risky: you're going to be in "odd" waters at that point. Authorization policies (which this isn't) are processed at login, so if a user logs in with "x" rights and then you change them to "y", the user isn't necessarily revised until the next login.


I honestly don't know how the VPN and client handle a change to the intranet apps on an existing session. The client would have received the split tunnel behavior at login and then the list of networks to intercept. It usually won't see a change until the next login. But by changing mode from split tunnel to reverse split tunnel, my guess is that users will need to log in again to see the change in behavior. What happens to the existing users is anyone's guess. Either current users get the existing behavior until the next login, or current users are in a conflict state between what the client thinks it is doing vs. what the VPN is expecting, and things stop working or work erratically until a clean login. In either case, if you can't create a test VPN to see first, I would not make this change during production unless you can force user logoffs and new logons.


If someone else knows for sure what it will do, I hope they can give you a better answer. But this change sounds risky especially depending on if your new reverse split tunnel intranet apps are correct or not; you may have some authorization conflicts too.


So, with no split tunnel: the default behavior is that all client networks are intercepted and sent to the VPN vserver, which decides what to allow or deny; internet traffic like O365 goes from the client to the VPN vserver and (if allowed) from the VPN to O365.


When enabling reverse split tunnel you will need to specify the one or more networks to "not intercept" as intranetapps and assign to groups or vpn vserver.  

It's my best guess that the VPN client will not begin using the reverse split tunnel until the next login. Whether it interrupts the current session or causes issues until the login is done, I can't say for sure. But the expectation would be to do it during a maintenance window and force users to log off and log in with the new setting to minimize issues.


If you want to see if you can change this on the fly, I would set up a test-case VPN first, because it's not expected to be something that can be changed gracefully on the fly.

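The reply above says the risk hinges on whether the reverse split tunnel intranet apps are correct. As an added example (not from this thread, Citrix, or any poster), here is a small Python script that turns a list of exclusion CIDRs into the NetScaler CLI lines for intranet applications and refuses to emit anything if an exclusion overlaps an internal range, since in reverse split tunnel those networks bypass the gateway entirely. The sample CIDRs, the vserver name `vpn_vs`, the session action name `vpn_session_act`, and the `o365_NNN` naming are constructed for illustration; the command syntax (`add vpn intranetApplication`, `bind vpn vserver`, `set vpn sessionAction -splitTunnel REVERSE`) is from my knowledge of the NetScaler CLI and should be checked against the CLI reference for your release before use.

```python
"""Build NetScaler CLI lines for reverse split tunnel exclusions, with an
overlap check against internal networks. Added example, not Citrix code."""
import ipaddress
from typing import List, Sequence, Tuple

# Constructed sample: a few CIDRs standing in for O365 endpoint ranges.
# The real list comes from Microsoft's published endpoint data.
SAMPLE_O365_CIDRS = ["13.107.6.152/31", "40.96.0.0/13", "52.96.0.0/14"]

# Constructed sample: corporate ranges that must keep going through the VPN.
SAMPLE_INTERNAL_CIDRS = ["10.0.0.0/8", "172.16.0.0/12"]


def find_overlaps(exclusions: Sequence[str],
                  internal: Sequence[str]) -> List[Tuple[str, str]]:
    """Return (exclusion, internal) pairs whose address ranges overlap.

    In reverse split tunnel the listed networks are NOT intercepted, so an
    exclusion that overlaps an internal range would silently route that
    traffic around the VPN. Any hit here should stop the change.
    """
    hits = []
    for ex in exclusions:
        ex_net = ipaddress.ip_network(ex, strict=False)
        for inner in internal:
            if ex_net.overlaps(ipaddress.ip_network(inner, strict=False)):
                hits.append((ex, inner))
    return hits


def build_commands(vserver: str, session_action: str,
                   exclusions: Sequence[str], prefix: str = "o365") -> List[str]:
    """Return the CLI lines that declare the exclusions and flip the mode.

    Assumed syntax (verify against your release's CLI reference):
      add vpn intranetApplication <name> -protocol ANY -destIP <net> -netmask <mask>
      bind vpn vserver <vserver> -intranetApplication <name>
      set vpn sessionAction <action> -splitTunnel REVERSE
    """
    lines = []
    for idx, cidr in enumerate(exclusions, start=1):
        net = ipaddress.ip_network(cidr, strict=False)
        name = f"{prefix}_{idx:03d}"
        # intranetApplication takes a dotted netmask, not a prefix length,
        # so convert /13 -> 255.248.0.0 etc. via the ipaddress module.
        lines.append(
            f"add vpn intranetApplication {name} -protocol ANY "
            f"-destIP {net.network_address} -netmask {net.netmask} "
            f"-interception TRANSPARENT"
        )
        lines.append(f"bind vpn vserver {vserver} -intranetApplication {name}")
    # Only after the exclusions exist does the session action switch modes.
    lines.append(f"set vpn sessionAction {session_action} -splitTunnel REVERSE")
    return lines


def plan_change(vserver: str, session_action: str,
                exclusions: Sequence[str], internal: Sequence[str]) -> List[str]:
    """Validate first; emit commands only when no exclusion touches internal space."""
    overlaps = find_overlaps(exclusions, internal)
    if overlaps:
        raise ValueError(f"exclusions overlap internal networks: {overlaps}")
    return build_commands(vserver, session_action, exclusions)


if __name__ == "__main__":
    for line in plan_change("vpn_vs", "vpn_session_act",
                            SAMPLE_O365_CIDRS, SAMPLE_INTERNAL_CIDRS):
        print(line)
```

Run it with the real exclusion list and your real internal ranges before the maintenance window; the generated lines are what you would paste on a test vserver first, which matches the advice above to prove the behaviour on a test VPN rather than on the production vserver with users connected.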
