To resolve this issue, perform the following steps:
- Open the Group Policy Management snap-in (gpmc.msc) and edit the Default Domain Policy.
- From the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Network.
- Click Network Isolation.
- In the right pane, double-click Private network ranges for apps.
- In the Private network ranges for apps dialog box, click Enabled.
- In the Private subnets text box, enter the IP address range assigned by the Pulse Connect Secure device.
- Double-click Subnet definitions are authoritative.
- Click Enabled.
- Perform a group policy update on the server and the client to reflect changes.
The above steps allow only the private network range (the IP address range assigned by the PCS device) for network isolation. All other IP ranges that would come through AD sites are not considered private for network isolation.
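To confirm on a client that both settings from the steps above have arrived, the following PowerShell check (an added example, not part of the original article) refreshes computer policy and reads the Network Isolation policy key. The subnet value is a constructed placeholder, the function name is hypothetical, and the registry value names `DomainSubnets` and `DSubnetsAuthoritive` are the ones the Network Isolation administrative template is understood to write; confirm them against the ADMX in your environment.

```powershell
# Added example. Run in an elevated PowerShell session on the client or server.
# Placeholder: replace with the range entered in the "Private subnets" text box.
$ExpectedSubnet = '10.200.0.0/24'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'

function Test-NetworkIsolationPolicy {
    param(
        [Parameter(Mandatory)] [string] $Subnet,
        [string] $Path = $PolicyKey
    )
    $result = [ordered]@{
        PolicyKeyPresent = Test-Path -Path $Path
        ConfiguredRanges = @()
        SubnetListed     = $false
        Authoritative    = $false
    }
    if ($result.PolicyKeyPresent) {
        $values = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        # "Private network ranges for apps" is stored as one comma-separated string.
        $result.ConfiguredRanges = @(
            "$($values.DomainSubnets)" -split ',' |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ }
        )
        $result.SubnetListed = $result.ConfiguredRanges -contains $Subnet
        # "Subnet definitions are authoritative" is a DWORD, 1 when Enabled.
        $result.Authoritative = ($values.DSubnetsAuthoritive -eq 1)
    }
    [pscustomobject]$result
}

# Pull the updated Default Domain Policy before checking.
gpupdate /target:computer /force | Out-Null

$check = Test-NetworkIsolationPolicy -Subnet $ExpectedSubnet
$check | Format-List

if (-not $check.PolicyKeyPresent) {
    Write-Warning 'Network Isolation policy key not found; the GPO has not applied to this machine.'
} elseif (-not $check.SubnetListed) {
    Write-Warning "Expected range '$ExpectedSubnet' is not in the private network ranges."
} elseif (-not $check.Authoritative) {
    Write-Warning 'Subnet definitions are not authoritative; AD site subnets are still treated as private.'
} else {
    Write-Output 'Network Isolation policy matches the expected configuration.'
}
```

The comparison is an exact string match, so enter the range in `$ExpectedSubnet` in the same notation used in the policy.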
Note that this change is specific to network isolation. Once the change is applied, a new firewall rule is created that overrides the previous firewall rule. For more information about network isolation with Windows Store apps, refer to the following Microsoft documentation