Reverse Split Tunnel Use Case in XenMobile Server and NetScaler Integration

Article ID: CTX227491

Description

This article describes the Reverse Split Tunnel use case with XenMobile Server and NetScaler Gateway, and the steps to configure it.


Instructions

Introduction to Split Tunnel

Sending all traffic that originates on a user device, including Internet traffic, through the VPN tunnel is not always desirable. Internet traffic that is first sent to NetScaler Gateway takes additional hops before it reaches the destination server, which adds latency to the response seen on the user device.

In other cases an organization wants to protect its internal network by making sure that all traffic from the user device passes through its own network. All Internet traffic then goes through the organization's forward proxy and web firewall, which reduces the risk that a compromised user device is used to gain access to the internal network.

NetScaler Gateway's split tunnel capability lets the Gateway plug-in decide which traffic to send through the VPN tunnel and which to leave on the local network. When the NetScaler Gateway Plug-in starts, it obtains the list of intranet applications from NetScaler Gateway. The plug-in then examines every packet the user device transmits and compares the destination address in the packet to the list of intranet applications.

Split tunnel on NetScaler Gateway can be set to OFF, ON or REVERSE, and the Gateway plug-in makes its forwarding decision accordingly.
  • OFF mode: All network traffic originating from the user device goes through the VPN tunnel. This ensures that all user traffic passes through the organization's secure layer, so the client device is not directly exposed to the Internet. This mode covers the second scenario above (protecting the internal network).
  • ON mode: Only intranet traffic goes through the VPN tunnel. If the destination address in the packet belongs to one of the intranet applications, the NetScaler Gateway Plug-in sends the packet through the VPN tunnel to NetScaler Gateway. If the destination address is not in a defined intranet application, the packet is not encrypted and the user device routes it normally. This mode covers the first scenario above (avoiding the extra hops for Internet traffic).
  • REVERSE mode: Traffic for intranet applications bypasses the VPN tunnel, while all other traffic goes through the VPN tunnel. This can be used to log all traffic that is not destined for the local LAN.

Configuration Steps

  1. Configure Split Tunneling Reverse mode on the NetScaler Gateway.
    To configure Reverse mode for the Split Tunneling feature, navigate to Policies > Session Policy. Choose the Secure Hub Policy and navigate to Client Experience > Split Tunnel. Select REVERSE. Note that REVERSE split tunnel supports only intranet applications defined by IP address, not by FQDN. Add the IP addresses that the FQDNs resolve to as intranet applications instead, and keep those entries in step with the DNS records they replace; an FQDN-based entry has no effect in REVERSE mode.

  2. Configure the MDX Policy on XenMobile Server.
    XenMobile Server 10.3.5 and later provides an MDX policy named "Reverse Split Tunnel Mode Exclusion List". It takes a comma-separated list of DNS suffixes and FQDNs that defines the destinations whose traffic must be sent out on the local area network (LAN) of the device and not to NetScaler Gateway.
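The forwarding decision described in the introduction and the two configuration steps above, worked through in Python as an added example. This is not Citrix code and does not talk to a NetScaler; it models the plug-in's OFF/ON/REVERSE decision against an IP-based intranet application list, flags FQDN entries that REVERSE mode would ignore, and applies the MDX exclusion list. The entry formats, the suffix-matching rule for the exclusion list, and the sample addresses and hostnames are assumptions made for the example.

```python
# Added example, not Citrix code: models the NetScaler Gateway plug-in's
# split-tunnel forwarding decision (OFF / ON / REVERSE) and the MDX
# "Reverse Split Tunnel Mode Exclusion List" check described in the article.
# Entry formats, the suffix-matching rule and all sample data are assumptions.
import ipaddress

TUNNEL, LOCAL = "TUNNEL", "LOCAL"


def parse_intranet_apps(entries):
    """Split configured intranet applications into IP networks and FQDNs.

    Accepts '10.0.0.0/8', a bare address such as '192.168.10.5' (treated
    as a /32), or a hostname (assumed format; kept separate because REVERSE
    mode cannot match on it).
    """
    nets, fqdns = [], []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            fqdns.append(entry.lower())
    return nets, fqdns


def unsupported_in_reverse(entries):
    """Return the FQDN-based intranet applications, which REVERSE mode does
    not honour (step 1). An admin should replace them with the addresses
    they resolve to."""
    _, fqdns = parse_intranet_apps(entries)
    return fqdns


def forward_decision(mode, dest_ip, intranet_nets):
    """Decide whether a packet to dest_ip enters the VPN tunnel."""
    in_intranet = any(ipaddress.ip_address(dest_ip) in net for net in intranet_nets)
    mode = mode.upper()
    if mode == "OFF":        # everything is tunnelled
        return TUNNEL
    if mode == "ON":         # only intranet destinations are tunnelled
        return TUNNEL if in_intranet else LOCAL
    if mode == "REVERSE":    # intranet bypasses, everything else is tunnelled
        return LOCAL if in_intranet else TUNNEL
    raise ValueError(f"unknown split tunnel mode: {mode}")


def parse_exclusion_list(value):
    """Parse the comma-separated MDX exclusion list of DNS suffixes and FQDNs."""
    return [e.strip().lower().lstrip(".") for e in value.split(",") if e.strip()]


def is_excluded(hostname, exclusions):
    """True if hostname is a listed FQDN or lies under a listed DNS suffix.
    Assumed rule: exact match, or hostname ends with '.' + suffix."""
    host = hostname.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in exclusions)


def mdx_reverse_decision(hostname, dest_ip, exclusions, intranet_nets):
    """REVERSE-mode decision for an MDX-wrapped app: destinations on the
    exclusion list stay on the device LAN; everything else follows the
    IP-based intranet application list."""
    if is_excluded(hostname, exclusions):
        return LOCAL
    return forward_decision("REVERSE", dest_ip, intranet_nets)


if __name__ == "__main__":
    # Constructed sample configuration, not taken from the article.
    apps = ["10.0.0.0/8", "192.168.10.5", "intranet.example.com"]
    nets, _ = parse_intranet_apps(apps)
    print("FQDN entries ignored in REVERSE mode:", unsupported_in_reverse(apps))
    excl = parse_exclusion_list("example.com, .corp.local, printer.branch.net")
    samples = [("www.example.com", "203.0.113.10"),
               ("intranet.example.com", "10.1.2.3"),
               ("public.example.org", "198.51.100.7")]
    for host, ip in samples:
        print(f"{host:22} {ip:15} -> {mdx_reverse_decision(host, ip, excl, nets)}")
```

Running the sample prints the one FQDN entry that REVERSE mode would silently ignore, then shows the excluded hostname and the RFC 1918 destination staying on the LAN while the unrelated public host is tunnelled; the `unsupported_in_reverse` check is the one worth wiring into any script that pushes intranet applications to a Gateway configured for REVERSE mode.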

Additional Information

Citrix Documentation: Configure Intranet Applications