Designchanges in SplitVPN for Endpoint Management MAM SDK

Solving SplitVPN Issues with Citrix Endpoint Management

In today’s digital world, secure and efficient management of mobile devices is essential. One of the common challenges faced by many IT departments involves the configuration and operation of VPN solutions in combination with endpoint management systems. Recently, we encountered such an issue with one of our clients who experienced problems with SplitVPN in a Citrix environment.

Problem Overview

The client reported that SplitVPN was no longer functioning. After switching to the MAM SDK on the Secure Apps none of the apps was able to send traffic to the infrastructure, while external traffic worked. The original SplitVPN configuration was based on IP address ranges, with all internal IPs configured as published apps on the NetScaler for Endpoint Management. After thorough analysis it was revealed that a design change in the Citrix MAM SDK (Mobile Application Management Software Development Kit) was the root cause.

Technical Background

The design change specifically affects the Intranet Applications fields, where customers configure records with split tunnel enabled as defined in Citrix Docs . Previously, in the legacy MDX mode, all traffic associated with these IPs  was automatically directed to the gateway accessing it from the NetScaler SNIP. In the new MAM SDK mode, traffic is not routed to the gateway unless the corresponding intranet apps are created with hostnames (e.g., *.domain.com).

Steps

1. Open your NetScaler Configuration
2. Switch to NetScaler Gateway, Ressources, Intranet Applications and Hit „Add“
3. Add the internal Namespace and click Create
   
4. On the gateway, add the configuration unter Intranet Applications
   
5. Remove all other, not hostname based entries