Threat Prevention - Endpoint works with most software, but some VPN products/services are not compatible with our DNS filtering engine.
Below are the VPN products/services that have been discovered to cause incompatibilities with the DarkLayer Guard engine embedded in the Threat Prevention - Endpoint product:
- any browser or VPN browser extension that bypasses the local DNS servers when resolving DNS queries;
- Azure VPN - Azure VPN does not create a NIC adapter that the DarkLayer Guard engine can intercept; instead, it uses the existing NIC adapter. As a result, DarkLayer Guard can intercept queries made via nslookup, but it cannot intercept DNS queries from the browser;
- Barracuda VPN - not supported because the VPN is configured to use full tunneling, and DarkLayer Guard does not work with full tunneling;
- Fortigate firewall SSLVPN / WAN Miniport (SSTP);
- GFI Transparent Proxy - GFI Proxy is mostly used in transparent proxy mode (the proxy server is placed between the local network and the internet). This means the endpoints are NOT configured to use a proxy. When Threat Prevention - Endpoint is installed on the machines, the traffic is filtered locally, but it gets redirected through the same gateway GFI is using. As a result, the packets never reach the DarkLayer Guard - Endpoint filtering engine, and the requests effectively get resolved at the gateway level and not locally;
- SonicWall Cloud Edge VPN - this VPN product/service supports Full-Tunneling or Split-Include, while DarkLayer Guard requires Split-Exclude to work;
- Viscosity VPN.
Additionally, when it comes to protecting VPN servers (hosts), we recommend you have the DarkLayer Guard product turned OFF. Usually, a VPN Server (host) shouldn't be used to perform DNS queries, but if you still want to do that, you can use the protection offered by the Threat Prevention Network product, which is configured on the perimeter level (on the DNS servers).