Reverse Network Address Translation does not work with Intranet IP Addresses

Article ID: CTX135604

Description

If split tunneling is disabled on the client after the SSL VPN tunnel is established, users cannot reach any resources outside the network, such as Google, Yahoo, or MSN.

  • Access to external traffic fails after establishing the SSL VPN tunnel

  • The client cannot initiate a port 80 connection to any external network, such as Yahoo or Google

  • A ping sent to Yahoo or Google fails

Resolution

As a workaround, complete the following steps:

  1. Change the SSL VPN to use split tunneling. This allows Internet traffic to flow out through the user's ISP, while only the designated network traffic passes through the VPN.

  2. Set up a proxy for the users. This requires a proxy server that handles the services the user must access.

  3. Disable Intranet IP addresses, and use XenApp to publish the applications, such as softphones, that require IIP addresses. Verify that all of these applications work in a XenApp environment.

  4. Set up NAT on a different appliance, such as another NetScaler appliance or a NATing device. Configure a VPX instance to handle the Internet-bound traffic.

  5. Have users access the Internet through a published browser such as Internet Explorer. This requires educating the users to use the published application instead of the local application.


Problem Cause

RNAT applies to network traffic that the appliance receives on an interface.

With Intranet IP addresses, the Access Gateway Enterprise Edition appliance still forwards the traffic with the client's intranet IP as the source, so the RNAT IP address never comes into effect. RNAT for IIP addresses does not work, and currently neither the NetScaler nor the Access Gateway Enterprise Edition appliance supports this functionality.

When a network packet trace is recorded on the appliance, you can see SYN packets leaving with the client IIP address as the source. There is no response from the external network, as shown in the following screenshot of a client accessing yahoo.com:

[Screenshot: packet trace showing repeated SYN packets from the client IIP address to yahoo.com with no reply]

Note: The client IIP address is masked for internal purpose.
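The symptom described above (SYNs leaving from the client IIP with no SYN-ACK coming back) is easy to confirm from the text form of a trace once it is exported from the appliance. The following script is an added example and is not part of this article or of any NetScaler tooling: it parses tcpdump-style TCP lines, tracks which client SYNs were answered by a SYN-ACK, and reports the unanswered flows whose source is an RFC 1918 (intranet) address and whose destination is outside those ranges, which is exactly the RNAT-with-IIP failure pattern. The trace lines are constructed; 10.20.30.40 stands in for the masked client IIP, 203.0.113.10 (a documentation range) stands in for an external web server, and 192.168.100.5 is an internal host that does reply.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample trace in tcpdump text format (NOT the article's screenshot).
# Flow 1: client IIP -> external web server, three SYN retransmissions, no reply.
# Flow 2: client IIP -> internal server, normal three-way handshake.
SAMPLE_TRACE = """\
10:15:01.000100 IP 10.20.30.40.51000 > 203.0.113.10.80: Flags [S], seq 1000, win 65535, length 0
10:15:02.000100 IP 10.20.30.40.51000 > 203.0.113.10.80: Flags [S], seq 1000, win 65535, length 0
10:15:04.000100 IP 10.20.30.40.51000 > 203.0.113.10.80: Flags [S], seq 1000, win 65535, length 0
10:15:05.000100 IP 10.20.30.40.51001 > 192.168.100.5.443: Flags [S], seq 2000, win 65535, length 0
10:15:05.000300 IP 192.168.100.5.443 > 10.20.30.40.51001: Flags [S.], seq 3000, ack 2001, win 65535, length 0
10:15:05.000500 IP 10.20.30.40.51001 > 192.168.100.5.443: Flags [.], ack 1, win 65535, length 0
"""

# Matches the fixed prefix tcpdump prints for IPv4 TCP packets.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Explicit RFC 1918 list: ipaddress.is_private() also treats documentation
# ranges such as 203.0.113.0/24 as private, which would hide our sample server.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_intranet(ip):
    """True if ip falls inside one of the RFC 1918 intranet ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_trace(text):
    """Yield (src, sport, dst, dport, flags) for each TCP line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def find_unanswered_syns(text):
    """Return {(src, sport, dst, dport): syn_count} for flows from an intranet
    source to a non-intranet destination where no SYN-ACK was ever seen."""
    syn_count = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in parse_trace(text):
        if flags == "S" and is_intranet(src) and not is_intranet(dst):
            syn_count[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            # A SYN-ACK travels server -> client; key it by the client's flow tuple.
            answered.add((dst, dport, src, sport))
    return {flow: n for flow, n in syn_count.items() if flow not in answered}


if __name__ == "__main__":
    for (src, sport, dst, dport), n in find_unanswered_syns(SAMPLE_TRACE).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {n} SYN(s), no SYN-ACK (IIP source, no RNAT applied)")
```

Run it against a real export by replacing SAMPLE_TRACE with the file contents; a non-empty result for external destinations while internal flows complete normally matches the problem cause described here. If the source addresses in the report are the RNAT IP rather than the client IIP, the failure lies elsewhere.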

Issue/Introduction

This article explains why Reverse Network Address Translation (RNAT) does not work with Intranet IP (IIP) addresses and why the NetScaler and Access Gateway Enterprise Edition appliances do not support this functionality.