Saturday, 4 March 2023

Netscaler Split tunnel hostname redirection

After a Netscaler upgrade from 12.1.63.23 to 13.0.88.14 we started to see that users were not able to access a few IP segments, especially 172.16.0.0/16. Interestingly, this works if the client VPN plugin version is 22.2.1.103.

We raised a case with Citrix and, after some back and forth, learned that they had changed their design to use this segment for the intranet applications defined in split tunneling. Support confirmed that, for some reason, the VPN client intentionally uses 172.16.0.0 / 255.255.0.0 as its Intranet Application hostname interception range. This means the client, on its own, points that range at itself and hands out addresses from it for the hostnames you list as Intranet Applications in the gateway config, so real hosts in that range become unreachable.

This can be seen clearly by debugging the traffic from the client plugin. The fix is to configure a custom spoofed IP range that does not overlap the affected IP segment. Below is how we did that.

VPN Session Profile > Client Experience > Advanced Settings > "Spoofed IP Addresses for FQDN Based Tunneling". We used 169.254.0.0 / 255.255.0.0 as recommended by Citrix support, and now we can access 172.16.xxx.xxx over our VPN.
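The collision is easy to reason about once it is modelled: the client treats the spoofed range as its own FQDN placeholders before it consults the split-tunnel routes, so any real subnet inside that range is shadowed. The following Python script is an added example written for this post (not Citrix code and not taken from the gateway); it is a simplified model of that behaviour, with constructed sample intranet subnets and FQDNs, and it checks a candidate spoofed range for overlap before you commit it to the session profile.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample data (not from the post): subnets that the split-tunnel
# configuration routes through the VPN.
INTRANET_SUBNETS = ["10.0.0.0/8", "172.16.0.0/16", "192.168.10.0/24"]

# Constructed sample: FQDNs listed as Intranet Applications in the gateway
# config; the client hands each one a placeholder address from the spoof range.
INTRANET_FQDNS = ["hr.corp.example", "wiki.corp.example", "git.corp.example"]


def overlapping_subnets(spoof_cidr: str, intranet_cidrs: Iterable[str]) -> List[str]:
    """Return every intranet subnet that collides with the spoofed IP range.
    An empty list means the candidate range is safe to configure."""
    spoof = ipaddress.ip_network(spoof_cidr, strict=False)
    return [c for c in intranet_cidrs
            if spoof.overlaps(ipaddress.ip_network(c, strict=False))]


def assign_spoofed_ips(spoof_cidr: str, fqdns: Iterable[str]) -> Dict[str, str]:
    """Simplified model of FQDN-based tunneling: each Intranet Application FQDN
    gets a placeholder address taken from the spoof range, which the client
    then intercepts and tunnels by name. The sequential allocation is an
    assumption for illustration, not the client's real allocator."""
    hosts = ipaddress.ip_network(spoof_cidr, strict=False).hosts()
    return {fqdn: str(next(hosts)) for fqdn in fqdns}


def classify_destination(dst: str, spoof_cidr: str, intranet_cidrs: Iterable[str]) -> str:
    """Decide how the client treats a packet to dst. The spoof range is checked
    first because the client claims it for FQDN interception before ordinary
    split-tunnel routes are consulted, which is the behaviour the post describes."""
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network(spoof_cidr, strict=False):
        return "fqdn-intercept"   # placeholder address, never a real host
    if any(ip in ipaddress.ip_network(c, strict=False) for c in intranet_cidrs):
        return "tunnel"           # real intranet host, sent through the VPN
    return "direct"               # outside the split tunnel, leaves via the local NIC


def report(spoof_cidr: str) -> None:
    """Print what happens to a real 172.16 host under a given spoof range."""
    clashes = overlapping_subnets(spoof_cidr, INTRANET_SUBNETS)
    verdict = "CONFLICT with " + ", ".join(clashes) if clashes else "no overlap"
    print(f"spoof range {spoof_cidr}: {verdict}")
    print(f"  packet to 172.16.5.10 -> {classify_destination('172.16.5.10', spoof_cidr, INTRANET_SUBNETS)}")
    for fqdn, ip in assign_spoofed_ips(spoof_cidr, INTRANET_FQDNS).items():
        print(f"  {fqdn} resolves to placeholder {ip}")


if __name__ == "__main__":
    report("172.16.0.0/16")    # the client's default after the upgrade
    report("169.254.0.0/16")   # the custom range set in the session profile
```

Run it as-is: with the default 172.16.0.0/16 range a packet to a real server such as 172.16.5.10 is classified as an FQDN placeholder and never reaches the tunnel, while with 169.254.0.0/16 the same packet is tunnelled normally. Before changing the profile, feed `overlapping_subnets` your actual intranet routes; if it returns anything, pick a different range.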
