Citrix Secure Access for Windows fails to allow traffic through VPN after an upgrade to 23.x.x.x

Article ID: CTX564833

Description

After the Citrix Secure Access (CSA) client connects successfully in full tunnel mode, no traffic passes through the VPN. Access to applications over the tunnel, whether by IP address or by DNS, is blocked.

The issue is limited to domain-joined end-user machines where the Intranet IP address is configured on NetScaler.

Resolution

Upgrade the Citrix Secure Access client to version 23.7.1.1.

Note: When upgrading Citrix Secure Access client to 23.7.1.1, if the backend resource pool is part of the IP address range 172.16.0.0/16, then a change in configuration is required for resource access to work over the VPN.

Configuration Example:
Configure a custom "-fqdnSpoofedIP" parameter, for example 169.254.0.0/16, and make sure that this segment is not used by any internal or intranet destination.
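
A pre-change check for the note and configuration example above, added here and not taken from Citrix documentation: it reports whether any backend pool overlaps 172.16.0.0/16 and whether a candidate "-fqdnSpoofedIP" range collides with a known destination. The function names are hypothetical, the subnet lists are constructed sample values, and treating any overlap as "part of" the range is a conservative assumption.

```python
import ipaddress

# Range named in the article's note for client 23.7.1.1.
AFFECTED_RANGE = ipaddress.ip_network("172.16.0.0/16")


def parse_networks(entries):
    """Parse CIDR strings or single addresses into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def check_spoofed_range(backend_pools, intranet_destinations, candidate):
    """Evaluate a candidate -fqdnSpoofedIP range (hypothetical helper).

    Returns (change_required, conflicts):
      change_required - True when a backend pool overlaps 172.16.0.0/16
                        (assumption: any overlap counts as "part of").
      conflicts       - sorted destinations that overlap the candidate,
                        which must be empty before the range is used.
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    pools = parse_networks(backend_pools)
    # Backend pools are destinations too, so check them against the candidate.
    dests = parse_networks(intranet_destinations) + pools
    change_required = any(p.overlaps(AFFECTED_RANGE) for p in pools)
    conflicts = sorted({str(d) for d in dests if d.overlaps(cand)})
    return change_required, conflicts


if __name__ == "__main__":
    # Constructed sample inventory, not from the article.
    pools = ["172.16.20.0/24", "10.50.0.0/16"]
    intranet = ["192.168.10.0/24", "169.254.10.5"]
    required, conflicts = check_spoofed_range(pools, intranet, "169.254.0.0/16")
    print("configuration change required:", required)
    if conflicts:
        print("candidate range collides with:", ", ".join(conflicts))
    else:
        print("candidate range is unused by listed destinations")
```
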


 

Problem Cause

The Citrix Secure Access client is not in the allowed list on Windows Firewall for steering traffic across different firewall and network profiles.