Network Connect (NC) provides Layer 3 access to back-end corporate resources. It does this by capturing all traffic generated through a special virtual adapter and sending it over SSL to the PCS. On the PCS, all SSL packets are decrypted and forwarded to the back-end LAN. This way the NC client can see other systems on the LAN, but the NC client is invisible to the LAN elements.
When split tunneling is disabled, the default route on the client machine points to the PCS address and all TCP traffic is sent to the PCS, whether or not it is intended for the back-end servers.
When the split tunneling networks are specified in the NC configuration, the customer's machine receives the specific routes, which allows NC to handle only the traffic intended for the back-end servers.
Split Tunneling Modes available in IVE:
- Disable Split Tunneling: All network traffic from the client goes through the Network Connect tunnel. When Network Connect successfully establishes a connection to the PCS, the PCS removes any predefined local subnet and host-to-host routes that might cause split-tunneling behavior. If any changes are made to the local route table during an active Network Connect session, the PCS terminates the session.
- Allow access to local subnet: The PCS preserves the local subnet route on the client, retaining access to local resources such as printers. The local route table may be modified during the Network Connect session.
- Allow access to local subnet with route change monitor: Once a Network Connect session starts, changes to the local route table terminate the session. This option retains access to local resources such as printers.
- Enable Split Tunneling: This option requires that you specify the Network Connect networks to which traffic must be routed through the PCS by defining Split Tunneling resource policies (see Write a Network Connect split-tunneling networks resource policy). Network Connect modifies routes on clients so that traffic meant for those networks goes to Network Connect and all other traffic goes through the local physical adapter. The PCS tries to resolve all DNS requests through the physical adapter first and then routes those that fail to the Network Connect adapter.
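The routing effect of these modes can be checked against a client's route table. The following is an added example, not code from the original article or from the vendor: it applies longest-prefix matching to constructed route tables and diffs two snapshots the way a route change monitor would. The adapter names `nc0` and `eth0` and all addresses are assumptions.

```python
import ipaddress

# Constructed sample route tables: (destination CIDR, interface).
# "nc0" stands for the Network Connect virtual adapter and "eth0" for the
# physical adapter; both names and every address here are assumptions.
SPLIT_ENABLED = [
    ("0.0.0.0/0", "eth0"),       # default route stays on the physical adapter
    ("192.168.1.0/24", "eth0"),  # local subnet (printers and similar)
    ("10.20.0.0/16", "nc0"),     # split-tunneling network from the resource policy
    ("172.16.5.0/24", "nc0"),    # second split-tunneling network
]
SPLIT_DISABLED = [
    ("0.0.0.0/0", "nc0"),        # default route points at the tunnel
]


def egress_interface(routes, dest):
    """Longest-prefix match: return the interface that carries traffic to dest."""
    ip = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), ifc) for net, ifc in routes
               if ip in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def route_changes(baseline, current):
    """Diff two route-table snapshots, as a route change monitor would."""
    base, cur = set(baseline), set(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def bypassing_tunnel(routes, destinations, tunnel="nc0"):
    """Return the destinations whose traffic would not use the tunnel adapter."""
    return [d for d in destinations if egress_interface(routes, d) != tunnel]


if __name__ == "__main__":
    # A more specific local route added mid-session diverts part of a
    # tunnelled network; the snapshot diff is what exposes it.
    changed = SPLIT_ENABLED + [("10.20.30.0/24", "eth0")]
    print(route_changes(SPLIT_ENABLED, changed))
    print(bypassing_tunnel(changed, ["10.20.30.5", "172.16.5.9"]))
```

The same comparison explains why the modes with route monitoring end the session on any route-table change: a single more specific route is enough to move traffic for a protected network off the tunnel.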
For additional information on configuring Split Tunneling, consult: KB9223 - How do I verify that the Split Tunneling settings are correct on the PCS?