FG_User
New Member
February 15, 2012
Question

Internal DNS name resolution not working

We're using SSL VPN with split tunneling enabled. In the VPN DNS and WINS server names I put our two systems which provide those services. However, when using the bookmarks or connection tool I cannot connect via the name of the system. Neither hostname nor FQDN works. Only via IP. Obviously most users don't know the IPs of the systems.

    14 replies

    rwpatterson
    New Member
    February 15, 2012
    Welcome to the forums. Split tunneling is like that. If you force all traffic through the firewall, you'll find it works as desired. If you don't have a big pipe at the FGT end, you may find the web browsing is choking production.
    FG_User (Author)
    New Member
    February 15, 2012
    So there is no way to do this without disabling split tunneling? No dns tricks or anything else? This seems crazy.
    emnoc
    New Member
    February 15, 2012
    The split-dns feature is your friend, but I don't know how it's deployed in the fortigate design. But correct me if I'm wrong, is it your clients or is it the SSLVPN (fortigate) conducting the dns-lookup for the bookmark address? You can validate that the appliance has a dns server applied or use the nslookup tool to see what dns-server you're using.
    Maik
    New Member
    February 15, 2012
    "However when using the bookmarks or connection tool I cannot connect via the name of the system"
    From that, I read that you are using the bookmarks from the SSL VPN web portal. We are not talking about browser bookmarks. SSL VPN Web Portal addresses are resolved by the Fortigate itself. Did you configure your Fortigate to use the internal DNS servers? Regards, Maik
    FG_User (Author)
    New Member
    February 15, 2012
    @EMNOC: Under VPN > SSL > Config ... Advanced > I put in the two DNS servers' IP addresses and WINS servers. @MAIK: Yes, by bookmarks I am referring to the SSL VPN portal bookmarks, not local ones on a user's machine.
    Carl_Wallmark
    New Member
    February 15, 2012
    It is the fortigate itself that does the dns lookup, NOT the dns in the ssl config. You need to enter an internal dns under System -> Network -> DNS.
    veechee
    New Member
    February 15, 2012
    This doesn't answer your question, but provides some of my experience with split tunneling. I used split tunneling in production for about 5 users for several months, but I removed it from use because there are so many DNS tricks and hacks out there these days that I couldn't make internal resources work 100% reliably with it. The problems I ran into were at places like airports or hotels where there is a captive portal before access is granted. Often these types of sites enforce certain DNS servers and that messes up the split tunnel, leading to security warnings for internal resources or outright failures. Also, we use SaaS email, and if there is a latency or other connectivity issue using the local Internet connection, getting onto the full tunnel usually restores access. I'm in the initial stages of looking at MS DirectAccess to provide always-on internal network resources and local internet. The technology behind DA is such that it should allow both to work reliably (but it's very complicated to get set up).
    emnoc
    New Member
    February 15, 2012
    Cisco ASA has a split-dns feature that gets through these hurdles and allows the client to resolve only domain names allowed for that vpn client. I'm surprised that fortigate does not have this function. For the OP FGUser, now that it's confirmed the fortigate looks up the SSLVPN bookmarks, can you answer the question: "does the fgt have your inside local dns-servers configured?"
    FG_User (Author)
    New Member
    February 15, 2012
    @SELECTIVE: 1. What is the point of the SSL VPN DNS settings then? 2. Our Prof Services installer for the units put 8.8.8.8 and the DNS server from our ISP as the ones to use in that system. Should I replace them with our internal DNS servers (which themselves point out to those two IPs anyway for their external DNS lookups)? He said specifically that we should avoid sending DNS lookup requests from the Fortigate to our internal DNS servers (our DCs have the DNS role as well). Thanks!
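    The two DNS settings the replies above keep distinguishing (the FortiGate's own resolver, which it uses for web-portal bookmark lookups, versus the DNS addresses handed to SSL VPN clients), written out as a FortiOS CLI sketch. This is an added example, not any poster's configuration; the 10.0.0.10/10.0.0.11 addresses, the ISP placeholder and the corp.example suffix are constructed.

```text
# FortiGate's OWN resolver (System -> Network -> DNS in the GUI). This is what
# the unit uses when it resolves SSL VPN web-portal bookmark names itself.
#
# As installed in the thread: public resolvers only, so bookmark lookups for
# internal-only names cannot succeed.
config system dns
    set primary 8.8.8.8
    set secondary <ISP-DNS-IP>          # placeholder, not a real address
end

# What the replies recommend instead: point the FortiGate at the internal DNS
# servers, which forward external names to the public resolvers anyway.
config system dns
    set primary 10.0.0.10               # constructed internal DNS/DC address
    set secondary 10.0.0.11             # constructed internal DNS/DC address
end

# The VPN -> SSL -> Config -> Advanced entries are a separate setting: they are
# pushed to the connecting *client* for its tunnel session and have no effect
# on what the FortiGate itself resolves for portal bookmarks.
config vpn ssl settings
    set dns-server1 10.0.0.10
    set dns-server2 10.0.0.11
    set wins-server1 10.0.0.10
    set dns-suffix corp.example         # constructed internal DNS suffix
end
```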
    FG_User (Author)
    New Member
    February 15, 2012
    I guess if there was some way to make sure streaming media from VPN users didn't hose our system, that'd be ok to turn it off. My main goal was to keep any unnecessary traffic/resources off the units. Especially if a home user's system is messed up and has malware using it to send smtp traffic or something else. You get the gist. Why send youtube traffic over the vpn, right?