FortiClient
zeeshan_FTNT
Staff

Purpose

This article explains how to overcome the DNS resolver issue in Mac OS X 10.11 El Capitan when using SSL VPN.

Mac OS X 10.11 introduced a new software issue in the DNS resolver. If there are two network interfaces (such as one Ethernet and one WiFi), traffic may be routed through one of the interfaces while its source IP address is set to that of the other interface. This flaw impacts FortiClient users when using split tunnel VPN connections.


Expectations, Requirements

Split tunneling and FortiClient should work with Mac OS X 10.11 El Capitan without any issue.


Configuration

DNS resolution works differently on iOS and Android.

On Android: once the VPN tunnel is established, all DNS requests are redirected to the internal DNS.

On iOS: once the VPN tunnel is established, only DNS requests with the tunnel DNS suffix are redirected to the internal DNS.
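
The two behaviours above can be modelled to see which lookups stay outside the tunnel on each platform. This is an added example, not Fortinet code: the server addresses, the suffix `corp.example.com`, the function names and the label-boundary matching rule are all assumptions made for illustration.

```python
# Added example: models the Android and iOS DNS behaviours described above.
# Addresses, suffixes and the label-boundary matching rule are assumptions.

INTERNAL_DNS = "10.10.0.53"             # constructed: DNS server pushed by the VPN
PUBLIC_DNS = "192.0.2.53"               # constructed: resolver on the local network
TUNNEL_SUFFIXES = ["corp.example.com"]  # constructed: tunnel DNS suffix


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def matches_suffix(name, suffix):
    """True if name equals suffix or ends with it on a label boundary."""
    name, suffix = normalize(name), normalize(suffix)
    return bool(suffix) and (name == suffix or name.endswith("." + suffix))


def pick_resolver(name, platform, tunnel_up=True):
    """Return the DNS server a query for `name` is sent to."""
    if not tunnel_up:
        return PUBLIC_DNS
    if platform == "android":
        return INTERNAL_DNS          # all requests go to the internal DNS
    if platform == "ios":
        if any(matches_suffix(name, s) for s in TUNNEL_SUFFIXES):
            return INTERNAL_DNS      # only tunnel-suffix names go internal
        return PUBLIC_DNS
    raise ValueError("unknown platform: %r" % platform)


def outside_tunnel(names, platform):
    """List the names whose lookups would not reach the internal DNS."""
    return [n for n in names if pick_resolver(n, platform) != INTERNAL_DNS]


if __name__ == "__main__":
    # Constructed sample names, including a look-alike of the tunnel suffix.
    sample = ["intranet.corp.example.com", "CORP.example.com.",
              "notcorp.example.com", "www.example.org"]
    for platform in ("android", "ios"):
        print(platform, "->", outside_tunnel(sample, platform))
```

Names listed for a platform are resolved by the public resolver, so internal hosts that do not carry the tunnel DNS suffix will not resolve through the VPN on that platform.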


Troubleshooting

Users encountering this issue on Mac OS X 10.11 may:

  • Use a public DNS, so that all DNS traffic goes through the public interface.
  • Use full VPN tunnels.
  • Downgrade to FortiClient 5.2.5.