DNS Security - Endpoint uses the DNS IP address configured on the NIC(s) to filter traffic and stop access to malicious domains or subdomains. Since some VPN products/services also interact with the NIC(s) on a computer, it is important to know that Heimdal's DNS Security - Endpoint has been developed to offer compatibility with the most widely used VPN products/services within companies, giving Enterprise customers the option to use both layers of protection: DNS Security - Endpoint and the VPN product/service. Below you can find the VPN vendors that are compatible with DNS Security - Endpoint:
1. Cisco AnyConnect
2. Fortinet FortiClient
3. Always ON VPN
4. Palo Alto Global Protect
5. Other VPN products/services
Cisco AnyConnect
DNS Security - Endpoint is compatible with the Cisco AnyConnect VPN service. In order to set it up, you need to log in to the HEIMDAL Dashboard, access Endpoint Settings -> Your Group Policy -> DNS Security tab -> DarkLayer Guard tab, and enable Cisco AnyConnect/Fortinet compatibility mode. In order for this feature to work you also need to configure your Cisco interface to split-exclude (full tunnel or split-include tunnel are NOT supported) the following IP Addresses (these are the IP Addresses of the HEIMDAL Security cloud services):
- 40.119.146.250
- 40.114.223.57
- 40.87.128.228
- 40.121.66.93
- 52.172.28.76
- 152.199.21.175
- 168.63.8.217
- 13.95.20.191
- 52.166.12.23
- optionally, 127.7.7.0/24 can be added as well.
IMPORTANT
According to the Cisco documentation (https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200395-Interop-between-AnyConnect-and-the-OpenD.html), the VPN headend can be configured in a couple of different ways to handle traffic from the AnyConnect client.
1. Full tunnel configuration (tunnel-all): This forces all traffic from the endpoint to be sent across the VPN tunnel encrypted, and therefore traffic never leaves the public interface adapter in clear text.
2. Split tunnel configuration:
- Split-include tunneling: Traffic destined only to specific subnets or hosts defined on the VPN headend is sent across the tunnel, and all other traffic is sent outside the tunnel in clear text.
- Split-exclude tunneling: Traffic destined only to specific subnets or hosts defined on the VPN headend is excluded from encryption and leaves the public interface in clear text; all other traffic is encrypted and sent only across the tunnel.
In the case of the Cisco AnyConnect VPN, the Cisco ASA 5585-X interface (or any other Cisco ASA interface) allows you to set up split-exclusion in the Advanced -> Split Tunneling menu by adding/editing split exclusions, as shown in the image below:
After setting it up, split-exclusion should reflect on the Cisco AnyConnect interface in the Route Details tab:
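To confirm on an endpoint that the split-exclusion above is actually in effect (and that the 127.7.7.x loopback resolver is applied, which the TAP adapter note under "Other VPN products/services" says cannot happen on TAP adapters), here is an added PowerShell check; it is not Heimdal or Cisco code. It assumes a Windows endpoint with the VPN connected and that the VPN adapter alias matches the pattern in the parameter, which is a guess you may need to adjust.

```powershell
# Added verification script, not Heimdal's or Cisco's code. Assumptions: Windows endpoint,
# VPN connected, and a VPN adapter alias matching $VpnAdapterPattern (adjust if needed).
param(
    [string]$VpnAdapterPattern = 'AnyConnect|Fortinet|PANGP|GlobalProtect'   # assumed aliases
)

# Heimdal cloud service addresses from this article that must be split-excluded.
$HeimdalIPs = @(
    '40.119.146.250', '40.114.223.57', '40.87.128.228', '40.121.66.93', '52.172.28.76',
    '152.199.21.175', '168.63.8.217', '13.95.20.191', '52.166.12.23'
)

# 1. Is the DarkLayer Guard loopback resolver (127.7.7.x) set as DNS on any IPv4 interface?
$loopbackDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -match '^127\.7\.7\.' }
if ($loopbackDns) {
    $loopbackDns | ForEach-Object { Write-Output "Loopback DNS applied on: $($_.InterfaceAlias)" }
} else {
    Write-Warning 'No interface uses a 127.7.7.x DNS server; DNS traffic is not being filtered.'
}

# 2. Which interface does each Heimdal IP actually leave through? With split-exclude in
#    place the chosen route must NOT be the VPN adapter, or the agent cannot reach the cloud.
$problems = 0
foreach ($ip in $HeimdalIPs) {
    # Find-NetRoute returns a NetIPAddress and a NetRoute object; keep only the route.
    $route = Find-NetRoute -RemoteIPAddress $ip |
        Where-Object { $_.DestinationPrefix } | Select-Object -First 1
    if ($route.InterfaceAlias -match $VpnAdapterPattern) {
        Write-Warning "$ip -> $($route.InterfaceAlias): inside the tunnel (not split-excluded)"
        $problems++
    } else {
        Write-Output "$ip -> $($route.InterfaceAlias) via $($route.DestinationPrefix): outside tunnel, OK"
    }
}

# 3. TAP adapters: the agent cannot apply the loopback resolver on them, so flag any present.
Get-NetAdapter | Where-Object { $_.InterfaceDescription -match 'TAP' } | ForEach-Object {
    Write-Warning "TAP adapter present: $($_.Name) ($($_.InterfaceDescription)); DNS filtering will not apply on it."
}

Write-Output "Heimdal IPs routed through the tunnel: $problems (expected 0 for split-exclude)"
```

Run it while the VPN is up; any address reported "inside the tunnel" is missing from the ASA split-exclusion list and will show the same way in the AnyConnect Route Details tab.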
For setups using Full Tunnelling or Split-Include, we recommend you use the DNS Security Network protection (which is set up at the DNS Server level) in conjunction with the Pause DarkLayer GUARD when Cisco AnyConnect or Fortinet is detected option. This setup allows users to connect to the VPN with Cisco AnyConnect and pauses the DarkLayer Guard protection (thus excluding the possibility of Internet connectivity timeouts) while the DNS Security Network product (outer layer) still provides protection.
Fortinet FortiClient
DNS Security - Endpoint is compatible with Fortinet's FortiClient VPN service. In order to set it up, you need to log in to the HEIMDAL Dashboard, access Endpoint Settings -> Your Group Policy -> DNS Security tab -> DarkLayer Guard tab and enable Cisco AnyConnect/Fortinet compatibility mode.
Always ON VPN
DNS Security - Endpoint is compatible with Always ON VPN service. In order to set it up, you need to log in to the HEIMDAL Dashboard, access Endpoint Settings -> Your Group Policy -> DNS Security tab -> DarkLayer Guard tab and enable Support PPP Adapters.
Palo Alto Global Protect
DNS Security - Endpoint is compatible with Palo Alto's Global Protect VPN service. In order to set it up, you need to log in to the HEIMDAL Dashboard, access Endpoint Settings -> Your Group Policy -> DNS Security tab -> DarkLayer Guard tab and enable Cisco AnyConnect/Fortinet compatibility mode.
Other VPN products/services
If the VPN creates a TAP adapter, the HEIMDAL Agent will not be able to apply the 127.7.7.x loopback DNS address to its IPv4 configuration (or the corresponding one for IPv6), and traffic on that adapter will not be filtered.
In case you are using a VPN solution that is not supported by Heimdal our recommendation is to disable the DarkLayer Guard product and enable the DNS Security Network product, which is configured on the perimeter level (on the DNS servers).
Additionally, when it comes to protecting VPN servers (hosts), we recommend you have the DarkLayer Guard product turned OFF. Usually, a VPN Server (host) shouldn't be used to perform DNS queries, but if you still want to do that, you can use the protection offered by the DNS Security Network product, which is configured on the perimeter level (on the DNS servers).