Pulse Connect Secure Split Tunneling Overview

The Pulse Secure clients for Windows, Apple OS X, Google Android, and Apple iOS and the Pulse Secure Network Connect client all support split tunneling. Split tunneling is configured as part of the role that is assigned to a user after authentication. When the client and Pulse Connect Secure establish a VPN tunnel, the Pulse server takes control of the routing environment on the endpoint to ensure that only permitted network traffic is allowed access through the VPN tunnel. Split tunneling settings enable you to further define the VPN tunnel environment by permitting some traffic from the endpoint to reach the local network or another connected subnet. When split tunneling is enabled, split tunneling resource policies enable you to define the specific IP network resources that are excluded from access or accessible through the VPN tunnel.

Figure 37 shows a simple network configuration with three possible routes: through the default router, to the local subnet, or to a router connection to an indirectly connected subnet.

Figure 37: Pulse Split Tunneling

The network configuration in Figure 37 shows that the local network and the protected network at the other end of the VPN tunnel both have a subnet with the same private IP address range, 10.10.0.0/24. In this case, the endpoint needs more information to determine where to send traffic addressed to that IP address range. You use the route precedence setting in the split tunneling settings to define which routing table takes precedence: either the tunnel routes (the routing table associated with the VPN tunnel) or the endpoint routes (the routing table associated with the physical interface). If you select tunnel routes for route precedence, traffic addressed to network 10.10.0.0/24 in Figure 37 goes through the VPN tunnel, and the 10.10.0.0/24 network available on the local indirect network is not reachable. If you select endpoint routes for route precedence, traffic addressed to network 10.10.0.0/24 goes through the physical adapter, and the 10.10.0.0/24 network available through the VPN tunnel is not reachable. Pulse restores the original routes when the VPN tunnel is disconnected. However, no matter which way you define route precedence, the endpoint loses connectivity to one or the other of the networks if there are duplicate IP address networks.
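The following simulator is an added example, not Pulse Secure code: it models the route precedence behaviour described above as a longest-prefix-match table in which equal-length prefixes are won by the preferred table, and reports which copy of the duplicate 10.10.0.0/24 subnet becomes unreachable. The interface names, the extra subnets and the route entries are constructed assumptions for the Figure 37 topology.

```python
import ipaddress
from typing import Optional

# Constructed routing tables for the Figure 37 topology (interface names assumed).
TUNNEL_ROUTES = [
    ("10.10.0.0/24", "tun0"),      # protected subnet behind the VPN tunnel
    ("192.168.50.0/24", "tun0"),   # another permitted tunnel resource
]
ENDPOINT_ROUTES = [
    ("0.0.0.0/0", "eth0"),         # default router
    ("172.16.1.0/24", "eth0"),     # directly connected local subnet
    ("10.10.0.0/24", "eth0"),      # indirectly connected subnet via local router
]

def build_table(precedence: str):
    """Merge both tables; `precedence` is 'tunnel' or 'endpoint'.
    Entries carry a priority (0 = preferred table, 1 = other table)."""
    if precedence == "tunnel":
        first, second = TUNNEL_ROUTES, ENDPOINT_ROUTES
    elif precedence == "endpoint":
        first, second = ENDPOINT_ROUTES, TUNNEL_ROUTES
    else:
        raise ValueError("precedence must be 'tunnel' or 'endpoint'")
    return ([(ipaddress.ip_network(n), i, 0) for n, i in first]
            + [(ipaddress.ip_network(n), i, 1) for n, i in second])

def lookup(table, dst: str) -> Optional[str]:
    """Longest-prefix match; an equal-length tie goes to priority 0."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, prio in table:
        if addr in net:
            key = (net.prefixlen, -prio)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None

def egress(precedence: str, dst: str) -> Optional[str]:
    """Interface a packet to `dst` leaves on under the given precedence."""
    return lookup(build_table(precedence), dst)

def shadowed(precedence: str):
    """Routes that can never be selected because the same prefix exists in
    the preferred table: the copy of a duplicate subnet that is unreachable."""
    table = build_table(precedence)
    return [(str(n), i) for n, i, p in table
            if any(n == m and q < p for m, _, q in table)]
```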