Technical Tip: Able to see both local IP and SSL VPN IP on the local DNS server while connecting to the SSL VPN

This article describes how to resolve the issue when the customer is seeing both the local adaptor IP and SSL VPN adaptor IP on the local DNS server.

Local IP: The IP assigned to the end-user network adaptor might be LAN or Wi-Fi.

SSL VPN IP: The IP assigned from the FortiGate to the SSL VPN adaptor.

When the end-user is connected to the SSL VPN and gets the internal DNS IP address from the FortiGate, this error occurs.

Below is a sample output from the user's PC after connecting to SSL VPN.

Entry on the DNS server for the same user after connecting to SSL VPN.

The solution to resolve this issue is described below:

1. Take the XML backup of the FortiClient by referring to the XML backup guide.
2. Open the backup file using notepad.
3. Search for the following keyword in the notepad and change the value to 2:

no_dns_registration

4. While searching the keyword, two lines can be found, do the changes on both.
5. After making the changes, save the file and import it again to the FortiClient.
6. After, try to connect the FortiClient. The SSL VPN IP on the local DNS server will be visible.

The following is the change in DNS entry in the server:

If no_dns_registration=1, only the physical network adapter's 'Register This Connection's Address in DNS' is selected.
If no_dns_registration=2, only the tunnel interface's 'Register This Connection's Address in DNS' is selected.
if no_dns_registration=0, both physical and tunnel interface's 'Register This Connection's Address in DNS' are selected.

Note: Try also disabling the DNS registration on the local NIC via NIC properties:

Go to NIC -> Properties -> IPv4 -> Advanced -> DNS tab -> Uncheck 'Register this connection’s addresses in DNS.' 

Configure FortiClient VPN adapter to register its IP in DNS.

Use GPO(Group policy object) settings:
Computer Configuration -> Administrative Templates -> Network -> DNS Client.