Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
zeeshan_FTNT
Staff
Staff

Created on ‎01-31-2016 11:06 PM Edited on ‎11-23-2021 12:42 AM By Community Manager

Article Id 195906

Technical Tip: SSL VPN split tunnel on Mac OS X 10.11 El-Capitan

Purpose

This article explains how to overcome the DNS resolver issue with the newest Mac OS 10.11 El-Captian when using SSLVPN.

Mac OS X 10.11 introduced a new software issue in the DNS resolver. If there are two network interfaces (such as one ethernet and one WiFi), traffic may be routed into one of the interfaces, while the source IP address is set to the other interface. This flaw impacts FortiClient users when using split tunnel VPN connections.


Expectations, Requirements

Split tunneling and FortiClient should work with Mac OS X 10.11, El-Capitan without any issue.


Configuration

The DNS resolution works differently between iOS and Android.

In Android: once the VPN tunnel is established all the DNS requests are redirected to the internal DNS.

In iOS: once the VPN tunnel is established only the DNS requests with the tunnel DNS suffix are redirected to the internal DNS.


Troubleshooting

Users encountering this issue on Mac OS X 10.11 may:
  • Use a public DNS, so that all DNS traffic goes through the public interface.
  • Use full VPN tunnels.
  • Downgrade to FortiClient 5.2.5.
Labels:
3761
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.