This topic provides guidelines when you use BloxOne Endpoint in conjunction with third-party VPN software. When using certain VPN software, you might need to take extra steps or considerations to ensure compatibility with BloxOne Endpoint. 

Information provided in this topic serves as guidelines only. It does not serve as an official list of supported or unsupported VPN software for BloxOne Endpoint.

Note

When you use BloxOne Endpoint with a VPN client, ensure that the VPN connection is established in the split-tunnel mode for every network protocol (IPv4 or IPv4/IPv6 for dual stack). If you have internal domains that are served by your local DNS servers and you want to reach them without interruption, you can consider adding them to the bypassed internal domain list, so that the DNS queries for these internal domains are sent to the local DNS servers instead of BloxOne Threat Defense Cloud. For more information about BloxOne Endpoint, see Endpoint Management.

The following table lists commonly used third-party VPN software and its compatibility with BloxOne Endpoint.

Third-Party VPN

Compatibility Description

Known Issues

Appgate VPN

BloxOne Endpoint is compatible with Appgate VPN in the split-tunnel mode.

Note: BloxOne Endpoint supports Appgate SDP v5.3.2 or higher.

N/A
Check Point VPN

BloxOne Endpoint is compatible with Check Point VPN in the split-tunnel mode.

BloxOne Endpoint is not compatible with Check Point VPN in the full-tunnel mode.

N/A
Cisco AnyConnect VPN

BloxOne Endpoint is compatible only with the Internet portion of AnyConnect VPN in the split-tunnel mode.

BloxOne Endpoint is not compatible with AnyConnect in the full-tunnel mode.

N/A

F5 VPN

BloxOne Endpoint is not compatible with F5 VPN.

N/A
Fortinet FortiClient VPN

BloxOne Endpoint is not compatible with Fortinet FortiClient VPN.

N/A

McAfee Web Gateway Proxy

BloxOne Endpoint is partially compatible with the McAfee Web Gateway Proxy.

Some of the features, such as block redirect or bypass redirect, might not function properly.

Issue: When the McAfee Web Gateway proxy is enabled, all traffic goes through the proxy. Some of the features, such as block redirect and bypass redirect, might not function properly.

Workaround: Add the redirect IPs to the McAfee proxy bypass list. That way, the proxy is allowed to get the contents from the redirect IP during the HTTP(S) GET requests for block domains.

OpenVPN

BloxOne Endpoint is compatible with OpenVPN clients with the following configuration:

  • Create an .ovpn file and import the .ovpn file into the OpenVPN client. For an example of an .ovpn file, click here.
  • When using an OpenVPN server, ensure that persist-tun is not enabled on the server side, so that network changes are triggered during disconnect or reconnect.  

N/A
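As an added example (not Infoblox's or OpenVPN's own code), the following Python checker applies the two OpenVPN rules above to a profile or server configuration: it flags a redirect-gateway directive (full tunnel), flags persist-tun, and checks that a server-pushed redirect-gateway would be ignored by the client. The two sample profiles and the vpn.example.com hostname are constructed for the example.

```python
import shlex

# Constructed split-tunnel client profile (placeholder server name); not from the page.
SPLIT_TUNNEL_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194   # placeholder server
pull-filter ignore "redirect-gateway"
route 10.0.0.0 255.0.0.0
persist-key
verb 3
"""

# Constructed full-tunnel profile with the two settings the guidance above warns about.
FULL_TUNNEL_PROFILE = """\
client
dev tun
redirect-gateway def1
persist-tun
"""


def parse_directives(profile_text):
    """Return (directive, args) tuples, skipping blank lines and '#'/';' comments."""
    directives = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            tokens = shlex.split(line)  # also strips the quotes around pull-filter text
            directives.append((tokens[0], tokens[1:]))
    return directives


def check_profile(profile_text):
    """Return a list of findings; an empty list means the profile follows the guidance."""
    directives = parse_directives(profile_text)
    names = {name for name, _ in directives}
    findings = []
    if "redirect-gateway" in names:
        findings.append("redirect-gateway present: full-tunnel profile is not supported")
    # route-nopull, or a pull-filter whose text is a prefix of "redirect-gateway",
    # prevents a server push of redirect-gateway from turning this into a full tunnel.
    ignores_pushed_redirect = "route-nopull" in names or any(
        name == "pull-filter" and len(args) >= 2 and args[0] == "ignore"
        and "redirect-gateway".startswith(args[1]) for name, args in directives)
    if not ignores_pushed_redirect:
        findings.append("no route-nopull/pull-filter: a pushed redirect-gateway would force full tunnel")
    if "persist-tun" in names:
        findings.append("persist-tun present: network changes are not triggered on disconnect/reconnect")
    return findings
```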

Palo Alto GlobalProtect VPN

BloxOne Endpoint is compatible with Palo Alto GlobalProtect VPN in the split-tunnel mode on Windows devices only.

BloxOne Endpoint is not compatible with Palo Alto GlobalProtect VPN on macOS devices.

Issue: Except for version 3.1.3, Palo Alto GlobalProtect VPN (for Windows only) cannot start or connect while using BloxOne Endpoint.

Workaround: Start or enable BloxOne Endpoint AFTER starting or connecting GlobalProtect.

Pulse Connect Secure VPN

BloxOne Endpoint is partially compatible with Pulse Connect Secure VPN. 

Some of the features, such as block redirect or bypass redirect, might not function properly.

Issue: When BloxOne Endpoint is enabled in the recommended configuration for any domains in the browser, the queries go to both client DNS and Pulse Secure DNS without going through BloxOne Endpoint. Even though BloxOne responds correctly with the redirect IP, other DNS responses also come into play. For block redirect and bypass redirect, the browser may choose other IP addresses, without going to the block or bypass page. 

Workaround: Configure "Device only DNS" in Pulse Connect Secure VPN.

SonicWall VPN

BloxOne Endpoint is not compatible with SonicWall VPN.

N/A
Tunnelblick VPN
BloxOne Endpoint is compatible with Tunnelblick VPN if you make the following changes in Tunnelblick:
  • Allow changing of the DNS servers for the adaptor.
  • Apply DNS settings after the tunnel has been established.

In the Connecting and Disconnecting tab of the Tunnelblick advanced configuration, ensure that the following two settings are enabled:

  • Flush DNS cache after connecting or disconnecting (default)
  • Set DNS after routes are set instead of before routes are set

In the While Connected tab, change the following to Ignore:

  • DNS servers:

    • When changes to pre-VPN value: Choose Ignore.

    • When changed to anything else: Choose Ignore.

Issue: With some Tunnelblick versions, BloxOne Endpoint is unable to properly identify the correct internal DNS servers following a VPN disconnect.

Workaround: Infoblox recommends the following steps if you encounter issues with internal DNS servers following a disconnect of the VPN. The change causes Tunnelblick to bring the primary network interface down and then up after a VPN disconnect.

Configure the following in the Settings tab of Tunnelblick's configuration panel: 

  • In older versions of Tunnelblick (prior to 3.7.5beta03), click the Reset the primary interface after disconnecting checkbox.
  • In newer versions of Tunnelblick, (3.7.5beta03 and higher), set both the On expected disconnect and the On unexpected disconnect settings to Reset Primary Interface.