This topic provides guidelines for using BloxOne Endpoint in conjunction with third-party software. When using certain VPN software, you might need to take extra steps to ensure compatibility with BloxOne Endpoint.

Info

The provided information is for reference only. This information represents the results of lab testing in a controlled environment focused on individual protocol services. Enabling additional protocols, services, cache hit ratio for recursive DNS, and customer environment variables will affect performance. This information does not serve as an official list of supported or unsupported software for BloxOne Endpoint. To design and size a solution for a production environment, please contact your Infoblox Solution Architect.


Note

When you use BloxOne Endpoint with a VPN client, ensure that the VPN connection is established in the split-tunnel mode for every network protocol (IPv4, or IPv4/IPv6 for dual stack). If you have internal domains that are served by your local DNS servers and you want to reach them without interruption, consider adding them to the bypassed internal domain list, so that DNS queries for these internal domains are sent to the local DNS servers instead of BloxOne Threat Defense Cloud. For more information about BloxOne Endpoint, see Managing BloxOne Endpoint.

The following table lists commonly used third-party VPN software and its compatibility with BloxOne Endpoint. Each entry gives the third-party software, a compatibility description, and any known issues.

Akamai Enterprise Applications Access (EAA) VPN

BloxOne Endpoint is compatible with Akamai EAA VPN in the split-tunnel mode.

Note: Support for Akamai EAA VPN was verified only for Windows.

Known issues: N/A

Appgate VPN

BloxOne Endpoint is compatible with Appgate VPN in the split-tunnel mode.

Note: BloxOne Endpoint supports Appgate SDP v5.3.2 or higher.

Known issues: N/A

AWS Client VPN Endpoint

BloxOne Endpoint is not compatible with AWS Client VPN Endpoint, because when your VPN configuration modifies the DNS server on the network interface, BloxOne Endpoint cannot provide proper protection to your network.

Issue: When AWS Client VPN Endpoint is configured with a DNS server IP address, it modifies the DNS server IP configured on the network interface of the client machine. As a consequence, BloxOne Endpoint cannot provide proper protection as designed.

Azure Client VPN Endpoint

Per Microsoft support, Azure VPN does not support using loopback as the DNS server for a P2S VPN connection. This is a by-design limitation, and currently there is no official workaround for this scenario.

Known issues: N/A

Check Point VPN

BloxOne Endpoint is compatible with Check Point VPN in the split-tunnel mode.

BloxOne Endpoint is not compatible with Check Point VPN in the full-tunnel mode.

Known issues: N/A

Cisco AnyConnect VPN

BloxOne Endpoint is compatible only with the Internet portion of AnyConnect VPN in the split-tunnel mode.

BloxOne Endpoint is not compatible with AnyConnect in the full-tunnel mode.

Known issues: N/A

F5 VPN

BloxOne Endpoint is not compatible with F5 VPN in the split-tunnel mode.

Known issues: N/A

Fortinet FortiClient VPN

BloxOne Endpoint is compatible with Fortinet FortiClient VPN for Windows devices.

Tested versions of FortiClient: 7.0.8.0308 Windows.

Infoblox recommends the following:

  • Do not configure the client DNS address as "Same as client DNS Address".
  • Specify the DNS servers on the FortiGate server.

McAfee Web Gateway Proxy

BloxOne Endpoint is partially compatible with the McAfee Web Gateway Proxy. Some features, such as block redirect or bypass redirect, might not function properly.

Issue: When the McAfee Web Gateway proxy is enabled, all traffic goes through the proxy, and some features, such as block redirect and bypass redirect, might not function properly.

Workaround: Add the redirect IPs to the McAfee proxy bypass list. That way, the proxy is allowed to get the contents from the redirect IP during the HTTP(S) GET requests for blocked domains.

Netskope

BloxOne Endpoint is officially certified to run with Netskope client 93.0.1 and later, provided that you disable the "Bypass Loopback DNS" feature flag on Netskope. As with any other VPN, Netskope must be set to run as a split tunnel, and specifically in CASB mode, meaning that Netskope secures only specified port 80/443 traffic rather than all port 80/443 traffic; otherwise, the redirect feature will not work.

Known issues: N/A

OpenVPN

BloxOne Endpoint is compatible with OpenVPN clients with the following configuration:

  • Create an .ovpn file and import it into the OpenVPN client. For an example of an .ovpn file, click here.
  • When using an OpenVPN server, ensure that persist-tun is not enabled on the server side, so that network changes are triggered during disconnect or reconnect.

Known issues: N/A

Palo Alto Networks GlobalProtect VPN

BloxOne Endpoint is compatible on Windows with Palo Alto Networks GlobalProtect VPN using the following configuration:

  • Network > GlobalProtect > Portal > [Portal Name] > Agent > [Agent Name] > App > Split-Tunnel Option. Note that you must set the "Split-Tunnel" option to "Both Network Traffic and DNS" instead of "Network Traffic Only".
  • my-ip.debug.infoblox.com and csp.infoblox.com must be resolvable from the Endpoint. You may need to add these domains to the "Include Domains" in your GlobalProtect gateway configurations.
  • BloxOne Endpoint must be able to access csp.infoblox.com on TCP port 443.
  • Internal domains configured in the Cloud Services Platform must also be added, if the configuration allows it, as "Include Domains" in all configured Palo Alto Networks GlobalProtect gateways. Note that not all configurations permit this.
  • "Internal Domains" on the GlobalProtect Gateway configuration can be found in the Palo Alto Networks PAN-OS web UI under Network > GlobalProtect > Gateways > NameOfGateway > Agent > Client Settings > NameOfClientSetting > Split Tunnel > Domain and Application > Include Domain.
  • BloxOne Endpoint on macOS is not compatible with Palo Alto Networks GlobalProtect VPN with the DNS server IP address parameter turned on.

Notes:

  • BloxOne Endpoint is compatible with Palo Alto Networks GlobalProtect client version 6.0.4-c21 and higher.
  • A configuration applicable to "Palo Alto Networks GlobalProtect VPN" should also be applicable to "Palo Alto Networks Prisma Access - Mobile User VPN", as they are the same product except that Palo Alto Networks hosts the infrastructure for Prisma Access, while "GlobalProtect" runs on the customer's on-premises firewalls.
  • When adding an "Internal Domain" on the GlobalProtect Gateway configuration, you must add it with a wildcard character for it to take effect (for example, *.internal.domain.corp). Without the wildcard, only the domain itself is forwarded down the tunnel. This differs from the Infoblox BloxOne "Internal Domains" list, which does not require the wildcard character.
  • On the Palo Alto Networks firewall, you can configure up to 200 domains to be forwarded down the VPN tunnel when the tunnel is configured in split-tunnel ("Both Network Traffic and DNS") mode.
  • The Palo Alto Networks firewall requires the GlobalProtect license in order to include traffic in the VPN tunnel based on domain name.
  • For further information, refer to the Palo Alto Networks GlobalProtect documentation: Configure a Split Tunnel Based on the Domain and Application.

Issue: Sometimes in an office network, the endpoint device must be restarted after the BloxOne Endpoint agent installation to work properly with the Palo Alto Networks GlobalProtect client.

Issue: When Palo Alto Networks GlobalProtect VPN is configured with a DNS server IP address, it modifies the DNS server IP configured on the network interface of the macOS client machine. As a result, BloxOne Endpoint cannot provide proper protection as designed on macOS.

Pulse Connect Secure VPN

Pulse Secure VPN has two operation modes:

  • IP-based split-tunneling
  • FQDN-based split-tunneling

To get Pulse Secure VPN and BloxOne Endpoint to work on the same machine, FQDN-based split-tunneling must be disabled in the Pulse Secure VPN gateway.

Issue: Both modes can be enabled; however, an issue occurs when using FQDN-based split-tunneling. In this mode, Pulse Secure must receive all DNS traffic, so it completely replaces the DNS addresses of the physical NIC adapter with its own address, and restores the previous DNS addresses when it disconnects. Because FQDN-based split-tunneling manages the DNS settings of the physical NIC adapter in the same way that BloxOne Endpoint does, Pulse Secure is incompatible with BloxOne Endpoint in this mode.

Workaround: To get Pulse Secure VPN and BloxOne Endpoint to work together on the same machine, FQDN-based split-tunneling must be disabled in the Pulse Secure VPN gateway. Also, if any domains are configured in the FQDN split tunnel on Pulse Secure, these domains must be added to the Infoblox Cloud Services Portal as internal domains.

For additional information, see https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44429.

SonicWall VPN

BloxOne Endpoint is not compatible with SonicWall VPN.

Known issues: N/A

Symantec WSS Agent

BloxOne Endpoint is compatible with Symantec WSS Agent when you exclude the following domains and IP addresses on the agent:

TCP 443:

  • csp.infoblox.com
  • threatdefense.infoblox.com and its subdomains

TCP/UDP 53 and 443:

  • 52.119.40.100
  • 52.119.41.100
  • 103.80.5.100
  • 103.80.6.100

Known issues: N/A

Tunnelblick VPN

BloxOne Endpoint is compatible with Tunnelblick VPN if you make the following changes in Tunnelblick:

  • Allow changing of the DNS servers for the adapter.
  • Apply DNS settings after the tunnel has been established.

In the Connecting and Disconnecting tab of the Tunnelblick advanced configuration, ensure that the following two settings are enabled:

  • Flush DNS cache after connecting or disconnecting (default)
  • Set DNS after routes are set instead of before routes are set

In the While Connected tab, change the following to Ignore:

  • DNS servers:
    • When changed to pre-VPN value: Choose Ignore.
    • When changed to anything else: Choose Ignore.

With some Tunnelblick versions, BloxOne Endpoint is unable to properly identify the correct internal DNS servers following a VPN disconnect. To avoid this issue, change the "Set DNS/WINS" option in Tunnelblick to "set nameserver (3.1)":

  1. Open the Tunnelblick GUI.
  2. Select your configuration from the right panel.
  3. In the Tunnelblick GUI, click the Settings tab.
  4. Change the "Set DNS/WINS" option value to "set nameserver (3.1)".

Zscaler Private Access (ZPA)

BloxOne Endpoint is compatible with Zscaler Private Access (ZPA). ZPA works correctly with the Windows and Mac versions.

Tested versions of the Zscaler client: 3.7.0.172 for macOS, 3.9.0.183 for Windows.

Known issues: N/A

Zscaler Internet Access (ZIA)

BloxOne Endpoint is compatible with Zscaler Internet Access (ZIA). ZIA works correctly with the Windows and Mac versions.

ZIA is supported by using Proxy Auto-Configuration (PAC) files to determine whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server.

For information on how to configure PAC files, see the BloxOne Threat Defense Integration in Zscaler deployment guide.

Known issues: N/A
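The direct-versus-proxy decision a PAC file makes, shown as an added illustration; this is not the PAC file from the Infoblox or Zscaler deployment guides. It assumes a placeholder ZIA proxy address and treats the Infoblox hosts and resolver IPs listed on this page as the ones sent direct; the authoritative bypass list comes from the deployment guide.

```javascript
// Illustrative PAC file (added example, not Infoblox's or Zscaler's own).
// ASSUMPTIONS: ZIA_PROXY is a placeholder address, and the Infoblox hosts
// below (taken from this page) are sent DIRECT so that BloxOne Endpoint can
// reach them without traversing the web proxy.

// Shim for the helper a browser's PAC engine normally provides, so the file
// can also be exercised with node; same semantics as the built-in.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

var ZIA_PROXY = "PROXY zia-gateway.example.invalid:80"; // placeholder only

// Hosts and resolver IPs from this page that the agent must reach directly.
var DIRECT_HOSTS = [
  "csp.infoblox.com", "threatdefense.infoblox.com",
  "52.119.40.100", "52.119.41.100", "103.80.5.100", "103.80.6.100"
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (DIRECT_HOSTS.indexOf(host) !== -1) return "DIRECT";
  // Subdomains of threatdefense.infoblox.com. The leading dot makes the
  // suffix match label-aware, so notthreatdefense.infoblox.com is not bypassed.
  if (dnsDomainIs(host, ".threatdefense.infoblox.com")) return "DIRECT";
  // Everything else is forwarded to ZIA. No "; DIRECT" fallback is appended,
  // so the browser does not silently bypass the proxy when it is unreachable.
  return ZIA_PROXY;
}
```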

...