As @PhoneBoy says, you can use 'exclude_local_networks_in_hub_mode' attribute in the trac_client_1.ttm to exclude a user's local network when they're connected to Remote Access VPN and using hub mode...
You can go for a more manual and customisable approach where you manually exclude any host/network required, rather than just being limited to the excluding a user's local network.
If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:
- Ensure "Route all traffic to gateway" is set to NO in Global Properties > Remote Access > SecureClient Mobile & Endpoint Connect.
- Ensure Hub Mode is set to ALLOW on the gateway object under VPN Clients > Remote Access.
- Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
- Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
- Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
- Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
- Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
- Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.
To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 184.108.40.206/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 220.127.116.11/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.
Hope that helps!