Configure split tunneling
You can enable split tunneling to prevent the Citrix Secure Access agent from sending unnecessary network traffic to Citrix Gateway.
When you do not enable split tunneling, the Citrix Secure Access agent captures all network traffic originating from a user device and sends the traffic through the VPN tunnel to Citrix Gateway.
If you enable split tunneling, the Citrix Secure Access agent sends only traffic destined for networks protected by Citrix Gateway through the VPN tunnel. The Citrix Secure Access agent does not send network traffic destined for unprotected networks to Citrix Gateway.
When the Citrix Secure Access agent starts, it obtains the list of intranet applications from Citrix Gateway. The Citrix Secure Access agent examines all packets transmitted on the network from the user device and compares the addresses within the packets to the list of intranet applications. If the destination address in the packet is within one of the intranet applications, the Citrix Secure Access agent sends the packet through the VPN tunnel to Citrix Gateway. If the destination address is not in a defined intranet application, the packet is not encrypted and the user device routes the packet appropriately. When you enable split tunneling, intranet applications define the network traffic that is intercepted.
If users connect to published applications in a server farm by using Citrix Workspace app, you do not need to configure split tunneling.
Citrix Gateway also supports reverse split tunneling, which defines the network traffic that Citrix Gateway does not intercept. If you set split tunneling to reverse, intranet applications define the network traffic that Citrix Gateway does not intercept. When you enable reverse split tunneling, all network traffic directed to internal IP addresses bypasses the VPN tunnel, while other traffic goes through Citrix Gateway. Reverse split tunneling can be used to log all non-local LAN traffic. For example, if users have a home wireless network and are logged on with the Citrix Secure Access agent, Citrix Gateway does not intercept network traffic destined to a printer or another device within the wireless network.
For more information about intranet applications, see Configuring Client Interception.
You configure split tunneling as part of the session policy.
To configure split tunneling
- In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway Policies and then click Session.
- In the details pane, on the Profiles tab, select a profile and then click Open.
- On the Client Experience tab, next to Split Tunnel, select Global Override, select an option and then click OK twice.
Configuring Split Tunneling and Authorization
When planning your Citrix Gateway deployment, it is important to consider split tunneling and the default authorization action and authorization policies.
For example, you have an authorization policy that allows access to a network resource. You have split tunneling set to ON and you do not configure intranet applications to send network traffic through Citrix Gateway. When Citrix Gateway has this type of configuration, access to the resource is allowed, but users cannot access the resource.
If the authorization policy denies access to a network resource, you have split tunneling set to ON, and intranet applications are configured to route network traffic through Citrix Gateway, the Citrix Secure Access agent sends traffic to Citrix Gateway, but access to the resource is denied.