SSLVPN Split Tunnel DNS problem

Hello,

I have a problem with DNS name resolution using SSL VPN. There seem to be 2 problems, but both do not happen at the same time.

UTM 9.411-3

Split Tunnel setup.

SSLVPN pool is allowed to all internal subnets.

Static routes are set for internal subnets to point to core switch.

Firewall rules are set up to allow SSLVPN to hit internal resources.

DNS Request route is set up and pointing to domain controllers.

Scenario 1

When DNS is configured under Advanced options of SSLVPN to use DC1 and DC2, name resolution works fine over VPN.

Name resolution for local resources no longer works.

Scenario 2

When DNS is configured under Advanced options of SSLVPN to be blank, name resolution does not work over VPN.

Name resolution of local resources works fine.

How to have both local internal resources and VPN resources resolve while connected to VPN client?

  • Is the SSL-VPN pool network allowed to use the UTM's DNS service?

    With correctly configured DNS request routing in the UTM, internal resources should be resolvable over their FQDN.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Yes,  SSLVPN Pool is allowed to use the UTM's DNS service. 

    I have deployed well over 20 UTM firewalls, and none of them can do the split tunneling properly.

    There has to be something that I'm missing.

    --
    SCA/UTM/XG  Sophos Platinum Partner

  • What exactly are your "local resources"? Are they also FQDN names or are they netbios names?

    Perhaps you need to take a look at the DNS suffix, but without any more information it's hard to point in the right direction.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • The local resources are web servers that host applications in my office. My office PC is joined to an AD domain, and all internal websites resolve correctly to the internal IP via FQDN.

    Once I connect to my VPN, it bypasses my local DNS servers and tries to send ALL DNS requests over the VPN, causing an external lookup for an internal server.

    Everything resolves fine via IP address on both local and remote, but hostname resolution is what gives me an issue depending on what I set for DNS in the advanced tab.

    Just to rule out my configuration, here are pictures of how it's configured.

    --
    SCA/UTM/XG  Sophos Platinum Partner

  • Hi Jaesii,

    that's not a UTM issue, that's a Windows issue. Unfortunately, Windows VPN is not able to do "Split-DNS".

    Windows always uses the DNS server that is bound to the first active adapter. You can change the binding order, but you can never resolve local and remote names over VPN at the same time. That's one of the biggest issues that Microsoft has ignored for many years. I haven't found any working solution for this behavior yet.

    regards

    mod

  • It's indeed a Windows "issue"...

    When you are physically at the location you are VPN-ing to, can you from there ping the VPN names of the "local" side? (I guess not, otherwise you wouldn't need the VPN connection.)

    There are actually only 3 solutions, which all require manual work:

    1) Add records for the remotely needed DNS records to your local DNS server
    2) The other way around from 1
    3) Add records in your local computer's HOSTS file

    If there is a possibility to build a site-to-site VPN connection between the 2 locations, then you can configure DNS conditional forwarders in one or both of the DNS servers and no manual work is needed.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
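A client-side check for the behaviour discussed in this thread, added here as an example and not taken from any of the posts: it queries every IPv4 DNS server bound to an adapter on the Windows client directly, so you can see which server answers which name and whether the answer is an internal (RFC 1918) address or an external one. The test names are constructed placeholders; replace them with one FQDN from the office and one from the VPN side.

```powershell
# Added diagnostic (not from the thread). Queries each adapter's DNS servers
# directly instead of going through the Windows resolver, so the report shows
# which server can resolve which name, independent of the adapter binding order.
$TestNames = @('intranet.example.local', 'vpnapp.corp.example')   # constructed sample names

function Test-InternalAddress {
    param([string]$Ip)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    return ($Ip -match '^10\.' -or
            $Ip -match '^172\.(1[6-9]|2\d|3[01])\.' -or
            $Ip -match '^192\.168\.')
}

function Get-SplitDnsReport {
    param([string[]]$Names)
    $report = @()
    # Only adapters that actually have IPv4 DNS servers configured
    $bindings = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($b in $bindings) {
        foreach ($server in $b.ServerAddresses) {
            foreach ($name in $Names) {
                $ip = $null
                try {
                    # -DnsOnly skips LLMNR/NetBIOS and the local cache; -Server pins the query to one server
                    $answer = Resolve-DnsName -Name $name -Server $server -Type A -DnsOnly -ErrorAction Stop
                    $ip = ($answer | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
                } catch { }
                if ($ip) {
                    $verdict = if (Test-InternalAddress $ip) { 'internal' } else { 'EXTERNAL' }
                } else {
                    $verdict = 'no answer'
                }
                $report += [pscustomobject]@{
                    Adapter = $b.InterfaceAlias
                    Server  = $server
                    Name    = $name
                    Address = $ip
                    Verdict = $verdict
                }
            }
        }
    }
    return $report
}

Get-SplitDnsReport -Names $TestNames | Format-Table -AutoSize
```

A row showing "EXTERNAL" or "no answer" for an office name from the VPN adapter's server is the scenario 1 symptom; the same for a VPN name from the LAN adapter's server is scenario 2.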
