Fortinet white logo
Fortinet white logo

EMS Administration Guide

Configuring a profile with application-based split tunnel

Configuring a profile with application-based split tunnel

FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications. For example, you can exclude applications like the following from the VPN tunnel:

  • Microsoft Office 365
  • Microsoft Teams
  • Skype
  • GoToMeeting
  • Zoom
  • WebEx
  • YouTube

You must configure these settings in the endpoint profile in EMS. The following instructions assume that you have already configured a remote SSL or IPsec VPN server in FortiOS. See the FortiOS documentation.

This feature does not support explicitly including traffic in the VPN tunnel.

To configure application-based split tunnel using the GUI:
  1. In EMS, go to Endpoint Profiles, and select the desired profile.
  2. On the VPN tab, select an existing tunnel or create a new tunnel.
  3. Under Split Tunnel > Application Based, configure the following fields:

    Configuration

    Description

    Application Based

    Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:

    • Microsoft Office 365
    • Microsoft Teams
    • Skype
    • GoToMeeting
    • Zoom
    • WebEx
    • YouTube

    Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.

    Type

    Select Exclude to configure whether to exclude certain application traffic from the VPN tunnel.

    Local Applications

    You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon.

    For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:

    • Application Name: teams.exe;firefox.exe
    • Full Path: %localappdata%\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
    • Directory: %localappdata%\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\

    To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

    Select the application checkbox, then click Remove to remove it from the list.

    Cloud Applications

    You can exclude cloud applications. Click Add. In the list, select the desired applications, then click Add.

    Select the application checkbox, then click Remove to remove it from the list.

    Domain

    You can exclude domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.

    For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.

    Select the application checkbox, then click Remove to remove it from the list.

    This example shows excluding the Microsoft Teams using the application name, full path, and directory. It also excludes Teams and other web conferencing cloud applications, such as Zoom and Cisco WebEx:

  4. Assign the profile to the desired endpoints. When VPN is up on those endpoints, FortiClient excludes the application traffic specified in the profile from the VPN tunnel as configured.

Configuring a profile with application-based split tunnel

Configuring a profile with application-based split tunnel

FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications. For example, you can exclude applications like the following from the VPN tunnel:

  • Microsoft Office 365
  • Microsoft Teams
  • Skype
  • GoToMeeting
  • Zoom
  • WebEx
  • YouTube

You must configure these settings in the endpoint profile in EMS. The following instructions assume that you have already configured a remote SSL or IPsec VPN server in FortiOS. See the FortiOS documentation.

This feature does not support explicitly including traffic in the VPN tunnel.

To configure application-based split tunnel using the GUI:
  1. In EMS, go to Endpoint Profiles, and select the desired profile.
  2. On the VPN tab, select an existing tunnel or create a new tunnel.
  3. Under Split Tunnel > Application Based, configure the following fields:

    Configuration

    Description

    Application Based

    Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:

    • Microsoft Office 365
    • Microsoft Teams
    • Skype
    • GoToMeeting
    • Zoom
    • WebEx
    • YouTube

    Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.

    Type

    Select Exclude to configure whether to exclude certain application traffic from the VPN tunnel.

    Local Applications

    You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon.

    For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:

    • Application Name: teams.exe;firefox.exe
    • Full Path: %localappdata%\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
    • Directory: %localappdata%\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\

    To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

    Select the application checkbox, then click Remove to remove it from the list.

    Cloud Applications

    You can exclude cloud applications. Click Add. In the list, select the desired applications, then click Add.

    Select the application checkbox, then click Remove to remove it from the list.

    Domain

    You can exclude domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.

    For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.

    Select the application checkbox, then click Remove to remove it from the list.

    This example shows excluding the Microsoft Teams using the application name, full path, and directory. It also excludes Teams and other web conferencing cloud applications, such as Zoom and Cisco WebEx:

  4. Assign the profile to the desired endpoints. When VPN is up on those endpoints, FortiClient excludes the application traffic specified in the profile from the VPN tunnel as configured.