Stuck on getting SSLVPN authentication with Microsoft Entra ID to work


All Replies

  • OWB
    OWB, Posts: 43, Freshman Member

    Hi @Zyxel_Melen

    But this is an SSL VPN for remote access; how do I decide on route-based or policy-based? Or do I maybe misunderstand?

  • Zyxel_Melen
    Zyxel_Melen, Posts: 4,616, Zyxel Employee

    Hi @OWB

    Please allow me to clarify first, is the DNS server connecting to the firewall by SSL VPN?

    In my experience, the DNS server is normally connected via the LAN interface for a local DNS server, the WAN interface for a public DNS server, and a site-to-site VPN for an internal DNS server. That's why the Domain Forwarder query interface only supports these types of interfaces.

    Zyxel Melen


  • OWB
    OWB, Posts: 43, Freshman Member

    Hi @Zyxel_Melen

    No, the DNS server is not connected to the firewall by SSL VPN.

    But it was my understanding from your previous post that it must be handled differently depending on whether the SSL VPN is route-based or policy-based, and I was not aware that it could be both? So, the Global Zone Forwarder querying from WAN and pointing to our ISP DNS server is the correct way for the firewall to reach login.microsoftonline.com?

    Thank you.

    Best regards Ole.

  • Zyxel_Melen
    Zyxel_Melen, Posts: 4,616, Zyxel Employee

    Hi @OWB

    We might mix different questions together. Please allow me to explain:

    1. "Route-based and policy-based are the two primary implementation methods of site-to-site VPN, which define how the VPN tunnel selects and handles traffic across IP subnets. These methods do not apply to remote access VPN (client-to-site)."
    2. The Global Zone Forwarder means the firewall will query all domain names to a specific DNS server. If some specific domains can only be resolved by a particular DNS server, or if the DNS server of the Global Zone Forwarder cannot resolve them, you can set a Domain Zone Forwarder rule to specify which DNS server should be used to query the DNS record.
    Zyxel Melen
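The forwarder selection described in point 2, modelled as a small added example (not Zyxel code): a Global Zone Forwarder catches every name, Domain Zone Forwarder rules override it for matching zones with the longest suffix winning, and an audit flags rules broad enough to swallow public names such as login.microsoftonline.com. All server addresses, interface names and zones below are constructed.

```python
"""Illustrative model of Global vs Domain Zone Forwarder selection on a firewall."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forwarder:
    server: str     # upstream DNS server the query is sent to
    interface: str  # interface the query leaves on (wan1, lan1, a site-to-site VPN)


def select_forwarder(qname, global_fwd, domain_rules):
    """Pick the forwarder for qname.

    domain_rules maps a zone suffix (e.g. 'corp.example') to a Forwarder.
    The most specific (longest) matching zone wins; with no match the
    Global Zone Forwarder is used, which is how a public name such as
    login.microsoftonline.com ends up at the ISP resolver via WAN.
    """
    name = qname.rstrip(".").lower()
    best_zone, best_fwd = None, None
    for zone, fwd in domain_rules.items():
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            if best_zone is None or len(z) > len(best_zone):
                best_zone, best_fwd = z, fwd
    return best_fwd if best_fwd is not None else global_fwd


def audit_rules(domain_rules):
    """Return zones that are empty or single-label (e.g. 'com'): such a
    Domain Zone Forwarder rule would capture public names and send them to
    an internal resolver, which typically cannot answer them."""
    return sorted(z for z in domain_rules if "." not in z.strip(".").strip())


# Constructed sample configuration (documentation addresses, not real servers).
ISP_DNS = Forwarder("203.0.113.53", "wan1")            # Global Zone Forwarder
DOMAIN_RULES = {
    "corp.example": Forwarder("10.0.0.10", "lan1"),            # local AD DNS
    "branch.corp.example": Forwarder("10.8.0.10", "vpn_hq_branch"),  # site-to-site
}


def resolve_path(qname):
    """Return (server, interface) the firewall would use for qname."""
    fwd = select_forwarder(qname, ISP_DNS, DOMAIN_RULES)
    return fwd.server, fwd.interface


if __name__ == "__main__":
    for n in ("login.microsoftonline.com", "dc1.corp.example", "fs.branch.corp.example"):
        print(n, "->", resolve_path(n))
```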


  • OWB
    OWB, Posts: 43, Freshman Member

    Thank you, I got it. :-)