Fortigate model is 1500D, running on 5.2.3 with the matching SSLVPN client.
Due to the nature of our environment, we have multiple AD domains behind the firewall. Each "domain" has its own SSL VPN Portal, where when connected users they get assigned an IP address from a unique pool designated for them. They are also assigned DNS servers from their domain.
But because when it comes to DNS Suffix settings being system wide only, everyone is assigned a list of 5 DNS suffixes to search.
As a result, when users connect and try to resolve a single host name, the DNS resolution process takes more than 15 seconds. Part of this is because it looks like their computer (Win7 - Win10) are trying to resolve using the DNS server assigned to their NIC first.
Is there any way to do DNS suffixes per VPN portal? Is there any to use the VPN assigned DNS server exclusively while connect? Any suggestions on how to speed this up?
tim5700 wrote:Part of this is because it looks like their computer (Win7 - Win10) are trying to resolve using the DNS server assigned to their NIC first.
BS,
Windows 10 uses DNS Multicast which leads to DNS leaks.
That's an excellent thought.
But how does that explain the Win7 & 8.x clients?
Disabling Multicast Name Resolution doesn't seem to help.
Hello,
I am just wondering whether it would be possible to use a separate VDOM for every single AD?
It would solve the problem.
AtiT
You can add dns suffixes to the portal
config vpn ssl settings set dns-suffix ”example.com example.org” end
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.