
DNS based policy not working for the VPN application


Article ID: 239271




Cloud Secure Web Gateway - Cloud SWG


DNS based policy is not working for a VPN application.

The VPN application's DNS hostname is not visible in the WSS reports.

Instead of the DNS hostname, we see the IP address.

But when the same VPN application connects via an on-premise proxy, it shows the DNS hostname correctly.



Component : All non-explicit access methods


For all access methods, the WSS proxy checks the SNI for TLS sessions.

As such, the WSS Cloud Secure Web Gateway will use the SNI rather than the request hostname, even in the case of Explicit access methods.

But some VPN applications do not set the SNI extension, so no hostname can be filled in for the transaction and subsequent reports.


For the policy to work in those cases (where SNI is not available), we need to create a policy based on the IP address instead of the DNS hostname.

If you want to bypass SSL for this traffic, that rule also needs to be created on the IP address.