https://community.checkpoint.com/t5/SASE-and-Remote-Access/Check-Point-Capsule-VPN-DNS-Resolving-issue/m-p/108302#M9338 <P>Hello,&nbsp;</P><P>Yes, the limitation stems from Windows limitations on third party VPN Clients.<BR />We were looking for a workaround, and with help from local office we may have seem to found one, by replacing the Office Mode Domain with "."</P><P>Its not a very well documented limitation for the client and doesnt work very well with the "Route All" functionality that is supported from the client.<BR />Currently testing the workaround in production, but so far it looks good. Its not "officially supported" by Check Point but it seems to do the trick for now&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 20 Jan 2021 13:18:23 GMT PetterD 2021-01-20T13:18:23Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Check-Point-Capsule-VPN-DNS-Resolving-issue/m-p/107704#M9336 <P>Hello,</P><P>Im having an issue with Check Point Capsule VPN (Windows Store) Client and resolving external dns-names.</P><P>We have a customer that uses Check Point Capsule VPN Client and have defined Office Mode DNS-servers, internal DNS-suffix etc. Customer also uses "Route all traffic" via the VPN-gateway (required).</P><P>Solution has been working fine for the users that have tested this in a PoC but now the have went into production several uses complain about multiple external internet-sites that doesnt work.</P><P>Checking known limitations, capsule VPN Admin guide etc we find no settings that should impact this, but in sk112164 we see that:</P><P><BR />"Windows 8.1 Plugin and Capsule VPN app for Windows 10 can only resolve host names whose domain suffix is configured in the Office Mode Optional Param"</P><P>So the issue we are having is that Capsule VPN ignores the Office Mode DNS-servers for lookups to external hosts and uses each clients-local DNS-server, where some of these DNS-servers rejects DNS-queries from the Firewall they connect via..</P><P>This seems like a "logical flaw" in the use of Capsule VPN and "Route All" and causes us a major headache...<BR />A service request has been created with TAC waiting for input.</P><P><BR />Anyone have any experience with / any input on if we can solve this somehow without changing local DNS-servers on a few thousand users that already uses Capsule VPN for multiple Check Point gateways or switch to another client ?&nbsp;</P><P>&nbsp;</P><P>Thanks! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Regards.<BR />Petter</P> Wed, 13 Jan 2021 12:04:05 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Check-Point-Capsule-VPN-DNS-Resolving-issue/m-p/107704#M9336 PetterD 2021-01-13T12:04:05Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Check-Point-Capsule-VPN-DNS-Resolving-issue/m-p/107777#M9337 <P>Keep in mind that Capsule VPN is merely a wrapper for the VPN functionality built into Windows 10.<BR />I’m guessing that’s where this particular limitation stems from.</P> Thu, 14 Jan 2021 04:03:45 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Check-Point-Capsule-VPN-DNS-Resolving-issue/m-p/107777#M9337 PhoneBoy 2021-01-14T04:03:45Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Check-Point-Capsule-VPN-DNS-Resolving-issue/m-p/108302#M9338 <P>Hello,&nbsp;</P><P>Yes, the limitation stems from Windows limitations on third party VPN Clients.<BR />We were looking for a workaround, and with help from local office we may have seem to found one, by replacing the Office Mode Domain with "."</P><P>Its not a very well documented limitation for the client and doesnt work very well with the "Route All" functionality that is supported from the client.<BR />Currently testing the workaround in production, but so far it looks good. Its not "officially supported" by Check Point but it seems to do the trick for now&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 20 Jan 2021 13:18:23 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Check-Point-Capsule-VPN-DNS-Resolving-issue/m-p/108302#M9338 PetterD 2021-01-20T13:18:23Z