
Endpoint Compatibility Guidelines

This topic provides guidelines for using Infoblox Endpoint in conjunction with third-party software. With certain VPN software, you might need to take extra steps to ensure compatibility with Infoblox Endpoint.

The provided information is for reference only. This information represents the results of lab testing in a controlled environment focused on individual protocol services. Enabling additional protocols, services, cache hit ratio for recursive DNS, and customer environment variables will affect performance. This information does not serve as an official list of supported or unsupported software for Infoblox Endpoint. To design and size a solution for a production environment, please contact your Infoblox Solution Architect.

Note

When you use Infoblox Endpoint with a VPN client, ensure that the VPN connection is established in the split-tunnel mode for every network protocol (IPv4 or IPv4/IPv6 for dual stack). If you have internal domains that are served by your local DNS servers and you want to reach them without interruption, you can consider adding them to the bypassed internal domain list, so that the DNS queries for these internal domains are sent to the local DNS servers instead of Infoblox Threat Defense. For more information about Infoblox Endpoint, see Managing Endpoint.

The following table lists commonly used third-party VPN software and its compatibility information with Infoblox Endpoint.

Third-Party Software

Compatibility Description

Known Issues

Akamai Enterprise Applications Access (EAA) VPN

Infoblox Endpoint is compatible with Akamai EAA VPN in the split-tunnel mode.

Note: Support for Akamai EAA VPN was verified only for Windows.

N/A
Appgate VPN

Infoblox Endpoint is compatible with Appgate VPN in the split-tunnel mode.

Note: Infoblox Endpoint supports Appgate SDP v5.3.2 or higher.

N/A
AWS Client VPN Endpoint

Infoblox Endpoint is not compatible with AWS Client VPN Endpoint because when your VPN configuration is set up to modify the DNS server on the network interface, Infoblox Endpoint cannot provide proper protection to your network.

Issue: When AWS Client VPN Endpoint is configured with a DNS server IP address, it overwrites the DNS server IP configured on the network interface of the client machine. As a consequence, Infoblox Endpoint cannot provide protection as designed.

Azure Client VPN Endpoint

Per Microsoft support, Azure VPN does not support using the loopback address as the DNS server for a point-to-site (P2S) VPN connection. This is a by-design limitation, and there is currently no official workaround for this scenario.

N/A


Check Point VPN

Infoblox Endpoint is compatible with Check Point VPN in the split-tunnel mode.

Infoblox Endpoint is not compatible with Check Point VPN in the full-tunnel mode.

N/A
Cisco AnyConnect VPN

Infoblox Endpoint is compatible only with the Internet portion of AnyConnect VPN in the split-tunnel mode.

Infoblox Endpoint is not compatible with AnyConnect in the full-tunnel mode.

N/A

F5 VPN

Infoblox Endpoint is not compatible with F5 VPN in the split-tunnel mode.

N/A
Fortinet FortiClient VPN

Infoblox Endpoint is compatible with Fortinet FortiClient VPN for Windows devices.

Tested version of FortiClient: 7.0.8.0308 (Windows).

Infoblox recommends the following:

  • Do not configure the client DNS address as “Same as client DNS Address”.
  • Specify the DNS servers on the FortiGate server.
McAfee Web Gateway Proxy

Infoblox Endpoint is partially compatible with the McAfee Web Gateway Proxy.

Some of the features, such as block redirect or bypass redirect, might not function properly.

Issue: When the McAfee Web Gateway proxy is enabled, all traffic goes through the proxy. Some of the features, such as block redirect and bypass redirect, might not function properly.

Workaround: Add the redirect IPs to the McAfee proxy bypass list. That way, the HTTP(S) GET requests for blocked domains can retrieve the contents from the redirect IP without being intercepted by the proxy.

Netskope

Infoblox Endpoint is officially certified to run with Netskope client 93.0.1 and later, provided that you disable the "Bypass Loopback DNS feature flag" on Netskope. As with any other VPN, Netskope must be set to run as a split tunnel, and specifically in CASB mode, meaning that Netskope secures only the specified port 80/443 traffic rather than all port 80/443 traffic; otherwise, the redirect feature will not work.

N/A
OpenVPN

Infoblox Endpoint is compatible with OpenVPN clients with the following configuration:

  • Create an .ovpn file and import the .ovpn file into the OpenVPN client. For an example of an .ovpn file, click here.
  • When using an OpenVPN server, ensure that persist-tun is not enabled on the server side, so that network changes are triggered during disconnect or reconnect.  

N/A

Palo Alto Networks GlobalProtect VPN

Infoblox Endpoint is compatible on Windows with Palo Alto Networks GlobalProtect VPN using the following configuration:

  • Network > GlobalProtect > Portal > [Portal Name] > Agent > [Agent Name] > App > Split-Tunnel Option. Do note that you have to set the "Split-Tunnel" option to "Both Network Traffic and DNS" instead of "Network Traffic Only".

  • my-ip.debug.infoblox.com and csp.infoblox.com must be resolvable from the Endpoint. You may need to add these domains to the "Include Domains" in your GlobalProtect gateway configurations.

  • Infoblox Endpoint must be able to access csp.infoblox.com on TCP port 443.

  • Internal domains configured in the Infoblox Platform must also be added, if the configuration allows it, as “Include domains” in all configured Palo Alto Networks GlobalProtect gateways. Do note that not all configurations permit this. 

  • Do note that "Internal Domains" on the GlobalProtect Gateway configuration can be found in the Palo Alto Networks PAN-OS web UI under (Network > GlobalProtect > Gateways > NameOfGateway > Agent > Client Settings > NameOfClientSetting > Split Tunnel > Domain and Application > Include Domain).

  • Infoblox Endpoint on macOS is not compatible with Palo Alto Networks GlobalProtect VPN with the DNS server IP address parameter turned on.

Notes:

  • The Infoblox Endpoint is compatible with Palo Alto Networks GlobalProtect client version 6.0.4-c21 and higher.
  • A configuration applicable for "Palo Alto Networks GlobalProtect VPN" should also be applicable for "Palo Alto Networks Prisma Access - Mobile User VPN" as they are the same thing except that Palo Alto Networks hosts the infrastructure for Prisma Access, while "GlobalProtect" is run on the on-prem firewalls by the customer.
  • When adding an "Internal Domain" on the GlobalProtect Gateway configuration, you must add it with a wildcard character to take effect (e.g. *.internal.domain.corp). Without the wildcard, only the domain itself will be forwarded down the tunnel. This is different from the Infoblox "Internal Domains" list, which does not require the addition of the wildcard character.
  • On the Palo Alto Networks firewall, you can configure up to 200 domains to be forwarded down the VPN tunnel when the tunnel is configured in split-tunnel ("Both Network Traffic and DNS") mode.
  • The Palo Alto Networks firewall requires the GlobalProtect license in order to include traffic in the VPN tunnel based on domain name.
  • For further information, refer to the Palo Alto Networks GlobalProtect documentation: Configure a Split Tunnel Based on the Domain and Application.

Issue: Sometimes, in an office network, the endpoint device must be restarted after the Infoblox Endpoint agent installation to work properly with the Palo Alto Networks GlobalProtect client.

Issue: When Palo Alto Networks GlobalProtect VPN is configured with a DNS server IP address, it modifies the DNS server IP configured on the network interface of the macOS client machine. As a result, Infoblox Endpoint cannot provide protection as designed on macOS.


Pulse Connect Secure VPN

Pulse Secure VPN has two operation modes:

  • IP-based split-tunneling

  • FQDN-based split-tunneling

In order to get Pulse Secure VPN and Infoblox Endpoint to work on the same machine, FQDN-based split-tunneling must be disabled in the Pulse Secure VPN gateway.

Issue: Both modes can be enabled; however, an issue occurs when using FQDN-based split-tunneling. In this mode, Pulse Secure must receive all DNS traffic, so it completely replaces the DNS addresses of the physical NIC adapter with its own address and restores the previous DNS addresses when it disconnects. Because FQDN-based split-tunneling manipulates the DNS table of the physical NIC adapter in the same way as Infoblox Endpoint does, Pulse Secure is incompatible with Infoblox Endpoint in this mode.

Workaround: To get Pulse Secure VPN and Infoblox Endpoint to work together on the same machine, FQDN-based split-tunneling must be disabled in the Pulse Secure VPN gateway. Also, if any domains are configured in the FQDN split tunnel in Pulse Secure, these domains must be added to the Infoblox Portal as internal domains.

For additional information, see
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44429.

SonicWall VPN

Infoblox Endpoint is not compatible with SonicWall VPN.

N/A
Symantec WSS Agent

Infoblox Endpoint is compatible with Symantec WSS Agent when you exclude the following domains and IP addresses on the agent:

TCP 443:

  • csp.infoblox.com 
  • threatdefense.infoblox.com and its subdomains 

TCP/UDP 53 and 443:

  • 52.119.40.100
  • 52.119.41.100 
  • 103.80.5.100
  • 103.80.6.100
N/A
Tunnelblick VPN
Infoblox Endpoint is compatible with Tunnelblick VPN if you make the following changes in Tunnelblick:
  • Allow changing of the DNS servers for the adapter.
  • Apply DNS settings after the tunnel has been established.

In the Connecting and Disconnecting tab of the Tunnelblick advanced configuration, ensure that the following two settings are enabled:

  • Flush DNS cache after connecting or disconnecting (default)
  • Set DNS after routes are set instead of before routes are set

In the While Connected tab, change the following to Ignore:

  • DNS servers:

    • When changed to pre-VPN value: Choose Ignore.

    • When changed to anything else: Choose Ignore.

With some Tunnelblick versions, Infoblox Endpoint is unable to properly identify the correct internal DNS servers following a VPN disconnect. To avoid this issue, change the “Set DNS/WINS” option in Tunnelblick to "set nameserver (3.1)":

  1. Open the Tunnelblick GUI.
  2. Select your configuration from the right panel.
  3. In the Tunnelblick GUI, click the Settings tab.
  4. Change the “Set DNS/WINS” option value to “set nameserver (3.1)”.


Zscaler Private Access (ZPA)

Infoblox Endpoint is compatible with Zscaler Private Access (ZPA). ZPA works correctly with Windows and Mac versions.

Tested versions of Zscaler client: 3.7.0.172 for macOS, 3.9.0.183 for Windows.

N/A
Zscaler Internet Access (ZIA)

Infoblox Endpoint is compatible with Zscaler Internet Access (ZIA). ZIA works correctly with Windows and Mac versions. 

ZIA is supported by using Proxy Auto-Configuration (PAC) files to determine whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server.

For information on how to configure PAC files, see the BloxOne Threat Defense Integration in Zscaler deployment guide.

N/A
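As an added illustration, not taken from the Infoblox or Zscaler deployment guide, the PAC file below shows the direct-versus-proxy decision described for ZIA, and the same bypass idea as the McAfee Web Gateway workaround above: the Infoblox portal and Threat Defense domains and the block/redirect IPs go DIRECT so that the block page can still be fetched, and everything else is forwarded to the web proxy. The hosts and IPs are assumed from the Symantec WSS Agent exclusion list on this page, and proxy.example.com:80 is a placeholder; take the real values from the deployment guide.

```javascript
// Added example PAC file (not Infoblox's or Zscaler's own). Destinations that
// Infoblox Endpoint must reach, or that serve block/redirect pages, bypass the
// proxy; all other browser requests are forwarded to the web proxy.
var PROXY = "PROXY proxy.example.com:80"; // placeholder, not a real proxy

// Domains to bypass (domain itself plus subdomains); assumed from the
// Symantec WSS Agent exclusion list on this page.
var BYPASS_DOMAINS = ["csp.infoblox.com", "threatdefense.infoblox.com"];

// Block/redirect IPs to bypass so the HTTP(S) GET for a blocked domain
// reaches the block page instead of the proxy (assumed from the same list).
var BYPASS_IPS = ["52.119.40.100", "52.119.41.100", "103.80.5.100", "103.80.6.100"];

// True when host equals domain or ends with "." + domain. Uses indexOf rather
// than the PAC helper dnsDomainIs() so the file also runs stand-alone under Node.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  if (host === domain) { return true; }
  var suffix = "." + domain;
  return host.length > suffix.length &&
    host.indexOf(suffix, host.length - suffix.length) !== -1;
}

// In a browser PAC engine dnsResolve() is provided and returns the address the
// local resolver (here, Infoblox Endpoint) hands back, which for a blocked
// domain is a redirect IP. Outside a PAC engine, treat host as an IP literal.
function resolvedIp(host) {
  return (typeof dnsResolve === "function") ? dnsResolve(host) : host;
}

function FindProxyForURL(url, host) {
  var i;
  for (i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (hostInDomain(host, BYPASS_DOMAINS[i])) { return "DIRECT"; }
  }
  var ip = resolvedIp(host);
  for (i = 0; i < BYPASS_IPS.length; i++) {
    if (ip === BYPASS_IPS[i]) { return "DIRECT"; }
  }
  // Everything else goes to the web proxy.
  return PROXY;
}
```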