Can anyone explain to me how the FQDN ACL works with split tunneling? I know if you enter an IP address resource and exclude it from the tunnel, the IVE will add routes to the client's route table for those IP resources and use the physical interface of the client. How does it function with an FQDN resource? Does the IVE do a lookup for the listed FQDNs and add the resulting IP addresses to the client's route table, or is it doing some kind of live intercept on the traffic destined for the FQDN?
I can get my split tunnel to work the way I want using IP address resources to exclude them from being tunneled but I can't seem to get it working when I try using the FQDN of the same systems.
Any insight would be greatly appreciated.
VPN server - Configured with FQDN ST policies.
Pulse Client - Receives the list of configured FQDNs + type of policy (Allow or Deny) while connecting.
After establishing the VPN connection:
1. Client tries to send traffic to FQDN-A.
2. A DNS request is sent out to resolve FQDN-A (query).
3. A DNS response is received with the IP address (answers).
4. Pulse Client intercepts every DNS response and checks the queried FQDN value (FQDN-A).
5. If the FQDN matches the received policy, then it carries out the configured action (Allow or Deny).
6. If it doesn't, then it ignores it.
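To make the mechanism in the answer above concrete, here is an added example (my own stand-alone simulation, not Pulse Secure client code): a tiny DNS response parser feeding a policy check that marks each resolved address as "tunnel" (Allow) or "physical" (Deny), which is the route-table effect the original poster was asking about. The policy list format, the `fnmatch`-style wildcard matching, the `route_table` dictionary and the DNS packets built inline are all assumptions made for illustration; the real client's policy encoding and matching rules are not documented on this page.

```python
"""Simulation of FQDN-based split-tunnel evaluation on a VPN client.

Added example, not Pulse Secure code. Assumed: the server sends a list of
(fqdn pattern, action) pairs at connect time; the client hooks every DNS
response, reads the queried name from the Question section, and applies the
matching action to the A records in the Answer section.
"""
import fnmatch
import ipaddress
import struct

# Assumed policy format. "Allow" = send through the tunnel,
# "Deny" = exclude from the tunnel (physical interface).
POLICY = [
    ("*.corp.example", "Allow"),
    ("intranet.example", "Allow"),
    ("*.cdn.example", "Deny"),
]


def build_dns_response(qname, addresses, txid=0x1234):
    """Build a minimal DNS response (one A question, N A answers). Constructed test input."""
    def encode_name(name):
        out = b""
        for label in name.strip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        return out + b"\x00"
    # flags 0x8180: QR=1 (response), RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def parse_name(pkt, offset):
    """Decode a DNS name at offset, following compression pointers; return (name, end)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_dns_response(pkt):
    """Return (queried name, [IPv4 answers]) from a DNS response; A records only."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    qname, offset = parse_name(pkt, 12)
    offset += 4  # skip QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        _, offset = parse_name(pkt, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[offset:offset + 10])
        offset += 10
        rdata = pkt[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return qname, addrs


def match_policy(qname, policy=POLICY):
    """Action of the first policy entry whose pattern matches the queried FQDN, else None."""
    name = qname.lower().rstrip(".")
    for pattern, action in policy:
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return action
    return None


def intercept_response(pkt, route_table, policy=POLICY):
    """The client-side hook: inspect one DNS response and apply the matching action.

    route_table maps host/32 -> "tunnel" or "physical". Returns (decision, name, addrs).
    """
    qname, addrs = parse_dns_response(pkt)
    action = match_policy(qname, policy)
    if action is None:
        return "ignore", qname, addrs  # no FQDN policy: routing left untouched
    target = "tunnel" if action == "Allow" else "physical"
    for addr in addrs:
        route_table[f"{addr}/32"] = target
    return action, qname, addrs


if __name__ == "__main__":
    routes = {}
    for name, ips in [("www.corp.example", ["10.1.2.3", "10.1.2.4"]),
                      ("static.cdn.example", ["203.0.113.10"]),
                      ("www.unrelated.example", ["198.51.100.5"])]:
        print(intercept_response(build_dns_response(name, ips), routes))
    print(routes)
```

Two things worth noticing from running it: the decision is keyed on the name in the Question section, not on the answers, so CNAME chains and any response the client never sees (a hard-coded IP, a resolver the client did not go through) produce no routes at all. That second point is exactly why the client has to force all resolution through its own adapter, which the later part of this thread covers. The wildcard semantics here (`*.corp.example` does not match the bare `corp.example`) are an assumption of this example, not a documented Pulse behaviour.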
Quick follow up question since I understand how this works now.
How can I stop the pulse secure client from overwriting the local DNS on the client system local network adapter? I need this local resolution to work since we aren't allowing internet access through the tunnel. The server is set to "use ive settings" for DNS in the VPN connection profile so the Pulse Secure client adapter gets that address but the local DNS settings are being overwritten as well with the same DNS server IP.
Ah! So when I remove the FQDN resources and tell the tunnel to only split by IP addresses, my local DNS servers no longer get overwritten by the pulse secure client.
Yes, that's correct. Pulse Client will modify the physical interface's DNS servers to use the IVE DNS servers. In that way, it forces DNS resolution to happen through the virtual adapter so that the client can intercept the responses.
Removing the FQDN-based split tunneling policy will put things back to normal. 😊