One reason for using Client IP address ranges is to allow network access to external Web sites from within your internal network. If an organization has computers on the corporate network that go out through the Gateway Enforcer appliance to access Web sites on the Internet, such as Symantec or Yahoo, the internal clients can query the Internet. However, the Gateway Enforcer appliance tries to authenticate the Web sites trying to respond to the client request.
Therefore internal clients connecting to the Internet through the Gateway Enforcer appliance are unable to access the Internet unless you configure the Client IP address range.
The Client IP address range may be all the IP addresses a VPN server would assign to any client.
For example, an internal client can access the Internet if Client IP address range is configured. When an internal user contacts a Web site, the site can respond to the client because its IP address is outside the client IP address range. Therefore the internal user does not need to be authenticated.