The process I had described is essentially how we are doing it. We have a handful of URLs which authenticate based on the source IPs, similar to what you're doing. From the internal network, and for users without split tunneling enabled, it's a non-issue. For my user base with split tunneling, what I had suggested is what worked for us. Essentially the goal is to force the traffic destined to these sites to be treated just like your internal ranges rather than internet traffic. Once it comes across the tunnel and hits your perimeter, you want it to follow your default path out to the internet and be subject to the same NAT policy as what is utilized by your internal users. Without having a better understanding of your network layout, it's hard to offer step-by-step instructions beyond the changes you need to make on the IVE.
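The routing effect the reply describes, as an added illustration that is not part of the original post and not an IVE configuration: a small Python model of which public source address a site sees from a split-tunnel client, before and after the site's address range is added to the split-tunnel include list. All addresses, the site name and the allowlist are constructed values; the real site IPs and your perimeter NAT address are whatever your environment uses.

```python
import ipaddress

# Constructed values for illustration only (documentation ranges, RFC 5737).
CORPORATE_NAT_IP = ipaddress.ip_address("203.0.113.10")  # perimeter NAT address the sites trust
HOME_ISP_IP = ipaddress.ip_address("198.51.100.77")      # remote user's own public address
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Hypothetical site that authenticates on source IP; resolve the real ones yourself.
SOURCE_IP_AUTH_SITES = {
    "vendor-portal.example": ipaddress.ip_network("192.0.2.0/24"),
}
# Source addresses the site's allowlist accepts (only the corporate NAT address).
ALLOWLISTED_SOURCES = {CORPORATE_NAT_IP}


def egress_source(dest, split_tunnel_includes):
    """Source address a remote site sees for traffic from a split-tunnel client.

    Destinations matching an include route go over the VPN tunnel, hit the
    perimeter and leave through the corporate NAT; everything else leaves
    directly from the user's ISP connection.
    """
    dest = ipaddress.ip_address(dest)
    if any(dest in net for net in split_tunnel_includes):
        return CORPORATE_NAT_IP
    return HOME_ISP_IP


def site_allows(dest, split_tunnel_includes):
    """True if the site's source-IP check would pass for this client."""
    return egress_source(dest, split_tunnel_includes) in ALLOWLISTED_SOURCES


def build_split_tunnel_includes(internal_ranges, extra_sites):
    """The fix: treat the IP-authenticated sites like internal ranges.

    Returns the internal ranges plus each site's address block so that
    traffic to those sites is tunnelled; general internet traffic is still
    split out locally.
    """
    return list(internal_ranges) + list(extra_sites.values())


if __name__ == "__main__":
    site_ip = "192.0.2.5"
    print("before:", egress_source(site_ip, INTERNAL_RANGES), site_allows(site_ip, INTERNAL_RANGES))
    fixed = build_split_tunnel_includes(INTERNAL_RANGES, SOURCE_IP_AUTH_SITES)
    print("after: ", egress_source(site_ip, fixed), site_allows(site_ip, fixed))
    print("other internet traffic still local:", egress_source("8.8.8.8", fixed) == HOME_ISP_IP)
```

The model leaves out the case where a site sits behind a CDN or changes addresses; in that case the include route has to track whatever range the site actually resolves to, or the source-IP check fails again the day the address moves.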