Spoofed IP Addresses for FQDN Based Tunneling


Article ID: CTX490798


Description

This article explains the concept of the spoofed IP address range used in split tunnel, FQDN based tunneling.


Instructions

The spoofed IP address range is used only in FQDN based tunneling scenarios, to assign random IP addresses that map to hostname based routes. Two modes exist for hostname based tunneling on the Windows client: ON and REVERSE.

ON -> IPs from the spoofed range are assigned to resolved hostnames when a user accesses a hostname based route that is defined to be sent inside the VPN tunnel.
REVERSE -> IPs from the spoofed range are assigned to resolved hostnames when a user accesses a hostname based route that is defined to be kept outside the VPN tunnel. This mode is supported only when the Citrix Secure Access client for Windows is installed in WFP mode.

A side effect of this scheme is that if a user issues an nslookup or dig query to check a hostname's resolution, the answer shows the spoofed IP instead of the real IP of that hostname. The default spoofed IP range (not yet documented for the on-premises use case) is the 172.16.0.0/16 network. If it conflicts with any of the customer's internal networks, it is advised to use a large enough range that is unused in the customer's network.
The spoofed IP range is not used for IP based tunneling.
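The following Python simulation is an added illustration of the scheme described above, not code from the Citrix client: it checks a candidate spoofed range for overlap with internal networks and mimics why nslookup on the client shows a spoofed address for hostnames that match an FQDN route. The route-matching rule (exact host or domain suffix) and the sequential hand-out of spoofed IPs are assumptions made for the simulation; the client itself assigns them randomly.

```python
# Added illustration of the spoofed-IP scheme; not Citrix code.
# Assumptions: FQDN routes match an exact host or a domain suffix, and spoofed
# IPs are handed out sequentially (the real client picks them randomly).
import ipaddress
from typing import Dict, List, Optional

DEFAULT_SPOOF_RANGE = "172.16.0.0/16"  # default range stated in the article


def spoof_range_conflicts(spoof_cidr: str, internal_cidrs: List[str]) -> List[str]:
    """Return the internal networks that overlap the chosen spoofed range.
    Any hit means the spoofed range should be moved to an unused block."""
    spoof = ipaddress.ip_network(spoof_cidr)
    return [c for c in internal_cidrs if ipaddress.ip_network(c).overlaps(spoof)]


class SpoofResolver:
    """Mimics the client's DNS interception for FQDN-based routes (ON or
    REVERSE mode alike): a hostname matching a route gets an address from the
    spoofed range and keeps it; every other hostname resolves normally."""

    def __init__(self, fqdn_routes: List[str], real_dns: Dict[str, str],
                 spoof_cidr: str = DEFAULT_SPOOF_RANGE):
        # "*.corp.example.com" and "corp.example.com" both become a suffix rule
        self.routes = [r.lower().lstrip("*").lstrip(".") for r in fqdn_routes]
        self.real_dns = real_dns  # constructed stand-in for the real resolver
        self._pool = ipaddress.ip_network(spoof_cidr).hosts()
        self.spoofed: Dict[str, str] = {}  # hostname -> spoofed IP

    def matches_route(self, host: str) -> bool:
        host = host.lower()
        return any(host == r or host.endswith("." + r) for r in self.routes)

    def resolve(self, host: str) -> Optional[str]:
        """What nslookup/dig on the client would show for `host`."""
        host = host.lower()
        if not self.matches_route(host):
            return self.real_dns.get(host)  # untouched: the real answer
        if host not in self.spoofed:
            self.spoofed[host] = str(next(self._pool))
        return self.spoofed[host]


if __name__ == "__main__":
    # constructed sample: an internal subnet that collides with the default range
    print(spoof_range_conflicts(DEFAULT_SPOOF_RANGE, ["10.0.0.0/8", "172.16.40.0/24"]))
    r = SpoofResolver(["*.corp.example.com"],
                      {"intranet.corp.example.com": "10.1.2.3",
                       "www.example.net": "203.0.113.5"})
    print(r.resolve("intranet.corp.example.com"), r.resolve("www.example.net"))
```

A non-empty result from spoof_range_conflicts is the signal to pick a different, unused range; the resolver output reproduces the nslookup symptom the article describes.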

More details:
https://docs.citrix.com/en-us/citrix-gateway/citrix-gateway-clients/windows-plug-in-release-notes.html#22615-17-june-2022
Support for FQDN based REVERSE tunneling was added in version 22.6.1.5 of the client, but it is always recommended to use the latest version.

 
