Sophos Connect 1.3/1.4 no entry in local DNS

Sophos Connect 1.4 is working well and using our internal Windows DNS servers and can resolve our hosts correctly. But:

  • There is no DNS entry of the connected clients in our Windows DNS, so I cannot ping the VPN clients from inside our LAN by their hostnames. Pinging the client's IP leased by Sophos XP works.

  • With the SSL VPN Client this works. After a client connects by VPN, there is a DNS entry with the hostname on our DNS server and I am able to ping the hostname from our LAN.

Does someone know how to solve this?

  • Hi

    Thank you for contacting us.

    Could you please provide more details on the scenario and screenshots of the DNS entries for both Sophos Connect and SSL VPN client? It would help us to assist you better.

  • In reply to Keyur:

    WORKING: Scenario 1 (with Sophos SSL VPN Client)

    Client anwxnbms13 --> SSL VPN Connection (IP 10.81.234.6) established

    OK: Client can resolve all internal hosts
    OK: Pinging anwxnbms13 from local LAN is working (screenshot)
    OK: Entry in Windows DNS Server exists (screenshot)

    SSL-VPN Config: (screenshot)

    NOT WORKING: Scenario 2 (with Sophos Connect 1.3/1.4 Client)

    Client anwxnbms13 --> Sophos Connect Connection (IP 10.81.235.6) established

    OK: Client can resolve all internal hosts
    NOT: Pinging anwxnbms13 from local LAN is NOT working (but pinging IP address works)
    NOT: Entry in Windows DNS Server is missing

    Sophos Connect Config: (screenshot)

    Update: The DNS Entries for the Sophos TAP Adapter are correct on the client (172.18.x.x).

  • In reply to MVo:

    Hello MVo,

    You need to configure the domain name for the Sophos Connect policy. You do that using Sophos Connect Admin. Please let me know if you have any questions. Also do let us know if your problem is resolved after you make those changes.

    Best Regards,

    Ramesh

  • In reply to SENIORA SENI:

    Thank you Seniora Seni for the update.

  • In reply to rmk_2018:

    Hello Ramesh

    Thank you for your reply. All our employees are already using the configuration (SCX) that includes the domain name suffix according to our internal domain name / dns zone.

    So this is not the solution.

    Best Regards

    Marc

  • In reply to MVo:

    Hello Marc,

    Sorry I did not understand your email. So it is working, but you are saying it is not a solution? Can you please explain the problem you are having?

    Regards,
    Ramesh

  • In reply to rmk_2018:

    Hello Ramesh

    I described my problem in detail in my post from October 25 above. My only problem is that the VPN clients do not register at our DNS server. So I cannot resolve any VPN clients from my internal network. It's not the same behaviour as we had with the SSL VPN Client, where all clients register on our DNS server.

    So again:

    • From the client side everything is okay. VPN client machines can resolve everything in our LAN.
    • I cannot ping a connected VPN client machine from the LAN by hostname (but pinging by IP address works).
    • No name resolution of the VPN clients (from the LAN) because of the missing DNS entry in the Windows DNS Server for the connected VPN client machines.

    Best Regards
    Marc

  • In reply to MVo:

    I have the same problem. The reason is probably that the Sophos Connect client creates a network connection without the "Register this connection's addresses in DNS" option selected, and therefore Windows does not even try to register the received VPN address on the domain DNS server. When I manually selected this option in the TCP/IP connection's advanced properties, everything worked fine.

    Unfortunately, automating the activation of this option is not easy. Microsoft does not provide any GPO setting for this. I only found this command in PowerShell:
    Set-DnsClient -InterfaceAlias 'VPN Name' -RegisterThisConnectionsAddress:$True
    but it has to be run only after the VPN connection has been established.

    But the best solution would be simply to improve the VPN client.

  • In reply to MichalKawecki:

    Thank you Michal. We have planned a fix for this in Sophos Connect 2.0 release in Q1 2020.

    Happy New Year to you

    Best Wishes,

    Ramesh

  • In reply to rmk_2018:

    I just hope that the improved version of the client will also be available for the older version of Sophos XG Firewall 17.x, because as I have sadly learned recently, the new version 18 will not support devices of the Cyberoam iNG series .... :-(

    While waiting for a new client, I found a solution. I created a new scheduled task that starts with a 30 s delay after detecting event 4004 in the Microsoft/Windows/NetworkProfile event log. Its action is a one-line command with the following content:
    powershell Get-NetAdapter -InterfaceDescription "Sophos*" | Where-Object {$_.Status -eq 'Up'} | Set-DnsClient -RegisterThisConnectionsAddress:$True; Register-DnsClient

    Happy New Year.
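As an added example (not part of MichalKawecki's post or any Sophos tooling), the following PowerShell creates the event-triggered scheduled task described above, with the delay on the trigger itself and a guard so that LAN/Wi-Fi state changes that also raise event 4004 do nothing. The adapter filter 'Sophos*', the script path C:\Scripts\Register-VpnDns.ps1 and the task name are assumptions.

```powershell
# Added example: event-triggered task that registers the Sophos Connect adapter in DNS.
# Assumed: adapter InterfaceDescription starts with "Sophos"; the script is stored at
# C:\Scripts\Register-VpnDns.ps1; the task runs as SYSTEM. Run once from an elevated shell.
$ScriptPath = 'C:\Scripts\Register-VpnDns.ps1'
$TaskName   = 'Register Sophos Connect adapter in DNS'

# Script body executed by the task. Event 4004 also fires for LAN/Wi-Fi changes, so it
# exits quietly unless a Sophos adapter is actually up.
$Body = @'
$adapters = Get-NetAdapter -InterfaceDescription 'Sophos*' |
            Where-Object { $_.Status -eq 'Up' }
if (-not $adapters) { return }
foreach ($a in $adapters) {
    $dns = Get-DnsClient -InterfaceIndex $a.ifIndex
    if (-not $dns.RegisterThisConnectionsAddress) {
        Set-DnsClient -InterfaceIndex $a.ifIndex -RegisterThisConnectionsAddress $true
    }
}
Register-DnsClient   # equivalent of ipconfig /registerdns
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $Body -Encoding UTF8

# New-ScheduledTaskTrigger cannot build event triggers, so create one via CIM:
# Microsoft-Windows-NetworkProfile/Operational, Event ID 4004, with a 30 s delay.
$Class   = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
                        -ClassName MSFT_TaskEventTrigger
$Trigger = New-CimInstance -CimClass $Class -ClientOnly
$Trigger.Enabled      = $true
$Trigger.Delay        = 'PT30S'
$Trigger.Subscription = @"
<QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
<Select Path="Microsoft-Windows-NetworkProfile/Operational">
*[System[Provider[@Name='Microsoft-Windows-NetworkProfile'] and EventID=4004]]
</Select></Query></QueryList>
"@

$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
             -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
                       -Principal $Principal -Settings $Settings -Force | Out-Null
```

After the next VPN connection, `Get-DnsClient -InterfaceIndex <Sophos adapter index>` should show RegisterThisConnectionsAddress set to True, and the host's A record should appear in the Windows DNS zone.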