This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PetterD
Collaborator
‎2021-01-13 04:04 AM

Check Point Capsule VPN - DNS Resolving issue

Hello,

Im having an issue with Check Point Capsule VPN (Windows Store) Client and resolving external dns-names.

We have a customer that uses Check Point Capsule VPN Client and have defined Office Mode DNS-servers, internal DNS-suffix etc. Customer also uses "Route all traffic" via the VPN-gateway (required).

Solution has been working fine for the users that have tested this in a PoC but now the have went into production several uses complain about multiple external internet-sites that doesnt work.

Checking known limitations, capsule VPN Admin guide etc we find no settings that should impact this, but in sk112164 we see that:


"Windows 8.1 Plugin and Capsule VPN app for Windows 10 can only resolve host names whose domain suffix is configured in the Office Mode Optional Param"

So the issue we are having is that Capsule VPN ignores the Office Mode DNS-servers for lookups to external hosts and uses each clients-local DNS-server, where some of these DNS-servers rejects DNS-queries from the Firewall they connect via..

This seems like a "logical flaw" in the use of Capsule VPN and "Route All" and causes us a major headache...
A service request has been created with TAC waiting for input.


Anyone have any experience with / any input on if we can solve this somehow without changing local DNS-servers on a few thousand users that already uses Capsule VPN for multiple Check Point gateways or switch to another client ? 

 

Thanks! 🙂

 

Regards.
Petter

CCSM / CCSE / CCVS / CCTE
0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2021-01-13 08:03 PM

Keep in mind that Capsule VPN is merely a wrapper for the VPN functionality built into Windows 10.
I’m guessing that’s where this particular limitation stems from.

0 Kudos
PetterD
Collaborator
‎2021-01-20 05:13 AM
In response to PhoneBoy

Hello, 

Yes, the limitation stems from Windows limitations on third party VPN Clients.
We were looking for a workaround, and with help from local office we may have seem to found one, by replacing the Office Mode Domain with "."

Its not a very well documented limitation for the client and doesnt work very well with the "Route All" functionality that is supported from the client.
Currently testing the workaround in production, but so far it looks good. Its not "officially supported" by Check Point but it seems to do the trick for now 🙂

CCSM / CCSE / CCVS / CCTE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events