This topic provides guidelines for using BloxOne Endpoint in conjunction with third-party software. With certain VPN software, you might need to take extra steps to ensure compatibility with BloxOne Endpoint.

...

Third-Party Software

Compatibility Description

Known Issues

Akamai Enterprise Applications Access (EAA) VPN

BloxOne Endpoint is compatible with Akamai EAA VPN in the split-tunnel mode.

Note: Support for Akamai EAA VPN was verified only for Windows.

N/A
Appgate VPN

BloxOne Endpoint is compatible with Appgate VPN in the split-tunnel mode.

Note: BloxOne Endpoint supports Appgate SDP v5.3.2 or higher.

N/A
AWS Client VPN Endpoint

BloxOne Endpoint is not compatible with AWS Client VPN Endpoint because when your VPN configuration is set up to modify the DNS server on the network interface, BloxOne Endpoint cannot provide proper protection to your network.

Issue: When your VPN configuration is set up to modify the DNS server configured on the network interface, BloxOne Endpoint will not be able to provide proper protection as designed.

Workaround:  

  1. Set up your VPN configuration so it does not modify the DNS server on your network interface.
  2. Add your corporate domains to the bypass list.
Check Point VPN

BloxOne Endpoint is compatible with Check Point VPN in the split-tunnel mode.

BloxOne Endpoint is not compatible with Check Point VPN in the full-tunnel mode.

N/A
Cisco AnyConnect VPN

BloxOne Endpoint is compatible only with the Internet portion of AnyConnect VPN in the split-tunnel mode.

BloxOne Endpoint is not compatible with AnyConnect in the full-tunnel mode.

N/A

F5 VPN

BloxOne Endpoint is compatible with F5 VPN in the split-tunnel mode.

N/A
Fortinet FortiClient VPN

BloxOne Endpoint is compatible with Fortinet FortiClient VPN for Windows devices.

Tested versions of FortiClient: 7.0.7.0345 Windows.

N/A

McAfee Web Gateway Proxy

BloxOne Endpoint is partially compatible with the McAfee Web Gateway Proxy.

Some of the features, such as block redirect or bypass redirect, might not function properly.

Issue: When the McAfee Web Gateway proxy is enabled, all traffic goes through the proxy. Some of the features, such as block redirect and bypass redirect, might not function properly.

Workaround: Add the redirect IPs to the McAfee proxy bypass list. That way, the proxy is allowed to get the contents from the redirect IP during the HTTP(S) GET requests for blocked domains.

Netskope

BloxOne Endpoint is officially certified to run with Netskope client 93.0.1 and later, provided that you disable "Bypass Loopback DNS feature flag" on Netskope. As with any other VPN, Netskope must be set to run as a split tunnel, and specifically in CASB mode, meaning that Netskope secures only specified 80/443 traffic rather than all 80/443 traffic; otherwise, the redirect feature will not work.

N/A
OpenVPN

BloxOne Endpoint is compatible with OpenVPN clients with the following configuration:

  • Create an .ovpn file and import the .ovpn file into the OpenVPN client. For an example of an .ovpn file, click here.
  • When using an OpenVPN server, ensure that persist-tun is not enabled on the server side, so that network changes are triggered during disconnect or reconnect.  

N/A
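A check for the persist-tun requirement above, as an added example (not Infoblox or OpenVPN code): it scans an OpenVPN server configuration for an active persist-tun directive. The sample configuration and function names are constructed for illustration, and treating a pushed persist-tun as in scope is an assumption.

```python
import re

# Constructed sample server config (not from the Infoblox or OpenVPN docs).
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
persist-key
persist-tun            # keeps the tun device across restarts
;push "persist-tun"    ; commented out, must be ignored
push "route 10.8.0.0 255.255.255.0"
push "persist-tun"
"""

def _strip_comment(line):
    """Drop '#' or ';' comments that are outside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch in "#;" and not in_quote:
            return line[:i]
    return line

def find_persist_tun(conf_text):
    """Return (line_number, kind) for each active persist-tun setting.

    kind is 'local' for a bare persist-tun directive and 'pushed' for
    push "persist-tun", which hands the option to connecting clients
    (counting the pushed form is this example's assumption).
    """
    findings = []
    for num, raw in enumerate(conf_text.splitlines(), start=1):
        line = _strip_comment(raw).strip()
        if not line:
            continue
        tokens = re.findall(r'"[^"]*"|\S+', line)
        directive = tokens[0].lstrip("-").lower()
        if directive == "persist-tun":
            findings.append((num, "local"))
        elif directive == "push" and len(tokens) > 1:
            pushed = tokens[1].strip('"').split()
            if pushed and pushed[0].lower() == "persist-tun":
                findings.append((num, "pushed"))
    return findings

if __name__ == "__main__":
    for num, kind in find_persist_tun(SAMPLE_SERVER_CONF):
        print(f"line {num}: persist-tun is enabled ({kind})")
```

An empty result means no active persist-tun setting was found in the text that was scanned.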

Palo Alto GlobalProtect VPN

BloxOne Endpoint is compatible with Palo Alto GlobalProtect VPN in the split-tunnel mode on Windows and macOS devices.

Issue: Except for version 3.1.3, Palo Alto GlobalProtect VPN (for Windows only) cannot start or connect while using BloxOne Endpoint.

Workaround:

Mac:
The domain amiawesome.ibrc must be added to the exclude list and be configured to resolve in order to test packet interception via the local resolver. Otherwise, BloxOne Endpoint will go into an unprotected state because of interception detection due to the VPN behaving like a full tunnel. Along with amiawesome.ibrc, all Infoblox domains must also be added to the exclude list.

Windows:
Currently, Palo Alto GlobalProtect VPN cannot be set to start and connect on boot while using the BloxOne Endpoint client. As a workaround, you can delay the start of the BloxOne Endpoint client or GlobalProtect boot process in system services, or you can utilize a tool to delay the start of the client. As long as the BloxOne Endpoint client starts after GlobalProtect, issues do not occur.

In the office network, the Palo Alto VPN must be stopped, then restarted, to work with BloxOne Endpoint.

GlobalProtect version 6.04.c21 or higher is required for the workaround; however, slow IP acquisition remains problematic when using this version in a workaround.

Pulse Connect Secure VPN

Pulse Secure VPN has two operation modes:

  • IP-based split-tunneling

  • FQDN-based split-tunneling

In order to get Pulse Secure VPN and BloxOne Endpoint to work on the same machine, FQDN-based split-tunneling must be disabled in the Pulse Secure VPN gateway.

Issue: Both modes can be enabled; however, an issue occurs when using FQDN-based split-tunneling. FQDN-based split-tunneling is required for Pulse Secure to receive all DNS traffic when operating in this mode. When operating in this mode, it completely replaces the DNS addresses of the physical NIC adapter with its own address. When it gets disconnected, it restores the previous DNS addresses. FQDN-based split-tunneling handles the DNS table of the physical NIC adapter in the same way as BloxOne Endpoint, resulting in incompatibility of Pulse Secure with BloxOne Endpoint.

Workaround: To get Pulse Secure VPN and BloxOne Endpoint to work together on the same machine, FQDN-based split-tunneling must be disabled in the Pulse Secure VPN gateway. Also, if there are any domains configured in the FQDN split tunnel in Pulse Secure, these domains must be added to the Cloud Services Portal as internal domains.

For additional information, see
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44429.

SonicWall VPN

BloxOne Endpoint is not compatible with SonicWall VPN.

N/A
Symantec WSS Agent

BloxOne Endpoint is compatible with Symantec WSS Agent when you exclude the following domains and IP addresses on the agent:

TCP 443:

  • csp.infoblox.com 
  • threatdefense.infoblox.com and its subdomains 

TCP/UDP 53 and 443:

  • 52.119.40.100
  • 52.119.41.100 
  • 103.80.5.100
  • 103.80.6.100
N/A
Tunnelblick VPN
BloxOne Endpoint is compatible with Tunnelblick VPN if you make the following changes in Tunnelblick:
  • Allow changing of the DNS servers for the adaptor.
  • Apply DNS settings after the tunnel has been established.

In the Connecting and Disconnecting tab of the Tunnelblick advanced configuration, ensure that the following two settings are enabled:

  • Flush DNS cache after connecting or disconnecting (default)
  • Set DNS after routes are set instead of before routes are set

In the While Connected tab, change the following to Ignore:

  • DNS servers:

    • When changes to pre-VPN value: Choose Ignore.

    • When changed to anything else: Choose Ignore.

With some Tunnelblick versions, BloxOne Endpoint is unable to properly identify the correct internal DNS servers following a VPN disconnect. To avoid this issue, change the “Set DNS/WINS” option in Tunnelblick to "set nameserver (3.1)":

  1. Open the Tunnelblick GUI.
  2. Select your configuration from the right panel.
  3. In the Tunnelblick GUI, click on the Settings tab.
  4. Change the “Set DNS/WINS” option value to “set nameserver (3.1)”.


Zscaler Private Access (ZPA)

BloxOne Endpoint is compatible with Zscaler Private Access (ZPA). ZPA works correctly with Windows and Mac versions.

Tested versions of Zscaler client: 3.7.0.172 for macOS, 3.9.0.183 for Windows.

N/A
Zscaler Private Internet Access (ZIA)

BloxOne Endpoint is compatible with Zscaler Internet Access (ZIA). ZIA works correctly with Windows and Mac versions. 

ZIA is supported by using Proxy Auto-Configuration (PAC) files to determine whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server.

For information on how to configure PAC files, see the BloxOne Threat Defense Integration in ZScaler deployment guide.   

N/A

...