Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

Force the routing of a domain name out the internet when doing split tunnel ssl vpn for clients.

We have decided to do a phased roll-out of FortiClient VPN for our users.  The first phase (which we are in) is to let everyone do SSL VPN just like they were doing on our old Cisco VPN.  I have that working; however, we found that one of our domain names is not getting routed correctly.


Our hosts are in AWS, and if a host is fronted by an ALB it will get a domain name like  which is also put into Route 53.  I need all lookups for that domain name to be done over the internet (not through our internal DNS servers).  An external DNS lookup would return the external IP address and then route the traffic correctly.


What's the easiest way to make that happen?



In my portals I already have

config split-dns

edit 1
set domains ",,"
set dns-server1
set dns-server2


and that is not doing it.  Inside the portal config I found you could also add 

set dns-suffix ",,"


set split-tunneling enable


Even with all this it's not working.  When I VPN in and I am hitting this portal, if I do:


The internal DNS servers return the internal address not the external one.


I thought I read something about policy based dns lookups.


What seems to be working is to set up split-tunnel and split-tunnel-dns in the portal. Then in the SSL-VPN Settings set DNS Server = Same as client system DNS.


What's weird with this setup is that if I do an nslookup of an internal-only FQDN host, it fails.  But if I ssh to that same hostname, that succeeds.  I am not sure if that will affect us in the future, but it is something to keep in mind.
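The working arrangement described in the reply above, written out as FortiOS CLI. This is an added example, not the poster's configuration: the portal name, address object, IP pool, domain names and DNS server addresses are placeholders, and `unset dns-server1/2` under `config vpn ssl settings` is assumed to be the CLI equivalent of the GUI choice "Same as client system DNS".

```fortios
# Portal: tunnel mode with split tunnelling, and split DNS for the
# internal zones only. The AWS-hosted public zone is deliberately NOT
# listed in split-dns, so the client resolves it with its own system
# DNS and receives the ALB's public address.
config vpn ssl web portal
    edit "split-portal"
        set tunnel-mode enable
        set split-tunneling enable
        # Only internal prefixes are routed into the tunnel
        # (placeholder address object; AWS public ranges stay outside it).
        set split-tunneling-routing-address "INTERNAL_NETS"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        # Search suffix for short internal names (placeholder).
        set dns-suffix "corp.example"
        config split-dns
            edit 1
                # Internal zones -> internal resolvers (placeholders).
                set domains "corp.example,internal.example"
                set dns-server1 10.0.0.53
                set dns-server2 10.0.1.53
            next
        end
    next
end

# Global SSL-VPN settings: no tunnel-wide DNS server, so the GUI shows
# "Same as client system DNS" and only the portal's split-dns entries
# are sent to the client.
config vpn ssl settings
    unset dns-server1
    unset dns-server2
end
```

The nslookup-versus-ssh difference noted above is expected with this setup: nslookup sends its own queries straight to the OS default DNS server and ignores per-domain (split) resolver rules, while ssh goes through the OS resolver, which does apply them. Testing with the OS resolver (for example `ping` or `Resolve-DnsName` on Windows, `getent hosts` on Linux) shows what applications will actually see.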
