
DNS based policy not working for the VPN application


Article ID: 239271


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

DNS based policy is not working for a VPN application.

VPN application DNS hostname is not visible in the WSS reports.

Instead of the DNS hostname, we see the IP address.

But when the same VPN application connects via an on-premise proxy, the reports show the DNS hostname correctly.


Environment

Component : All non-explicit access methods

Cause

For all access methods, the WSS proxy identifies the destination of a TLS session by checking the SNI (Server Name Indication) extension in the TLS ClientHello.

As such, the WSS Cloud Secure Web Gateway uses the SNI rather than the request hostname, even in the case of Explicit access methods.

Some VPN applications, however, do not set the SNI extension. When it is absent, no hostname can be filled in for the transaction, so the transaction and the subsequent reports show only the destination IP address. A packet capture of the VPN client's traffic will confirm this: the ClientHello of the affected connections carries no server_name extension.

Resolution

In order for the policy to work in those cases (where SNI is not available), the policy needs to be created on the destination IP address (or IP range) of the VPN service instead of the DNS hostname.

The same applies to SSL interception: if the VPN application's traffic must bypass SSL interception, that bypass rule also has to be created on the IP address. Keep in mind that an IP-based rule only stays effective as long as the VPN service keeps the same addresses, so the rule should be reviewed if the VPN provider changes its infrastructure.