The Split Tunneling Networks option defines a VPN tunneling resource policy that specifies one or more network IP address/netmask combinations for which Secure Access Gateway handles traffic passed between the remote client and the corporate intranet. You can also specify traffic that should not pass through the VPN tunnel.
When split tunneling is used, VPN tunneling modifies routes on clients so that traffic meant for the corporate intranet networks flows through the tunnel and all other traffic goes through the local physical adapter. Secure Access Service tries to resolve all DNS requests through the physical adapter first and then routes those that fail to the VPN tunneling adapter.
When defining a resource under Split Tunneling Networks there is no option to specify a particular port; the entire subnet or IP address must be specified. When split tunneling is enabled, traffic for the networks listed under Split Tunneling Networks goes through the VPN adapter and all remaining traffic goes through the physical adapter. Within those networks, however, only the traffic that matches a VPN tunneling resource access policy (syntax protocol://<ip address>:port) is allowed through the tunnel; the remaining traffic is simply ignored. Thus it is not possible to configure traffic to bypass the tunnel for specific ports.
Network Connect split tunneling allows only IP address based resource policies (ports cannot be used). The subnet mask can be defined in dotted decimal format (e.g. 255.255.255.255) or in CIDR notation (e.g. /32 or /24).
To restrict users on split tunneling networks to certain ports, apply an appropriate VPN Tunneling Resource access policy. For example, configure tcp://10.97.190.0/24:1024-65535 or udp://10.97.190.0/24:1024-65535 as the resource access policy and allow or deny access for it.
Hence, even if you have allowed the entire range 10.97.10.0/24 in the split tunneling networks, users would only be able to access the resources specified in the ACL.
Note:
When split tunneling is disabled, all traffic from the client machine goes through the Juniper Networks virtual adapter and is encrypted with the cipher suite configured in the VPN tunneling profile settings. For this to work, appropriate VPN Tunneling resource policies (ACL) need to be specified to allow or deny the traffic passing through the tunnel. If split tunneling is disabled, all split tunnel configuration is ignored, including the exclude route. Order the policies according to how you want the Secure Access Gateway to evaluate them (policies are applied in the order they are listed in the admin UI). Keep in mind that once Secure Access Gateway matches the resource requested by the user to a resource in a policy’s (or a detailed rule’s) Resource list, it performs the specified action and stops processing policies.
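The following script is an added illustration, not code from Juniper or the Secure Access product, of how the two layers described above combine: the split tunneling networks decide which client adapter a packet is sent to, and the ordered VPN tunneling resource policies (first match wins, unmatched traffic not passed) decide what is actually allowed through the tunnel. The sample configuration reuses the article's 10.97.190.0/24 example; the exclude network 10.97.190.128/25 and the tcp://10.97.190.10:443 rule are constructed, and the longest-prefix rule for overlapping include/exclude networks is an assumption modelled on a client route table, not a documented product behaviour.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Resource syntax from the article: protocol://<ip or network>:<port or port-range>
RESOURCE_RE = re.compile(
    r"^(tcp|udp)://([0-9.]+(?:/[0-9.]+)?)(?::(\d{1,5})(?:-(\d{1,5}))?)?$"
)


@dataclass(frozen=True)
class AclRule:
    proto: str
    network: ipaddress.IPv4Network
    ports: Tuple[int, int]
    action: str  # "allow" or "deny"


def parse_split_network(text: str) -> ipaddress.IPv4Network:
    """Split tunneling network: address plus dotted-decimal mask or CIDR, never a port."""
    return ipaddress.ip_network(text.strip(), strict=False)


def parse_acl_rule(resource: str, action: str) -> AclRule:
    """VPN tunneling resource policy entry, e.g. tcp://10.97.190.0/24:1024-65535."""
    m = RESOURCE_RE.match(resource.strip())
    if not m:
        raise ValueError(f"bad resource syntax: {resource!r}")
    proto, net, lo, hi = m.groups()
    low = int(lo) if lo else 1
    high = int(hi) if hi else (low if lo else 65535)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range in {resource!r}")
    return AclRule(proto, ipaddress.ip_network(net, strict=False), (low, high), action)


@dataclass
class TunnelConfig:
    split_tunneling: bool
    include: List[ipaddress.IPv4Network] = field(default_factory=list)
    exclude: List[ipaddress.IPv4Network] = field(default_factory=list)
    acl: List[AclRule] = field(default_factory=list)  # kept in admin-UI order


def choose_adapter(cfg: TunnelConfig, dst_ip: str) -> str:
    """Which client adapter carries a packet to dst_ip: 'vpn' or 'physical'."""
    if not cfg.split_tunneling:
        return "vpn"  # everything is tunneled; include and exclude lists are ignored
    ip = ipaddress.ip_address(dst_ip)
    # Assumption: as in a route table, the most specific matching entry wins.
    candidates = [(n, "vpn") for n in cfg.include] + [(n, "physical") for n in cfg.exclude]
    best = None
    for net, adapter in candidates:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, adapter)
    return best[1] if best else "physical"


def evaluate_acl(cfg: TunnelConfig, proto: str, dst_ip: str, port: int) -> str:
    """First matching resource policy decides; traffic matching no policy is not passed."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in cfg.acl:
        if rule.proto == proto and ip in rule.network and rule.ports[0] <= port <= rule.ports[1]:
            return rule.action
    return "deny"


def disposition(cfg: TunnelConfig, proto: str, dst_ip: str, port: int) -> str:
    """'physical', 'tunnel-allow' or 'tunnel-deny' for one flow."""
    if choose_adapter(cfg, dst_ip) == "physical":
        return "physical"
    return "tunnel-" + evaluate_acl(cfg, proto, dst_ip, port)


def sample_config(split_tunneling: bool = True) -> TunnelConfig:
    """Constructed sample built around the article's 10.97.190.0/24 example."""
    return TunnelConfig(
        split_tunneling=split_tunneling,
        include=[parse_split_network("10.97.190.0/255.255.255.0")],  # dotted-decimal mask
        exclude=[parse_split_network("10.97.190.128/25")],            # CIDR form (constructed)
        acl=[
            parse_acl_rule("tcp://10.97.190.0/24:1024-65535", "allow"),
            parse_acl_rule("udp://10.97.190.0/24:1024-65535", "allow"),
            parse_acl_rule("tcp://10.97.190.10:443", "allow"),         # constructed
        ],
    )


if __name__ == "__main__":
    cfg = sample_config()
    for proto, ip, port in [("tcp", "10.97.190.5", 8080), ("tcp", "10.97.190.5", 22),
                            ("tcp", "10.97.190.10", 443), ("tcp", "10.97.190.200", 8080),
                            ("tcp", "8.8.8.8", 443)]:
        print(f"{proto}://{ip}:{port:<5} -> {disposition(cfg, proto, ip, port)}")
    print("split tunneling off, tcp://8.8.8.8:443 ->",
          disposition(sample_config(split_tunneling=False), "tcp", "8.8.8.8", 443))
```

The run shows the point the article makes: tcp://10.97.190.5:22 is routed into the tunnel because the whole /24 is a split tunneling network, but no ACL entry covers port 22, so it ends as tunnel-deny rather than being sent out the physical adapter. With split tunneling turned off, even traffic to 8.8.8.8 enters the tunnel and is dropped unless an ACL entry allows it.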