
Sophos Connect vs DNS

So I finished all the instructions as posted on page https://community.sophos.com/kb/en-us/133109

Downloaded the client and exported the configuration. Set up the client and finally made a connection.

So far so good. I can ping hosts on the internal network by IP address, however I can't seem to reach hosts by their name.

I did enter the IP of the DNS server, but somehow hosts aren't being resolved.

Any thoughts or pointers on this?

Thanks, Peter-Paul



  • Observed the same issue with my installation.

    Already reported this issue to the dev Team. They could reproduce it and will fix it in the next version. (ETA should be next week)

    __________________________________________________________________________________________________________________

  • This issue is caused by not putting a Connection DNS Suffix on the connection. As a temporary workaround you can configure a GPO to deploy the primary DNS suffix of your domain.

    This GPO element can be found in Computer Settings > Policies > Administrative Templates > Network > DNS Client > Primary DNS Suffix.

    This will help in many areas :)

    Emile

  • Hello Leet,

    Can you please list the steps and settings that make it work on SSL VPN? I would like to see why it is not working with Sophos Connect.

    Thank you,

    Ramesh

  • Hello Peter,

    Can you please list the steps and settings that make it work on SSL VPN? I would like to see why it is not working with Sophos Connect.

    Thank you,

    Ramesh

  • Unknown said:

    Hello Leet,

    Can you please list the steps and settings that make it work on SSL VPN? I would like to see why it is not working with Sophos Connect.

    Thank you,

    Ramesh

    I haven't had a single minute to try to diagnose this further yet, and I'm not comfortable posting the logs publicly with company info in them.

    SSL VPN works with nearly the exact same settings as Sophos Connect.

    Neither works for domain resources initially. When I try to go to \\server.domain.local it doesn't work. None of my network drives can connect either.

    HOWEVER, on the SSL VPN, on the XG admin webpage, I have to go to "Show VPN Settings" >>> "SSL VPN" and specify "Domain Name" as "domain.local".

    After doing that, SSL VPN works for domain resources; however, Sophos Connect does not, and it doesn't have a setting for me to specify a domain.

  • Thank you Leet for this information. Have you tried the suggestion from Emile? Please let us know if that works.

     

    Ramesh

  • What is the correct way to handle DNS suffix search in the Sophos Connect VPN so that users can reach internal systems by hostname on their own personal devices, which we can't touch with GPO, without manually adding internal domains to the DNS suffix search list?

  • Hello Momentum,

    In the Sophos Connect Client policy you configure on XG, you will assign DNS server 1 and DNS server 2 (if available). After the tunnel is established, all hostname lookups will be sent down the tunnel and the internal DNS server should resolve the internal systems by hostname.

    Please let us know if this works for you.

    Ramesh

  • Hi Ramesh

    Configuring the DNS servers is only part of the requirements for friendly name resolution. You also need to be able to configure the DNS suffix (or better, a list of suffixes) for the connection. Configuring the suffix list to include "example.com" allows someone to connect to the server "server01.example.com" using just the short name server01. The configured DNS suffix is automatically added to the end of the name if the name is incomplete.

    Most VPNs do this automatically - but the lack of documentation on the TGB and SCX file formats means we can't reverse-engineer it easily, and it's not exposed in the firewall or admin UIs.

    It's also worth noting that at least for me, I had to manually create a firewall rule to permit communication from the VPN to the internal networks - it wasn't automatically provisioned when I completed the Sophos Connect configuration on the firewall.
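
What the two posts above describe, done by hand on the client: the following is an added example written for this page by the editor; it is not code from this thread, from Sophos, or from the Sophos Connect client. It gives the VPN adapter the connection-specific DNS suffix that the SSL VPN client pushes and Sophos Connect 1.2 does not, sets the machine-wide suffix search list (the setting Emile's GPO deploys), and then checks that a short name resolves to the same address the tunnel DNS server returns for the FQDN. Assumed values, none of them from the thread except the DNS server: the Sophos TAP adapter is named Ethernet 3, the DNS server pushed by the policy is 192.168.200.1, the internal zone is example.com and server01 is a host in it.

```powershell
# Added example by the editor, not Sophos code and not from this thread.
# Gives the VPN adapter the connection-specific DNS suffix that the SSL VPN
# client pushes and Sophos Connect 1.2 does not, sets the machine-wide search
# list (what Emile's GPO deploys), and checks that a short name now resolves.
# Assumed: TAP adapter "Ethernet 3", policy DNS 192.168.200.1, zone
# example.com, host server01. Run elevated with the tunnel connected.
#Requires -RunAsAdministrator
param(
    [string]   $VpnAdapter  = 'Ethernet 3',
    [string]   $InternalDns = '192.168.200.1',
    [string[]] $Suffixes    = @('example.com'),
    [string]   $ShortName   = 'server01'
)

function Get-ARecords([string]$Name, [string]$Server) {
    # A records for $Name; with -Server the query goes to that server only,
    # without it the Windows resolver (and its suffix handling) is used.
    $query = @{ Name = $Name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }
    @(Resolve-DnsName @query | Where-Object Type -eq 'A')
}

# 1. Record the current state so the change can be reverted.
$before = Get-DnsClient -InterfaceAlias $VpnAdapter
$list   = (Get-DnsClientGlobalSetting).SuffixSearchList -join ','
Write-Host "before: connection suffix='$($before.ConnectionSpecificSuffix)' search list='$list'"

# 2. Per-adapter suffix: Windows appends it to unqualified names while this
#    adapter is up. It goes away with the adapter, unlike the global list.
Set-DnsClient -InterfaceAlias $VpnAdapter -ConnectionSpecificSuffix $Suffixes[0]

# 3. Machine-wide search list: needed when more than one internal zone must be
#    searched. This is the setting the GPO in this thread manages.
Set-DnsClientGlobalSetting -SuffixSearchList $Suffixes

# 4. Verify. The reference answer comes from the tunnel DNS server asked
#    directly by FQDN; the test answer is the system resolver given only the
#    short name. The record's Name field shows which FQDN the resolver tried.
Clear-DnsClientCache
$fqdn      = '{0}.{1}' -f $ShortName, $Suffixes[0]
$reference = Get-ARecords -Name $fqdn -Server $InternalDns
$viaSuffix = Get-ARecords -Name $ShortName

if ($reference.Count -eq 0) {
    Write-Warning "$InternalDns does not answer for $fqdn; fix the tunnel or the DNS server before testing suffixes"
} elseif ($viaSuffix.Count -eq 0) {
    Write-Warning "'$ShortName' did not resolve at all; no suffix was appended"
} elseif ($viaSuffix[0].Name -ne $fqdn -or (Compare-Object $reference.IPAddress $viaSuffix.IPAddress)) {
    Write-Warning ("'{0}' resolved as {1} -> {2}, but {3} says {4}: another DNS server answered first" -f `
        $ShortName, $viaSuffix[0].Name, ($viaSuffix.IPAddress -join ','), $InternalDns, ($reference.IPAddress -join ','))
} else {
    Write-Host "OK: '$ShortName' -> $($viaSuffix[0].Name) -> $($viaSuffix.IPAddress -join ',')"
}
```

The last branch is the one that matters for this thread: a short name can be appended correctly and still come back with the wrong address if the physical adapter's DNS server answered, so the check compares against the tunnel server's answer rather than just testing that something resolved. To revert, run Set-DnsClient with -ConnectionSpecificSuffix '' and Set-DnsClientGlobalSetting with the previous search list.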

  • rmk_2018 said:

    Hello Momentum,

    In the Sophos Connect Client policy you configure on XG, you will assign DNS server 1 and DNS server 2 (if available). After the tunnel is established, all hostname lookups will be sent down the tunnel and the internal DNS server should resolve the internal systems by hostname.

    Please let us know if this works for you.

    Ramesh

    Not getting good results for DNS lookups on a Win10 version 1803 build 17134.706 client I'm testing with XG210_WP03_SFOS 17.5.4 MR-4-1 and Sophos Connect client XG pattern 1.2.001, Windows application version 1.2.5.0202. With Sophos Connect successfully connected, all DNS lookups end up going to the local Ethernet adapter's DNS server instead of the XG tunnel DNS server. The result is that lookups for hosts on the internal company domain are being sent out to the wrong public DNS server and resolve incorrectly. nslookup queries without manually specifying the internal XG DNS server go to the physical Ethernet adapter's DNS server. The XG internal DNS server IP specified in the Sophos Connect config XG page is reachable over the VPN, pings, and if I manually specify that IP in an nslookup query it does return the expected result for internal hostnames or FQDNs resolving to the internal IPs.

    Disabling IPv6 on the client's Ethernet adapter and Sophos TAP adapter, and also adding the internal domain name as either the Sophos TAP connection-specific DNS suffix or in the DNS suffix search list, have been tried with no change. We are using split tunnel in the scx config with internal subnets defined. The wireless adapter is disabled on the client. What's the client's logic for how internal DNS lookups should be routed?


     Windows IP Configuration
       Host Name . . . . . . . . . . . . : ABCD-1234
       Primary Dns Suffix  . . . . . . . : mydomain1.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : mydomain1.com
                                           mydomain2.com


    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Ethernet Connection (2) I219-LM
       Physical Address. . . . . . . . . : 84-****
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.0.0.188(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, April 24, 2019 11:02:30 AM
       Lease Expires . . . . . . . . . . : Thursday, April 25, 2019 11:54:04 AM
       Default Gateway . . . . . . . . . : 10.0.0.1
       DHCP Server . . . . . . . . . . . : 10.0.0.1
       DNS Servers . . . . . . . . . . . : 10.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Ethernet 3:
       Connection-specific DNS Suffix  . : mydomain2.com
       Description . . . . . . . . . . . : Sophos TAP Adapter
       Physical Address. . . . . . . . . : 00-FF-F7-11-F6-B0
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.99.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 192.168.200.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    scx file:

    {
        "name":    "TEST1",
        "managed":    false,
        "version":    1,
        "gateway":    "something.mydomain.com",
        "vip":    "0.0.0.0",
        "auto_connect":    {
            "required":    false,
            "enabled":    false
        },
        "proposals":    "aes256-sha2_256-modp1024",
        "dpd_delay":    60,
        "rekey_time":    15300,
        "start_action":    "none",
        "local_auth":    {
            "psk":    {
                "id":    "0.0.0.0"
            },
            "xauth":    {
                "can_save":    false
            },
            "otp":    true
        },
        "remote_auth":    {
            "psk":    {
                "id":    "%any",
                "secret":    "******************"
            },
            "otp":    false
        },
        "child":    {
            "rekey_time":    3060,
            "remote_ts":    [
                "*********************"
            ]
        }
    }

  • Hello Momentum,

    When you enter nslookup in your DOS command window, what DNS server is it using? Is that the correct DNS server as assigned in the policy? Then when you do a lookup for an internal hostname (note that you have to specify the FQDN for the hostname), are you getting back a response?

    Please let us know.

    Ramesh

  • FYI - I edited my post before this one, prior to seeing your response, to include some more details.

    With debug enabled in nslookup it's verified that it's sending all lookups to the 10.0.0.1 DHCP-allocated DNS server on the physical Ethernet adapter rather than the IP of the DNS server from the Sophos Connect configuration. Internal servers can still be pinged or accessed fine across the VPN by IP. Internal hosts resolve OK by nslookup internalhostname (XG LAN interface IP address here) or nslookup internalhostname.mydomain2.com (XG LAN interface IP address here). The same XG LAN interface IP is specified in the VPN >> Sophos Connect configuration XG page.

  • Partially answering my own question: I found that manually setting a metric of 10 on the Sophos TAP adapter (Ethernet 3 in the ipconfig shown above) solves or works around this issue on Windows 10. DNS lookups then go to the internal DNS server specified in the Sophos Connect policy and are resolving correctly. This approach was based on https://www.petenetlive.com/KB/Article/0001402


    before:

    C:\>netstat -rn
    ===========================================================================
    Interface List
      6...***** ......Intel(R) Ethernet Connection (2) I219-LM
     12...00 ff f7 11 f6 b0 ......Sophos TAP Adapter
      1...........................Software Loopback Interface 1
    ===========================================================================

     

    after:

    C:\>netstat -rn
    ===========================================================================
    Interface List
     12...00 ff f7 11 f6 b0 ......Sophos TAP Adapter
      6...****** ......Intel(R) Ethernet Connection (2) I219-LM
      1...........................Software Loopback Interface 1
    ===========================================================================
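
The same metric change made from PowerShell instead of the adapter properties dialog, with a check that does not depend on nslookup: this is an added example written for this page by the editor, not code from this thread or from Sophos. It lists the connected IPv4 interfaces in metric order together with the DNS servers each one carries, pins the TAP adapter to metric 10, and then compares the system resolver's answer for an internal FQDN with what the tunnel DNS server returns when asked directly. Assumed values: the TAP adapter is Ethernet 3, the policy DNS server is 192.168.200.1 (both taken from the ipconfig output above) and server01.example.com is a host that only the internal DNS server knows.

```powershell
# Added example by the editor, not Sophos code and not from this thread.
# Lists the IPv4 interfaces in metric order with the DNS servers each one
# carries, pins the Sophos TAP adapter to metric 10 (the workaround above),
# and checks that the system resolver now returns the same answer for an
# internal FQDN as the tunnel DNS server does when asked directly.
# Assumed: TAP adapter "Ethernet 3", policy DNS 192.168.200.1, internal host
# server01.example.com. Run elevated with the tunnel connected.
#Requires -RunAsAdministrator
param(
    [string] $VpnAdapter  = 'Ethernet 3',
    [string] $InternalDns = '192.168.200.1',
    [string] $TestFqdn    = 'server01.example.com',
    [int]    $Metric      = 10
)

function Show-DnsOrder {
    # The resolver prefers the interface with the lowest metric. With
    # "Automatic metric" Windows derives it from link speed, so a gigabit NIC
    # (metric 25) ends up ahead of the TAP adapter and its DNS server gets
    # the queries.
    Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
        Sort-Object InterfaceMetric |
        ForEach-Object {
            $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4).ServerAddresses -join ','
            '{0,3}  {1,-28} metric {2,-5} dns {3}' -f $_.ifIndex, $_.InterfaceAlias, $_.InterfaceMetric, $dns
        }
}

function Get-AAddresses([string]$Name, [string]$Server) {
    # A-record addresses for $Name; with -Server the query goes to that
    # server only, without it the Windows resolver picks the server.
    $query = @{ Name = $Name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }
    @(Resolve-DnsName @query | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
}

Write-Host '--- before ---'; Show-DnsOrder

# An explicit metric switches AutomaticMetric off for this interface. 10 is
# below the 25 a gigabit NIC gets automatically; lower it further if the
# physical NIC is faster than that.
Set-NetIPInterface -InterfaceAlias $VpnAdapter -AddressFamily IPv4 -InterfaceMetric $Metric

Write-Host '--- after ---'; Show-DnsOrder

# Verify without nslookup: nslookup chooses a server and queries it on its
# own, while Resolve-DnsName with no -Server goes through the Windows
# resolver the same way ping and a browser do.
Clear-DnsClientCache
$expected = Get-AAddresses -Name $TestFqdn -Server $InternalDns
$actual   = Get-AAddresses -Name $TestFqdn

if ($expected.Count -eq 0) {
    Write-Warning "$InternalDns did not answer for $TestFqdn over the tunnel; check the firewall rule from the VPN network"
} elseif ($actual.Count -eq 0 -or (Compare-Object $expected $actual)) {
    Write-Warning "MISMATCH: resolver gave '$($actual -join ',')', tunnel DNS gives '$($expected -join ',')'; the query still went out another adapter"
} else {
    Write-Host "OK: $TestFqdn -> $($actual -join ',') matches $InternalDns"
}
```

The MISMATCH branch is exactly the symptom reported in this thread: an internal name answered by the public resolver on the physical adapter, which is why ipconfig /flushdns alone does not help. Setting the metric is an interface property rather than a per-connection one, and it also makes the TAP adapter win routing ties, which only matters if both interfaces carry a route to the same prefix.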

  • I have been following this thread for a while, as I've had the same issue and not much time to investigate myself. After a few hours of trying to get it to work, I set up SSL VPN again and have been using it ever since.

    Upon changing the metric as you stated, it does fix the issue. I'm not sure it counts as a permanent fix, as I believe the client should be doing this automatically, just like the SSL VPN client.

  • Thank you LeetJN and momentum for the data. I will analyze them and see if there is a fix for it in the client. Is it possible for you to append a route print output from before the connection is enabled and then a route print output from after the tunnel is established? This will help.

    Thank you again for your feedback.

    Ramesh

  • Hello momentum,

    Sorry, I misunderstood the problem. In fact there is no problem with the Sophos Connect client. When you specifically do nslookup it uses the DNS server assigned to the physical adapter. But when you do web browsing or ping by FQDN, then Windows will broadcast to all the DNS servers and will use the valid reply from the first one. So that is the test I would request you to do, and not the nslookup test. Also, in nslookup you can assign a specific DNS server to use, so assign the internal DNS server and do the test. That will work.

    In other words, with Sophos Connect Client 1.2 a hostname will be resolved ONLY if it is a FQDN.

    I hope this helps,

    Ramesh

  • Hello LeetJN,

    I am not sure what problems you ran into with Sophos Connect 1.2. Yes, in the current release you cannot resolve just by hostname because the policy does not configure a DNS suffix. The SSL VPN configuration has a setting for the DNS suffix. For now you need to use FQDNs to resolve hostnames.

    I hope this helps.

    Ramesh

  • rmk_2018 said:

    Sorry, I misunderstood the problem. In fact there is no problem with the Sophos Connect client. When you specifically do nslookup it uses the DNS server assigned to the physical adapter. But when you do web browsing or ping by FQDN, then Windows will broadcast to all the DNS servers and will use the valid reply from the first one. So that is the test I would request you to do, and not the nslookup test. Also, in nslookup you can assign a specific DNS server to use, so assign the internal DNS server and do the test. That will work.

    Was seeing the same results from ping, with pings going to the incorrectly resolved IP returned by the wrong DNS server. ipconfig /flushdns didn't seem to help. This appeared to be resolved after changing the Sophos TAP adapter metric.

  • Hello momentum,

    Is this a Windows 10 issue with some configuration that is causing this? We have multiple systems in the lab (Windows 10 and Windows 7) that are used in tests and we do not have this problem.

    Can you run Wireshark and capture traffic so we can actually see where the packets are sent to?

    Ramesh

  • Hello momentum,

    Thank you for all the data you provided. Yes, it is a problem and it will be fixed in the next EAP2, which will likely be out by the end of this month.

    Regards,
    Ramesh

  • Hello momentum,

    Sophos Connect 1.3 is released and it is now available on your firewall via pattern update. You can go to System->Backup & Firmware->Pattern Updates and click "Pattern update now" to download it in case it is not there already.

    Please do let us know how this new version works for you after a week of usage. We are looking for feedback from customers for this new release.

    Thank you,

    Ramesh

  • It populated in the pattern updates, and the 1.3.65.0614 client shows good initial results on Win10 for the TAP metric, the Connection-specific DNS Suffix from the scx config, and internal DNS lookups. Thanks