Configure split tunneling

You can enable split tunneling to prevent the Citrix Secure Access client from sending unnecessary network traffic to NetScaler Gateway.

When you do not enable split tunneling, the Citrix Secure Access client captures all network traffic originating from a user device and sends the traffic through the VPN tunnel to NetScaler Gateway.

If you enable split tunneling, the Citrix Secure Access client sends only traffic destined for networks protected by NetScaler Gateway through the VPN tunnel. The Citrix Secure Access client does not send network traffic destined for unprotected networks to NetScaler Gateway.

When the Citrix Secure Access client starts, it obtains the list of intranet applications from NetScaler Gateway. The Citrix Secure Access client examines all packets transmitted on the network from the user device and compares the addresses within the packets to the list of intranet applications. If the destination address in the packet is within one of the intranet applications, the Citrix Secure Access client sends the packet through the VPN tunnel to NetScaler Gateway. If the destination address is not in a defined intranet application, the packet is not encrypted and the user device routes the packet appropriately. When you enable split tunneling, intranet applications define the network traffic that is intercepted.

Note:

If users connect to published applications in a server farm by using Citrix Workspace app, you do not need to configure split tunneling.

NetScaler Gateway also supports reverse split tunneling, which defines the network traffic that NetScaler Gateway does not intercept. If you set split tunneling to reverse, intranet applications define the network traffic that NetScaler Gateway does not intercept. When you enable reverse split tunneling, all network traffic directed to the internal IP addresses defined as intranet applications bypasses the VPN tunnel, while all other traffic goes through NetScaler Gateway. Reverse split tunneling can be used to log all non-local LAN traffic. For example, if users have a home wireless network and are logged on with the Citrix Secure Access client, NetScaler Gateway does not intercept network traffic destined to a printer or another device within the wireless network.

For more information about intranet applications, see Configuring Client Interception.

You configure split tunneling as part of the session policy.

To configure split tunneling

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway Policies and then click Session.
  2. In the details pane, on the Profiles tab, select a profile and then click Open.
  3. On the Client Experience tab, next to Split Tunnel, select Global Override, select an option and then click OK twice.

Configuring Split Tunneling and Authorization

When planning your NetScaler Gateway deployment, it is important to consider split tunneling and the default authorization action and authorization policies.

For example, suppose you have an authorization policy that allows access to a network resource, split tunneling is set to ON, and no intranet application is configured to send traffic for that resource through NetScaler Gateway. With this configuration the authorization policy allows the resource, but users cannot reach it: the Citrix Secure Access client never sends that traffic through the VPN tunnel, so NetScaler Gateway never sees it.

If the authorization policy denies access to a network resource, you have split tunneling set to ON, and intranet applications are configured to route network traffic through NetScaler Gateway, the Citrix Secure Access client sends traffic to NetScaler Gateway, but access to the resource is denied.
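The following Python model is an added illustration, not Citrix code: it mirrors the per-packet decision described earlier (Split Tunnel OFF, ON and REVERSE against the intranet-application list) and the two authorization scenarios just described, showing why an authorization policy cannot make a resource reachable when its traffic is never tunnelled. The subnets, addresses and function names are constructed for the example.

```python
"""Model of the Citrix Secure Access client's split-tunnel decision (added
illustration, not Citrix code). It mirrors the behaviour this article describes:
OFF tunnels everything, ON tunnels only intranet-application destinations, and
REVERSE tunnels everything except intranet-application destinations."""
from ipaddress import ip_address, ip_network

# Constructed sample intranet applications: the list the client obtains from
# NetScaler Gateway at start-up. Addresses below are also constructed.
INTRANET_APPS = [ip_network("10.20.0.0/16"), ip_network("192.168.100.0/24")]


def matches_intranet_app(dst: str, apps=INTRANET_APPS) -> bool:
    """True if the packet's destination lies inside a defined intranet application."""
    addr = ip_address(dst)
    return any(addr in net for net in apps)


def goes_through_tunnel(dst: str, split_tunnel: str, apps=INTRANET_APPS) -> bool:
    """Per-packet routing decision the client makes for the given Split Tunnel setting."""
    mode = split_tunnel.upper()
    if mode == "OFF":
        return True                      # all traffic goes to the gateway
    in_app = matches_intranet_app(dst, apps)
    if mode == "ON":
        return in_app                    # only protected networks are tunnelled
    if mode == "REVERSE":
        return not in_app                # intranet applications bypass the tunnel
    raise ValueError(f"unknown split tunnel setting: {split_tunnel!r}")


def resource_outcome(dst: str, split_tunnel: str, authorized: bool,
                     apps=INTRANET_APPS) -> str:
    """Routing decision combined with the gateway's authorization result: a packet
    that never enters the tunnel never reaches the gateway, so the authorization
    policy cannot help it; a tunnelled packet is then allowed or denied by it."""
    if not goes_through_tunnel(dst, split_tunnel, apps):
        return "unreachable: not tunnelled, authorization never evaluated"
    return "allowed" if authorized else "denied by authorization policy"


if __name__ == "__main__":
    # 172.16.5.10 is a constructed resource outside every intranet application:
    # authorized, yet unreachable (the first scenario described above).
    print(resource_outcome("172.16.5.10", "ON", authorized=True))
    # Tunnelled but denied by the authorization policy (the second scenario).
    print(resource_outcome("10.20.3.7", "ON", authorized=False))
    # Reverse mode: a destination in an intranet application bypasses the tunnel.
    print(goes_through_tunnel("192.168.100.5", "REVERSE"))   # False
```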

For more information about the split tunneling options, see Split tunneling options.