NGAF SSL VPN DNS Suffix

addimasqi Lv2Posted 18 Mar 2020 20:26

I have some problems with the SSLVPN connection.  I will summarize the existing condition & configuration (just for an example) :

The application server in the LAN zone :
- IP Address: 10.10.0.150
- Hostname: application-portal
- Usually, users access with browser by typing the hostname in the browser address.

VPN configuration :
- gateway deployment mode
- local DNS10.10.0.13
- route and configuration I think is OK.

Result :
- usually, users access with browser by typing the hostname in the browser and we can't access it with the hostname.  When we access using the IP address is OK.
- The ping test to DNS server is OK, ping test to hostname application-portal not resolve. The ping test to the application-portal IP address is OK.
- nslookup to hostname not resolve. (nslookup application-portal)
- when we check nslookup with DNS suffix (application-portal.ourdnssuffix) the IP address is resolved.

So the conclusion from troubleshooting with our server engineer is, we must add DNS suffix to the virtual IP pool for SSL VPN.  Is that true?

For comparison, when we using SSL VPN from Watchguard, they have a configuration to add DNS suffix / domain name.  For Sangfor NGAF in SSL VPN local DNS configuration, we choose "client PC uses the above DNS Server (10.10.0.13) or local domain name resource (ourdnssuffix).  

By solving this question, you may help 276 user(s).

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

Sangfor_SY Lv1Posted 02 Apr 2020 14:58
  
after connect ssl vpn, did you able to see ssl vpn adapter the server ip in pc via cmd ->ipconfig ?
Park Bo Gart Lv2Posted 02 Apr 2020 18:18
  
This is our current problem also. One thing that I have noticed given that I successfully logged in the SSL VPN:

1. Access to the resources that you defined (IP, IP Range) is working.
2. Access to FQDN is not working. You will notice that your workstation is trying to resolve the FQDN using the DNS IP configured on your primary physical NIC, not the DNS IP given by the virtual NIC of SSL VPN.

So RND created a patch for us that once you logged into the SSL VPN, the DNS IP config of your primary physical NIC will add the DNS IP you set in the SSL VPN Local DNS configuration. Once logged out, the DNS IP will be removed.

also, another problem related to SSL VPN but not related to DNS is that when you assign IP Range to the resources, checking out the routing table of your PC, you will see that it is populated by single IP with a mask of /32 instead of just the range that you defined.
Osamakhan Lv2Posted 10 Apr 2020 15:47
  
Use L3VPN it pings all your internal network + also connect with your AD Server.
Also put your DNS Server ip on Local DNS option in L3VPN
sarahevans Chas Posted 21 Sep 2020 22:45
  
SSL VPN has other issues too. Outlook/Exchange connectivity is sporadic if we get a connection at all.   Windows share drive disconnects and slowness/disconnects reported on our EMR. Try connecting with Ivacy VPN.

I Can Help:

Change

Moderator on This Board

1
25
3

Started Topics

Followers

Follow

Board Leaders