
DNS Suffix not applying for hosts on different IP ranges

When users (even me) connect via the SSL VPN client there are certain webapps that will not load without the fqdn.


Examples:

https://app1 = Fine

https://app2 = Not Fine

https://app2.domain.local.com = Fine

You can ping and tracert "app2" and it resolves properly to the IP address.

The difference is that app1 is on 192.168.2.x while app2 is on 192.168.3.x

Remote Access > SSL > Remote Access Profile lists access to the 192.168.0.0/16

Remote Access > Advanced  - The DNS Servers are entered as well as the domain name for the DNS suffix (both DNS servers are on the 192.168.2.X) and I have verified that all of the non-working DNS names have their records properly mapped to the correct IP.


Network Services > DNS - "VPN Pool (SSL)" is allowed. 

Network Services > DNS > Request Routing - 3.168.192.in-addr.arpa is there and pointed to our domain controller group.


Everything appears to be configured correctly. Looking at an ipconfig /all on my home machine while connected to the SSL VPN shows the DNS suffix is there, and again I can ping and tracert using the DNS name and that works properly.

We are using split tunnel and the IPv4 metric on the virtual adapter is set to 1.

I've been fighting this for quite some time and looking at similar issues posted on the forums, but those appear to be issues with it not working at all. Our DNS works...except for things on a different IP range.




  • Hi and welcome to the UTM Community!

    I'll take a WAG and ask if your home network is in 192.168.0.0/16.  My usual recommendation is for internal subnets to be in the 172.16.0.0/12 range.  Reserve 192.168.0.0/16 for public hotspots and home users.  Reserve anything in 10.0.0.0/8 for giant multinationals, ISPs, etc.

    How have you defined "VPN Pool (SSL)" in the UTM?  Insert a picture of the Edit of the Web Filtering Profile that applies to remote users.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The VPN Pool (SSL) is defined in the range 10.242.2.0/24

    My home network does use 192.168.1.0/24 but I can access things on 192.168.2.x but not .3.x

    There is no Web Filtering Profile that explicitly lists the VPN Pool SSL; the default Web Filter Profile has allowed networks of 10.0.0.0/8, 192.168.0.0/16 and our public wifi network of 172.15.0.0/22
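The checks Bob is walking through above (does the short name pick up the suffix, does the destination sit inside the networks the remote access profile pushes, and does the VPN pool fall inside the web filter's allowed networks) can be scripted against the values the original post and the reply give. The following is an added example written for this thread, not Sophos code and not anything from the UTM itself. The network ranges come from the posts; the host-to-address zone entries and the `domain.local.com` records are constructed stand-ins so the script runs offline, and the UTM does not expose any such API.

```python
import ipaddress
from typing import Dict, List, Optional

# Configuration as stated in the thread (constructed here, not read from a live UTM).
VPN_POOL = ipaddress.ip_network("10.242.2.0/24")                      # "VPN Pool (SSL)"
REMOTE_ACCESS_NETWORKS = {                                             # Remote Access > SSL > profile
    "Remote Access Profile": [ipaddress.ip_network("192.168.0.0/16")],
}
WEB_FILTER_ALLOWED = [ipaddress.ip_network(n) for n in                 # default Web Filter Profile
                      ("10.0.0.0/8", "192.168.0.0/16", "172.15.0.0/22")]
DNS_SUFFIX_SEARCH_LIST = ["domain.local.com"]                          # pushed by Remote Access > Advanced

# Constructed stand-in for the internal zone; the addresses are hypothetical.
FAKE_ZONE: Dict[str, str] = {
    "app1.domain.local.com": "192.168.2.10",
    "app2.domain.local.com": "192.168.3.10",
}


def candidate_fqdns(name: str, search_list: List[str]) -> List[str]:
    """Names a stub resolver tries for `name`, in order.

    A trailing dot means absolute; a dotted name is tried as-is; a single
    label gets each search suffix appended, then is tried bare.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    if "." in name:
        return [name]
    return [f"{name}.{suffix}" for suffix in search_list] + [name]


def resolve(name: str) -> Optional[str]:
    """Offline lookup against FAKE_ZONE using the suffix search order."""
    for fqdn in candidate_fqdns(name, DNS_SUFFIX_SEARCH_LIST):
        if fqdn in FAKE_ZONE:
            return FAKE_ZONE[fqdn]
    return None


def routed_by(ip: str) -> List[str]:
    """Remote access profiles whose pushed networks contain `ip`."""
    addr = ipaddress.ip_address(ip)
    return [profile for profile, nets in REMOTE_ACCESS_NETWORKS.items()
            if any(addr in net for net in nets)]


def web_filter_allows_pool() -> bool:
    """True when the whole VPN pool lies inside a web filter allowed network."""
    return any(VPN_POOL.subnet_of(net) for net in WEB_FILTER_ALLOWED)


def diagnose(name: str) -> dict:
    """Walk the three checks for one short name and collect findings."""
    ip = resolve(name)
    result = {
        "name": name,
        "tried": candidate_fqdns(name, DNS_SUFFIX_SEARCH_LIST),
        "ip": ip,
        "routed_by": routed_by(ip) if ip else [],
        "web_filter_allows_pool": web_filter_allows_pool(),
        "findings": [],
    }
    if ip is None:
        result["findings"].append("no DNS answer for any candidate name")
        return result
    if not result["routed_by"]:
        result["findings"].append("destination is not inside any remote access network")
    if not result["web_filter_allows_pool"]:
        result["findings"].append("VPN pool is not inside the web filter allowed networks")
    if not result["findings"]:
        result["findings"].append("DNS, routing and allowed networks look fine; check the web filter log")
    return result


if __name__ == "__main__":
    for host in ("app1", "app2", "app2.domain.local.com"):
        r = diagnose(host)
        print(f"{host}: tried={r['tried']} ip={r['ip']} routed_by={r['routed_by']}")
        for f in r["findings"]:
            print(f"  - {f}")
```

Run as-is it reports that both app1 and app2 resolve through the suffix, that both addresses sit inside the 192.168.0.0/16 pushed by the profile, and that 10.242.2.0/24 is inside 10.0.0.0/8, which is why the next thing to look at is the web filter log line for the failing request rather than DNS.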


  • Copy a line here from the log where the access to https://app2 is blocked.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA