Sophos Connect vs DNS

Question

So i finished all the instructions as posted on page https://community.sophos.com/kb/en-us/133109 
 Downloaded the client and exported the configuration. Set up the client and finally made a connection. 
 So far so good. Can ping hosts on the internal network by ip adress, however i can't seem to reach hosts by their name. 
 I did enter the ip of the DNS server but somehow hosts aren't being resolved. 
 
 Any thoughts or pointers on this. 
 
 Thnx, Peter-Paul

LuCar Toni · Accepted Answer

Thanks for your feedback! 
 
 We fixed this issue in the current Sophos Connect Client. 
 This client should be published via Up2Date. 
 Check out the current version: 
 
 1.0.004

onward · Answer

partially answering my own question: I found that manually setting a metric of 10 on the Sophos TAP adapter (Ethernet 3 in the ipconfig shown above) solves or works around this issue on Windows 10. Dns lookups then go to the internal dns server specified in the sophos connect policy and are resolving correctly. This approach was based on https://www.petenetlive.com/KB/Article/0001402 
 
 before: 
 C:\>netstat -rn =========================================================================== Interface List 6...***** ......Intel(R) Ethernet Connection (2) I219-LM 12...00 ff f7 11 f6 b0 ......Sophos TAP Adapter 1...........................Software Loopback Interface 1 =========================================================================== 
 
 after: 
 C:\>netstat -rn =========================================================================== Interface List 12...00 ff f7 11 f6 b0 ......Sophos TAP Adapter 6...****** ......Intel(R) Ethernet Connection (2) I219-LM 1...........................Software Loopback Interface 1 ===========================================================================

David Bradbury · Answer

We have a similar problem with some of our laptops. 
 Looking at the Connect Client status ( GUI) , this shows the correct IPV4 addresses for DNS 
 Checking the details in a DOS / PS terminal shows 3 default IPV6 addresses for DNS. 
 I have Sophserve ticket 9015034 open for this. 
 "A number of our laptops (a mixture of new build and some that used to have SSL VPN) with the Sophos Connect Client V1.3 are not having the DNS settings for the TAP adapter set correctly. 
 
 I have noticed that the DNS is being set to use 3 default IPV6 addresses and that the TAP adapter is being labelled as Sophos TAP adapter #2 I'll upload some screenshots which will assist

comparing the connect client status (GUI) , that shows the correct IPV4 address for DNS but those details aren't shown when displaying details of the network adaptor in a DOS or PS terminal.
Have uploaded pics showing good & bad DNS. The good DNS was on one users WIn 7 laptop, the bad DNS was on her new WIn 10 laptop. The other screenshots show TAP adapter #2 ( adapter #1 isn't present on the system - even showing hidden adapters) and the IPV6 DNS"

David Bradbury · Answer

We've done more research on this and have found that the TAP adapter name is the cause of the problem. On the PCs that have the problem, the TAP adapter is being shown with friendly name " Sophos TAP Adapter #2 " 
 If the #2 is removed ( registry entry ) , the IPV4 DNS details will populate correctly when the connection is established. 
 We've now raised this as a bug in the Connect Client installer on the Sophserv ticket that we already have open with Sophos team. 
 
 This would explain why when the connection established, although the Connect Client had received and was showing the correct DNS address, it was unable to parse the value to the TAP adapter as the software is only expecting to see "Sophos TAP Adapter" - not "Sophos TAP adapter #2"

cbunting · Answer

Having the same issue here with only 1 of our users so far... To elaborate on the fix, follow these steps: 
 
 1. Regedit - search for "Sophos Tap Adapter #2" 
 2. Remove the "#2" part from the name anywhere it shows up. 
 3. To get windows to recognize the change, restart the Sophos Connect Service 
 4. Sophos will connect correctly now and assign DNS addresses to the TAP adapter 
 
 Can you please acknowledge this as a bug and fix it in an upcoming release? 
 
 Removing sophos connect and every trace of the TAP adapter in the registry and reinstalling did not work, it still assigned it #2..

LuCar Toni · Answer

Observed the same issue with my installation. 
 Already reported this issue to the dev Team. They could reproduce it and will fix it in the next version. (ETA should be next week)

rmk_2018 · Answer

Hello Momentum, 
 
 In the Sophos Connect Client policy you configure on XG, you will assign the DNS server 1 and DNS server 2 (if available). After the tunnel is established, all hostname look ups will be sent down the tunnel and the internal DNS server should resolve the internal systems by hostname. 
 
 Please let us know if this works for you. 
 Ramesh