
SSL VPN - Block-Outside-DNS?

Hi all,

I just have a quick question regarding the Sophos SSL VPN within UTM 9 - does it automatically block outside DNS from being used? 

The reason I ask is because I'm setting up our Sophos VPN so we can retire our IPCop server, and on that we had to configure it to push the block-outside-dns setting, so it would then automatically obtain the DNS addresses from the VPN connection, rather than the local router. Is this something I would also need to configure with the Sophos UTM?

Regards,

Rob

  • Apijnappels, I wouldn't do it like that.  I would just use 'Remote Access >> Advanced' to set DNS to the IP of the internal DNS server and, secondarily, to the IP of "Internal (Network)" as zaphod showed him above.

    Cheers - Bob

  • @Balfson, I would do the same, but it is not the same as blocking access to external DNS servers. A user can override the DHCP-assigned DNS server. A DNAT rule will prevent the possibility of ever reaching an external DNS server.

  • I admit that it's not clear to me whether he's talking about his old router getting DNS for internal users from an outside DNS server or what.

    The user's DNS request to a server in the remote LAN would stay in the remote LAN, immune to the DNAT in the UTM.  Since the tunnel is from the PC to the UTM, and not between the router and the UTM, we have no control over the router.  The router has no idea the UTM exists.

    If the current router in the remote office can't do an IPsec tunnel with the UTM, then maybe he needs a small SG with Network Protection. :)

    Cheers - Bob

  • I think he routes all traffic over the VPN, since previously he needed another product specifically for blocking external DNS requests. That other product also cannot handle traffic that doesn't travel over the VPN and goes out directly to the router on the client side of the VPN tunnel. But these are all assumptions.....

  • Hi Balfson & Apijnappels,

    When you have a DNS server configured in the SSL VPN settings, doesn't this force all DNS requests to be made via the UTM/XG first? This would be to establish whether FQDNs are to go over the tunnel or to the internet (in split-tunnel mode).

    It would make sense but that's just conjecture.

    Emile

  • Agreed, Emile, but, as apijnappels noted, the user could change the DNS settings on his PC after establishing the tunnel.

    Cheers - Bob

  • Hi Bob,

    Ah yes, very true!

    Emile

  • This is what I was wondering (you've worded it better than me :)) 

    Our old router (the IPCop system I mention) had to have a setting called 'Block-Outside-DNS' in the configuration file to ensure that this happened. We're in the process of replacing the IPCop system with our Sophos UTM (currently making sure the SSL VPN is working, and then we'll move on to configuring it to be the internal router for the office, just as IPCop is). Note: the Sophos UTM/IPCop aren't working as external routers for the office.

    I was just wondering whether the Sophos UTM needed a similar setting implemented, or whether it did it automatically to ensure all DNS requests are made through the UTM first. 
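
For readers comparing the two setups, the following is what the server side of an OpenVPN configuration like the one on Rob's IPCop pushes to road-warrior clients, with a comment on what each pushed option does and does not cover. This is an added illustration for this thread, not Rob's actual IPCop configuration and not anything generated by the Sophos UTM; the resolver address 10.0.0.53 and the domain name corp.example are made-up placeholders.

```conf
# Added example: OpenVPN server-side "push" directives that decide where a
# remote-access client sends its DNS queries. Addresses are placeholders.

# 1. Full tunnel: send all client traffic through the VPN. Without this,
#    only the pushed routes use the tunnel, and a query to a public resolver
#    such as 8.8.8.8 leaves directly via the user's home router.
push "redirect-gateway def1"

# 2. Hand the client the internal resolver and search domain. This is the
#    piece the UTM covers with the DNS entries under Remote Access >> Advanced.
#    It is a suggestion to the client: the user can still change the DNS
#    server on the PC after the tunnel is up, as noted above in the thread.
push "dhcp-option DNS 10.0.0.53"
push "dhcp-option DOMAIN corp.example"

# 3. Windows-only (uses the Windows Filtering Platform): block TCP/UDP port 53
#    on every adapter except the tunnel adapter. This is the setting the
#    IPCop box needed. It is the only one of the three that stops a query to
#    the home router (e.g. 192.168.1.1): that query never enters the tunnel,
#    because the client's local LAN route is more specific than the two
#    /1 routes installed by "redirect-gateway def1", so a DNAT rule on the
#    VPN server cannot see it. Non-Windows clients ignore this option.
push "block-outside-dns"
```

Put together with the DNAT idea from earlier in the thread: a DNAT on the server that rewrites port 53 traffic arriving from the SSL VPN address pool to the internal resolver catches every query that does go through the tunnel (the 8.8.8.8 case, including a user who has overridden the pushed DNS server), but only "block-outside-dns" on the Windows client catches queries that stay on the user's own LAN, and no server-side setting reaches a non-Windows client's local LAN traffic.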

  • Rob, I'm confused.  Is the IPCop in the remote office or in your main office?  If in the main office, what router is in use in the remote office?  Maybe a simple diagram would help - I'm a visual-tactile, so I would have sketched a diagram already, but I don't know what's where. :(

    Cheers - Bob

  • Sorry, I haven't explained our current set-up at all. 

    The SSL VPN connection is predominantly for users working from home (not a remote office), so it will be a plethora of routers on the other side of the connection.

    IPCop is in our main office, and this is the router we shall be replacing with the Sophos UTM. 

    IPCop currently acts as an internal router, and manages the SSL VPN connection through OpenVPN. It routes the internal traffic of the main office through our Juniper router (which acts as the external router). 

    As we're still testing the Sophos UTM, it's currently sitting beside the IPCop router and only manages our Sophos SSL VPN as well as some of our firewall settings. Once we have the Sophos SSL VPN up and running correctly, we'll then transfer the settings from IPCop across to the Sophos.

    Hopefully that makes sense :)