Product Documentation

Configuring Split Tunneling

You can enable split tunneling to prevent the Citrix Gateway Plug-in from sending unnecessary network traffic to Citrix Gateway.

When you do not enable split tunneling, the Citrix Gateway Plug-in captures all network traffic originating from a user device and sends the traffic through the VPN tunnel to Citrix Gateway.

If you enable split tunneling, the Citrix Gateway Plug-in sends only traffic destined for networks protected by Citrix Gateway through the VPN tunnel. The Citrix Gateway Plug-in does not send network traffic destined for unprotected networks to Citrix Gateway.

When the Citrix Gateway Plug-in starts, it obtains the list of intranet applications from Citrix Gateway. The Citrix Gateway Plug-in examines all packets transmitted on the network from the user device and compares the addresses within the packets to the list of intranet applications. If the destination address in the packet is within one of the intranet applications, the Citrix Gateway Plug-in sends the packet through the VPN tunnel to Citrix Gateway. If the destination address is not in a defined intranet application, the packet is not encrypted and the user device routes the packet appropriately. When you enable split tunneling, intranet applications define the network traffic that is intercepted.

Note: If users connect to published applications in a server farm by using Citrix Receiver, you do not need to configure split tunneling.

Citrix Gateway also supports reverse split tunneling, which defines the network traffic that Citrix Gateway does not intercept. If you set split tunneling to reverse, intranet applications define the network traffic that Citrix Gateway does not intercept. When you enable reverse split tunneling, all network traffic directed to internal IP addresses bypasses the VPN tunnel, while other traffic goes through Citrix Gateway. Reverse split tunneling can be used to log all non-local LAN traffic. For example, if users have a home wireless network and are logged on with the Citrix Gateway Plug-in, Citrix Gateway does not intercept network traffic destined to a printer or another device within the wireless network.

For more information about intranet applications, see Configuring Client Interception.

You configure split tunneling as part of the session policy.

To configure split tunneling

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway Policies and then click Session.
  2. In the details pane, on the Profiles tab, select a profile and then click Open.
  3. On the Client Experience tab, next to Split Tunnel, select Global Override, select an option and then click OK twice.

Configuring Split Tunneling and Authorization

When planning your Citrix Gateway deployment, it is important to consider split tunneling and the default authorization action and authorization policies.

For example, you have an authorization policy that allows access to a network resource. You have split tunneling set to ON and you do not configure intranet applications to send network traffic through Citrix Gateway. When Citrix Gateway has this type of configuration, access to the resource is allowed, but users cannot access the resource.

If the authorization policy denies access to a network resource, you have split tunneling set to ON, and intranet applications are configured to route network traffic through Citrix Gateway, the Citrix Gateway Plug-in sends traffic to Citrix Gateway, but access to the resource is denied.

Configuring Split Tunneling