You have not enabled split-tunneling in that via connection profile so ALL traffic will be tunneled to the controller.
If you want your clients to ONLY be able to connect to your 172.0.0.0/8 network I'm pretty sure you need to explicitly block all other traffic in the user-role applied to the VIA user.
If you enable split-tunneling only traffic destined for 172.0.0.0/8 will be tunneled over a secure connection back to the controller while all other traffic goes out to the internet locally at the VIA user.
Also do not forget to apply/attach this VIA connection profile to the role your VIA users end up in.