Are you trying got understand the 3.13.7 and Split Tunneling Security Requirement in NIST SP 800-171 Rev 2 (and draft Rev 3??

Like all of the requirements, there are nuances in the actual Security Requirement, “Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).”

In this “As the CMMC Churns” we take a look at the keywords (e.g., remote devices, simultaneous, non-remote connections, et al) and describe how the requirement, when implemented operates as intended.

We will also discuss how a good firewall/VPN concentrator operates to securely implement “Disabled Split Tunneling” while minimizing latency impact to components of your system, not behind your firewall (e.g., Microsoft Teams).  We will even discuss strategies to minimize latency under 3.13.7 and Split Tunneling.

A Whitepaper version of this is available at http://peakinfosec.com/information-security/compliance/dfards-and-nist-sp-800-171/split_tunneling/.