Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PetterD
Explorer

Check Point Capsule VPN - DNS Resolving issue

Hello,

Im having an issue with Check Point Capsule VPN (Windows Store) Client and resolving external dns-names.

We have a customer that uses Check Point Capsule VPN Client and have defined Office Mode DNS-servers, internal DNS-suffix etc. Customer also uses "Route all traffic" via the VPN-gateway (required).

Solution has been working fine for the users that have tested this in a PoC but now the have went into production several uses complain about multiple external internet-sites that doesnt work.

Checking known limitations, capsule VPN Admin guide etc we find no settings that should impact this, but in sk112164 we see that:


"Windows 8.1 Plugin and Capsule VPN app for Windows 10 can only resolve host names whose domain suffix is configured in the Office Mode Optional Param"

So the issue we are having is that Capsule VPN ignores the Office Mode DNS-servers for lookups to external hosts and uses each clients-local DNS-server, where some of these DNS-servers rejects DNS-queries from the Firewall they connect via..

This seems like a "logical flaw" in the use of Capsule VPN and "Route All" and causes us a major headache...
A service request has been created with TAC waiting for input.


Anyone have any experience with / any input on if we can solve this somehow without changing local DNS-servers on a few thousand users that already uses Capsule VPN for multiple Check Point gateways or switch to another client ? 

 

Thanks! 🙂

 

Regards.
Petter

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

Keep in mind that Capsule VPN is merely a wrapper for the VPN functionality built into Windows 10.
I’m guessing that’s where this particular limitation stems from.

0 Kudos
PetterD
Explorer

Hello, 

Yes, the limitation stems from Windows limitations on third party VPN Clients.
We were looking for a workaround, and with help from local office we may have seem to found one, by replacing the Office Mode Domain with "."

Its not a very well documented limitation for the client and doesnt work very well with the "Route All" functionality that is supported from the client.
Currently testing the workaround in production, but so far it looks good. Its not "officially supported" by Check Point but it seems to do the trick for now 🙂

0 Kudos