
SMA 6210 - ext. Website with DNS Entry in Active Directory - Mobile Connect Tunnel

Hello, we want to reach our external organisation website (e.g. web.xyz.com) over the Mobile Connect client and SMA 6210; the site is hosted internally. Here we have created an Active Directory zone with a host A record (e.g. web.xyz.com with IP 192.168.40.4). Now, if I ping over Connect Tunnel, I only get the external IP (e.g. 10.50.22.11), but I want to reach the internal IP (192.168.40.4).

Unfortunately we don't have a section in our SMA 6210 such as "Host Resolution".

Could someone give me a hint on how to realize this? Thank you.

Greetz

Erdal

Category: Secure Mobile Access Appliances

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @Erdal did you try to add the external domain suffix (xyz.com) to the VPN connection so that the requests are answered by your VPN DNS server, which holds the information?

    --Michael@BWC

  • Erdal Newbie ✭
    edited October 2022

    @BWC Thank you for your correct answer. I've already inserted the domain in the search suffix (private search domains); it still does not work.

    DNS Routing with Split Tunnel

    In split tunnel, only DNS requests that match the VPN DNS suffix search domains will use the VPN DNS servers. Requests to domains that do not match the VPN DNS suffixes go to the local (3G/WiFi connection) DNS servers. This is true for connections to all server appliances: SMA 1000 series, SMA 100 series, and firewalls. This is a limitation of Apple's iOS.

    Example DNS suffix: example.com

    • Query for www.example.com uses VPN DNS Server
    • Query for intranet.corp.example.com uses VPN DNS Server
    • Query for www.google.com uses Local DNS server
    • Query for i2.examplecorp.com uses Local DNS server

    This behavior can be overridden in Split Tunnel mode by enabling the "Enable Use tunnel as primary network (Mobile Connect only)" checkbox.

    The checkbox is not enabled. Perhaps it is a bug. Our firmware version is 12.4.1-02629 + hotfixes (clt-hotfix-12.4.1-02965, clt-hotfix-12.4.1-03053, pform-hotfix-12.4.1-02965, pform-hotfix-12.4.1-02994, pform-hotfix-12.4.1-03053).
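
The split-tunnel DNS rule quoted in the post above, modelled as an added example (this is not code from the thread or from SonicWall): a query goes to the VPN DNS servers only when it matches a configured search suffix at a label boundary, otherwise to the local resolver, unless the "use tunnel as primary network" override is on. The function names and the `notexample.com` case are my own additions for illustration.

```python
# Added example: models the split-tunnel DNS routing rule quoted in the thread.
# A query uses the VPN DNS servers only if it matches a VPN DNS search suffix
# at a label boundary; everything else goes to the local (3G/Wi-Fi) resolver,
# unless "use tunnel as primary network" is enabled, which sends all queries
# through the tunnel. Function names here are assumptions, not a SonicWall API.

def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Web.XYZ.com.' == 'web.xyz.com'."""
    return name.strip().rstrip(".").lower()


def matches_suffix(query: str, suffix: str) -> bool:
    """True if query equals suffix or is a subdomain of it (label boundary).

    A plain endswith() on the raw string would wrongly send
    'notexample.com' to the VPN resolver for suffix 'example.com',
    so the '.' separator is required.
    """
    q, s = _normalize(query), _normalize(suffix)
    return q == s or q.endswith("." + s)


def dns_server_for(query: str, vpn_suffixes, tunnel_is_primary: bool = False) -> str:
    """Return 'vpn' or 'local': where the client sends this DNS query."""
    if tunnel_is_primary:
        return "vpn"
    if any(matches_suffix(query, s) for s in vpn_suffixes):
        return "vpn"
    return "local"


def route_table(queries, vpn_suffixes, tunnel_is_primary: bool = False) -> dict:
    """Map each query to its resolver, handy for sanity-checking a suffix list."""
    return {q: dns_server_for(q, vpn_suffixes, tunnel_is_primary) for q in queries}


if __name__ == "__main__":
    # The four examples from the documentation quoted in the thread.
    examples = ["www.example.com", "intranet.corp.example.com",
                "www.google.com", "i2.examplecorp.com"]
    for name, where in route_table(examples, ["example.com"]).items():
        print(f"{name:28} -> {where} DNS")
    # The case from the question: web.xyz.com with xyz.com as a private search domain.
    print(dns_server_for("web.xyz.com", ["xyz.com"]))                  # vpn
    print(dns_server_for("web.xyz.com", []))                           # local
    print(dns_server_for("web.xyz.com", [], tunnel_is_primary=True))   # vpn
```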

  • BWC Cybersecurity Overlord ✭✭✭

    @Erdal I don't have access to an SMA right now, but did you check the logs for dropped traffic? Did you do a packet capture to see if the DNS requests are really getting routed into the tunnel?

    --Michael@BWC

  • Nat Newbie

    @Erdal

    You don't really need the domain suffix if you just have one website. The search suffix with split route is mainly for wildcard host searching.

    From the SMA's point of view, you have to make the FQDN resolve to the private IP in SMA DNS resolution.

    When the SMA can get the private IP and your ACL allows the private IP, CT will deploy routes to Windows once connected.

  • Erdal Newbie ✭
    edited October 2022

    Hi BWC, the last time I did a packet capture, the SMA ran out of space, although it stopped itself after 100%. It seems it is/was a bug. After it ran out of space the database was broken. But when I tried to capture, I could not see any packets. We have updated our SMA, and thank you for your answer; I will try a capture again.

    Really good tip @Nat. When I try to resolve the DNS name, the appliance resolves it correctly. But why don't I get the right IP address when I am connected with Connect Tunnel? The access rule is OK.

    Erdal

  • MitatOnge All-Knowing Sage ✭✭✭✭

    Hi Erdal,

    What is your Connect Tunnel mode? (Split tunnel, tunnel all mode)

  • Nat Newbie

    @Erdal Add the private IP as "host name or IP" if you just added it as a URL resource. Then add it to the ACL.

    And what client are you testing? Windows CT is totally different from Mobile Connect. For Mobile Connect, enabling the "primary network" checkbox will work as well.

    You can see the difference before and after connecting Mobile Connect:

  • Erdal Newbie ✭
    edited October 2022

    Hello NAT,

    thank you for your help. We use Mobile Connect Tunnel. The resource is added as Host or IP. It's still not working; that's the thing that is driving me crazy. It seems that the router from the internet is being used for internet access and not the SMA.

    Erdal

  • Nat Newbie

    Then Mobile Connect is not sending DNS to internal.

    Quick test: just try "Enable Use tunnel as primary network (Mobile Connect only)". Remember to re-login after applying the change.

  • Erdal Newbie ✭

    Sorry Nat, we DIDN'T use Mobile Connect. We use Connect Tunnel! I don't have this program (Mobile Connect).

  • Nat Newbie

    Generally, the requirement is not hard to achieve, but we don't understand your network.

    Maybe you can try "redirect all" to check if it works.

    Also, try calling SonicWall support and let me remote-check the config on the SMA with you. We can't check the configuration.

    Just theoretically achievable.
