https://community.checkpoint.com/t5/SASE-and-Remote-Access/per-client-DNS-Server-selection/m-p/254131#M1733 <P>I resolved this by changing the interface metric on the checkpoint mobile client to be higher.&nbsp;</P> Mon, 28 Jul 2025 18:08:48 GMT Sam2 2025-07-28T18:08:48Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/per-client-DNS-Server-selection/m-p/254125#M1732 <P>We are looking to migrate from our current recursive dns provider to a new one. Both providers provide a roaming agent that allows our sec teams to approve/deny access to specific domains by user.&nbsp;<BR /><BR />We currently disable our roaming agent when the checkpoint vpn connects and force all dns to our on-premise dns servers. With our new client we are looking to keep it enabled and only send DNS traffic to the VPN if it matches our domain.&nbsp;<BR /><BR />We have 3 VPN solutions deployed. SNX, Checkpoint Mobile, and Capsule Connect.&nbsp;<BR /><BR />Is there a way to force DNS servers by client? I want both SNX and Capsule to be provided with DNS servers via office mode but not Checkpoint Mobile.&nbsp; I have looked at ipassignment.conf but that only allows for LDAP groups. We typically only use SNX for external contractors, so LDAP would apply fine, but capsule is used by employees, and if I use an LDAP group for them it will prevent the roaming agent from functioning on the users assigned to a capsule related LDAP group.&nbsp;<BR /><BR /><BR /></P> Mon, 28 Jul 2025 16:51:40 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/per-client-DNS-Server-selection/m-p/254125#M1732 Sam2 2025-07-28T16:51:40Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/per-client-DNS-Server-selection/m-p/254131#M1733 <P>I resolved this by changing the interface metric on the checkpoint mobile client to be higher.&nbsp;</P> Mon, 28 Jul 2025 18:08:48 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/per-client-DNS-Server-selection/m-p/254131#M1733 Sam2 2025-07-28T18:08:48Z