Hi all,
We have the following setup:
- XGS 126, configured for SSLVPN
- The global SSLVPN settings contain the IPs of both internal AD DNS servers and the AD FQDN (e.g. contoso.local)
- The internal DNS is configured for split DNS, so that external DNS names (e.g. webapp.contoso.com) resolve to internal IP addresses (10.51.1.1, 10.51.1.2)
We have the requirement to access applications via a public DNS name (webapp.contoso.com), but through the VPN. That is why we configured Split DNS on the internal DNS servers.
When we connect to the corporate network with the newer Connect client (either Sophos Connect or OpenVPN Connect), Windows gets an NRPT rule saying that the FQDN provided in the SSLVPN global settings (contoso.local) should be resolved by the DNS servers provided in the global settings (10.51.1.1, 10.51.1.2).
In short: contoso.local --> 10.51.1.1, 10.51.1.2
So internal name resolution works (e.g. printer.contoso.local), but external name resolution (webapp.contoso.com) is directed to the Internet, where no record exists because the application should only be available via VPN, so the request fails.
(It is not a solution for us to add DNS records with internal IP addresses to the external zone, so please do not suggest this ;-)
How can we achieve the goal of sending all DNS requests to the internal DNS servers WITHOUT FORCE TUNNELING (Microsoft 365-related traffic must not be routed through the VPN)? Is there a way via DNS request routing?
Best
Ben
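The NRPT behaviour described in the post can be inspected, and the missing namespace mapping tried out, with the Windows DNS client cmdlets. This is an added example, not code from the original post or from Sophos: the rule for `.contoso.com` is an assumed manual workaround (the thread only states that the client creates a rule for `contoso.local`), and the server addresses are the ones given in the post.

```powershell
# Added example (not from the original post). Shows the NRPT rule the VPN client pushed
# and adds a second rule so names under the public zone are also sent to the internal
# DNS servers, without touching routing (so no force tunneling is needed).
# Assumption: adding a '.contoso.com' NRPT rule is a manual workaround; the thread does
# not state that Sophos Connect or OpenVPN Connect creates such a rule.
$InternalDns = @('10.51.1.1', '10.51.1.2')

# 1. Inspect what the VPN client configured: expect a rule for .contoso.local -> $InternalDns
Get-DnsClientNrptRule | Select-Object Name, Namespace, NameServers, Comment

# 2. Add a rule for the public zone pointing at the same servers (elevated shell required).
#    A leading dot makes the rule match the whole suffix, e.g. webapp.contoso.com.
$exists = Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains '.contoso.com' }
if (-not $exists) {
    Add-DnsClientNrptRule -Namespace '.contoso.com' -NameServers $InternalDns `
        -Comment 'Split-DNS workaround: resolve public zone via VPN DNS servers'
}

# 3. Verify: the answer should now be the internal address the split-DNS zone returns,
#    while names outside .contoso.com (e.g. Microsoft 365) still use the normal resolvers.
Resolve-DnsName -Name 'webapp.contoso.com' -Type A | Select-Object Name, IPAddress
Resolve-DnsName -Name 'outlook.office365.com' -Type A | Select-Object -First 1 Name, IPAddress

# 4. Remove the rule again when the VPN is disconnected (see the note below).
# Get-DnsClientNrptRule | Where-Object { $_.Comment -like 'Split-DNS workaround*' } |
#     Remove-DnsClientNrptRule -Force
```

Caveat for anyone trying this: a rule added with `Add-DnsClientNrptRule` is persistent and not tied to the VPN session, so while the tunnel is down every `.contoso.com` query is sent to 10.51.1.1/10.51.1.2, which are then unreachable, and resolution of the public zone fails. In practice the rule has to be added when the VPN comes up and removed when it goes down (or pushed by the client itself), which is exactly the part the question asks the Sophos client to handle.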