How do I configure Split Tunnel on NetScaler Gateway?

Article ID: CTX205285

Description

Use Cases

While a user is accessing the enterprise or internal network through NetScaler Gateway, there are two possible cases for traffic originating from the user device.

Case 1: Send all traffic originating from the user device through the VPN tunnel to NetScaler Gateway, so that the organization can apply its security controls to that traffic and protect its internal network.
Case 2: Send only Intranet application traffic through the VPN tunnel to NetScaler Gateway, so that it is segregated from personal Internet traffic.

Introduction to Split Tunnel


Split tunneling prevents the NetScaler Gateway Plug-in from sending unnecessary network traffic to NetScaler Gateway.

When connected to the VPN, sending all traffic originating from the user device, including Internet traffic, through the VPN tunnel is often undesirable. Internet traffic routed via NetScaler Gateway traverses many more hops on its way to the destination servers, and the responses take the same detour back to the user device.

In some cases, an organization wants to protect its internal network from attack by ensuring that all traffic originating from the user device passes through the organization's network. With this approach, all Internet traffic goes through the organization's forward proxy and (web) firewall, and so any possibility of compromising the user device, and thereby gaining access to the internal network, is eliminated.

NetScaler Gateway's split tunnel capability lets the Gateway Plug-in decide which traffic is sent through the VPN tunnel and which is sent directly out of the LAN adapter.

When the NetScaler Gateway Plug-in starts, it obtains the list of Intranet applications from NetScaler Gateway. Then, it examines all packets transmitted from the user's device and compares the destination address with the list of Intranet applications.

Split tunnel on NetScaler Gateway has the three settings listed below; the Gateway Plug-in makes its forwarding decision based on the configured setting.

OFF: All network traffic originating from the user device goes through the VPN tunnel. This ensures that all traffic passes through the organization's network, and thus the client device is not vulnerable to attacks, as described in Case 1 above.

ON: Only Intranet traffic goes through the VPN tunnel. If the destination address in the packet falls within one of the Intranet applications, the NetScaler Gateway Plug-in sends the packet through the VPN tunnel to NetScaler Gateway. If the destination address is not in a defined Intranet application, the packet is not encrypted and the user's device routes it over its normal network path. This addresses the requirement described in Case 2 above.

REVERSE: Traffic for Intranet applications bypasses the VPN tunnel, while all other traffic goes through the VPN tunnel. This can be used to log all non-local LAN traffic.
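To make the forwarding rule concrete, here is an added Python model of the plug-in's decision under the three settings. It is example code written for this article, not Citrix's plug-in code. It assumes Intranet applications are defined as IP ranges in CIDR form (Intranet applications defined by hostname are outside this model), and the sample ranges, destination addresses and the "overbroad" thresholds are constructed for illustration. The audit helper goes a little beyond the text: it flags Intranet application ranges so wide that they silently change what ON and REVERSE actually do.

```python
import ipaddress

# The three values accepted by -splitTunnel on NetScaler Gateway.
SPLIT_TUNNEL_MODES = ("OFF", "ON", "REVERSE")

# Constructed review thresholds: an IPv4 range wider than /8 or an IPv6 range
# wider than /32 is unusual for a single Intranet application.
_MIN_PREFIX = {4: 8, 6: 32}


def parse_intranet_apps(specs):
    """Parse Intranet application definitions given as CIDR ranges or single IPs.

    Assumption: address-based definitions only; hostname-based Intranet
    applications are not modelled here.
    """
    return [ipaddress.ip_network(spec, strict=False) for spec in specs]


def is_intranet_destination(dst, intranet_apps):
    """True if dst falls inside any configured Intranet application range."""
    ip = ipaddress.ip_address(dst)
    # 'in' is False when the address family differs, so mixed v4/v6 lists are fine.
    return any(ip in net for net in intranet_apps)


def forwarding_decision(mode, intranet_apps, dst):
    """Return 'TUNNEL' or 'LAN' for a packet to dst under the given split tunnel mode."""
    mode = mode.upper()
    if mode not in SPLIT_TUNNEL_MODES:
        raise ValueError(f"unknown split tunnel mode: {mode!r}")
    if mode == "OFF":
        # Everything, Internet traffic included, enters the VPN tunnel.
        return "TUNNEL"
    intranet = is_intranet_destination(dst, intranet_apps)
    if mode == "ON":
        # Only Intranet application traffic is tunnelled; the rest leaves
        # unencrypted through the LAN adapter.
        return "TUNNEL" if intranet else "LAN"
    # REVERSE: Intranet application traffic bypasses the tunnel, all else is tunnelled.
    return "LAN" if intranet else "TUNNEL"


def simulate(mode, intranet_apps, destinations):
    """Map each destination to its forwarding decision; handy when reviewing a config."""
    return {dst: forwarding_decision(mode, intranet_apps, dst) for dst in destinations}


def overbroad_intranet_apps(intranet_apps):
    """Flag Intranet application ranges wide enough to change the effective mode.

    A 0.0.0.0/0 entry makes ON behave like OFF and makes REVERSE bypass the
    tunnel for every destination, which is rarely what the administrator meant.
    """
    return [str(net) for net in intranet_apps if net.prefixlen < _MIN_PREFIX[net.version]]


if __name__ == "__main__":
    # Constructed sample configuration and traffic (documentation address ranges).
    apps = parse_intranet_apps(["10.0.0.0/8", "192.168.10.0/24", "2001:db8:10::/48"])
    traffic = ["10.20.30.40", "192.168.10.7", "203.0.113.5", "2001:db8:10::25", "2001:db8:ff::1"]
    for mode in SPLIT_TUNNEL_MODES:
        print(mode, simulate(mode, apps, traffic))
    print("overbroad:", overbroad_intranet_apps(parse_intranet_apps(["0.0.0.0/0", "10.0.0.0/8"])))
```

Running the script prints the decision table for each mode; the useful check for a reviewer is that, in ON mode, every address that is not inside a listed Intranet application leaves the device unencrypted, so the Intranet application list is effectively the policy.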
 

Instructions

Split tunnel can be configured either at the global level or per Gateway virtual server.

To enable split tunnel at the global level:

CLI:
> set vpn parameter -splitTunnel [OFF | ON | REVERSE]

GUI:
Go to NetScaler Gateway -> Global Settings -> Change Global Settings -> Client Experience -> Split Tunnel

To enable split tunnel at the Gateway virtual server level:

Step 1: Create a session profile

CLI:
> add vpn sessionAction <session profile name> -splitTunnel [OFF | ON | REVERSE]

GUI:
Go to NetScaler Gateway -> Policies -> Session -> Session Profiles

Step 2: Create a session policy

CLI:
> add vpn sessionPolicy <session policy name> <rule> <session profile name>

GUI:
Go to NetScaler Gateway -> Policies -> Session -> Session Policies

Step 3: Bind the session policy

CLI:
> bind vpn vserver <Gateway virtual server name> -policy <session policy name>

GUI:
Go to NetScaler Gateway -> Virtual Servers -> edit Gateway virtual server -> Policies -> Choose Session
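The same three steps, plus the global setting, expressed as NetScaler NITRO REST calls so they can be automated and reviewed before they are applied. This is an added example written for this article, not Citrix's own code or SDK. The NITRO resource names vpnparameter, vpnsessionaction, vpnsessionpolicy and vpnvserver_vpnsessionpolicy_binding follow the CLI object names and are my assumption; verify them against the NITRO reference for your release. The object names, the rule "true", the binding priority 100 and the management address are constructed placeholders, and the name check is deliberately conservative.

```python
import json
import re
import ssl
import urllib.request

SPLIT_TUNNEL_MODES = ("OFF", "ON", "REVERSE")
# Conservative object-name check (assumption, stricter than the appliance itself):
# ASCII letters, digits, '_', '.', '-' and a leading letter or underscore.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def is_valid_split_tunnel_mode(mode):
    return mode.upper() in SPLIT_TUNNEL_MODES


def _check_mode(mode):
    if not is_valid_split_tunnel_mode(mode):
        raise ValueError(f"splitTunnel must be one of {SPLIT_TUNNEL_MODES}, got {mode!r}")
    return mode.upper()


def _check_name(name):
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid NetScaler object name: {name!r}")
    return name


def nitro_call(method, resource, payload):
    """Describe one NITRO config call (resource names assumed, see lead-in)."""
    return {"method": method, "path": f"/nitro/v1/config/{resource}", "body": {resource: payload}}


def plan_global_split_tunnel(mode):
    """Equivalent of: set vpn parameter -splitTunnel <mode>"""
    return [nitro_call("PUT", "vpnparameter", {"splittunnel": _check_mode(mode)})]


def plan_vserver_split_tunnel(vserver, profile, policy, rule, mode, priority=100):
    """Steps 1-3 for one Gateway virtual server as NITRO calls."""
    mode = _check_mode(mode)
    for name in (vserver, profile, policy):
        _check_name(name)
    return [
        # Step 1: add vpn sessionAction <profile> -splitTunnel <mode>
        nitro_call("POST", "vpnsessionaction", {"name": profile, "splittunnel": mode}),
        # Step 2: add vpn sessionPolicy <policy> <rule> <profile>
        nitro_call("POST", "vpnsessionpolicy", {"name": policy, "rule": rule, "action": profile}),
        # Step 3: bind vpn vserver <vserver> -policy <policy>
        # (a priority is required for advanced policies; 100 is a constructed default)
        nitro_call("PUT", "vpnvserver_vpnsessionpolicy_binding",
                   {"name": vserver, "policy": policy, "priority": priority}),
    ]


def as_cli(plan):
    """Render a plan as the equivalent NetScaler CLI commands for change review."""
    lines = []
    for call in plan:
        resource, body = next(iter(call["body"].items()))
        if resource == "vpnparameter":
            lines.append(f"set vpn parameter -splitTunnel {body['splittunnel']}")
        elif resource == "vpnsessionaction":
            lines.append(f"add vpn sessionAction {body['name']} -splitTunnel {body['splittunnel']}")
        elif resource == "vpnsessionpolicy":
            lines.append(f"add vpn sessionPolicy {body['name']} \"{body['rule']}\" {body['action']}")
        elif resource == "vpnvserver_vpnsessionpolicy_binding":
            lines.append(f"bind vpn vserver {body['name']} -policy {body['policy']} -priority {body['priority']}")
    return lines


def apply_plan(nsip, user, password, plan, cafile=None):
    """Send the planned calls to the management address over verified HTTPS."""
    ctx = ssl.create_default_context(cafile=cafile)  # never disable verification for NSIP traffic
    results = []
    for call in plan:
        req = urllib.request.Request(
            f"https://{nsip}{call['path']}",
            data=json.dumps(call["body"]).encode(),
            method=call["method"],
            headers={"Content-Type": "application/json",
                     "X-NITRO-USER": user, "X-NITRO-PASS": password},
        )
        with urllib.request.urlopen(req, context=ctx) as resp:
            results.append((call["path"], resp.status))
    return results


if __name__ == "__main__":
    # Constructed names; nothing is sent unless apply_plan() is called.
    plan = plan_vserver_split_tunnel("gw_vs_corp", "prof_split_on", "pol_split_on", "true", "on")
    print("\n".join(as_cli(plan_global_split_tunnel("off") + plan)))
    print(json.dumps(plan, indent=2))
```

Keeping the plan separate from apply_plan() lets the CLI rendering go into a change ticket before anything touches the appliance, and the mode check catches the common typo of a lowercase or misspelled value before it becomes a silently rejected call.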

Additional Information

Citrix Documentation - Configuring Split Tunneling