NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION
3.13.7 — Prevent Remote Devices from Simultaneously Establishing Non-Remote Connections with Organizational Systems and Communicating via Some Other Connection to Resources in External Networks (Split Tunneling)
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
Split tunneling means a remote device sends some traffic (typically corporate destinations) through the VPN tunnel while the rest goes straight to the internet over the local network. The device then has a foot in both networks at once: malware or an attacker on the internet side can use that machine as a bridge into the corporate network, and its internet-bound traffic bypasses the egress controls (proxy, DNS filtering, IDS) that the corporate edge would otherwise apply. Full tunneling closes both gaps by forcing every packet through the gateway while the VPN is up.
Example 1: In your VPN solution (Cisco AnyConnect/Secure Client, Palo Alto GlobalProtect, Windows Always On VPN), configure full-tunnel mode so that all traffic, including internet traffic, routes through the corporate VPN gateway. For Cisco AnyConnect the setting lives in the ASA/FTD group policy applied to the connection profile, not in the client profile XML: set `split-tunnel-policy tunnelall` and make sure no `tunnelspecified` or `excludespecified` policy is inherited from a parent group policy, because either one re-enables split tunneling. Also keep Local LAN Access off in the AnyConnect client profile (`<LocalLanAccess>false</LocalLanAccess>`), since that feature is implemented as an exclude-list exception to the tunnel. For GlobalProtect, check the gateway's Client Settings and confirm that no split-tunnel include/exclude routes, domains or applications are defined for the agent configuration your users receive.
Example 2: With Windows Always On VPN, the tunnel mode is set in the ProfileXML that is deployed through Intune, Configuration Manager or a PowerShell script (Always On VPN profiles are not delivered by native Group Policy): put `<RoutingPolicyType>ForceTunnel</RoutingPolicyType>` under `<NativeProfile>`. In the Intune VPN profile for Windows (Devices > Configuration profiles, template type VPN) the equivalent is the Split tunneling option; set it to Disable. Either way all traffic, including internet traffic, goes through the tunnel whenever the VPN is connected, so size the gateway and the corporate internet egress for that load, and verify the result on an enrolled endpoint rather than trusting the profile alone.
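The following is an added example, not code from the original page or from Microsoft: an Always On VPN user-tunnel ProfileXML with RoutingPolicyType set to ForceTunnel, plus two PowerShell checks a practitioner can run on an endpoint to confirm the deployed connection really is full-tunnel. The connection name, server name and DNS suffix are assumed placeholders, and the profile uses MSChapv2 only to keep the XML short; a production profile would carry an EAP/certificate block in the same `<Authentication>` element.

```powershell
# Added example (not from the original page). Assumed placeholder values:
$ConnectionName = 'Corp VPN'
$VpnServer      = 'vpn.example.com'

# ProfileXML as pushed by Intune (VPNv2 CSP ProfileXML node) or Configuration
# Manager. ForceTunnel is the setting that satisfies 3.13.7; SplitTunnel, or an
# absent RoutingPolicyType, leaves internet traffic on the local interface.
# Note that ForceTunnel profiles must not contain <Route> elements.
$ProfileXml = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>false</RememberCredentials>
  <DnsSuffix>corp.example.com</DnsSuffix>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
    <Authentication>
      <UserMethod>MSChapv2</UserMethod>
    </Authentication>
  </NativeProfile>
</VPNProfile>
"@

# Check 1: the profile itself. Require the element to be present and equal to
# ForceTunnel instead of relying on any default the CSP might apply.
function Test-ProfileXmlForceTunnel {
    param([Parameter(Mandatory)][string]$Xml)
    $doc    = [xml]$Xml
    $policy = $doc.VPNProfile.NativeProfile.RoutingPolicyType
    return ($policy -eq 'ForceTunnel')
}

# Check 2: the connection as it exists on the endpoint. The SplitTunneling
# property is the stored setting; while connected, the effective default route
# (lowest InterfaceMetric + RouteMetric) must sit on the VPN interface, whose
# alias is the connection name for RAS-based VPNs.
function Test-VpnConnectionForceTunnel {
    param([Parameter(Mandatory)][string]$Name)

    $conn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    if (-not $conn) {
        $conn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
    }
    if (-not $conn) { throw "VPN connection '$Name' not found on this device" }

    if ($conn.SplitTunneling) { return $false }
    if ($conn.ConnectionStatus -ne 'Connected') { return $true }   # routes can only be checked live

    foreach ($prefix in '0.0.0.0/0', '::/0') {
        $family = if ($prefix -eq '::/0') { 'IPv6' } else { 'IPv4' }
        $routes = Get-NetRoute -DestinationPrefix $prefix -AddressFamily $family -ErrorAction SilentlyContinue
        if (-not $routes) { continue }   # no default route for this family at all
        $best = $routes | Sort-Object { $_.RouteMetric + $_.InterfaceMetric } | Select-Object -First 1
        if ($best.InterfaceAlias -ne $Name) { return $false }   # default route leaks to the local NIC
    }
    return $true
}

if (-not (Test-ProfileXmlForceTunnel -Xml $ProfileXml)) {
    Write-Warning 'ProfileXML does not set RoutingPolicyType=ForceTunnel'
}
if (-not (Test-VpnConnectionForceTunnel -Name $ConnectionName)) {
    Write-Warning "'$ConnectionName' is split-tunnelled; remediate with: Set-VpnConnection -Name '$ConnectionName' -SplitTunneling `$false"
}
```

Run the two checks from an elevated PowerShell session on an enrolled device while the tunnel is up; the second check deliberately inspects both the IPv4 and IPv6 default routes, because a profile that forces IPv4 through the tunnel but leaves IPv6 on the local interface is still split-tunnelled in practice.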