A system and method for protecting intranet client devices in a virtual
private network are disclosed. The method includes defining one or more
groups of client devices to protect from traffic emanating from an
external network (e.g., the Internet, a Wide Area Network (WAN), a remote
subnet of an intranet, and the like), while allowing the client devices
to initiate TCP sessions with servers in the external network.
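As an added illustration of the mechanism the abstract describes (this is example code, not the patent's own implementation), the following stateful filter lets clients in a protected group open TCP sessions toward the external network and admits return traffic only for sessions those clients initiated, dropping any externally originated traffic aimed at the group. Group names and address ranges are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed protected client groups (names and prefixes are assumed, not from the page).
PROTECTED_GROUPS = {
    "engineering": [ip_network("10.1.0.0/24")],
    "finance": [ip_network("10.2.0.0/24")],
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


class ClientProtector:
    """Direction-aware TCP filter for groups of protected intranet clients."""

    def __init__(self, groups):
        self.groups = groups
        # Sessions initiated by protected clients: (client_ip, client_port, server_ip, server_port)
        self.sessions = set()

    def group_of(self, ip):
        addr = ip_address(ip)
        for name, nets in self.groups.items():
            if any(addr in net for net in nets):
                return name
        return None

    def filter(self, pkt):
        src_grp, dst_grp = self.group_of(pkt.src), self.group_of(pkt.dst)
        if src_grp and not dst_grp:                      # protected client -> external server
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.sessions.add(key)                   # client initiates: remember the session
            elif pkt.rst:
                self.sessions.discard(key)               # client tears it down
            return ("ALLOW", f"outbound from {src_grp}")
        if dst_grp and not src_grp:                      # external host -> protected client
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if pkt.syn and not pkt.ack:
                return ("DROP", f"inbound connection attempt to group {dst_grp}")
            if key in self.sessions:
                if pkt.rst:
                    self.sessions.discard(key)           # server closed the session
                return ("ALLOW", f"reply in client-initiated session to {dst_grp}")
            return ("DROP", f"unsolicited traffic to group {dst_grp}")
        return ("ALLOW", "not between a protected group and the external network")
```

The filter is deliberately asymmetric: a pure SYN arriving from the external side is refused even if its 4-tuple happens to match a tracked session, so only the protected client can ever open a connection.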