How to monitor branch offices that have split tunneling

Monitoring Split Tunneling

It is common for enterprises to rely on split tunneling to provide connectivity to remote branch offices. In a split tunnel configuration, remote users use a commodity Internet connection, such as Comcast or Verizon, to reach public websites and cloud services, and a VPN tunnel, also called a LAN-to-LAN tunnel, to reach intranet websites and other corporate services. The LAN-to-LAN tunnel is established between the branch router and a VPN concentrator located at the company’s headquarters or data centers.

Typical split tunneling configuration for a remote branch office.

(SD-WAN is an evolution of this model, in which one or more commodity Internet connections are bundled together to offer enterprise-grade service for real-time applications and circuit uptime.)

The network architect may choose to configure split tunneling either for economic reasons, due to the lower cost of Internet connections when compared to dedicated circuits like metro-Ethernet or MPLS, or for practical reasons, oftentimes due to the lack of transport services in specific areas of the country.

Regardless of the reason, once a branch office is configured with split tunneling it becomes a challenge for network managers who rely on monitoring servers installed at the data center to detect service outages and application performance issues before remote users do. This “network blindness” at remote locations has a tremendous impact on business operations (e.g. retail, banking, and healthcare) as well as on the network manager’s ability to troubleshoot remote application issues that affect end users.

(Read about how Veterans United chose NetBeez to increase uptime and service availability at remote branch offices.)

Network Visibility

The problem with split tunneling and traditional network monitoring is that most SNMP-based solutions have the monitoring server installed at the data center. This server, which integrates an SNMP poller, periodically performs MIB queries against the routers and switches installed at the remote branch offices. The problem is that such centralized monitoring cannot tell whether users are actually able to connect to cloud applications, nor what the performance is like from their side of the split tunnel.

Limits of centralized network monitoring solutions: what is the end user’s network and application performance at remote branch offices?

To solve this problem, network managers can now rely on distributed monitoring agents that perform active tests at the network layer (ping and traceroute) as well as at the transport and application layers (iperf and HTTP) to monitor service availability, check whether DNS works, and measure network and application performance from the branch itself.
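A branch-side active probe of the kind described above, added here as an illustration (not NetBeez's own agent code): it times the DNS, TCP-connect and HTTP stages for each target and then uses the split between intranet targets (expected via the LAN-to-LAN tunnel) and Internet targets (expected via the local breakout) to localise an outage. The target hosts and thresholds are assumptions.

```python
import socket, time, urllib.request
from urllib.parse import urlparse

# Constructed target list (hypothetical hosts): intranet via the LAN-to-LAN tunnel, public via the local Internet breakout.
TARGETS = {"intranet": ["https://intranet.example.internal/"],
           "internet": ["https://www.example.com/"]}
THRESHOLDS = {"dns_ms": 200, "connect_ms": 150, "http_ms": 1000}  # assumed per-stage limits; tune per branch circuit

def probe(url, timeout=5.0):
    """Resolve, TCP-connect and HTTP-fetch one URL from the branch; return per-stage latency in ms or an error."""
    parsed = urlparse(url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    result = {"url": url}
    try:
        t0 = time.monotonic()
        addr = socket.gethostbyname(parsed.hostname)                      # network layer: does DNS work?
        result["dns_ms"] = (time.monotonic() - t0) * 1000
        t0 = time.monotonic()
        socket.create_connection((addr, port), timeout=timeout).close()   # transport layer: is the port reachable?
        result["connect_ms"] = (time.monotonic() - t0) * 1000
        t0 = time.monotonic()
        with urllib.request.urlopen(url, timeout=timeout) as resp:        # application layer: does HTTP answer?
            result["status"] = resp.status
        result["http_ms"] = (time.monotonic() - t0) * 1000
    except (OSError, ValueError) as exc:  # gaierror, timeout, refused and HTTPError all land here
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result

def evaluate(result, thresholds=THRESHOLDS):
    """'down' on any error, 'degraded' if a stage breaches its threshold or HTTP >= 400, else 'ok'."""
    if "error" in result:
        return "down", [result["error"]]
    problems = [f"{k} {result[k]:.0f}ms > {v}ms" for k, v in thresholds.items()
                if result.get(k, 0) > v]
    if result.get("status", 200) >= 400:
        problems.append(f"HTTP {result['status']}")
    return ("degraded" if problems else "ok"), problems

def diagnose(states):
    """Localise an outage from {"intranet": [state, ...], "internet": [state, ...]} per path."""
    intranet_down = bool(states["intranet"]) and all(s == "down" for s in states["intranet"])
    internet_down = bool(states["internet"]) and all(s == "down" for s in states["internet"])
    if intranet_down and internet_down:
        return "both paths fail: branch Internet circuit or local DNS suspected"
    if intranet_down:
        return "intranet fails, Internet works: LAN-to-LAN tunnel suspected"
    if internet_down:
        return "Internet fails, intranet works: local Internet breakout suspected"
    return "no path-level outage"
```

From the branch agent, `diagnose({p: [evaluate(probe(u))[0] for u in us] for p, us in TARGETS.items()})` yields the hint a data-center poller cannot produce, since it never sees the branch's own egress paths.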

Distributed network monitoring gives network managers early fault detection and quick troubleshooting of complex WANs.

The “distributed network monitoring” strategy implemented by NetBeez enables organizations with several branch offices to gain network visibility and quickly detect remote network and application issues.

If you want to learn more about NetBeez, I encourage you to schedule a demo with a representative from our team.