MvpnExcludeDomains fails to take effect on iOS when using Citrix WebSSO micro VPN with Microsoft Endpoint Manager MAM (Intune)
Article ID: CTX341614
Description
Microsoft Edge (or Citrix Secure Mail) for iOS is configured with 'MvpnExcludeDomains'. When a user browses to a website that is listed under 'MvpnExcludeDomains', the traffic is still sent through Citrix Gateway. This traffic is instead expected to be sent directly to the website (not through Citrix Gateway).
Resolution
1) Configure appropriate DNS Suffix settings on Citrix ADC.
2) Configure appropriate Intranet Applications on Citrix Gateway.
See the links contained in the Additional Resources section for more information.
Note also that MvpnExcludeDomains is for use with Split Tunnel configured for Reverse mode of operation.
Problem Cause
In the past, DNS Suffix settings were ignored for legacy MDX-based apps on iOS. Newer versions of Microsoft Edge and Citrix Secure Mail for iOS use the newer MAM SDK from Citrix. When Citrix Endpoint Management for MDM is not being used, iOS uses these DNS Suffix settings.
Additional Information
Configuring DNS suffixes:
https://docs.citrix.com/en-us/citrix-adc/current-release/dns/configure-dns-suffixes.html
To create an intranet application for one IP address
https://docs.citrix.com/en-us/citrix-gateway/current-release/vpn-user-config/configure-plugin-connections/configure-client-interception.html#to-create-an-intranet-application-for-one-ip-address
When creating Intranet Applications for this use case with Microsoft MAM, not all options for entering ranges of IP addresses are currently supported. Do not enter an IP range by means of a subnet mask. Instead, use only the method that takes a start IP address and an end IP address for the range.
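The conversion this restriction calls for, as an added example (not Citrix code): the script turns subnet-mask or CIDR entries into start/end address pairs and merges overlapping or adjacent blocks so fewer Intranet Application entries are needed. The sample networks are constructed, and covering the whole block from network address to broadcast address is an assumption about the intended scope.

```python
import ipaddress


def parse_entry(entry):
    """Parse '10.20.0.0/22' or '10.20.0.0 255.255.252.0' into an IPv4 network."""
    parts = entry.split()
    text = "/".join(parts) if len(parts) == 2 else entry.strip()
    # strict=True rejects entries with host bits set, which usually means a typo
    # that would silently widen or shift the tunneled range.
    net = ipaddress.ip_network(text, strict=True)
    if net.version != 4:
        raise ValueError(f"only IPv4 entries are handled here: {entry!r}")
    return net


def to_ranges(entries):
    """Return the minimal sorted list of (start_ip, end_ip) covering all entries."""
    spans = sorted(
        (int(n.network_address), int(n.broadcast_address))
        for n in map(parse_entry, entries)
    )
    merged = []
    for start, end in spans:
        # Merge when the block overlaps or directly follows the previous one.
        if merged and start <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [
        (str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(e)))
        for s, e in merged
    ]


# Constructed sample input: existing mask-style definitions to be re-entered
# as start/end ranges.
SAMPLE_ENTRIES = [
    "10.20.0.0/22",
    "10.20.4.0 255.255.255.0",   # adjacent to the /22 above
    "192.168.50.0/24",
    "10.20.1.0/24",              # already inside the /22
    "172.16.8.16/28",
]

if __name__ == "__main__":
    for start_ip, end_ip in to_ranges(SAMPLE_ENTRIES):
        print(f"start={start_ip}  end={end_ip}")
```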
To configure split tunneling
https://docs.citrix.com/en-us/citrix-gateway/current-release/vpn-user-config/configure-plugin-connections/configure-split-tunneling.html#to-configure-split-tunneling