
Citrix Gateway - Intranet Applications

Hello all,

We have some Citrix ADC Intranet Applications hostnames that are allocated in our on-premises infrastructure, and we connect users through the Citrix ADC VPN with split tunnel mode ON.

In this mode, only the traffic that reaches Intranet Applications hostnames is led to my VPN.

I need to create a new Intranet Application for an Azure URL that goes to my VPN, but only for a specific application PATH. Can I do it based on PATH instead of hostname?

Azure SSO uses a generic URL format and we wouldn't want all traffic to Azure authentication to go through the VPN.

Thank you in advance!

Alessandro.

Just an example of a URL (or /PATH/) I would like to lead to my VPN:

azure.microsoft.com/saml/id-555123abcxyz/d5590xpto

and a URL we would not like to lead to my VPN:

azure.microsoft.com/saml/id-123321defwqz/d5590xpto


Intranet Applications are about DESTINATIONS for traffic when split tunnel is enabled.

So it will not be path based. Authorization policies can filter what you allow/deny by path or other criteria.

If split tunnel is OFF, intranet apps are not needed because:

All client-side traffic is intercepted by the VPN client and sent to the Gateway to make allow/deny decisions on. With split tunnel off, all client-side network traffic is treated as corporate/VPN traffic and goes from client to Gateway. Your internet access is therefore via Gateway to internet, if allowed (authorizations at that point).

If split tunnel is ON, then you want the client to participate in both local (non-Gateway) networks and the Gateway/corporate networks.

So the Intranet Applications are a list of the NETWORKS to intercept. The list is passed to the Gateway client (in VPN mode), and if your request is ON the LIST of INTRANET APPS, the request is tunneled to the Gateway to make allow/deny decisions or to pass traffic via the Gateway to the destination.

If the requested network is NOT on the Intranet Apps list, the VPN client ignores it and allows local networking to handle it.

So I don't think you can intercept some Azure traffic without intercepting all of it in this particular example. (Someone can correct me if I'm wrong.)

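The two-stage decision the reply above describes, as an added model (not Citrix code and not ADC CLI syntax): the plug-in intercepts by destination only, and a path-based rule can only act on traffic that has already been tunneled. The `IntranetApp` and `AuthzPolicy` classes, the sample entries and the default ALLOW action are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit
# Constructed model of the two-stage decision in the reply above; not Citrix code.
# Stage 1 (VPN plug-in) sees only the destination; stage 2 (Gateway) can see the path.

@dataclass
class IntranetApp:               # one Intranet Application entry: a destination, never a path
    name: str
    hostname: str = ""           # hostname entry, e.g. "azure.microsoft.com"
    ports: frozenset = frozenset({443})

@dataclass
class AuthzPolicy:               # hypothetical stand-in for an ADC authorization policy
    name: str
    action: str                  # "ALLOW" or "DENY"
    path_prefix: str = "/"       # matches when the request path starts with this
    hostname: str = ""           # optional host restriction

def plugin_intercepts(url: str, apps: List[IntranetApp]) -> Optional[str]:
    """Stage 1: name of the matching Intranet Application, or None (traffic stays local)."""
    u = urlsplit(url)
    host, port = (u.hostname or "").lower(), u.port or (443 if u.scheme == "https" else 80)
    for app in apps:
        if port not in app.ports:
            continue
        if app.hostname and host == app.hostname.lower():
            return app.name
    return None

def gateway_authorizes(url: str, policies: List[AuthzPolicy], default: str = "ALLOW") -> str:
    """Stage 2: first matching policy wins; 'default' models the session's default action."""
    u = urlsplit(url)
    for p in policies:
        if p.hostname and (u.hostname or "").lower() != p.hostname.lower():
            continue
        if u.path.startswith(p.path_prefix):
            return p.action
    return default

def route(url: str, apps: List[IntranetApp], policies: List[AuthzPolicy]) -> str:
    if plugin_intercepts(url, apps) is None:
        return "LOCAL"           # never tunneled, so the Gateway never sees the path
    return "TUNNELED:" + gateway_authorizes(url, policies)

# Constructed sample config mirroring the question: a hostname entry plus a path-based deny.
APPS = [IntranetApp("azure_saml", hostname="azure.microsoft.com")]
POLICIES = [AuthzPolicy("allow_app", "ALLOW", "/saml/id-555123abcxyz/", "azure.microsoft.com"),
            AuthzPolicy("deny_rest", "DENY", "/", "azure.microsoft.com")]
```

Both example URLs from the question share a hostname, so both are tunneled; only the Gateway-side policy separates them, and a host that is not on the list is never seen by the Gateway at all.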
