Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
isamt
Contributor

Windows Clients Registering Home Router Adapter Assigned IP in DNS

I have vpn users running both Win8.1 and Win10.

Forticlient version is 6.0.10, managed by EMS server

 

Clients run SSL vpn and IPSec connections.

 

On the EMS server there is a setting 'Prefer SSL VPN DNS'

If unchecked, SSL clients only register the Vpn IP address in DNS.

With it checked, SSL clients also register their home router IP address.

 

Question, for IPSec connections is there a similar setting that performs the same behaviour?

We don't want IPSec users home IP addresses registering within DNS.

 

Thanks

6 REPLIES 6
isamt
Contributor

Raised a ticket on Fortinet for this.

 

Fortinet's response:

 

The issue is reported in 0659906 FortiClient IPSec VPN connected clients register local adapters IP to DNS-server, causing FSSO and client traffic to fail. The issue is under the developer's investigation.

bmduncan34
New Contributor III

I am having the same problem.  Any update on this?

isamt

Fortinet have marked my ticket 'Pend Bug Fix'

No further updates have been added as yet.

thungo1604

Hi,

We had the same problem here. This problem is resolved now. To resolve it, weve modified a key in the windows registry.

This is the key to modify: HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Sslvpn\NoDnsRegistration. You have to enter a value of 2.

Since we did that, no more problem with odd DNS registration. The only IP address assigne to the DNS entry is the VPN SSL one.

It works for us, maybe you should try it!

isamt

Hello thungo1604,

 

Thanks for the registry key.

I'm assuming this is what is updated with 'Prefer SSL VPN DNS' unchecked in the EMS server.

I already stated that with this unchecked, SSL clients only register their assigned Vpn IP in DNS which is fine.

My problem is that there is no equivalent setting for IPSec Vpn clients. They always register both their assigned Vpn IP plus the users home router assigned IP in the Corporate DNS server.

 

Fortinet have identified this as a bug and advise they are testing their fix in 6.4 version of the client.

 

If there is a registry key that stops IPSec clients registering home IP's in DNS then let us know.

 

That is something I could maybe try!

isamt

Fortinet have finally come back on this and advised that the problem is fixed in 6.4.3

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors