This topic provides guidelines for using BloxOne Endpoint in conjunction with third-party software. With certain VPN software, you might need to take extra steps or make additional considerations to ensure compatibility with BloxOne Endpoint.
Note: The information provided in this topic serves as guidelines only. It does not serve as an official list of supported or unsupported software for BloxOne Endpoint.
The following table lists commonly used third-party VPN software and its compatibility with BloxOne Endpoint.
Third-Party Software | Compatibility Description | Known Issues |
---|---|---|
Akamai Enterprise Applications Access (EAA) VPN | BloxOne Endpoint is compatible with Akamai EAA VPN in the split-tunnel mode. Note: Support for Akamai EAA VPN was verified only for Windows. | N/A |
Appgate VPN | BloxOne Endpoint is compatible with Appgate VPN in the split-tunnel mode. Note: BloxOne Endpoint supports Appgate SDP v5.3.2 or higher. | N/A |
AWS Client VPN Endpoint | BloxOne Endpoint is not compatible with AWS Client VPN Endpoint because when your VPN configuration is set up to modify the DNS server on the network interface, BloxOne Endpoint cannot provide proper protection to your network. | Issue: When your VPN configuration is set up to modify the DNS server configured on the network interface, BloxOne Endpoint will not be able to provide proper protection as designed. Workaround: |
Azure Client VPN Endpoint | BloxOne Endpoint is compatible with Azure Client VPN Endpoint with the following change in the Azure VPN configuration: Home -> Virtual Networks -> <Select the required virtual network> -> DNS Server -> set as Custom (IP address 127.0.0.2). Prerequisites: Adding the hostname to the hosts file is required to connect to Azure. For BloxOne to be compatible with Azure VPN, IP address 127.0.0.2/127.0.0.1 should be added in the Azure configuration on the Azure portal. Note: 127.0.0.2 should work for both Mac and Windows. | N/A |
Check Point VPN | BloxOne Endpoint is compatible with Check Point VPN in the split-tunnel mode. BloxOne Endpoint is not compatible with Check Point VPN in the full-tunnel mode. | N/A |
Cisco AnyConnect VPN | BloxOne Endpoint is compatible only with the Internet portion of AnyConnect VPN in the split-tunnel mode. BloxOne Endpoint is not compatible with AnyConnect in the full-tunnel mode. | N/A |
F5 VPN | BloxOne Endpoint is compatible with F5 VPN in the split-tunnel mode. | N/A |
Fortinet FortiClient VPN | BloxOne Endpoint is compatible with Fortinet FortiClient VPN for Windows devices. Tested versions of FortiClient: 7.0.7.0345 Windows. | N/A |
McAfee Web Gateway Proxy | BloxOne Endpoint is partially compatible with the McAfee Web Gateway Proxy. Some of the features, such as block redirect or bypass redirect, might not function properly. | Issue: When the McAfee Web Gateway proxy is enabled, all traffic goes through the proxy. Some of the features, such as block redirect and bypass redirect, might not function properly. Workaround: Add the redirect IPs to the McAfee proxy bypass list. That way, the proxy is allowed to get the contents from the redirect IP during the HTTP(S) GET requests for blocked domains. |
Netskope | BloxOne Endpoint is officially certified to run with Netskope client 93.0.1 and later, provided that you disable the "Bypass Loopback DNS" feature flag on Netskope. As with any other VPN, Netskope must be set to run as a split tunnel and specifically in CASB mode, meaning that Netskope secures only specified 80/443 traffic rather than all 80/443 traffic; otherwise, the redirect feature will not work. | N/A |
OpenVPN | BloxOne Endpoint is compatible with OpenVPN clients with the following configuration: | N/A |
Palo Alto Networks GlobalProtect VPN | BloxOne Endpoint is compatible with Palo Alto Networks GlobalProtect VPN using the following configuration: Notes: | Issue: Sometimes in an office network, the endpoint device must be restarted after the BloxOne Endpoint agent installation to work properly with the Palo Alto Networks GlobalProtect client. |
Pulse Connect Secure VPN | Pulse Secure VPN has two operation modes: In order to get Pulse Secure VPN and BloxOne Endpoint to work on the same machine, FQDN-based split-tunneling must be disabled in the Pulse Secure VPN gateway. | Issue: Both modes can be enabled; however, an issue occurs when using FQDN-based split-tunneling. FQDN-based split-tunneling is required for Pulse Secure to receive all DNS traffic when operating in this mode. When operating in this mode, it completely replaces the DNS addresses of the physical NIC adapter with its own address. When it gets disconnected, it restores the previous DNS addresses. FQDN-based split-tunneling handles the DNS table of the physical NIC adapter in the same way as BloxOne Endpoint, resulting in incompatibility of Pulse Secure with BloxOne Endpoint. Workaround: To get Pulse Secure VPN and BloxOne Endpoint to work together on the same machine, FQDN-based split-tunneling must be disabled in the Pulse Secure VPN gateway. Also, if there are any domains configured in the FQDN split tunnel at Pulse Secure, these domains must be added to the Cloud Services Portal as internal domains. For additional information, see |
SonicWall VPN | BloxOne Endpoint is not compatible with SonicWall VPN. | N/A |
Symantec WSS Agent | BloxOne Endpoint is compatible with Symantec WSS Agent when you exclude the following domains and IP addresses on the agent: TCP 443: TCP/UDP 53 and 443: | N/A |
Tunnelblick VPN | BloxOne Endpoint is compatible with Tunnelblick VPN if you make the following changes in Tunnelblick: In the Connecting and Disconnecting tab of the Tunnelblick advanced configuration, ensure that the following two settings are enabled: In the While Connected tab, change the following to Ignore: | With some Tunnelblick versions, BloxOne Endpoint is unable to properly identify the correct internal DNS servers following a VPN disconnect. To avoid this issue, change the "Set DNS/WINS" option in Tunnelblick to "set nameserver (3.1)": |
Zscaler Private Access (ZPA) | BloxOne Endpoint is compatible with Zscaler Private Access (ZPA). ZPA works correctly with Windows and Mac versions. Tested versions of Zscaler client: 3.7.0.172 for macOS, 3.9.0.183 for Windows. | N/A |
Zscaler Internet Access (ZIA) | BloxOne Endpoint is compatible with Zscaler Internet Access (ZIA). ZIA works correctly with Windows and Mac versions. ZIA is supported by using Proxy Auto-Configuration (PAC) files to determine whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server. For information on how to configure PAC files, see the BloxOne Threat Defense Integration in ZScaler deployment guide. | N/A |